Chrome Extensions

dufurl
New Contributor

Has anyone figured out how to stop students from downloading extensions in Chrome and Safari like the dreaded Ultrasurf and other VPN's? We are a mac environment running 10.14.5 OS.

11 REPLIES 11

cdev
Contributor III

Chrome extensions can be managed via Configuration Profiles, including blacklists and removal:

https://www.chromium.org/administrators/policy-list-3

Safari on the other hand, has limited controls for extensions. If it's a plugin, you can manage it, but I don't believe there is a control mechanism for extensions.

epomelow
New Contributor III

Here's the master preferences file I use. There are several ways to do it, as @cdev said, a configuration profile will probably be best. Using the following text file and replacing the extensions section with your extensions you want to install will configure Chrome users who have not launched chrome before. If you use a config profile and use the 'ExtensionInstallBlacklist' set to ' * ', all extensions are blacklisted from install. Then simply whitelist the google apps you want them to run, and they are restricted.

{
 "homepage": "[HomepageURL]",
 "homepage_is_newtabpage" : false,
 "first_run_tabs": [
          "[HomepageURL]"
    ],
 "distribution": {
        "skip_first_run_ui": true,
        "show_welcome_page": false
    },
 "browser": {
        "show_home_button": true,
        "check_default_browser": false,
        "show_welcome_page": false
    },
 "extensions": {
    "settings": {
       "kgjfgplpablkjnlkjmjdecgdpfankdle": {
          "location": 1,
          "manifest": {
             "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlan6AArPtHCPCKtQ/5ca/dJehlghjF0M0bR9j2WmNFRM+/vFvIPXqs2VbAvnYHgkoB1UxrtMK/bcVHzAb3Nxctfg5oWrV5P7Xamh1zIBN8MERge83ipbMtOZJPLA+qWUqS7pKcWBA6eyHvic7JeKOjSK6yqWmWEm8cyvdgBKF/io1p9lthOJjWpmbanwHvnaPbelVuUVzYtoxTPF7n3vsNJzHh3sPav4RfQzxvqQSt7he1n/XifGeAK1C+YEqyKRd/fi193XQZDzk4IqYFuvVYnvT8/Ks3W54Hptm9gBC7QZA+5wP0NfAsa5+/MwlTnHb+ZcoB4RbbpFyBAArjVPZwIDAQAB",
             "name": "Zoom Scheduler",
             "permissions": [ "identity", "storage", "unlimitedStorage", "https://www.google.com/calendar/*", "https://calendar.google.com/calendar/*", "https://*.zoom.us/*" ],
             "update_url": "https://clients2.google.com/service/update2/crx",
             "version": "0.0",
             "manifest_version": 2
          },
          "granted_permissions": {
                    "api": [
                        "identity",
                        "storage",
                        "unlimitedStorage"
                    ],
                    "explicit_host": [
                        "https://*.zoom.us/*",
                        "https://accounts.google.com/*",
                        "https://calendar.google.com/*",
                        "https://www.google.com/*"
                    ],
                    "manifest_permissions": [],
                    "scriptable_host": [
                        "https://*.zoom.us/google/oauth/*",
                        "https://*.zoom.us/saml/extension/*",
                        "https://*.zoom.us/wc/*",
                        "https://calendar.google.com/calendar/*",
                        "https://www.google.com/calendar/*"
                    ]
                },
          "path": "kgjfgplpablkjnlkjmjdecgdpfankdle\0.0",
          "state": 1
       }
    }
 }
}

nmcguire
New Contributor

Google Chrome Browser Management!

https://cloud.google.com/chrome-enterprise/browser-management/

I believe you can create a Google Admin account for free if you want to manage browsers. You end up deploying one preference via profile and then you're able to manage the entire browser from the Google Admin.

marklamont
Contributor III

profilecreator lets you build chrome profiles easily, amongst many other profiles of course

vmalapati_mu
New Contributor III

Hey @epomelow, Can you help me by posting complete plist file. Bcaz the posted giving error and Zoom Scheduler is not getting added to Chrome Extensions. Hey Guys, can you help with plist file to add Zoom Scheduler extension to Chrome?

mainelysteve
Valued Contributor II

@nmcguire +1 . I've started doing this and it's working well. Only hiccup is that sometimes a second launch is needed for the enrollment process to take effect.

GerardWeese
New Contributor

Google indicates the Chrome extenssion page is moving. from: https://www.chromium.org/administrators/policy-list-3
to the new location. here: https://cloud.google.com/docs/chrome-enterprise/policies/

vmalapati_mu
New Contributor III

@nmcguire, thanks for the suggestion. Does this end up with adding another console to manage browsers alone? Also will this sums up another budget to get the license and support? If I am not wrong, you are saying to manage browser from Google Admin console? if you don't mind can you give more details on this?

Thanks & Regards
Venu Malapati

jefff
Contributor II

Your antivirus solution may be able to help with this. I know that the default settings for ESET block browser extensions. In my environment, that's undesirable behavior, but it sounds like it would be just what you need.

epomelow
New Contributor III

@vmalapati_mu sorry for the delay, holiday vacations and all. Here's the plist I use to force my setup on my lab computers. This disallows users from changing it. The above is a json file you can add to the computer for first run configurations, then allow the user to change it.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AutoplayAllowed</key>
    <false/>
    <key>DefaultPluginsSetting</key>
    <integer>3</integer>
    <key>DefaultSearchProviderEnabled</key>
    <true/>
    <key>ExtensionInstallForcelist</key>
    <array>
        <string>kgjfgplpablkjnlkjmjdecgdpfankdle;http://clients2.google.com/service/update2/crx</string>
        <string>idkloemkmldbemijiamdiolojbffnjlh;http://clients2.google.com/service/update2/crx</string>
    </array>
    <key>HomepageLocation</key>
    <string>https://yoursite.example.com</string>
    <key>RestoreOnStartup</key>
    <integer>4</integer>
    <key>RestoreOnStartupURLs</key>
    <array>
        <string>https://yoursite.example.com</string>
    </array>
    <key>ShowHomeButton</key>
    <true/>
</dict>
</plist>

bcbackes
Contributor III

I'm using the "ExtensionInstallBlacklist" in my configuration profile to prevent people from installing extensions, however, I wasn't able to find anything that will disable and/or remove extensions on the blacklist that might have been installed previous to my deployment.

In my testing, I installed Adblock Plus extension on my test Mac. I then added that extension to my blacklist. I found that any Macs that didn't have the extension already will be blocked from trying to install it. However, with my test Mac that had it already installed when I pushed out my config profile, Adblock Plus functioned normally and wasn't being disabled or removed.

Anyone know how to remove extensions that have been installed already? Thanks in advance!