Posted on 03-03-2021 10:35 AM
I have seen various people struggling with this, some claiming it's not possible, and the Chromium documentation on this particular policy isn't straightforward, so here we go...
Based on Google Chrome documentation for the policy "ExtensionSettings".
The following assumes you've already got the application you'll be pinning installed, either via other Chrome policies (e.g. ExtensionInstallForcelist) or manually.
See the image below for what the end result looks like: pinned Chrome extensions (HTTPS Everywhere + MyApps) which can't be unpinned by end users.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ExtensionSettings</key>
    <dict>
        <key>ggjhpefgjjfobnfoldnjipclpcfbgbhl</key>
        <dict>
            <key>toolbar_pin</key>
            <string>force_pinned</string>
        </dict>
        <key>gcbommkclmclpchllfjekcdonpmejbdp</key>
        <dict>
            <key>toolbar_pin</key>
            <string>force_pinned</string>
        </dict>
    </dict>
</dict>
</plist>
Note: Replace the key value (e.g. ggjhpefgjjfobnfoldnjipclpcfbgbhl) for each application you want to pin. If you want to pin more, copy/paste the code block.
I would generally recommend deploying this config profile separately from your policies used to install extensions to keep things simpler and easier to troubleshoot.
The Google documentation seems to indicate that you can use a wildcard (*) to pin all installed extensions; however, I haven't had much luck with that in my testing, so I ended up explicitly specifying the extensions to pin in the plist.
Hopefully this helps someone out. Long term, this could benefit from converting to a JSON-compatible Jamf CP schema, but this does the job for now.
Posted on 03-03-2021 10:46 AM
Troubleshooting: Head to chrome://policy/ to view the Chrome policy logs and review any error messages.
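An added example, not part of the original posts: instead of copy/pasting one block per extension, this Python sketch generates the same ExtensionSettings plist from a list of IDs and rejects anything that is not a well-formed Chrome extension ID (32 characters, letters a-p), which catches typos before the profile is uploaded. The function names are hypothetical; only explicit IDs are accepted, matching the approach in the post.

```python
import plistlib
import re

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXTENSION_ID_RE = re.compile(r"[a-p]{32}")


def build_pin_payload(extension_ids):
    """Return the ExtensionSettings dict that force-pins each given ID."""
    settings = {}
    for raw in extension_ids:
        ext_id = raw.strip()
        if not EXTENSION_ID_RE.fullmatch(ext_id):
            raise ValueError(f"not a Chrome extension ID: {raw!r}")
        if ext_id in settings:
            raise ValueError(f"duplicate extension ID: {ext_id}")
        settings[ext_id] = {"toolbar_pin": "force_pinned"}
    if not settings:
        raise ValueError("no extension IDs given")
    return {"ExtensionSettings": settings}


def render_plist(extension_ids):
    """Serialize the payload as an XML plist, keeping the input order."""
    payload = build_pin_payload(extension_ids)
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML, sort_keys=False)


def pinned_ids(plist_bytes):
    """Parse a plist and list the IDs whose toolbar_pin is force_pinned."""
    settings = plistlib.loads(plist_bytes).get("ExtensionSettings", {})
    return [
        ext_id
        for ext_id, cfg in settings.items()
        if isinstance(cfg, dict) and cfg.get("toolbar_pin") == "force_pinned"
    ]


if __name__ == "__main__":
    # The two IDs used in the post above.
    ids = [
        "ggjhpefgjjfobnfoldnjipclpcfbgbhl",
        "gcbommkclmclpchllfjekcdonpmejbdp",
    ]
    print(render_plist(ids).decode())
```

`pinned_ids` can also be run against an existing plist file's bytes to confirm which extensions a profile actually pins before comparing with chrome://policy/.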