I have seen various people struggling with this, some claiming it's not possible and Chromium documentation on this particular policy isn't straight forward so here we go...
Based on Google Chrome documentation for the policy "ExtensionSettings".
The following assumes you've already got the application you'll be pinning installed either via other Chrome policies (E.g. ExtensionInstallForcelist) or manually installed.
See the below image what the end result looks like - Pinned chrome extensions (HTTPS Everywhere + MyApps) which can't be unpinned by end-users.
- Create a new configuration profile.
- Add the "Application & Custom Settings" payload.
- Enter the preference domain as "com.google.Chrome".
- Populate the property list contents with the following:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ExtensionSettings</key>
<dict>
<key>ggjhpefgjjfobnfoldnjipclpcfbgbhl</key>
<dict>
<key>toolbar_pin</key>
<string>force_pinned</string>
</dict>
<key>gcbommkclmclpchllfjekcdonpmejbdp</key>
<dict>
<key>toolbar_pin</key>
<string>force_pinned</string>
</dict>
</dict>
</dict>
</plist>Note: Replace the key value (E.g. ggjhpefgjjfobnfoldnjipclpcfbgbhl) for each application you want to pin. If you want to pin more, copy/paste the code block.
- Scope your policy to some testing devices and save.
I would generally recommend deploying this config profile separately from your policies used to install extensions to keep things simpler and easier to troubleshoot.
The Google documentation seems to indicate that you can use a wildcard (*) to pin all installed extensions however I haven't had much luck with that in my testing. So ended up explicitly specifying the extensions to pin in the plist.
Hopefully this helps someone out. Long term, could benefit from converting to a JSON compatible Jamf CP Schema but this does the job for now.
