Jamf Nation Community

Hey there @steventhemacman!

The current version of Chrome can be managed by using OS X's deprecated method of using Managed Preferences. You can write a plist file to "/Library/Managed Preferences/usershortname/com.google.Chrome.plist". Here's a sample script to block an extension (use on test machine first!):

[ Replace "usershortname" with the current username (${3} by default in script policies) and "asdfasdfasdfasdfasdfasdf" with the extension ID* ]

#!/bin/bash
sudo defaults write "/Library/Managed Preferences/usershortname/com.google.Chrome.plist" ExtensionInstallBlacklist -array "asdfasdfasdfasdfasdfasdf"
exit

If you want to whitelist an extension, you would use ExtensionInstallWhitelist instead of ExtensionInstallBlacklist. For more information on Google Chrome policies, see the Chromium project page or the [internal Chrome policy page](chrome://policy).

I am yet to try managing Chrome policies with Apple's "profiles". I will reference any newer findings in a blog post (which I'm yet to set up).

* You can find the extension ID of any extension by opening Google Chrome, navigating to Preferences > Extensions -> Check the box under "Development Mode" and the extension ID will appear under each installed extension.

Hi @zanb,

I ran your script to try to block Awesome Screenshot (ID alelhddbbhepgpmgidjdcjakblofbmce), but even though the script ran successfully, I was subsequently able to install and use Awesome Screenshot just fine.

Have you had consistent results with the script you posted?

Hi @Burrows

I tried your script, but for some reason it does not work. Extensions are still installed and working and I am able to add more. Not sure what to think of it. Have yet to try @zanb approach yet. Still chugging away...

@steventhemacman, do you have it triggered at login? The way it was written it won't work otherwise.

Does it look like the script ran? Check the folder permissions to see if they have changed to read only.

@elliotjordan & @steventhemacman,

You may need to restart Chrome after writing to "/Library/Managed Preferences/username/". In my experience with OS X 10.9+, the OS doesn't like me manually writing preference files to this directory and will sometimes delete "com.google.Chrome.plist". I have a launch daemon that writes the file back if it is ever removed by the system (primitive method, I know, I know).

I'm sure this could be remedied by re-configuring the local Open Directory to write MCX preferences. I'm yet to test this method to get Chrome controls to be more persistent than my archaic method described above.

Hi @Burrows

I did have it run at login. Still wasn't working. I think something got messed up on my end with copy and paste. So I retyped and retested and it is working great now. (permission checked out). Thanks!

@steventhemacman, good to hear it is working! It looks like my paste job may have been the culprit, sorry. I edited the script above to remove the carriage returns in the file paths.

I just tried an extension blacklist via config profile (pushed via JSS), seems to work fine....
even if the extension was previously installed, it will not work and no longer appear in the extensions list in chrome (after a relaunch)

I have also confirmed this by writing my own .mobileconfig profile by adding custom MCX preference settings for Chrome, then pushing it out via a DMG package, installing the profile via BASH script. Works like a charm!

@kstrick Where exactly is this extension blacklist in conf profiles? I cannot find it. Your help here would be appreciated.

Cheers

When I try to run the script posted by @sburrows, I get a Syntax Error - Expected End of line, etc. but found """". Any suggestions? Also, we need to run this as our currently logged in AD user, so I'm not sure what to change the username to in order to reflect that.

@kempt When I copied the code above, everything worked except the file path throwing "no such file or directory" because the $3 doesn't evaluate when running directly from shell. Make sure you're not using TextEdit, but something like BBEdit, Sublime Text, or TextWrangler (free) so there aren't any invalid characters being added to your script.

The script above is meant to be used as a Casper Login policy, which is what makes $3 evaluate properly as the "logging in" user. If you want to have this run as a policy on check-in, you'll need to grab the currently logged in user. There are many methods to get this user, but you might want to do something like this, replacing $3 with $userName:

userName=$(stat -f "%Su" "$HOME")

I know this is an old post but I figured I'd provide an update for those searching for it. I created a plist with the preferences that I wanted to change (a full list of preferences are listed on the chromium site), then you can either convert it to an xml plist and upload it into a configuration profile, or use the MCXtoProfile to create the config profile and upload it into jss to assign to computers. Its been working great so far.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>DeveloperToolsDisabled</key>
    <true/>
    <key>ExtensionInstallBlacklist</key>
    <array>
        <string>*</string>
    </array>
</dict>
</plist>

Roadrunner2348: thank you so much for your response this morning. I'm rather new to JAMF, and finishing up at a workshop currently. Specifically, I'm looking to disable/kill Chrome extensions like Gom VPN, Betternet and Ultrasurf - could you explain to a novice like me how I might do that? Thanks!

To block specific extensions you need to grab the extension ID. Easiest way to do that is install the extension in chrome, then go to settings, extensions, and check the box at the top for developer mode, and you'll see the ID listed under each extension. You can then put these ID's in the blacklist with each id in its own string tags (see below)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>DeveloperToolsDisabled</key>
    <true/>
    <key>ExtensionInstallBlacklist</key>
    <array>
        <!-- ID for Adblock -->
        <string>gighmmpiobklfepjocnamgkkbiglidom</string>
        <!-- ID for Google Cast -->
        <string>boadgeojelhgndaghljhdicfkmllpafd</string
    </array>
</dict>
</plist>

Then roll it into a config profile and deploy. There is also a key for whitelisting, so if you wanted to blacklist everything, then add back allowed extensions that is an option as well.

How is this file made? xcode? text editor? Seems like I should know the answer. Also when creating the config profile what is the Preference Domain used?

Thanks

@Buscher I use TextWrangler, but you could use a different text editor like TextEdit or vi(m) in Terminal.

If you create your com.google.Chrome.plist file, when you upload that using the Custom Setting payload it will automatically fill the Preference Domain section.

This solution is working great! How about for Firefox?

@Buscher you'll need two files: one called application.ini and one called mozilla.cfg.

*These instructions are for 10.11.X - I'm sure 10.10.X and earlier are different.

Here's the script I threw together (along with some other google'd ones).

moves application.ini into proper directory

applicationIni="/Applications/Firefox.app/Contents/Resources/application.ini"
overrideIni="/Applications/Firefox.app/Contents/MacOS/application.ini"
/bin/cp $applicationIni $overrideIni

disables First Run

sed -i -e 's/EnableProfileMigrator=1/EnableProfileMigrator=false/g' "$overrideIni"

Creates mandatory autoconfig file

cd "/Applications/Firefox.app/Contents/Resources/defaults/pref"
cat > autoconfig.js << EOF
pref("general.config.filename", "mozilla.cfg");
pref("general.config.obscure_value", 0);
EOF

creates preferences file

cd "/Applications/Firefox.app/Contents/Resources"
cat > mozilla.cfg << EOF
// Disable default
lockPref("browser.shell.checkDefaultBrowser", false);
// Disable updater
lockPref("app.update.enabled", false);
// make absolutely sure it is really off
lockPref("app.update.auto", false);
lockPref("app.update.mode", 0);
lockPref("app.update.service.enabled", false);
// Set default homepage - users can change, but will reset on relaunch
pref("browser.startup.homepage", "http://www.memphis.edu");
// Disable crash reporter
lockPref("toolkit.crashreporter.enabled", false);
Components.classes["@mozilla.org/toolkit/crash-reporter;1"].getService(Components.interfaces.nsICrashReporter).submitReports = false;
// Disable health reporter
lockPref("datareporting.healthreport.service.enabled", false);
// Disable all data upload (Telemetry and FHR)
lockPref("datareporting.policy.dataSubmissionEnabled", false);
// Don't show 'know your rights' on first run
pref("browser.rights.3.shown", true);
// Don't show WhatsNew on first run after every update
pref("browser.startup.homepage_override.mstone","ignore");
// set Firefox Default homepage defaultPref("browser.startup.homepage", "data:text/plain,browser.startup.homepage=http://www.memphis.edu");
defaultPref("browser.newtab.url", "http://www.memphis.edu");
EOF

Mozilla has all of the JSON switches available on their site.

I have this script following my updatefirefox shell that removes the current version, installs the latest version, and they lays down the above files.

roadrunner2348 you had the answer i've been searching for all afternoon. I could find all the information on the Chrome site for what configurations existed but not how to actually create the plist file. Thanks!

I found a student using the Chrome Remote Desktop to access his unfiltered home computer's internet and games... had to get that shut down right quick.

@roadrunner2348 Sorry to ask what may be a silly question, but here goes:

What do I call the newly created file and where do I place it? Do I use the Custom Settings payload in a config profile to assign the plist?

@jgrubbs Once you've created the file, the name isn't so important, you can name it whatever makes sense to you. Its just going to get uploaded to the JSS anyway. I usually store them somewhere on my computer so I can update settings later without having to re-create the file though.

Once you've created the file you'll need to convert it to XML:

plutil -convert xml1 <path to file>

Then upload it into JSS as a customs settings payload. The preference domain, needs to be set to com.google.Chrome

If you need to make changes just edit the plist file and re-upload.

Thanks,
Justin

@roadrunner2348 I got your Configuration Profile suggestion to work, but how would I go about using the whitelisting key?

[

@roadrunner2348 I am interested in your method but having some troubles getting it to take. What are the steps from start to finish to get the profile onto the laptops? So far I have created in vim then converted to xml then to plist then uploaded it with proper preference domain. Am i missing something?

I know this thread is old, but I wanted to share what I did for Chrome. Hopefully it helps someone out.

I used Xcode to create com.google.Chrome.plist. I found all of the settings from https://www.chromium.org/administrators/policy-list-3

I took the plist, placed it in /Library/Managed Preferences/, and the relaunched chrome to get the settings to apply.

Hey ed_sfdc,

I downloaded Xcode and created the plist. If I put the plist in the proper spot it kills the extension that I want killed.

However if I reboot the machine the plist is gone.

I'm new to a lot of this but wonder if you have any suggestions? Also about deploying it properly via Jamf. I can deploy it all day long but it doesn't seem to be "taking" on the computers like if it is installed directly, but that doesn't matter once they reboot.

Any ideas?

I have created this config profile and set it to automatically install at the computer level but it seems it never actually installed and just sits in the "remaining" section. Any insight on why that might be happening? I checked to make sure that the computer has checked in after creating the policy.

Thanks in advance

If you are running the google admin console you can shut off unnecessary apps and programs either to a single student or the entire grade level, changes take place almost instantly.

Google Admin Console options only works when a user is logged into their google account they can easily log out and into their personal account and add whatever extensions they like.

Correct, we can block them through or Google Admin Console but that does not prevent them from logging into their own Google account and using the extensions feature that way. I was looking to blacklist known bad extensions.

You can follow these steps:
Open Google Chrome.
Look at the right of the window, find three dots and click on them.
Choose the icon “Settings”.
After you click on “Settings”, you’ll see another menu. Now click on “Extensions”.
Find what particular extension must be removed.
Click the button “Remove”.

If you use Mac you can delete extensions with finder. I haven't done this but you can see the full guide here https://freewindows10.download/articles/how-to-remove-extensions-on-chrome