How to remove unwanted Chrome Extensions (hangout) and lock down Chrome.

steventhemacman
New Contributor III

Hello,

We are using Chrome more and more and I have been asked to block extensions. Also, to remove certain ones that have been installed (google hangouts in particular to be removed). Just looking for some expert opinions. Thanks!

1 ACCEPTED SOLUTION

sburrows
New Contributor III

We currently use this script at log in to delete the users Chrome extensions directory, re-create it, and change the permissions on the new folder. It seems to be working fairly well.

I believe someone on here posted this script, so I can't take credit for it.

#!/bin/sh
# current user is $3

# remove the google extensions directory
rm -rf "/Users/$3/Library/Application Support/Google/Chrome/Default/Extensions"

# recreate the google extensions directory
mkdir "/Users/$3/Library/Application Support/Google/Chrome/Default/Extensions"

# change the permissions on the folder
chmod -R 444 "/Users/$3/Library/Application Support/Google/Chrome/Default/Extensions"

View solution in original post

34 REPLIES 34

rohrt85
New Contributor II

if your place has google emails like we do at our school then you should be able to go into the Google Admin side and block from there. Our staff and students all have email hailing from Google but we are able to block that out but the only way they can access it is with their personal email.

sburrows
New Contributor III

We currently use this script at log in to delete the users Chrome extensions directory, re-create it, and change the permissions on the new folder. It seems to be working fairly well.

I believe someone on here posted this script, so I can't take credit for it.

#!/bin/sh
# current user is $3

# remove the google extensions directory
rm -rf "/Users/$3/Library/Application Support/Google/Chrome/Default/Extensions"

# recreate the google extensions directory
mkdir "/Users/$3/Library/Application Support/Google/Chrome/Default/Extensions"

# change the permissions on the folder
chmod -R 444 "/Users/$3/Library/Application Support/Google/Chrome/Default/Extensions"

zanb
New Contributor III

Hey there @steventhemacman!

The current version of Chrome can be managed by using OS X's deprecated method of using Managed Preferences. You can write a plist file to "/Library/Managed Preferences/usershortname/com.google.Chrome.plist". Here's a sample script to block an extension (use on test machine first!):

[ Replace "usershortname" with the current username (${3} by default in script policies) and "asdfasdfasdfasdfasdfasdf" with the extension ID* ]

#!/bin/bash
sudo defaults write "/Library/Managed Preferences/usershortname/com.google.Chrome.plist" ExtensionInstallBlacklist -array "asdfasdfasdfasdfasdfasdf"
exit

If you want to whitelist an extension, you would use ExtensionInstallWhitelist instead of ExtensionInstallBlacklist. For more information on Google Chrome policies, see the Chromium project page or the [internal Chrome policy page](chrome://policy).

I am yet to try managing Chrome policies with Apple's "profiles". I will reference any newer findings in a blog post (which I'm yet to set up).

* You can find the extension ID of any extension by opening Google Chrome, navigating to Preferences > Extensions -> Check the box under "Development Mode" and the extension ID will appear under each installed extension.

elliotjordan
Contributor III

Hi @zanb,

I ran your script to try to block Awesome Screenshot (ID alelhddbbhepgpmgidjdcjakblofbmce), but even though the script ran successfully, I was subsequently able to install and use Awesome Screenshot just fine.

Have you had consistent results with the script you posted?

steventhemacman
New Contributor III

Hi @Burrows

I tried your script, but for some reason it does not work. Extensions are still installed and working and I am able to add more. Not sure what to think of it. Have yet to try @zanb approach yet. Still chugging away...

sburrows
New Contributor III

@steventhemacman, do you have it triggered at login? The way it was written it won't work otherwise.

Does it look like the script ran? Check the folder permissions to see if they have changed to read only.

zanb
New Contributor III

@elliotjordan & @steventhemacman,

You may need to restart Chrome after writing to "/Library/Managed Preferences/username/". In my experience with OS X 10.9+, the OS doesn't like me manually writing preference files to this directory and will sometimes delete "com.google.Chrome.plist". I have a launch daemon that writes the file back if it is ever removed by the system (primitive method, I know, I know).

I'm sure this could be remedied by re-configuring the local Open Directory to write MCX preferences. I'm yet to test this method to get Chrome controls to be more persistent than my archaic method described above.

steventhemacman
New Contributor III

Hi @Burrows

I did have it run at login. Still wasn't working. I think something got messed up on my end with copy and paste. So I retyped and retested and it is working great now. (permission checked out). Thanks!

sburrows
New Contributor III

@steventhemacman, good to hear it is working! It looks like my paste job may have been the culprit, sorry. I edited the script above to remove the carriage returns in the file paths.

kstrick
Contributor III

I just tried an extension blacklist via config profile (pushed via JSS), seems to work fine....
even if the extension was previously installed, it will not work and no longer appear in the extensions list in chrome (after a relaunch)

zanb
New Contributor III

I have also confirmed this by writing my own .mobileconfig profile by adding custom MCX preference settings for Chrome, then pushing it out via a DMG package, installing the profile via BASH script. Works like a charm!

michael_sysum
New Contributor

@kstrick Where exactly is this extension blacklist in conf profiles? I cannot find it. Your help here would be appreciated.

Cheers

kempt
New Contributor II

When I try to run the script posted by @sburrows, I get a Syntax Error - Expected End of line, etc. but found """". Any suggestions? Also, we need to run this as our currently logged in AD user, so I'm not sure what to change the username to in order to reflect that.

merps
Contributor III

@kempt When I copied the code above, everything worked except the file path throwing "no such file or directory" because the $3 doesn't evaluate when running directly from shell. Make sure you're not using TextEdit, but something like BBEdit, Sublime Text, or TextWrangler (free) so there aren't any invalid characters being added to your script.

The script above is meant to be used as a Casper Login policy, which is what makes $3 evaluate properly as the "logging in" user. If you want to have this run as a policy on check-in, you'll need to grab the currently logged in user. There are many methods to get this user, but you might want to do something like this, replacing $3 with $userName:

userName=$(stat -f "%Su" "$HOME")

roadrunner2348
Contributor

I know this is an old post but I figured I'd provide an update for those searching for it. I created a plist with the preferences that I wanted to change (a full list of preferences are listed on the chromium site), then you can either convert it to an xml plist and upload it into a configuration profile, or use the MCXtoProfile to create the config profile and upload it into jss to assign to computers. Its been working great so far.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>DeveloperToolsDisabled</key>
    <true/>
    <key>ExtensionInstallBlacklist</key>
    <array>
        <string>*</string>
    </array>
</dict>
</plist>

scole2
New Contributor

Roadrunner2348: thank you so much for your response this morning. I'm rather new to JAMF, and finishing up at a workshop currently. Specifically, I'm looking to disable/kill Chrome extensions like Gom VPN, Betternet and Ultrasurf - could you explain to a novice like me how I might do that? Thanks!

roadrunner2348
Contributor

To block specific extensions you need to grab the extension ID. Easiest way to do that is install the extension in chrome, then go to settings, extensions, and check the box at the top for developer mode, and you'll see the ID listed under each extension. You can then put these ID's in the blacklist with each id in its own string tags (see below)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>DeveloperToolsDisabled</key>
    <true/>
    <key>ExtensionInstallBlacklist</key>
    <array>
        <!-- ID for Adblock -->
        <string>gighmmpiobklfepjocnamgkkbiglidom</string>
        <!-- ID for Google Cast -->
        <string>boadgeojelhgndaghljhdicfkmllpafd</string
    </array>
</dict>
</plist>

Then roll it into a config profile and deploy. There is also a key for whitelisting, so if you wanted to blacklist everything, then add back allowed extensions that is an option as well.

Buscher
New Contributor II

How is this file made? xcode? text editor? Seems like I should know the answer. Also when creating the config profile what is the Preference Domain used?

Thanks

apizz
Valued Contributor

@Buscher I use TextWrangler, but you could use a different text editor like TextEdit or vi(m) in Terminal.

If you create your com.google.Chrome.plist file, when you upload that using the Custom Setting payload it will automatically fill the Preference Domain section.

Buscher
New Contributor II

This solution is working great! How about for Firefox?

Chubs
Contributor

@Buscher you'll need two files: one called application.ini and one called mozilla.cfg.

*These instructions are for 10.11.X - I'm sure 10.10.X and earlier are different.

Here's the script I threw together (along with some other google'd ones).

moves application.ini into proper directory

applicationIni="/Applications/Firefox.app/Contents/Resources/application.ini"
overrideIni="/Applications/Firefox.app/Contents/MacOS/application.ini"
/bin/cp $applicationIni $overrideIni

disables First Run

sed -i -e 's/EnableProfileMigrator=1/EnableProfileMigrator=false/g' "$overrideIni"

Creates mandatory autoconfig file

cd "/Applications/Firefox.app/Contents/Resources/defaults/pref"
cat > autoconfig.js << EOF
pref("general.config.filename", "mozilla.cfg");
pref("general.config.obscure_value", 0);
EOF

creates preferences file

cd "/Applications/Firefox.app/Contents/Resources"
cat > mozilla.cfg << EOF
// Disable default
lockPref("browser.shell.checkDefaultBrowser", false);
// Disable updater
lockPref("app.update.enabled", false);
// make absolutely sure it is really off
lockPref("app.update.auto", false);
lockPref("app.update.mode", 0);
lockPref("app.update.service.enabled", false);
// Set default homepage - users can change, but will reset on relaunch
pref("browser.startup.homepage", "http://www.memphis.edu");
// Disable crash reporter
lockPref("toolkit.crashreporter.enabled", false);
Components.classes["@mozilla.org/toolkit/crash-reporter;1"].getService(Components.interfaces.nsICrashReporter).submitReports = false;
// Disable health reporter
lockPref("datareporting.healthreport.service.enabled", false);
// Disable all data upload (Telemetry and FHR)
lockPref("datareporting.policy.dataSubmissionEnabled", false);
// Don't show 'know your rights' on first run
pref("browser.rights.3.shown", true);
// Don't show WhatsNew on first run after every update
pref("browser.startup.homepage_override.mstone","ignore");
// set Firefox Default homepage defaultPref("browser.startup.homepage", "data:text/plain,browser.startup.homepage=http://www.memphis.edu");
defaultPref("browser.newtab.url", "http://www.memphis.edu");
EOF

Mozilla has all of the JSON switches available on their site.

I have this script following my updatefirefox shell that removes the current version, installs the latest version, and they lays down the above files.

I find your lack of faith disturbing

TexasITAdmin
New Contributor III

roadrunner2348 you had the answer i've been searching for all afternoon. I could find all the information on the Chrome site for what configurations existed but not how to actually create the plist file. Thanks!

I found a student using the Chrome Remote Desktop to access his unfiltered home computer's internet and games... had to get that shut down right quick.

jgrubbs
New Contributor III

@roadrunner2348 Sorry to ask what may be a silly question, but here goes:

What do I call the newly created file and where do I place it? Do I use the Custom Settings payload in a config profile to assign the plist?

roadrunner2348
Contributor

@jgrubbs Once you've created the file, the name isn't so important, you can name it whatever makes sense to you. Its just going to get uploaded to the JSS anyway. I usually store them somewhere on my computer so I can update settings later without having to re-create the file though.

Once you've created the file you'll need to convert it to XML:

plutil -convert xml1 <path to file>

Then upload it into JSS as a customs settings payload. The preference domain, needs to be set to com.google.Chrome

If you need to make changes just edit the plist file and re-upload.

Thanks,
Justin

kempt
New Contributor II

@roadrunner2348 I got your Configuration Profile suggestion to work, but how would I go about using the whitelisting key?

dhmyers
New Contributor

[

jgebers
New Contributor

@roadrunner2348 I am interested in your method but having some troubles getting it to take. What are the steps from start to finish to get the profile onto the laptops? So far I have created in vim then converted to xml then to plist then uploaded it with proper preference domain. Am i missing something?

ed_sfdc
New Contributor

I know this thread is old, but I wanted to share what I did for Chrome. Hopefully it helps someone out.

I used Xcode to create com.google.Chrome.plist. I found all of the settings from https://www.chromium.org/administrators/policy-list-3

I took the plist, placed it in /Library/Managed Preferences/, and the relaunched chrome to get the settings to apply. 304b6a3a14a84f57b2939788d767acb7

shoch
New Contributor III

Hey ed_sfdc,

I downloaded Xcode and created the plist. If I put the plist in the proper spot it kills the extension that I want killed.

However if I reboot the machine the plist is gone.

I'm new to a lot of this but wonder if you have any suggestions? Also about deploying it properly via Jamf. I can deploy it all day long but it doesn't seem to be "taking" on the computers like if it is installed directly, but that doesn't matter once they reboot.

Any ideas?

dsweigart
New Contributor III

I have created this config profile and set it to automatically install at the computer level but it seems it never actually installed and just sits in the "remaining" section. Any insight on why that might be happening? I checked to make sure that the computer has checked in after creating the policy.

Thanks in advance

sietsemaeri
New Contributor III

If you are running the google admin console you can shut off unnecessary apps and programs either to a single student or the entire grade level, changes take place almost instantly.

Buscher
New Contributor II

Google Admin Console options only works when a user is logged into their google account they can easily log out and into their personal account and add whatever extensions they like.

dsweigart
New Contributor III

Correct, we can block them through or Google Admin Console but that does not prevent them from logging into their own Google account and using the extensions feature that way. I was looking to blacklist known bad extensions.

mattstevens
New Contributor

You can follow these steps:
Open Google Chrome.
Look at the right of the window, find three dots and click on them.
Choose the icon “Settings”.
After you click on “Settings”, you’ll see another menu. Now click on “Extensions”.
Find what particular extension must be removed.
Click the button “Remove”.

If you use Mac you can delete extensions with finder. I haven't done this but you can see the full guide here https://freewindows10.download/articles/how-to-remove-extensions-on-chrome