Extension workflows: Let users request extensions

For Chrome version 92 or later.

Applies to computers that are managed using Chrome Enterprise Core and managed ChromeOS devices. This feature is not currently available for Enterprise accounts on unmanaged browsers or unmanaged ChromeOS devices.

As an admin, you can use the Google Admin console to let users request the extensions that they need in the Chrome Web Store. Then, you can allow, block, or automatically install extensions that users request.

Things to consider

  • We recommend that you first apply settings to a small number of users and devices in a test organizational unit. Then, after you verify that devices are working correctly, you can apply them to your entire organization.
  • Allowing users to request extensions on their personal devices needs more discussion. For now, only include users with company owned devices in your test organizational unit.
  • When you complete these steps to turn the feature on, users can only install the extensions that you allow in the Apps & extensions list and requested extensions that you approve. All other apps are disabled or blocked. In steps 2 and 3 below, make sure that you approve or automatically install all of the apps that your users need.
  • To manage extension requests for a specific group of users or enrolled Chrome browsers, put the user accounts or browsers in an organizational unit. You can’t set the installation policy for individual users or browsers.
  • To make sure that you can service the extension requests, verify that this privilege is enabled:
    Services > Chrome Management > Settings > Managed Application Settings.

How to

Step 1: Turn on reporting

For details about how to receive daily profile and system state data in your Admin console, see Enable Chrome browser reporting.

Before you proceed to the next step, verify that reports are populated with data. It can take up to 48 hours for data to show up in reports.

Step 2: Get a list of currently installed extensions

There are two ways to get a list of all the extensions that are currently installed on users’ enrolled Chrome browsers and ChromeOS devices:

Step 3: Specify the apps you want to allow

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Devices > Chrome > Apps & extensions > Users & browsers.

    If you signed up for Chrome Browser Cloud Management, go to Menu > Chrome browser > Apps & extensions > Users & browsers.

  3. (Users only) To apply the setting to a group, do the following:
    1. Select Groups.
    2. Select the group to which you want to apply the setting.
  4. (Optional) To apply the setting to a department or team, at the side, select an organizational unit.
  5. Add the apps that appear in the list that you already obtained in Step 2:
    1. Point to Add and click Add from Chrome Web Store.
    2. Find the app and click Select.
    3. If prompted, accept the app permissions on behalf of your organization.

For details about setting policies for a specific Chrome extension, go to View and configure apps and extensions.

Step 4: Allow users to request extensions

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Devices > Chrome > Apps & extensions > Users & browsers.

    If you signed up for Chrome Browser Cloud Management, go to Menu > Chrome browser > Apps & extensions > Users & browsers.

  3. (Users only) To apply the setting to a group, do the following:
    1. Select Groups.
    2. Select the group to which you want to apply the setting.
  4. (Optional) To apply the setting to a department or team, at the side, select an organizational unit.
  5. On the right, click Additional settings.
  6. Scroll down to Allow/block mode.
  7. Under Chrome Web Store, select Block all apps, admin manages allowlist, users may request extensions.
  8. Click Save.

Step 5: Enable privileges

Before you can view and manage user extension requests, make sure you are assigned specific privileges in the Admin console. For more details, see View a user’s roles and privileges.

Note: If you cannot assign these privileges in the Privileges page, contact your admin.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Account > Admin roles.
  3. Click the link of the role you want to change.
  4. Click Privileges.
  5. Under Admin Console Privileges, scroll to Services > Chrome Management > Settings.
  6. Enable the following privileges:
    • Scroll to Managed Browsers and check Read.
    • Scroll to View Reports and check View Extensions List Report.
    • Scroll to Manage User Settings and check Manage Application Settings.
  7. Click Save.

Step 6: Manage extension requests

View and manage extensions that users have requested on the extension request page.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. In the Admin console, go to Menu > Devices > Chrome > Apps & extensions > Requests.

    If you signed up for Chrome Browser Cloud Management, go to Menu > Chrome browser > Apps & extensions > Requests.

  3. Click on the row of the extension that you want to set the installation policy for.
  4. Set the installation policy. Choose an option:
    • To let admins automatically install and pin the extension, choose the option that is available for the selected extension:
      • Force install + pin
      • Force install + pin to ChromeOS taskbar
      • Force install + pin to browser toolbar
    • Force install—Lets admins automatically install the extension.
    • Allow install—Lets users install the extension.
    • Block—Prevents users from installing the extension. Removes the extension from users that have it installed. Add a customized message to explain to users why you’re blocking the extension.
  5. Select the organizational unit you want to force install, allow install, or block the extension for.
  6. Click Save.

What users can do

Request an extension

  1. Open the Chrome Web Store.
  2. In the left column, click Extensions.
  3. Browse or search for the extension you want to add.
  4. Click Request. Sometimes you might see one of the following buttons instead:
    • Pending—You have already requested the extension and are waiting for approval.
    • Blocked by admin—Admin has rejected the request.
    • Installed—Admin has already force-installed the extension.
  5. Do one of the following:
    • If you’re requesting the extension for the first time, confirm that you want to send a request to your admin. Review the types of data that the extension will be able to access and click Send.
    • If you already requested the extension, you’ll see a message that lets you know you already requested it. Click OK.
    • If the admin blocked the extension, you’ll see a message that lets you know it’s blocked. Click OK.
  6. To check the status of extensions that you requested, in your browser window, go to chrome://extensions.

You'll see your installed extensions in Chrome as buttons on the taskbar. When your admin approves, automatically installs, or blocks the extension you requested, you’ll get a Chrome notification letting you know.

Verify policies are applied

Check users’ devices to make sure the policy was applied correctly.

  1. On a user’s device, go to chrome://policy.
  2. Click Reload policies.
  3. Check the Show policies with no value set box.
  4. For the CloudExtensionRequestEnabled policy, make sure that Status is set to OK and Policy value is True.
  5. For the CloudReportingEnabled policy, make sure that Status is set to OK and Policy value is True.
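
To repeat this check across several test devices without reading each page by eye, the following added example (not part of the original article or any Google tooling) audits a policy list saved as JSON from chrome://policy. The nesting of the export and the "value" and "error" field names are assumptions, so the search is layout-agnostic; SAMPLE_EXPORT is constructed data.

```python
import json

# The two policies this article tells you to verify.
REQUIRED = ("CloudExtensionRequestEnabled", "CloudReportingEnabled")

# Constructed sample; the layout of a chrome://policy JSON export is assumed.
SAMPLE_EXPORT = json.dumps({
    "policyValues": {"chrome": {"policies": {
        "CloudReportingEnabled": {
            "level": "mandatory", "scope": "machine",
            "source": "cloud", "value": True},
        "CloudExtensionRequestEnabled": {
            "level": "mandatory", "scope": "machine",
            "source": "cloud", "value": False},
    }}}
})

def find_policy(node, name):
    """Depth-first search for a policy entry, wherever the export nests it."""
    if isinstance(node, dict):
        entry = node.get(name)
        if isinstance(entry, dict) and "value" in entry:
            return entry
        children = node.values()
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        found = find_policy(child, name)
        if found is not None:
            return found
    return None

def check_export(text, required=REQUIRED):
    """Return {policy: finding}; a finding is 'ok' or the reason it fails."""
    data = json.loads(text)
    findings = {}
    for name in required:
        entry = find_policy(data, name)
        if entry is None:
            findings[name] = "not set"
        elif entry.get("error"):
            findings[name] = "error: %s" % entry["error"]
        elif entry["value"] is not True:
            findings[name] = "value is %r, expected True" % (entry["value"],)
        else:
            findings[name] = "ok"
    return findings

if __name__ == "__main__":
    for name, finding in check_export(SAMPLE_EXPORT).items():
        print(f"{name}: {finding}")
```

A device that reports "not set" for either policy has not received the setting from Step 1 or Step 4, which usually means it sits outside the organizational unit you configured.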

Set up alerts and rules for emails

Some admins want to be alerted by email when there is an extension request. You can do this by creating a rule. For details, see Create and manage rules from the Rules page.

You can create reporting rules or activity rules depending on your Google Workspace edition, your administrative privileges, and the data source. For more details, see Admin access to reporting rules & activity rules.

Before you begin

Reporting rules

You can create reporting rules if you have non-premium editions such as Business Starter, Business Standard, and Education Standard.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. Do one of the following:
    • From the Admin console Home page, on the left, go to Rules.
      • Click Create Rule > Reporting.
    • From the Admin console Home page, on the left, go to Reporting > Audit and investigation > Chrome log events.
      • Click Create reporting rule.
  3. Under Rule Details and Scope, enter a name for the rule.
  4. Click Next: View Conditions.
  5. Under Conditions, do the following:
    1. From Data Source, select Chrome Log Events.
    2. Click Add a filter and select Event.
    3. In the Event box, do the following:
      1. From the top list, select Is.
      2. From the bottom list, select Extension Request.
    4. Click Apply.
    5. Click Next: Add Actions.
  6. Under Actions, do the following:
    1. Make sure that Send to Alert Center is selected.
    2. Click Send email notifications.
    3. Click Add email recipients. The Select recipients box is displayed.
    4. Select the email recipients.
    5. Click Done.
    6. Click Next: Review.
  7. Under Review, do the following:
    1. Review the rule to make sure it is set up correctly.
    2. Click Create Rule.

See or modify the rule

  1. Do one of the following:
    • On the left, go to Rules.
    • On the left, go to Reporting > Manage Reporting Rules.

The rule you created should appear in the list.

See existing extension requests

  1. Go to Reporting > Auditing and investigation.
  2. Click the Data Source list.
  3. Click Chrome log events.
  4. Click Add filter.
  5. Select Event.
  6. In the Event box, do the following:
    1. From the top list, select Is.
    2. From the bottom list, select Extension Request.
  7. Click Apply.
  8. Click Search.

A list of extension request events is displayed.

Activity rules

You can create activity rules if you have premium editions such as Business Plus, Enterprise Plus, and Enterprise Essentials.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. Do one of the following:
    • From the Admin console Home page, on the left, go to Rules.
      • Click Create Rule > Activity.
    • From the Admin console Home page, on the left, go to Reporting > Audit and investigation > Chrome log events.
      • Click Create activity rule.
  3. Under Rule Details and Scope, enter a name for the rule.
  4. Click Next: View Conditions.
  5. Under Conditions, do the following:
    1. From Data Source, select Chrome Log Events.
    2. Select Event, Is, and Extension Request.
    3. Click Apply.
    4. Click Next: Add Actions.
  6. Under Actions, do the following:
    1. For Threshold, do the following:
      1. Select a time period, every 1 hour or every 24 hours.
      2. Select a comparator.
      3. Add a count.
        For example, you can select Every 24 hours, >, 100. This means for any given period of 24 hours, if your search returns more than 100 results, this rule is triggered.
    2. (Optional) Under Action, click Add action and select an action.
    3. (Optional) Under Severity, select a severity.
    4. Make sure that Send to Alert Center is selected.
    5. Click Send email notifications.
    6. Click Add email recipients. The Select recipients box is displayed.
    7. Select the email recipients.
    8. Click Done.
    9. Click Next: Review.
  7. Under Review, do the following:
    1. Review the rule to make sure it is set up correctly.
    2. Click Create Rule.

See or modify the rule

Do one of the following:

  • On the left, go to Rules.
  • On the left, go to Reporting > Manage Reporting Rules.
    • Remove the Reporting filter.

The rule you created should appear in the list.

See existing extension requests

Do one of the following:

  • On the left, go to Rules.
    1. Click the rule you want to view.
    2. Click Investigate.
      A tab is displayed with the conditions of your rule.
    3. For the conditions, ensure Chrome log events, Is, and Extension request are selected.
    4. Click Search.
  • On the left, go to Reporting > Auditing and investigation.
    1. Click the Data Source list.
    2. Click Chrome log events.
    3. Click Add filter.
    4. Select Event.
    5. In the Event box, do the following:
      1. From the top list, select Is.
      2. From the bottom list, select Extension Request.
    6. Click Apply.
    7. Click Search.

A list of extension request events is displayed.

Troubleshooting

Verify requests are sent

Check users’ devices to make sure the request was sent.

  1. On a user’s device, go to chrome://prefs-internals.
  2. Search for enterprise_reporting. You'll see a list of extension IDs and timestamps.

Known Issues

Newly enrolled browsers and ChromeOS devices can take up to 24 hours to send their requests to the Admin console.
