Allow or block apps and extensions

For administrators who manage Chrome policies from the Google Admin console.

Manage extensions in your enterprise with Chrome Enterprise Core.   Schedule a demo

As a Chrome Enterprise admin, you can control which apps or extensions users can install on managed Chrome browsers or ChromeOS devices.

This article gives a high-level overview of how to set policies for all users or customize settings for different groups. For more detailed information, see the guide Managing Extensions in Your Enterprise.

Before you begin

  • To make settings for a specific group of users or enrolled Chrome browsers, put the user accounts or browsers in a group or organizational unit. Only user accounts can be added to groups. For details, see Groups and Add an organizational unit.
  • To apply settings for Chrome browser users on Windows, Mac, or Linux computers, turn on Chrome browser management for the organizational unit that they belong to. See Turn on Chrome browser management.
  • Make sure that the Chrome Web Store service is turned on. Otherwise, your users can’t access the Chrome Web Store to browse or install apps and extensions, including ones that you allow.
    By default, the Chrome Web Store service is turned off in some Education domains. For details about turning on Chrome Web Store service for users, see Additional Google services.
    Note: Even if Chrome Web Store service is turned off, force-installed apps and extensions continue to automatically install and users can still sideload extensions.
  • There is a limit of 500 for the total number of apps times the number of groups.

Set policies in the Admin console

Can apply for signed-in users on any device or enrolled browsers on Windows, Mac, or Linux. For details, see Understand when settings apply.

Allow or block all apps and extensions except the ones you specify

These steps assume you're familiar with configuring Chrome settings in your Admin console.

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Go to Menu and then Devices > Chrome > Apps & extensions > Users & browsers.

    If you signed up for Chrome Browser Cloud Management, go to Menu and then Chrome browser > Apps & extensions > Users & browsers.

  3. (Users only) To apply the setting to a group, do the following:
    1. Select Groups.
    2. Select the group to which you want to apply the setting. 
  4. To apply the setting to all users and enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. On the right, click Additional settingsSettings.
  6. Go to Allow/block mode.
  7. Click Edit.
  8. For Play Store, choose what type of apps and extensions you want to let users install.
    Note: Only the primary account user can install apps and extensions from the Google Play store.
    • Allow all apps, admin manages blocklist—Users can install all apps and extensions from the Google Play Store, except the ones that you block.
    • Block all apps, admin manages allowlist—Users can only install the apps and extensions from the Google Play Store that you allow.
  9. For Chrome Web Store, choose what type of apps and extensions you want to let users install.
    • Allow all apps, admin manages blocklist—Users can install all apps and extensions from the Chrome Web Store, except the ones that you block.
    • Block all apps, admin manages allowlist—Users can only install the apps and extensions from Chrome Web Store that you allow.
    • Block all apps, admin manages allowlist, users may request extensions—Users can only install the apps and extensions from the Chrome Web Store that you allow, but they can also request the extensions that they need. Then, you can allow, block, or automatically install extensions that users request. For details, see Extension workflows: Let users request extensions.
  10. Click Save.
Block or allow one app

These steps assume you're familiar with configuring Chrome settings in your Admin console.

Tip: To block or allow an extension for enrolled browsers, it's easier to use the apps and extensions usage report. For details, go to View app and extension usage details.

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Go to Menu and then Devices > Chrome > Apps & extensions > Users & browsers.

    If you signed up for Chrome Browser Cloud Management, go to Menu and then Chrome browser > Apps & extensions > Users & browsers.

  3. (Users only) To apply the setting to a group, do the following:
    1. Select Groups.
    2. Select the group to which you want to apply the setting. 
  4. To apply the setting to all users and enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. Find the app that you want to configure policies for.
  6. Under Installation policy, choose Block.
  7. Click Save.
Block apps and extensions based on permissions

These steps assume you're familiar with configuring Chrome settings in your Admin console.

You can prevent users from running apps or extensions that request certain permissions that your organization doesn’t allow. For example, you can block extensions that connect to USB devices or access cookies.

  1. Sign in with an administrator account to the Google Admin console.

    If you aren’t using an administrator account, you can’t access the Admin console.

  2. Go to Menu and then Devices > Chrome > Apps & extensions > Users & browsers.

    If you signed up for Chrome Browser Cloud Management, go to Menu and then Chrome browser > Apps & extensions > Users & browsers.

  3. (Users only) To apply the setting to a group, do the following:
    1. Select Groups.
    2. Select the group to which you want to apply the setting. 
  4. To apply the setting to all users and enrolled browsers, leave the top organizational unit selected. Otherwise, select a child organizational unit.
  5. On the far right, click Additional settings Settings.
  6. Next to Permissions and URLs, check each permission you want to block. For details about permissions, go to Chrome app and extension permissions.
  7. Click Save.

How to manage security settings for apps and extensions

For a step by step guide, watch this how-to demo video

Managing security settings for apps and extensions

Related topics

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?

Need more help?

Try these next steps:

Post to the help community Get answers from community members
true
Search
Clear search
Close search
Main menu
6875412951535020501
true
Search Help Center
true
true
true
true
true
410864
false
false
false