Search
Clear search
Close search
Google apps
Main menu
true

Are your Chrome devices having WiFi connection problems? Fix now

Manage Chrome apps by organizational unit

As an administrator, you can manage Chrome apps and extensions for users by organizational unit. For example, you can automatically install a certain app or extension on devices for certain groups of people and block it for others. You might also want to prevent apps or extensions from altering webpages. If so, you can block certain URLs.

You can also configure settings and policies for individual Chrome apps.

Before you begin

Before you can manage specific Chrome apps and extensions for users in a certain organization, you need to turn on the Chrome Web Store for those users.

Configure Chrome app and extension policies

Choose how to install apps and extensions

By default, users can install any app or extension on their device. As an administrator, you can block specific apps and extensions that you don’t want users to install. Or, you can restrict them to only installing apps and extensions that you specify. You can also automatically install specific apps and extensions that users can’t uninstall.

When you choose to automatically install an app or extension on devices, it’s added to the list of force-installed apps and extensions. Apps and extensions on the force-installed list override apps and extensions that you blacklisted. Therefore, Chrome apps that you automatically install using the Google Admin console, Google Play for Education, and ExtensionInstallForcelist, take precedence over apps that you blacklisted.

Allow, install, or block Chrome apps

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Device managementand thenChrome management.

    If you don't see Device management on the dashboard, click More controls at the bottom.

  3. Click User settings.
  4. On the left, select the organization where you want to configure the app or extension policy.
    For everyone in your organization, select the top-level organization. Otherwise, select a child organization.
  5. Go to the Apps and Extensions section.
  6. If you want to automatically install a specific app or extension on devices:
    1. Next to Force-installed Apps and Extensions, click Manage force-installed apps.
    2. Select the apps or extensions that you want to automatically install on devices and click Add. If you need help, see How to select apps and extensions.
    3. Click Save.
  7. If you want to specify apps and extensions that users can or can’t install:
    1. Next to Allow or Block All Apps and Extensions, choose an option.
    2. Next to Allowed Apps and Extensions, click Manage.
    3. Select the apps or extensions that you want to block or allow and click Add. If you need help, see How to select apps and extensions.
    4. Click Save.
  8. If you want to allow or block extensions that request certain permissions:
    1. Next to Block extensions by Permission, choose an option.
    2. Check the permissions that you want to allow or block.
  9. If you want to pin an installed app or extension to the Chrome launcher:
    1. Next to Pinned Apps and Extensions, click Manage pinned apps.
    2. Select the apps or extensions that you want to pin to the Chrome launcher and click Add. If you need help, see How to select apps and extensions.
    3. Click Save.
  10. Click Save.

Prevent apps and extensions from altering webpages

You can prevent apps or extensions from modifying websites that you specify. Modifications include blocking script injection, cookie access, and web-request modifications. This setting doesn’t prevent users from installing or removing extensions.

You can use 2 settings:

  • Blocked URLs—Prevents an app or extension from interacting with specified hosts.
  • Allowed URLs—Allows an app or extension to interact with specified hosts, even if they’re also defined in Blocked URLs.

The format of host patterns is [http|https|ftp|*]://[subdomain|*].[hostname|*].[eTLD|*], where

  • [http|https|ftp|*], [hostname|*], and [eTLD|*] are required, and
  • [subdomain|*] is optional.

For example, if users host code in a third-party code repository, you can make sure that Chrome extensions can't steal or modify that code. To do this, block the repository’s webpage URL.

Prevent webpage modification

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Device managementand thenChrome management.

    If you don't see Device management on the dashboard, click More controls at the bottom.

  3. Click User settings.
  4. On the left, select the organization where you want to configure policies.
    For everyone in the organization, select the top-level organization. Otherwise, select a child organization.
  5. Enter the webpage URLs for Blocked URLs and Allowed URLs.
  6. Click Save.
Valid host patterns Matches Doesn't match
 *://*.example.* http://example.com
https://test.example.co.uk
https://example.google.com
http://example.google.co.uk
http://example.* http://example.com http://example.ly https://example.com
http://test.example.com
http://example.com http://example.com https://example.com
http://test.example.co.uk
http://*.example.com http://example.com
http://test.example.com
http://t.t.example.com
https://example.com
https://test.example.com
http://example.co.* http://example.co.com
http://example.co.co.uk
http://example.co.uk
http://*.test.example.com http://t.test.example.com
http://test.example.com
http://not.example.com
*://*.* All Urls  
Invalid host patterns    

http://t.*.example.com

http*://example.com

http://*example.com

http://example.com/

http://example.com/*

   

How to select apps and extensions

You can find most of the apps and extensions you need in the Chrome Web Store, but you can also manage third-party apps and extensions. How you block or install them depends on what type of app or extension it is.

Chrome Web Store app or extension

  1. On the left, click Chrome Web Store.
  2. Enter the name of the app or extension in the text box.
  3. Press Enter to search the Chrome Web Store. Items matching your search criteria appear in the left column.
  4. Select the app or extension.
  5. Finish steps to allow, install, or block Chrome apps (above).

Chrome Web Store app or extension that’s published to trusted testers

  1. On the left, click Specify a Custom App.
  2. For ID, enter the Chrome app or extension identity.
  3. For URL, enter https://clients2.google.com/service/update2/crx.
  4. Finish steps to allow, install, or block Chrome apps (above).

Third-party app or extension

  1. On the left, click Specify a Custom App.
  2. Enter the app or extension ID and URL.
    Note: You'll need to contact the app developer for the ID and URL. https://thirdparty.com/update.xml is an example of a third-party URL.
  3. Finish steps to allow, install, or block Chrome apps (above).

Example scenarios for preventing webpage modification

Allow certain apps to modify a webpage

Your organization has multiple subdomains with different top-level domains, such as example.com, example.info, example.co.uk, and so on. You want to prevent Chrome apps and extensions from modifying your organization’s webpages. However, you want to allow your organization’s own private app to alter your organization’s webpages.

How to

  1. Configure general settings for all apps and extensions:
    1. Follow the steps to prevent apps and extensions from altering webpages for everyone in the organization.
    2. For Blocked URLs, enter *://.example.*.
  2. Configure settings for a specific app or extension:
    1. For your organization’s private app, follow the steps to configure app and extension policies.
    2. For Allowed URLs, enter *://*.*. (See Block extensions by permission.)
Customize what users can install and access

You want to validate any apps and extensions that your users install. You also want to specify certain webpages that apps or extensions can access.

  • Extension1 can only access transport layer security (TLS) secured pages on private.example.com.
  • Extension2 can access unencrypted pages on public.example.com.

How to

  1. Configure general settings for all apps and extensions:
    1. Follow the steps to prevent apps and extensions from altering webpages for everyone in the organization.
    2. For Blocked URLs, enter *://*.*.
  2. Configure settings for Extension1:
    1. Follow the steps to configure app and extension policies.
    2. For Blocked URLs, enter *://*.*. (See Block extensions by permission.)
    3. For Allowed URLs, enter https://private.example.com. (See Block extensions by permission.)
  3. Configure settings for Extension2:
    1. Follow the steps to configure app and extension policies.
    2. For Blocked URLs, enter *://*.*. (See Block extensions by permission.)
    3. For Allowed URLs, enter http://public.example.com. (See Block extensions by permission.)

Related topics

Was this article helpful?
How can we improve it?