Allow or block apps and extensions

This page is for IT administrators who manage Chrome Browsers or Chrome OS devices for a business or school.

As a Chrome Enterprise admin, you can control which apps or extensions users can install on managed Chrome Browsers or devices that use Chrome OS. By default, users can install any app or extension.

You can set policies that apply for all users in your organization. You can also customize settings for groups of users.

Before you begin

To manage Chrome apps and extensions for users, you need to turn on their Chrome Web Store service in your Admin console. Find this service in your Admin console by going to Apps > Additional Google Services. For steps, see Turn Additional Google Services on or off.

Set policies in the Admin console

Applies when users are signed in to a managed Google Account on a Chrome Browser or device running Chrome OS.

Allow all apps but those you want to block

These steps assume you're familiar with setting app and extension policies on the Chrome management User settings page. If you need more details, see Set a Chrome policy for multiple apps.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Device managementand thenChrome management.

    If you don't see Device management on the Home page, click More controls at the bottom.

  3. Click User settings.
  4. On the left, select the organization containing the users you want to set policies for.
  5. Next to Allow or Block All Apps and Extensions, choose the option to allow apps and extensions except ones you block.
  6. Next to Allowed Apps and Extensions, click Manage. Then select each app or extension you want to block.
  7. Click Save.
Block all apps but those you want to allow

These steps assume you're familiar with setting app and extension policies on the Chrome management User settings page. If you need more details, see Set a Chrome policy for multiple apps.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Device managementand thenChrome management.

    If you don't see Device management on the Home page, click More controls at the bottom.

  3. Click User settings.
  4. On the left, select the organization containing the users you want to set policies for.
  5. Next to Allow or Block All Apps and Extensions, choose the option to block all apps and extensions except ones you allow.
  6. Next to Allowed Apps and Extensions, click Manage. Then select each app or extension you want to allow.
  7. Click Save.
Block or allow one app

These steps assume you're familiar with setting policies on the Chrome management App management page. If you need more details, see Set Chrome policies for one app.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Device managementand thenChrome management.

    If you don't see Device management on the Home page, click More controls at the bottom.

  3. Click App management. Then select the app or extension you want to block or allow.
  4. Select the category of settings you want to configure:
    • User settings: Allow or block the app for users who sign in with an account in your domain.
    • Public session settings: Allow or block the app for users who sign in to a public session on your devices.
  5. On the left, select the organization containing the users you want to allow or block the app for.
  6. Under Allow installation, click to either block Turn off icon or allow Turn on icon the app.

    Initially, an organization inherits the settings of its parent. If you're changing a setting for a child organization:

    • To override an inherited value, click Override. You can then change the setting.
    • To return an overridden setting to the value of its parent, click Inherit.
  7. Click Save.
Block apps and extensions based on permissions

These steps assume you're familiar with setting app and extension policies on the Chrome management User settings page. For more details, see Set a Chrome policy for multiple apps.

You can prevent users from running apps or extensions that request certain permissions that your organization doesn’t allow. For example, you can block extensions that connect to USB devices or access cookies.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Device managementand thenChrome management.

    If you don't see Device management on the Home page, click More controls at the bottom.

  3. Click User settings.
  4. On the left, select the organization containing the users you want to set policies for.
  5. Next to Block extensions by permission, select the option to either block or allow apps that request the permissions you select.
  6. Check each permission to block or allow.

    See details about Chrome app and extension permissions.

  7. Click Save.

Related topics

Was this article helpful?
How can we improve it?