Set Chrome app and extension policies (Mac)

Applies to Mac users who sign in to a managed account on Chrome browser.

As an administrator, you can automatically install Chrome apps and extensions on users' computers. You can also control which apps or extensions users can install. You set the default policies for all apps and extensions. Then, if you want to customize policies for specific apps or extensions, you can override your defaults.

Step 1: Review the policy

Policy Description and settings
ExtensionSettings

Manage the apps and extensions users can install. 

Overrides the following extension policies (which might already be set):

Step 2: Update the configuration profile

In your Chrome configuration profile,

  1. Add or update the ExtensionSettings key.
  2. Set your desired app and extension policies (details below).

Step 3: Get Chrome app or extension IDs

Skip this step if you're not going to customize policies for specific apps or extensions.

To apply policies and settings to a specific Chrome app or extension, you need to identify it. Every app and extension in the Chrome Web Store has its own unique identification (ID) that doesn’t change across versions. So, if a user installs a specific app or extension on multiple devices, it has the same ID on all devices. Each ID is 32 characters long. 

To find an app or extension ID:

  1. Open the Chrome Web Store.
  2. Find and select the app or extension you want.
  3. Look at the URL. The ID is the long string of characters at the end of the URL.
    For example, gmbgaklkmjakoegficnlkhebmhkjfich is the ID for Google Calendar.

Step 4: Set app and extension policies

For each implementation (sample code below):
  • Set a default policy that applies for all apps and extensions. Use the * value.
  • (Optional) Customize the policy for individual apps or extensions. Use the app or extension ID (details above).
Set installation policies (automatically install, force install, allow, or block)

You can control whether an app or extension is blocked, allowed, or automatically installed on devices. This overrides the ExtensionInstallForcelist policy.

In the ExtensionSettings policy, set the installation mode to:

  • allowed—Users can install apps and extensions from the Chrome Web Store. If no installation mode is defined, this is the default.
  • blocked—Users can’t install apps or extensions from the Chrome Web Store. You can define a custom error message that lets users know it’s blocked (details below).
  • force_installed—Automatically install extensions that you specify without user interaction. Users can’t disable or remove them. You also need to define the extension download location (details below).
  • normal_installed—Automatically install extensions that you specify without user interaction. Users can disable them. You also need to define the extension download location (details below).

Example installation code

Download the complete configuration profile that contains the example. You can edit it using a text editor.

The example shows how to:

  • Automatically install Google Docs Offline (ghbmnnjooekpmoecnnnilnnbdlolhkhi) and Google Keep (lpcaedmchfhocbbapmcbpinfpgnhiddi) on user devices.
  • Allow users to disable Keep but not Docs Offline.
  • Allow users to install Google Calendar (gmbgaklkmjakoegficnlkhebmhkjfich) from the Chrome Web Store.
  • Prevent users from installing any other apps or extensions.

<key>ExtensionSettings</key>
<dict>
 <key>*</key>
 <dict>
   <key>installation_mode</key>
   <string>blocked</string>
 </dict>
 <key>ghbmnnjooekpmoecnnnilnnbdlolhkhi</key>
 <dict>
   <key>installation_mode</key>
   <string>force_installed</string>
   <key>update_url</key>
   <string>https://clients2.google.com/service/update2/crx</string>
 </dict>
 <key>lpcaedmchfhocbbapmcbpinfpgnhiddi</key>
 <dict>
   <key>installation_mode</key>
   <string>normal_installed</string>
   <key>update_url</key>
   <string>https://clients2.google.com/service/update2/crx</string>
 </dict>
 <key>gmbgaklkmjakoegficnlkhebmhkjfich</key>
 <dict>
   <key>installation_mode</key>
   <string>allowed</string>
 </dict>
</dict>

Pin app or extension updates

You can pin the latest version of a Chrome app or extension to control when they are updated to a newer version. In the ExtensionSettings policy, set override_update_url to:

  • True—Chrome browser uses the update_URL that you specify in this policy, or the URL that you specify in the ExtensionInstallForcelist policy.
  • False—This is the default. Chrome browser uses the URL specified in the extension's manifest.
  

Example extension download location code

This example shows you how to:
  • Automatically install Google Docs Offline (ghbmnnjooekpmoecnnnilnnbdlolhkhi) on user devices.
  • Always install and update Google Docs Offline using the update_URL specified in this policy.
<key>ExtensionSettings</key>
<dict>
 <key>ghbmnnjooekpmoecnnnilnnbdlolhkhi</key>
 <dict>
   <key>installation_mode</key>
   <string>force_installed</string>
   <key>update_url</key>
   <string>https://clients2.google.com/service/update2/crx</string>
   <key>override_update_url</key>
   <boolean>true</boolean>
 </dict>
</dict>
Define the extension download location

Only applies to force_installed and normal_installed.

If you automatically install an extension on devices, you need to specify where Chrome should download it.

To define the extension download location, choose an option:

  • If the extension is hosted in the Chrome Web Store, enter https://clients2.google.com/service/update2/crx.
  • If you host the extension on your own server, enter the URL where Chrome can download the packed extension (.crx file).

Example extension download location code

This example shows you how to automatically install Google Docs Offline (ghbmnnjooekpmoecnnnilnnbdlolhkhi).

<key>ExtensionSettings</key>
<dict>
 <key>ghbmnnjooekpmoecnnnilnnbdlolhkhi</key>
 <dict>
   <key>installation_mode</key>
   <string>force_installed</string>
   <key>update_url</key>
   <string>https://clients2.google.com/service/update2/crx</string>
 </dict>
</dict>

Set custom message for blocked apps and extensions

If your policy blocks users from installing certain apps or extensions, you can specify a custom message to display on devices if users try to install them. For example, you can tell users how to contact their IT department or why a particular extension is unavailable. The message can be up to 1,000 characters long.

Example custom-message code

Download the complete configuration profile that contains the example. You can edit it using a text editor.

The example shows how to:

  • Display a specific message for Google Calendar (gmbgaklkmjakoegficnlkhebmhkjfich).
  • Display a generic message for all other apps and extensions.

<key>ExtensionSettings</key>
<dict>
  <key>*</key>
  <dict>
    <key>blocked_install_message</key>
    <string>Contact IT admin for help.</string>
  </dict>
  <key>cdacconmaakjimmfgnblocblbcdcpbkn</key>
  <dict>
    <key>blocked_install_message</key>
    <string>Instead, please call IT for help.</string>
    <key>installation_mode</key>
    <string>blocked</string>
  </dict>
</dict>

Prevent users from running apps or extensions based on permissions

You can prevent users from running apps or extensions that request certain permissions that your organization doesn’t allow. For example, you can block extensions that connect to USB devices or access cookies.

For a list of available permissions, see Chrome app and extension permissions.

Example prevent permission code

Download the complete configuration profile that contains the example. You can edit it using a text editor.

The example shows you how to:

  • Only allow Chrome Remote Desktop (gbchcmhmhahfdphkhkmpfmihenigjmpp), which requires USB permission.
  • Block all other apps that require USB permission.

<key>ExtensionSettings</key>
<dict>
  <key>*</key>
  <dict>
    <key>blocked_permissions</key>
    <array>
      <string>usb</string>
    </array>
  <dict>
  <key>gbchcmhmhahfdphkhkmpfmihenigjmpp</key>
  <dict>
  </dict>
</dict>

Prevent apps and extensions from altering webpages

You can prevent extensions on devices from modifying websites that you specify. Modifications include blocking script injection, cookie access, and web-request modifications. This setting doesn’t prevent users from installing or removing extensions.

You can use 2 settings:

  • runtime_blocked_hosts—Prevents extensions from interacting with specified websites.

  • runtime_allowed_hosts—Allows extensions to interact with specified websites, even if they’re also defined in runtime_blocked_hosts.

The format of host patterns is [http|https|*]://[subdomain|*].[hostname|*].[eTLD|*], where

  • [http|https|*], [hostname|*], and [eTLD|*] are required
  • [subdomain|*] is optional.
Valid host patterns Matches Doesn't match
 *://*.example.* http://example.com
https://test.example.co.uk
https://example.google.com
http://example.google.co.uk
http://example.* http://example.com http://example.ly https://example.com
http://test.example.com
http://example.com http://example.com https://example.com
http://test.example.co.uk
http://*.example.com http://example.com
http://test.example.com
http://t.t.example.com
https://example.com
https://test.example.com
http://example.co.* http://example.co.com
http://example.co.co.uk
http://example.co.uk
http://*.test.example.com http://t.test.example.com
http://test.example.com
http://not.example.com
*://* All Urls  

 

Invalid host patterns

  • http://t.*.example.com
  • http*://example.com
  • http://*example.com
  • http://example.com/
  • http://example.com/*

Example code to prevent webpage modification

Download the complete configuration profile that contains the example. You can edit it using a text editor.

The example shows how to:

  • Block extensions from accessing *.example.com webpages.
  • Block extensions that require USB permission.

<key>ExtensionSettings</key>
<dict>
  <key>*</key>
  <dict>
    <key>runtime_blocked_hosts</key>
    <array>
      <string>*://*.example.com</string>
    </array>
    <key>blocked_permissions</key>
    <array>
      <string>usb</string>
    </array>
  </dict>
</dict>

Step 5: Deploy to users and validate policies

After you deploy any Chrome extension policy, check user devices to make sure the policy was applied correctly.

  1. On a managed ChromeOS device, browse to chrome://policy.

  2. Click Reload policies.

  3. In the top right, in the Filter policies by field box, enter ExtensionSettings.

  4. Check the Show policies with no value set box.

  5. Under the Chrome policy name next to each extension setting, make sure Status is set to OK.

  6. Click Show value and make sure the value field isn’t empty.

Related topics

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu