Search
Clear search
Close search
Google apps
Main menu
true

Are your Chrome devices having WiFi connection problems? Fix now

Set extension policies for Mac

As an administrator, you can control the behavior of Chrome apps and extensions on Apple® Mac® computers. To configure app and extension policies, you need to set the ExtensionsSettings policy on each computer where you want the new settings to take effect.

Before you begin

Check policies you already set

Before you set the ExtensionSettings policy, you need to check to make sure it's functionally equivalent to extension policies that you’ve already set. The ExtensionSettings policy overrides the following extension policies:

  • ExtensionAllowedTypes
  • ExtensionInstallBlacklist
  • ExtensionInstallForcelist
  • ExtensionInstallSources
  • ExtensionInstallWhitelist

Update configuration policy

You can set the ExtensionSettings policy on Mac computers using configuration profiles. When you install the configuration profile on a device, the settings are applied. To set specific app and extension policies for the profile, see Customize app and extension policies.

Customize app and extension policies

When you're updating the configuration profile, you can customize app and extension policies to suit your organization.

Before you begin: For any customization, you'll need to note the Chrome app or extension ID.

Choose how apps or extensions are installed

You can control whether an app or extension is blocked, allowed, or automatically installed on devices. This overrides the ExtensionInstallForcelist policy.

In the ExtensionSettings policy, you can set the installation mode to:

  • allowed—Users can install apps and extensions from the Chrome Web Store. If no installation mode is defined, this is the default.
  • blocked—Users can’t install apps or extensions from the Chrome Web Store. You can define a custom error message that lets users know it’s blocked.
  • force_installed—Automatically install extensions that you specify without user interaction. Users can’t disable or remove them. You also need to define the extension download location.
  • normal_installed—Automatically install extensions that you specify without user interaction. Users can disable them. You also need to define the extension download location.

Example installation code

Download the complete configuration profile that contains the example. You can edit it using a text editor.

The example shows you how to:

  • Automatically install Google Hangouts (nckgahadagoaajjgafhacjanaoiihapd) and Google Keep (lpcaedmchfhocbbapmcbpinfpgnhiddi) on user devices.
  • Allow users to disable Keep but not Hangouts.
  • Allow users to install Google Calendar (gmbgaklkmjakoegficnlkhebmhkjfich) from the Chrome Web Store.
  • Prevent users from installing any other apps or extensions.

<key>ExtensionSettings</key>
<dict>
 <key>*</key>
 <dict>
   <key>installation_mode</key>
   <string>blocked</string>
 </dict>
 <key>nckgahadagoaajjgafhacjanaoiihapd</key>
 <dict>
   <key>installation_mode</key>
   <string>force_installed</string>
   <key>update_url</key>
   <string>https://clients2.google.com/service/update2/crx</string>
 </dict>
 <key>lpcaedmchfhocbbapmcbpinfpgnhiddi</key>
 <dict>
   <key>installation_mode</key>
   <string>normal_installed</string>
   <key>update_url</key>
   <string>https://clients2.google.com/service/update2/crx</string>
 </dict>
 <key>gmbgaklkmjakoegficnlkhebmhkjfich</key>
 <dict>
   <key>installation_mode</key>
   <string>allowed</string>
 </dict>
</dict>

Define the extension download location

If you automatically install an extension on devices, you need to specify where Chrome should download it. You only need to do this if you set installation_mode to force_installed or normal_installed.

To define the extension download location, choose an option:

  • If the extension is hosted in the Chrome Web Store, enter https://clients2.google.com/service/update2/crx.
  • If you host the extension on your own server, enter the URL where Chrome can download the packed extension (.crx file).

Example extension download location code

This example shows you how to automatically install Google Hangouts (nckgahadagoaajjgafhacjanaoiihapd).

<key>ExtensionSettings</key>
<dict>
 <key>nckgahadagoaajjgafhacjanaoiihapd</key>
 <dict>
   <key>installation_mode</key>
   <string>force_installed</string>
   <key>update_url</key>
   <string>https://clients2.google.com/service/update2/crx</string>
 </dict>
</dict>

Set custom message for blocked apps and extensions

If your policy blocks users from installing certain apps or extensions, you can specify a custom message to display on devices if users try to install them. For example, you can tell users how to contact their IT department or why a particular extension is unavailable. The message can be up to 1,000 characters long.

Example custom-message code

Download the complete configuration profile that contains the example. You can edit it using a text editor.

The example shows you how to:

  • Display a specific message for Google Calendar (gmbgaklkmjakoegficnlkhebmhkjfich).
  • Display a generic message for all other apps and extensions.

<key>ExtensionSettings</key>
<dict>
  <key>*</key>
  <dict>
    <key>blocked_install_message</key>
    <string>Contact IT admin for help.</string>
  </dict>
  <key>cdacconmaakjimmfgnblocblbcdcpbkn</key>
  <dict>
    <key>blocked_install_message</key>
    <string>Instead, please call IT for help.</string>
    <key>installation_mode</key>
    <string>blocked</string>
  </dict>
</dict>

Prevent users from running apps or extensions based on permissions

You can prevent users from running apps or extensions that request certain permissions that your organization doesn’t allow. For example, you can block extensions that connect to USB devices or access cookies. For a list of available permissions, see Chrome app and extension permissions.

Example prevent permission code

Download the complete configuration profile that contains the example. You can edit it using a text editor.

The example shows you how to:

  • Only allow Chrome Remote Desktop (gbchcmhmhahfdphkhkmpfmihenigjmpp), which requires USB permission.
  • Block all other apps that require USB permission.

<key>ExtensionSettings</key>
<dict>
  <key>*</key>
  <dict>
    <key>blocked_permissions</key>
    <array>
      <string>usb</string>
    </array>
  <dict>
  <key>gbchcmhmhahfdphkhkmpfmihenigjmpp</key>
  <dict>
  </dict>
</dict>

Prevent apps and extensions from altering webpages

You can prevent extensions on devices from modifying websites that you specify. Modifications include blocking script injection, cookie access, and web-request modifications. This setting doesn’t prevent users from installing or removing extensions.

You can use 2 settings:

  • runtime_blocked_hosts—Prevents extensions from interacting with specified websites.

  • runtime_allowed_hosts—Allows extensions to interact with specified websites, even if they’re also defined in runtime_blocked_hosts.

The format of host patterns is [http|https|ftp|*]://[subdomain|*].[hostname|*].[eTLD|*], where

  • [http|https|ftp|*], [hostname|*], and [eTLD|*] are required.
  • [subdomain|*] is optional.
Valid host patterns Matches Doesn't match
 *://*.example.* http://example.com
https://test.example.co.uk
https://example.google.com
http://example.google.co.uk
http://example.* http://example.com http://example.ly https://example.com
http://test.example.com
http://example.com http://example.com https://example.com
http://test.example.co.uk
http://*.example.com http://example.com
http://test.example.com
http://t.t.example.com
https://example.com
https://test.example.com
http://example.co.* http://example.co.com
http://example.co.co.uk
http://example.co.uk
http://*.test.example.com http://t.test.example.com
http://test.example.com
http://not.example.com
*://*.* All Urls  
Invalid host patterns    

http://t.*.example.com

http*://example.com

http://*example.com

http://example.com/

http://example.com/*

   

Example code to prevent webpage modification

Download the complete configuration profile that contains the example. You can edit it using a text editor.

The example shows you how to:

  • Block extensions from accessing *.example.com webpages.
  • Block extensions that require USB permission.

<key>ExtensionSettings</key>
<dict>
  <key>*</key>
  <dict>
    <key>runtime_blocked_hosts</key>
    <array>
      <string>*://*.example.com</string>
    </array>
    <key>blocked_permissions</key>
    <array>
      <string>usb</string>
    </array>
  </dict>
</dict>

Validate policies

Check Chrome policies on devices

After you apply any Chrome extension policy, you should check all user devices to make sure the policy was applied correctly.

  1. On a managed Chrome device, browse to chrome://policy.

  2. Click Reload policies.

  3. In the top right, in the Filter policies by field box, enter ExtensionSettings.

  4. Check the Show policies with no value set box.

  5. Under the Chrome policy name next to each extension setting, make sure Status is set to OK.

  6. Click Show value and make sure the value field isn’t empty.

Was this article helpful?
How can we improve it?