Set Chrome app and extension policies (Windows)

Applies to Windows users who sign in to a managed account on Chrome Browser.

As an administrator, you can automatically install Chrome apps and extensions on users' computers. You can also control which apps or extensions users can install. You set the default policies for all apps and extensions. Then, if you want to customize policies for specific apps or extensions, you can override your defaults.

Step 1: Review the policy

Policy Description and settings
ExtensionSettings

Manage the apps and extensions users can install. 

Overrides the following extension policies (which might already be set):

Step 2: Update your Group Policies

In your Microsoft Windows Group Policy Editor (Computer or User Configuration folder):

  1. Go to Administrative Templates and then Google and then Google Chrome and then Extensions.
  2. Open Extension management settings.
    Tip: If you don’t see the policy, download the latest policy template.
  3. Enable the policy and enter its compact JavaScript® Object Notation (JSON) data in the text box.
    Note: Enter JSON data as a single line with no line breaks. You can use this third-party JSON compression tool to validate policies and compact them into a single line (example JSON data below).
  4. Set your desired app and extension policies (details below).
Example JSON data
{
  "*": {
    "runtime_blocked_hosts": ["*://*.example.com"],
    "blocked_permissions": ["usb"]
  }
}
Compact JSON data
{"*":{"runtime_blocked_hosts":["*://*.example.com"],"blocked_permissions":["usb"]}}

Step 3: Get Chrome app or extension IDs

Skip this step if you're not going to customize policies for specific apps or extensions.

To apply policies and settings to a specific Chrome app or extension, you need to identify it. Every app and extension in the Chrome Web Store has its own unique identification (ID) that doesn’t change across versions. So, if a user installs a specific app or extension on multiple devices, it has the same ID on all devices. Each ID is 32 characters long. 

To find an app or extension ID:

  1. Open the Chrome Web Store.
  2. Find and select the app or extension you want.
  3. Look at the URL. The ID is the long string of characters at the end of the URL.
    For example, nckgahadagoaajjgafhacjanaoiihapd is the ID for Google Hangouts.

Step 4: Set app and extension policies

For each implementation (sample code below):
  • Set a default policy that applies for all apps and extensions. Use the * value.
  • (Optional) Customize the policy for individual apps or extensions. Use the app or extension ID (details above).
Set installation policies (automatically install, force install, allow, or block)

To automatically install an app or extension that’s not in the Chrome Web Store, computers must be joined to a domain using Microsoft® Active Directory®.

You can control whether an app or extension is blocked, allowed, or automatically installed on devices. This overrides the ExtensionInstallForcelist policy.

In the ExtensionSettings policy, set the installation mode to:

  • allowed—Users can install apps and extensions from the Chrome Web Store. If no installation mode is defined, this is the default.
  • blocked—Users can’t install apps or extensions from the Chrome Web Store. You can define a custom error message that lets users know it’s blocked (details below).
  • force_installed—Automatically install extensions that you specify without user interaction. Users can’t disable or remove them. You also need to define the extension download location (details below).
  • normal_installed—Automatically install extensions that you specify without user interaction. Users can disable them. You also need to define the extension download location (details below).

Example installation code

Download an example JSON file here. You can edit it using a text editor.

The example shows how to:

  • Automatically install Google Hangouts (nckgahadagoaajjgafhacjanaoiihapd) and Google Keep (lpcaedmchfhocbbapmcbpinfpgnhiddi) on user devices.
  • Allow users to disable Keep but not Hangouts.
  • Allow users to install Google Calendar (gmbgaklkmjakoegficnlkhebmhkjfich) from the Chrome Web Store.
  • Prevent users from installing any other apps or extensions.
Define the extension download location

Only applies to force_installed and normal_installed.

If you automatically install an extension on devices, you need to specify where Chrome should download it.

To define the extension download location, choose an option:

  • If the extension is hosted in the Chrome Web Store, enter https://clients2.google.com/service/update2/crx.
  • If you host the extension on your own server, enter the URL where Chrome can download the packed extension (.crx file).

Example extension download location code

This example shows you how to automatically install Google Hangouts (nckgahadagoaajjgafhacjanaoiihapd).
{
  "nckgahadagoaajjgafhacjanaoiihapd": {
    "installation_mode": "force_installed",
    "update_url": "https://clients2.google.com/service/update2/crx"
  }
}
Set custom message for blocked apps and extensions

If your policy blocks users from installing certain apps or extensions, you can specify a custom message to display on devices if users try to install them. For example, you can tell users how to contact their IT department or why a particular extension is unavailable. The message can be up to 1,000 characters long.

Example custom-message code

Download an example JSON file here. You can edit it using a text editor.

The example shows how to:

  • Display a specific message for Google Calendar (gmbgaklkmjakoegficnlkhebmhkjfich).
  • Display a generic message for all other apps and extensions.
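
The installation modes, download location, and message limit described above can be checked before the JSON is pasted into Group Policy. The following is an added example, not Google's code: it builds a constructed policy that follows the installation example described on this page, lints it against the rules stated here, and compacts it to a single line. The names lint_policy, compact, and SAMPLE_POLICY, and the message text, are assumptions made for the example.

```python
import json
import re

CWS_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Only the installation modes listed on this page are accepted here.
MODES = {"allowed", "blocked", "force_installed", "normal_installed"}
AUTO_INSTALL = {"force_installed", "normal_installed"}
EXT_ID = re.compile(r"^[a-p]{32}$")  # 32 characters; Chrome IDs use only a-p
MAX_MESSAGE = 1000  # message limit stated on this page

# Constructed policy following the installation example described on this page.
SAMPLE_POLICY = {
    "nckgahadagoaajjgafhacjanaoiihapd": {  # Hangouts: users can't disable it
        "installation_mode": "force_installed", "update_url": CWS_UPDATE_URL},
    "lpcaedmchfhocbbapmcbpinfpgnhiddi": {  # Keep: users can disable it
        "installation_mode": "normal_installed", "update_url": CWS_UPDATE_URL},
    "gmbgaklkmjakoegficnlkhebmhkjfich": {"installation_mode": "allowed"},
    "*": {"installation_mode": "blocked",
          "blocked_install_message": "Blocked by IT. Contact the help desk."},
}

def lint_policy(policy):
    """Return a list of problems found in an ExtensionSettings dict."""
    problems = []
    for key, settings in policy.items():
        if key != "*" and not EXT_ID.match(key):
            problems.append(f"{key}: not a 32-character extension ID")
        mode = settings.get("installation_mode", "allowed")
        if mode not in MODES:
            problems.append(f"{key}: unknown installation_mode {mode!r}")
        if mode in AUTO_INSTALL and not settings.get("update_url"):
            problems.append(f"{key}: {mode} needs update_url")
        if len(settings.get("blocked_install_message", "")) > MAX_MESSAGE:
            problems.append(f"{key}: blocked_install_message over {MAX_MESSAGE} characters")
    if "*" not in policy:
        # With no default entry, unlisted extensions fall back to "allowed".
        problems.append('no "*" default: unlisted extensions stay installable')
    return problems

def compact(policy):
    """Serialize to the single-line form the Group Policy text box expects."""
    return json.dumps(policy, separators=(",", ":"))

if __name__ == "__main__":
    print(lint_policy(SAMPLE_POLICY) or "OK")
    print(compact(SAMPLE_POLICY))
```
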
Prevent users from running apps or extensions based on permissions

You can prevent users from running apps or extensions that request certain permissions that your organization doesn’t allow. For example, you can block extensions that connect to USB devices or access cookies.

For a list of available permissions, see Chrome app and extension permissions.

Example prevent permission code

Download an example JSON file here. You can edit it using a text editor.

The example shows how to:

  • Only allow Chrome Remote Desktop (gbchcmhmhahfdphkhkmpfmihenigjmpp), which requires USB permission.
  • Block all other apps that require USB permission.
Prevent apps and extensions from altering webpages

You can prevent extensions on devices from modifying websites that you specify. The blocked modifications include script injection, cookie access, and web-request modifications. This setting doesn’t prevent users from installing or removing extensions.

You can use 2 settings:

  • runtime_blocked_hosts—Prevents extensions from interacting with specified websites.

  • runtime_allowed_hosts—Allows extensions to interact with specified websites, even if they’re also defined in runtime_blocked_hosts.

The format of host patterns is [http|https|ftp|*]://[subdomain|*].[hostname|*].[eTLD|*], where

  • [http|https|ftp|*], [hostname|*], and [eTLD|*] are required, and
  • [subdomain|*] is optional.
| Valid host patterns | Matches | Doesn't match |
|---|---|---|
| *://*.example.* | http://example.com, https://test.example.co.uk | https://example.google.com, http://example.google.co.uk |
| http://example.* | http://example.com, http://example.ly | https://example.com, http://test.example.com |
| http://example.com | http://example.com | https://example.com, http://test.example.co.uk |
| http://*.example.com | http://example.com, http://test.example.com, http://t.t.example.com | https://example.com, https://test.example.com |
| http://example.co.* | http://example.co.com, http://example.co.co.uk | http://example.co.uk |
| http://*.test.example.com | http://t.test.example.com, http://test.example.com | http://not.example.com |
| *://* | All URLs | |

 

Invalid host patterns

  • http://t.*.example.com
  • http*://example.com
  • http://*example.com
  • http://example.com/
  • http://example.com/*
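
The host pattern format and the table above can be modelled in a few lines to lint runtime_blocked_hosts and runtime_allowed_hosts entries before deployment. This is an added example, not Chrome's own parser: the regular expression is derived from the valid and invalid patterns listed on this page, and SAMPLE_ETLDS is a constructed stand-in for the Public Suffix List that covers only the URLs in the table. The function names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List; covers only the table's URLs.
SAMPLE_ETLDS = {"com", "ly", "uk", "co.uk"}

# scheme :// then either "*" alone, or [*.]labels[.*] with no path component.
_PATTERN = re.compile(
    r"^(?P<scheme>http|https|ftp|\*)://"
    r"(?:(?P<all>\*)|(?P<sub>\*\.)?"
    r"(?P<base>[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?P<tld>\.\*)?)$"
)

def parse_host_pattern(pattern):
    """Return the parsed parts, or None if the pattern breaks the page's format."""
    m = _PATTERN.match(pattern.lower())
    return m.groupdict() if m else None

def strip_etld(host):
    """Drop the longest known eTLD from host; None if no eTLD is recognised."""
    labels = host.split(".")
    for i in range(1, len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in SAMPLE_ETLDS:
            return ".".join(labels[:i])
    return None

def pattern_matches(pattern, url):
    """Model of the matching shown in the table (not Chrome's implementation)."""
    p = parse_host_pattern(pattern)
    if p is None:
        raise ValueError(f"invalid host pattern: {pattern}")
    u = urlsplit(url)
    if p["scheme"] not in ("*", u.scheme):
        return False
    if p["all"]:
        return True
    host = u.hostname or ""
    if p["tld"]:  # eTLD wildcard: compare what is left of the public suffix
        host = strip_etld(host)
        if host is None:
            return False
    if host == p["base"]:
        return True
    # The subdomain wildcard also covers any depth of subdomain.
    return bool(p["sub"]) and host.endswith("." + p["base"])
```
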

Example code to prevent webpage modification

Download an example JSON file here. You can edit it using a text editor.

The example shows how to:

  • Block extensions from accessing *.example.com webpages.
  • Block extensions that require USB permission.

Step 5: Deploy to users and validate policies

After you deploy any Chrome extension policy, check user devices to make sure the policy was applied correctly.

  1. On a managed Chrome device, browse to chrome://policy.

  2. Click Reload policies.

  3. In the top right, in the Filter policies by field box, enter ExtensionSettings.

  4. Check the Show policies with no value set box.

  5. Under the Chrome policy name next to each extension setting, make sure Status is set to OK.

  6. Click Show value and make sure the value field isn’t empty.
