Configure ExtensionSettings policy

Applies to managed Chrome Browsers on Windows, Mac, and Linux.

The ExtensionSettings policy controls multiple settings, including settings that are controlled by existing extension-related policies. The ExtensionSettings policy overrides those policies if they're also set.

To apply custom policies for an individual extension, use the extension ID. Use the * value to set the default policy for all extensions that you haven’t set custom configurations for.

To find an app or extension ID:

  1. Open the Chrome Web Store.
  2. Find and select the app or extension you want.
  3. Look at the URL. The ID is the long string of characters at the end of the URL.
    For example, nckgahadagoaajjgafhacjanaoiihapd is the ID for Google Hangouts.

The ExtensionSettings policy can contain the fields listed in the table.

Field Description and settings

allowed_types

Can be used only to configure the default configuration, *.

Specifies what types of app or extension users are allowed to install on Chrome Browser. Choose one or more of the following options:

blocked_install_message

If you block users from installing certain extensions, you can specify a custom message to display in the browser if users try to install them.

Append text to the generic error message that is displayed on the Chrome Web Store. For example, you can tell users how to contact their IT department or why a particular extension is unavailable. The message can be up to 1,000 characters long.

blocked_permissions

Prevents users from installing and running extensions that request certain API permissions that your organization doesn’t allow. For example, you can block extensions that access cookies.

If an extension requires a permission that you blocked, the user can’t install it. If users previously installed the extension, it will no longer load. If an extension contains a blocked permission as an optional requirement, it installs as usual. Then, while the extension is running, blocked permissions are automatically declined.

For a list of available permissions, see the Chrome developer site.

installation_mode

Controls if and how extensions that you specify are added to Chrome Browser. You can set the installation mode to:

  • allowed—Users can install the extension. If no installation mode is defined, this is the default.
  • blocked—Users can’t install the extension.
  • force_installed—Automatically install the extension without user interaction. Users can’t remove it. You also need to define the extension download location using update_url.
    Note: You can’t use * to set the default configuration. Chrome Browser wouldn't know which extension to automatically install.
  • normal_installed—Automatically install the extension without user interaction. Users can disable it. You also need to define the extension download location using update_url.
    Note: You can’t use * to set the default configuration. Chrome Browser wouldn't know which extension to automatically install.
  • removed—(Chrome version 75 or later) Users can’t install the extension. If users previously installed the extension, Chrome Browser removes it.

install_sources

Can be used only to configure the default configuration, *.

Specifies which URLs are allowed to install extensions. You need to allow the location of the *.crx file and the page where the download starts from, the referrer.

For URL pattern examples, see the Chrome developer site.

minimum_version_required

Chrome Browser disables extensions, including force-installed extensions, with a version older than the specified minimum version.

The format of the version string is the same as the one used in the extension manifest. For details, see Chrome developer documentation.

update_url

Applies only to force_installed and normal_installed.

Specifies where Chrome Browser should download an extension.

If the extension is hosted in the Chrome Web Store, enter https://clients2.google.com/service/update2/crx.

Chrome Browser uses the URL that you specify for the initial extension installation. For subsequent extension updates, Chrome Browser uses the URL in the extension's manifest.

runtime_allowed_hosts

Allows extensions to interact with specified websites, even if they’re also defined in runtime_blocked_hosts.

You can specify up to 100 entries. Additional entries are discarded.

The host pattern format is similar to match patterns except you can’t define the path. For example:

  • *://*.example.com
  • *://example.*—eTLD wildcards are supported

runtime_blocked_hosts

Prevents extensions from interacting with or modifying websites that you specify. This blocks JavaScript injection, cookie access, and web-request modifications on those sites.

You can specify up to 100 entries. Additional entries are discarded.

The host pattern format is similar to match patterns except you can’t define the path. For example:

  • *://*.example.com
  • *://example.*—eTLD wildcards are supported
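
The field rules above can be checked before a policy is deployed. The following is an added example, not part of the original page or of Chrome: a small linter over a constructed ExtensionSettings JSON value. The function name lint, the all-"a" extension ID, and the simple test for a path in a host pattern are assumptions made for illustration.

```python
import json

# Constructed sample. The all-"a" ID is a placeholder, not a real extension.
SAMPLE = json.loads("""{
  "*": {"installation_mode": "blocked",
        "blocked_install_message": "Contact IT to request this extension.",
        "blocked_permissions": ["cookies"],
        "runtime_blocked_hosts": ["*://*.example.com"]},
  "nckgahadagoaajjgafhacjanaoiihapd": {
        "installation_mode": "force_installed",
        "update_url": "https://clients2.google.com/service/update2/crx"},
  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "installation_mode": "normal_installed",
        "install_sources": ["https://example.com/*"],
        "runtime_allowed_hosts": ["*://example.com/login"]}
}""")

DEFAULT_ONLY = ("allowed_types", "install_sources")
AUTO_MODES = ("force_installed", "normal_installed")
MODES = ("allowed", "blocked", "removed") + AUTO_MODES

def lint(policy):
    """Return (extension_id, message) findings for rules stated on this page."""
    out = []
    for ext, cfg in policy.items():
        mode = cfg.get("installation_mode", "allowed")  # page: default is allowed
        if mode not in MODES:
            out.append((ext, f"unknown installation_mode {mode!r}"))
        for field in DEFAULT_ONLY:
            if field in cfg and ext != "*":
                out.append((ext, f"{field} is only valid under '*'"))
        if mode in AUTO_MODES:
            if ext == "*":
                out.append((ext, f"{mode} cannot be set under '*'"))
            if "update_url" not in cfg:
                out.append((ext, f"{mode} requires update_url"))
        elif "update_url" in cfg:
            out.append((ext, "update_url applies only to force_installed/normal_installed"))
        if len(cfg.get("blocked_install_message", "")) > 1000:
            out.append((ext, "blocked_install_message exceeds 1,000 characters"))
        for field in ("runtime_allowed_hosts", "runtime_blocked_hosts"):
            hosts = cfg.get(field, [])
            if len(hosts) > 100:
                out.append((ext, f"{field}: entries past 100 are discarded"))
            for h in hosts:  # assumption: a '/' after the scheme means a path
                if "/" in h.split("://", 1)[-1]:
                    out.append((ext, f"{field}: path not allowed in {h!r}"))
    return out
```

Running lint(SAMPLE) reports three findings, all on the placeholder entry: install_sources used outside *, a missing update_url, and a host pattern that carries a path.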
