Applies to Mac users who sign in to a managed account on Chrome browser.
As an administrator, you can automatically install Chrome apps and extensions on users' computers. You can also control which apps or extensions users can install. You set the default policies for all apps and extensions. Then, if you want to customize policies for specific apps or extensions, you can override your defaults.
Step 1: Review the policy
Policy | Description and settings |
---|---|
ExtensionSettings | Manage the apps and extensions users can install. Overrides the following extension policies (which might already be set): |
Step 2: Update the configuration profile
In your Chrome configuration profile:
- Add or update the ExtensionSettings key.
- Set your desired app and extension policies (details below).
Step 3: Get Chrome app or extension IDs
Skip this step if you're not going to customize policies for specific apps or extensions.
To apply policies and settings to a specific Chrome app or extension, you need to identify it. Every app and extension in the Chrome Web Store has its own unique identification (ID) that doesn't change across versions. So, if a user installs a specific app or extension on multiple devices, it has the same ID on all devices. Each ID is 32 characters long.
To find an app or extension ID:
- Open the Chrome Web Store.
- Find and select the app or extension you want.
- Look at the URL. The ID is the long string of characters at the end of the URL.
For example, gmbgaklkmjakoegficnlkhebmhkjfich is the ID for Google Calendar.
Step 4: Set app and extension policies
- Set a default policy that applies for all apps and extensions. Use the * value.
- (Optional) Customize the policy for individual apps or extensions. Use the app or extension ID (details above).
You can control whether an app or extension is blocked, allowed, or automatically installed on devices. This overrides the ExtensionInstallForcelist policy.
In the ExtensionSettings policy, set the installation mode to:
- allowed: Users can install apps and extensions from the Chrome Web Store. If no installation mode is defined, this is the default.
- blocked: Users can't install apps or extensions from the Chrome Web Store. You can define a custom error message that lets users know it's blocked (details below).
- force_installed: Automatically install extensions that you specify without user interaction. Users can't disable or remove them. You also need to define the extension download location (details below).
- normal_installed: Automatically install extensions that you specify without user interaction. Users can disable them. You also need to define the extension download location (details below).
Example installation code
Download the complete configuration profile that contains the example. You can edit it using a text editor.
The example shows how to:
- Automatically install Google Docs Offline (ghbmnnjooekpmoecnnnilnnbdlolhkhi) and Google Keep (lpcaedmchfhocbbapmcbpinfpgnhiddi) on user devices.
- Allow users to disable Keep but not Docs Offline.
- Allow users to install Google Calendar (gmbgaklkmjakoegficnlkhebmhkjfich) from the Chrome Web Store.
- Prevent users from installing any other apps or extensions.
<key>ExtensionSettings</key>
<dict>
<key>*</key>
<dict>
<key>installation_mode</key>
<string>blocked</string>
</dict>
<key>ghbmnnjooekpmoecnnnilnnbdlolhkhi</key>
<dict>
<key>installation_mode</key>
<string>force_installed</string>
<key>update_url</key>
<string>https://clients2.google.com/service/update2/crx</string>
</dict>
<key>lpcaedmchfhocbbapmcbpinfpgnhiddi</key>
<dict>
<key>installation_mode</key>
<string>normal_installed</string>
<key>update_url</key>
<string>https://clients2.google.com/service/update2/crx</string>
</dict>
<key>gmbgaklkmjakoegficnlkhebmhkjfich</key>
<dict>
<key>installation_mode</key>
<string>allowed</string>
</dict>
</dict>
You can pin the latest version of a Chrome app or extension to control when it is updated to a newer version. In the ExtensionSettings policy, set override_update_url to:
- True: Chrome browser uses the update_url that you specify in this policy, or the URL that you specify in the ExtensionInstallForcelist policy.
- False: This is the default. Chrome browser uses the URL specified in the extension's manifest.
Example extension download location code
- Automatically install Google Docs Offline (ghbmnnjooekpmoecnnnilnnbdlolhkhi) on user devices.
- Always install and update Google Docs Offline using the update_url specified in this policy.
<key>ExtensionSettings</key>
<dict>
<key>ghbmnnjooekpmoecnnnilnnbdlolhkhi</key>
<dict>
<key>installation_mode</key>
<string>force_installed</string>
<key>update_url</key>
<string>https://clients2.google.com/service/update2/crx</string>
<key>override_update_url</key>
<boolean>true</boolean>
</dict>
</dict>
Only applies to force_installed and normal_installed.
If you automatically install an extension on devices, you need to specify where Chrome should download it.
To define the extension download location, choose an option:
- If the extension is hosted in the Chrome Web Store, enter https://clients2.google.com/service/update2/crx.
- If you host the extension on your own server, enter the URL where Chrome can download the packed extension (.crx file).
Example extension download location code
This example shows you how to automatically install Google Docs Offline (ghbmnnjooekpmoecnnnilnnbdlolhkhi).
<key>ExtensionSettings</key>
<dict>
<key>ghbmnnjooekpmoecnnnilnnbdlolhkhi</key>
<dict>
<key>installation_mode</key>
<string>force_installed</string>
<key>update_url</key>
<string>https://clients2.google.com/service/update2/crx</string>
</dict>
</dict>
If your policy blocks users from installing certain apps or extensions, you can specify a custom message to display on devices if users try to install them. For example, you can tell users how to contact their IT department or why a particular extension is unavailable. The message can be up to 1,000 characters long.
Example custom-message code
Download the complete configuration profile that contains the example. You can edit it using a text editor.
The example shows how to:
- Display a specific message for Google Calendar (gmbgaklkmjakoegficnlkhebmhkjfich).
- Display a generic message for all other apps and extensions.
<key>ExtensionSettings</key>
<dict>
<key>*</key>
<dict>
<key>blocked_install_message</key>
<string>Contact IT admin for help.</string>
</dict>
<key>gmbgaklkmjakoegficnlkhebmhkjfich</key>
<dict>
<key>blocked_install_message</key>
<string>Instead, please call IT for help.</string>
<key>installation_mode</key>
<string>blocked</string>
</dict>
</dict>
You can prevent users from running apps or extensions that request certain permissions that your organization doesn't allow. For example, you can block extensions that connect to USB devices or access cookies.
For a list of available permissions, see Chrome app and extension permissions.
Example prevent permission code
Download the complete configuration profile that contains the example. You can edit it using a text editor.
The example shows you how to:
- Only allow Chrome Remote Desktop (gbchcmhmhahfdphkhkmpfmihenigjmpp), which requires USB permission.
- Block all other apps that require USB permission.
<key>ExtensionSettings</key>
<dict>
<key>*</key>
<dict>
<key>blocked_permissions</key>
<array>
<string>usb</string>
</array>
</dict>
<key>gbchcmhmhahfdphkhkmpfmihenigjmpp</key>
<dict>
</dict>
</dict>
You can prevent extensions on devices from modifying websites that you specify. The setting blocks script injection, cookie access, and web-request modifications on those websites. It doesn't prevent users from installing or removing extensions.
You can use 2 settings:
- runtime_blocked_hosts: Prevents extensions from interacting with specified websites.
- runtime_allowed_hosts: Allows extensions to interact with specified websites, even if they're also defined in runtime_blocked_hosts.
The format of host patterns is [http|https|*]://[subdomain|*].[hostname|*].[eTLD|*], where
- [http|https|*], [hostname|*], and [eTLD|*] are required.
- [subdomain|*] is optional.
Valid host patterns | Matches | Doesn't match |
---|---|---|
*://*.example.* | http://example.com https://test.example.co.uk | https://example.google.com http://example.google.co.uk |
http://example.* | http://example.com http://example.ly | https://example.com http://test.example.com |
http://example.com | http://example.com | https://example.com http://test.example.co.uk |
http://*.example.com | http://example.com http://test.example.com http://t.t.example.com | https://example.com https://test.example.com |
http://example.co.* | http://example.co.com http://example.co.co.uk | http://example.co.uk |
http://*.test.example.com | http://t.test.example.com http://test.example.com | http://not.example.com |
*://* | All URLs | |
Invalid host patterns
- http://t.*.example.com
- http*://example.com
- http://*example.com
- http://example.com/
- http://example.com/*
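The pattern rules above can be checked before a value goes into runtime_blocked_hosts or runtime_allowed_hosts. The following is an added example, not Chrome's own matcher: the function names are hypothetical, and the small ETLDS tuple is a constructed stand-in for the Public Suffix List that a real check would load.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption for this example).
ETLDS = ("co.uk", "com", "ly", "uk")

# scheme, then either a lone "*" or: optional "*." prefix, host labels, optional ".*" eTLD.
PATTERN_RE = re.compile(
    r"(?P<scheme>http|https|\*)://"
    r"(?:(?P<all>\*)|(?P<sub>\*\.)?(?P<host>[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?P<tld>\.\*)?)"
)


def is_valid_pattern(pattern: str) -> bool:
    """True if the pattern has an accepted shape: no path, no wildcard inside the host."""
    return PATTERN_RE.fullmatch(pattern) is not None


def pattern_matches(pattern: str, url: str) -> bool:
    """Apply a valid host pattern to a URL, following the table above."""
    m = PATTERN_RE.fullmatch(pattern)
    if m is None:
        raise ValueError(f"invalid host pattern: {pattern}")
    parts = urlsplit(url)
    if m["scheme"] not in ("*", parts.scheme):
        return False
    if m["all"]:
        return True
    host = (parts.hostname or "").lower()
    if m["tld"]:
        # Strip the longest known eTLD; the rest must line up with the pattern host.
        for etld in sorted(ETLDS, key=len, reverse=True):
            if host.endswith("." + etld):
                host = host[: -len(etld) - 1]
                break
        else:
            return False
    if host == m["host"]:
        return True
    # A leading "*." also accepts any number of subdomain labels.
    return bool(m["sub"]) and host.endswith("." + m["host"])


if __name__ == "__main__":
    for p in ("*://*.example.*", "http://t.*.example.com", "http://example.com/*"):
        print(p, "valid" if is_valid_pattern(p) else "invalid")
```
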
Example code to prevent webpage modification
Download the complete configuration profile that contains the example. You can edit it using a text editor.
The example shows how to:
- Block extensions from accessing *.example.com webpages.
- Block extensions that require USB permission.
<key>ExtensionSettings</key>
<dict>
<key>*</key>
<dict>
<key>runtime_blocked_hosts</key>
<array>
<string>*://*.example.com</string>
</array>
<key>blocked_permissions</key>
<array>
<string>usb</string>
</array>
</dict>
</dict>
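A pre-deployment check for the Step 4 rules (known installation modes, an update_url for automatic installs, the 1,000-character message limit, 32-character IDs, a default set under *), added here as an example and not part of Google's documentation. The function name and sample fragment are constructed, and the a-p ID alphabet is a Chrome convention this page does not state.

```python
import plistlib
import re
from xml.parsers.expat import ExpatError

MODES = {"allowed", "blocked", "force_installed", "normal_installed"}
AUTO_INSTALL = {"force_installed", "normal_installed"}
ID_RE = re.compile(r"[a-p]{32}")  # Chrome IDs: 32 characters, letters a-p


def lint_extension_settings(fragment: str) -> list[str]:
    """Lint a bare <key>ExtensionSettings</key><dict>... fragment as shown on this page."""
    doc = f'<plist version="1.0"><dict>{fragment}</dict></plist>'.encode()
    try:
        settings = plistlib.loads(doc).get("ExtensionSettings")
    except (ExpatError, ValueError) as exc:  # e.g. an unclosed <dict>
        return [f"does not parse: {exc}"]
    if not isinstance(settings, dict):
        return ["ExtensionSettings missing or not a dict"]
    findings = []
    star = settings.get("*")
    if not isinstance(star, dict) or "installation_mode" not in star:
        # Without a default mode, unlisted extensions fall back to "allowed".
        findings.append("*: no default installation_mode")
    for ext_id, entry in settings.items():
        if ext_id != "*" and not ID_RE.fullmatch(ext_id):
            findings.append(f"{ext_id}: not a 32-character extension ID")
        if not isinstance(entry, dict):
            findings.append(f"{ext_id}: value is not a dict")
            continue
        mode = entry.get("installation_mode", "allowed")
        if mode not in MODES:
            findings.append(f"{ext_id}: unknown installation_mode {mode!r}")
        if mode in AUTO_INSTALL and not entry.get("update_url"):
            findings.append(f"{ext_id}: {mode} needs update_url")
        if len(str(entry.get("blocked_install_message", ""))) > 1000:
            findings.append(f"{ext_id}: blocked_install_message over 1,000 characters")
    return findings

# Constructed sample: a force-install with no update_url and a 31-character ID.
SAMPLE = """
<key>ExtensionSettings</key>
<dict>
  <key>*</key><dict><key>installation_mode</key><string>blocked</string></dict>
  <key>ghbmnnjooekpmoecnnnilnnbdlolhkhi</key><dict><key>installation_mode</key><string>force_installed</string></dict>
  <key>gmbgaklkmjakoegficnlkhebmhkjfic</key><dict><key>installation_mode</key><string>allowed</string></dict>
</dict>
"""

if __name__ == "__main__":
    print("\n".join(lint_extension_settings(SAMPLE)))
```
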
Step 5: Deploy to users and validate policies
After you deploy any Chrome extension policy, check user devices to make sure the policy was applied correctly.
- On a managed ChromeOS device, browse to chrome://policy.
- Click Reload policies.
- In the top right, in the Filter policies by field box, enter ExtensionSettings.
- Check the Show policies with no value set box.
- Under the Chrome policy name next to each extension setting, make sure Status is set to OK.
- Click Show value and make sure the value field isn't empty.
Related topics
- Chrome app and extension permissions
- Set Chrome app and extension policies (Windows)
- Set Chrome app and extension policies (Linux)