Chrome extensions are small software programs that customize and enhance the functionality of the Google Chrome browser. They can perform a variety of tasks, such as blocking ads, managing passwords, translating web pages, and integrating with other services and applications, etc.
In a corporate environment, controlling the installation of these extensions is crucial for several reasons:
- Security Risks: Extensions can serve as attack vectors. Malicious extensions can steal sensitive data, install additional malware, or hijack user sessions.
- Data Privacy: Extensions can access data on visited websites, which may include sensitive information, raising privacy concerns.
- Resource Management: Some extensions can consume significant system resources, leading to slower browsing speeds and reduced performance.
- Compliance: Unauthorized extensions could lead to compliance violations, especially regarding data protection laws.
- Distraction: In educational or professional settings, certain extensions can be distracting and reduce productivity.
By managing and restricting the installation of extensions, organizations can enhance security, protect sensitive data, ensure compliance, and maintain a productive work environment.
If you are managing your Windows corporate fleet with Microsoft Intune, you can easily do so with Settings Catalog.
With Intune Setting Catalog profile, you can either
- Block All Extensions in Chrome and Whitelist only the ones you want to allow, or
- Block specific Extensions only while allowing the rest of the Extensions.
The first approach is more controlled as it allows only the approved extensions to be accessible to users while remaining ones remain blocked.
Table of Contents
How to Blacklist/Whitelist Extensions in Chrome with Intune
Block all extensions in Google Chrome
In the Intune Admin portal,
- Go to Devices > Configuration and create a New Policy.
- Select Platform as Windows 10 and later.
- Profile type as Settings catalog.
- Click on Create.
- Provide a Name and Description (optional) for the Policy and click Next.
- In the Configuration settings page, click on Add Settings and use the Settings picker to search using the keyword Chrome. Click on the category Google Google Chrome Extensions and select subcategory Configure extension installation blocklist.
- Set Configure extension installation blocklist to Enabled and add wildcard ‘*‘ (without quotes) in the text box.
Now with this configuration, it is enough to block all extensions in Chrome.
If your requirement is this, then you can go ahead, click on Next, and go through the next steps of adding Scope Tag and Assignment to finally review the configuration to confirm the creation and deployment of the profile.
Block all extensions in Google Chrome while allowing some specific extensions
However, if you want to allow some specific extensions to work in Chrome while blocking all others, then you will need to add the subcategory configuration item Configure extension installation allow list to the above configuration we made.
Once you add the subcategory settings item to configure, set it to Enabled and provide the Extension ID(s) of the extension(s) you want to allow/whitelist.
Thus your configuration will look something like below where I have blocked all extensions while allowing two specific extensions by their extension ID’s.
If this meets your requirement, then again, you can go ahead, click on Next, and go through the next steps of adding Scope Tag and Assignment to finally review the configuration to confirm the creation and deployment of the profile.
How to find the Extension ID of the extension that you want to allow/block in Chrome?
Open the Chrome browser, go to the Google webstore and search for the extension that you want to allow/block, and then from the address bar of the browser, you can get the Extension ID. For example, if I would want to allow/block DeepSeek AI extension in Chrome, I need to search for the extension in the Chrome webstore and then get its Extension ID from the browser URL address bar.
But now, for the purpose of this blog, I will be creating a settings catalog profile to block only the Adobe Acrobat extension in Chrome browser.
How to block only some specific extension(s) in Chrome browser
So for my case, the configuration looks like this below.
Verify policy application
From Intune, if the policy is correctly delivered, you can see it from within the registry location HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager as below.
To view applied policies in effect on the Chrome browser, you can open the Chrome browser and in the URL bar type in “chrome://policy” without quotes to see the policies getting applied to the browser.
From here you can see the extensionInstallBlacklist configuration being applied as configured via the policy in Intune.
End-user Experience
If the policy has applied successfully on the device, when you try to add the extension which is blocked as per policy configuration, you get to see a screen like this below. The option to add the extension will be greyed out.
But what if the extension was already added to Chrome before the policy was applied?
If the policy configuration defines any extension as a blacklist, even if the extension was added to Chrome before the policy was applied, those existing extension(s) will also get blocked. Read more.
Be the first to comment