In this blog post, we will see how to block or whitelist chrome extensions using Intune. This will give you greater control over which extensions can be used on your organization’s devices, helping to keep your data secure and your employees productive.
Allowing users to install extensions in browsers can cause a security risk and user may unknowingly Install a malicious extension which could be harmful for the device or organization. Therefore, as an Intune administrator, we should control the extensions which are allowed to be installed by the end users.
A best practice is to block all extension installation and allow only specific extensions which are approved by administrator. This way you can make sure that the extensions which are in use are safe and are regularly updated.
If you are managing your organization devices using Microsoft Intune, then you can create a device configuration profile with settings to allow and block extensions for Google chrome and apply this profile to the target devices.
We would be using Google Chrome ADMX template settings to configure block/whitelist of extensions. For creating a block list or whitelist of extensions, Extension ID is required. First we need to find that and then proceed with creating device configuration profile. Let’s check the steps:
| Block/Whitelisting in Edge as well via Intune ? |
|---|
| You can use this step by step guide on how to create a block/whitelist using Intune for Microsoft edge brower: Block/whitelist Edge Extensions Using Intune. |
How to find Extension ID in Google chrome
First thing you need to do is to find the Extensions ID which you want to whitelist. We will use the Extension IDs when creating a policy in intune to create a block list and allow list of extensions.
Please find below steps which will help you find the extension ID.
- Launch Google chrome browser.
- Click on three dots on the top right hand side corner.
- Click on More tools > Extensions.
- Click on Hamburger button and then click on link at the bottom Open Google Web store.
| Alternatively, you can also type chrome://extensions/ to launch the Extensions page and go to Chrome Web store using a shortcut https://chrome.google.com/webstore/category/extensions?hl=en-US |
- Search for the Extension which you want to whitelist and then from address bar of the browser you can copy its Extension ID. For Example: I searched for Super Dark Mode Extension and then clicked on it and copied its Extention ID from the browser address bar URL.
- Similarly search for other Extensions which you want to whitelist or blocklist and copy their Extention ID in a notepad somewhere to be used later in the Intune device configuration policy.
Create Device Configuration Profile
Next step is to create a device configuration profile in Intune. Let’s check the steps:
- Login on Microsoft Intune admin center.
- Go to Devices > Configuration profiles > + Create profile.
- Select Platform as Windows 10 and later.
- Profile type as Templates.
- Click on Administrative Templates > Create.
| If you are unable to find Google Chrome ADMX template in Intune, you can refer for help using my other blog post which provides detailed steps by step guide on how you can Import ADMX file in Intune. |
Basics Tab
- Provide a Name of the profile: Block/Whitelist Chrome Extensions.
- Description: This custom device configuration profile which can be used for blocking or whitelisting chrome extensions
Configuration Settings
- Go to Computer Configuration > Google > Google Chrome > Extensions folder.
- Search for the setting “Configure extension installation blocklist“
- Select Enabled radio button.
- Extension IDs the user should be prevented from installing (or * for all) – Add * in the text box and then click on OK to save.
| Instead of blocking all extensions using a wild card character *. You can also provide the extension IDs to block only specific extensions in chrome. |
- Search for setting “Configure extension installation allow list” and click on Enabled.
- In Extension IDs to exempt from the block list text box, provide one Extention IDs per row which you want to whitelist. In our example, we want to whitelist Super Dark Mode extension therefore we provided the extension ID of Super Dark Mode.
Assignments
Create an Azure AD Security group which contains users or devices where this device configuration profile needs to be deployed. Please note that if you add users into the list, Block/Whitelist Chrome Extensions policy will be applied on all of the users devices joined to Azure and Enrolled into Intune. If you want to deploy it to specific devices then you should add devices in the Azure AD security group not users.
To deploy it on all end user devices, You can click on + Add all devices to target all devices which are enrolled into Intune.
Review + Create
On Review + Create tab, review the device configuration profile and click on Create. As soon as you click on create button, The device configuration profile will be created and process to create apply Block/Whitelist Chrome Extensions policy will begin on the targeted devices.
Intune Policy Refresh Cycle
The Device will Sync / Check in to start deployment of this new device configuration profile. It may take some time for the process to start. Therefore, if you are testing it on a test device, you can force initiate Intune refresh cycle on the device which will speed up the download and installation process. You can also use Powershell to force initiate Intune refresh cycle.
Also, you can restart the device first which also starts the device check-in process. Manual sync is not mandatory on user’s devices as the device check-in process happens automatically. But if you are testing the application on a test device then this can speed up your testing and can save some time.
End user Experience
Now, let’s check whats happening on the end user device. After this policy has been deployed successfully. You can launch chrome browser to test if Installation of all extensions in chrome browser is blocked and only specific extension which is Super Dark mode is allowed as per the whitelist.
If you already have some extensions Installed in chrome. As soon as the policy will get applied, it will blocks all extensions except Super Dark Mode. A pop-up message will appear on the top right hand side corner with a message “Some extensions are not allowed“. The following extensions are blocked by your administrator.
This policy blocks all other extensions except Super Dark Mode as per the whitelist.
Let’s now see if we are able to install any other extension in chrome. I tried to Volume master browser extension but it shows a Red button with a message “Blocked by admin“. When you click on this button, you will receive a pop-up message “your admin has blocked <extension name> – App ID <app ID>”
Conclusion
In this blog post, we have seen how to easily create Block list and Whitelist of extentions using Intune for chrome browser. There is no need to use OMA-URI settings, you can use chrome ADMX settings to create a block list and whitelist of chrome extensions and apply it to the end user devices.
READ NEXT
- Block/whitelist Edge Extensions Using Intune
- Set Microsoft Edge Home Page, Startup Page And New Tab Page Using Microsoft Intune.
- Set Microsoft Edge As Default Browser Using Microsoft Intune.
- How To Configure Default Apps On Windows Using Intune.
- How To Import ADMX Templates Into Intune.
- How To Deploy .exe Applications Using Intune.
