In this blog post, we will see how to block or whitelist Chrome extensions using Intune. This will give you greater control over which extensions can be used on your organization’s devices, helping to keep your data secure and your employees productive.
Allowing users to install browser extensions is a security risk: a user may unknowingly install a malicious extension, which could cause issues. Therefore, as Intune administrators, we should control which extensions end users are allowed to install.
A best practice is to block all extension installations and allow only specific extensions that are approved by the administrator. This way you can make sure that the extensions which are in use are safe and are regularly updated.
If you are managing your organization devices using Microsoft Intune, then you can create a device configuration profile with settings to allow and block extensions for Google Chrome and apply this profile to the target devices.
We’ll be utilizing the Google Chrome ADMX template settings to configure the block or whitelist of extensions. To create a Block list or Whitelist, you’ll need the Extension ID. Let’s go through the steps to find the Extension ID and then proceed with creating the device configuration profile.
Step 1 – Find the Extension ID that you want to Whitelist
To find the Extension ID in Chrome, follow the below steps:
- Launch the Google Chrome browser.
- Go to Google Webstore.
- Search for the Extension that you want to whitelist and then from the address bar of the browser you can copy its Extension ID.
- Repeat this process for any other extensions you wish to whitelist or block, copying their respective Extension IDs into a notepad for later use in the Intune device configuration policy.
Step 2 – Create a Device configuration profile
The next step is to create a device configuration profile in Intune. Let’s check the steps:
- Sign in to the Microsoft Intune admin center
- Go to Devices > Configuration profiles > + Create profile
- Select Platform as Windows 10 and later
- Profile type as Templates
- Click on Administrative Templates > Create
Note: If you are unable to import the Chrome ADMX template in Intune, you can refer to my other blog post, which provides a detailed, step-by-step guide on how to import an ADMX file into Intune.
Basics Tab
Provide a Name and Description of the Policy and click Next.
Configuration Settings
- Go to Computer Configuration > Google > Google Chrome > Extensions folder.
- Search for the setting “Configure extension installation blocklist”.
- Select the Enabled radio button.
- Extension IDs the user should be prevented from installing – Add * in the text box and then click on OK to save.
Note: Instead of blocking all extensions with the wildcard character *, you can provide extension IDs to block only specific extensions in Chrome. In this scenario, we are blocking all Chrome extensions and using the Configure extension installation allow list setting to whitelist specific extensions.
- Search for the setting “Configure extension installation allow list” and click on Enabled.
- In the Extension IDs to exempt from the block list text box, provide one Extension ID per row for each extension that you want to whitelist. In our example, we want to whitelist the Super Dark Mode extension, so we provided the extension ID of Super Dark Mode. [Skip this step if you do not want to whitelist any extensions in Google Chrome].
Assignments
Click on Add group to add an Azure AD group containing users or devices. You can also click on Add all users or Add all devices.
Review + Create
On the Review + Create tab, review the device configuration profile and click on Create.
Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart the Intune sync either from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.
End-user Experience
Now, let’s see how this policy affects the end user’s device. After successfully deploying this policy, open the Chrome browser to test whether the installation of all extensions is blocked, and whether only the specific extension (in this case, Super Dark Mode) is allowed according to the whitelist.
If any extensions were already installed when this policy was applied, those will be blocked as well. Only the extensions that you whitelist from Intune will be allowed. An error may show up in Chrome: Blocked by admin. When you click on this button, you will receive a pop-up message “Your admin has blocked <extension name> – App ID <app ID>”.
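To confirm the profile has applied and to see which already-installed extensions it affects, the following check can be run on a test device. It is an added example, not part of the original post; it assumes the Chrome policy registry location HKLM\SOFTWARE\Policies\Google\Chrome and Chrome's default per-user profile folders, and should be run from an elevated session so all user profiles are readable.

```powershell
# Added example: audit the Chrome extension policy and installed extensions.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$idPattern  = '^[a-p]{32}$'   # extension IDs are 32 lowercase letters, a to p

function Get-ChromePolicyList {
    param([Parameter(Mandatory)][string]$Name)
    $key = Join-Path $policyRoot $Name
    if (-not (Test-Path $key)) { return }
    # Each list entry is stored as a string value named 1, 2, 3, ...
    $item = Get-Item -Path $key
    $item.GetValueNames() | ForEach-Object { "$($item.GetValue($_))".Trim() }
}

$blocklist = @(Get-ChromePolicyList -Name 'ExtensionInstallBlocklist')
$allowlist = @(Get-ChromePolicyList -Name 'ExtensionInstallAllowlist')

if ($blocklist.Count -eq 0) {
    Write-Warning 'No blocklist policy in the registry; the profile has not applied yet.'
}

# A mistyped allow list entry exempts nothing, so flag anything that is not an ID.
$allowlist | Where-Object { $_ -cnotmatch $idPattern } |
    ForEach-Object { Write-Warning "Malformed allow list entry: '$_'" }

# Walk every user's Chrome profiles and classify each installed extension.
$blockAll = $blocklist -contains '*'
$glob = Join-Path $env:SystemDrive `
    'Users\*\AppData\Local\Google\Chrome\User Data\*\Extensions\*'

Get-Item -Path $glob -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $_.Name -cmatch $idPattern } |
    ForEach-Object {
        $id = $_.Name
        # The allow list takes precedence over the block list.
        $status = if ($allowlist -contains $id) { 'Allowed' }
                  elseif ($blockAll -or $blocklist -contains $id) { 'Blocked' }
                  else { 'Not covered by policy' }
        [pscustomobject]@{
            User        = $_.FullName.Split('\')[2]
            Profile     = $_.Parent.Parent.Name
            ExtensionId = $id
            Status      = $status
        }
    } | Sort-Object Status, User, Profile
```

The same list values are visible per browser on the chrome://policy page, which is a quick cross-check when the registry and the browser behaviour disagree.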
Conclusion
In this blog post, we’ve explored a simple method for creating block lists and whitelists of extensions using Intune for the Chrome browser. You don’t need to utilize OMA-URI settings; instead, you can use Chrome ADMX settings to establish block lists and whitelists for Chrome extensions and apply them to end-user devices.
Chrome has become a total crap browser. On the new Chrome Web Store, Google has begun to block all extension installs on Chrome-based browsers (updating to the latest browser doesn’t help). A naked Chrome browser is USELESS (try to browse without any extensions installed).
Hi,
First, thanks for all your posts! Very useful!
About browser extensions, it can be interesting to first get from devices the list of extensions that are currently installed… Do you know how to pull this information from devices managed by Intune?
All the best
T.