In this blog post, we will see how to block or whitelist Edge extensions using Intune. This will give you greater control over which extensions can be used on your organization’s devices, helping to keep your data secure and your employees productive.
Permitting users to install browser extensions can pose a security risk, as they may inadvertently add a malicious extension that could harm the device or the organization. As an Intune administrator, it’s essential to manage and control the extensions that end users are allowed to install.
A best practice is blocking all extension installations and only permitting specific extensions that have been approved by the administrator. This approach ensures that the extensions in use are both secure and regularly updated.
If you’re managing your organization’s devices through Microsoft Intune, you have the option to create a device configuration profile that includes settings for allowing or blocking extensions in Microsoft Edge. You can then apply this profile to the target devices.
We’ll be utilizing the Microsoft Edge ADMX template settings to configure the block or whitelist of extensions. To create a block list or whitelist, you’ll need the Extension ID. Let’s go through the steps to find the Extension ID and then proceed with creating the device configuration profile.
Related post: Block/Whitelist Chrome Extensions Using Intune
Step 1 – Find the Extension ID that you want to Whitelist
To find the Extension ID in Microsoft Edge, follow the below steps.
- Launch the Microsoft Edge browser.
- Click on the three dots on the top right-hand side corner.
- Click on Extensions.
- Click on Manage extensions > “Get extensions for Microsoft Edge”.
- Search for the extension that you want to whitelist. Let’s use Adobe Acrobat as an example: search for the extension and then click on it.
- At the top of the page, in the browser’s address bar, you should be able to locate the Extension ID as a part of the URL. Simply copy the Extension ID and paste it into a notepad.
- Repeat this process for all other extensions you want to whitelist, copying their Extension IDs into the notepad. You’ll need these Extension IDs when creating a policy in Intune.
Step 2 – Create a Device configuration profile to block Edge Extensions
The next step is to create a device configuration profile in Intune. Let’s check the steps:
- Sign in to the Microsoft Intune admin center
- Go to Devices > Configuration profiles > + Create profile
- Select Platform as Windows 10 and later
- Profile type as Templates
- Click on Administrative Templates > Create
Note: If you can’t find the Microsoft Edge ADMX template in Intune, you can refer to my other blog post, which provides a detailed, step-by-step guide on how to Import an ADMX file into Intune.
Provide a Name and Description of the Policy and click Next.
- Go to Computer Configuration > Microsoft Edge > Extensions folder.
- Search for the setting “Control which extensions cannot be installed“
- Select the Enabled radio button.
- Extension IDs the user should be prevented from installing (or * for all) – Add * in the text box and then click on OK to save.
Instead of blocking all extensions with the wildcard character *, you can also provide individual extension IDs to block only specific extensions in Microsoft Edge.
Note: In this scenario, we are blocking all Edge extensions and then using the “Extension IDs to exempt from the block list” setting to whitelist specific extensions.
- Search for a setting “Allow specific extensions to be installed” and click on Enabled.
- In the “Extension IDs to exempt from the block list” text box, enter one Extension ID per row for the extensions you want to whitelist. In our example, we are whitelisting the Adobe Acrobat extension, so we have provided the Extension ID for Adobe Acrobat.
Click on Add group to add an Azure AD group containing users or devices. You can also click on Add all users or Add all devices.
Review + Create
On the Review + Create tab, review the device configuration profile and click on Create.
Sync Intune Policies
The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart the Intune sync either from the device itself or remotely through the Intune admin center.
Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.
Now, let’s see how this policy affects the end user’s device. After successfully deploying this policy, open the Edge browser to test whether the installation of all extensions is blocked, and whether only the specific extension (in this case, Adobe Acrobat) is allowed according to the whitelist.
If there are any existing extensions that were already installed when this policy was applied, those will be blocked as well. Only the extensions that you whitelist from Intune will be allowed. An error may show up in Edge: “Some extensions are not allowed.”
Now, let’s check whether we are able to install any other extension in Edge. When attempting to install the NordVPN browser extension, an error message is displayed: “Your admin has blocked <extension name> for Privacy and Security – App ID <AppID>”.
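Beyond clicking through Edge, you can confirm on the device that the two ADMX settings actually arrived. This is an added example, not code from the original post; it assumes the settings land as the Edge policy keys ExtensionInstallBlocklist and ExtensionInstallAllowlist under HKLM\SOFTWARE\Policies\Microsoft\Edge, and the expected-ID list holds a placeholder you replace with the IDs copied in Step 1.

```powershell
# Added example (not from the original post): verify the Edge extension policy
# that Intune applied to a device by reading the policy registry keys Edge uses.
# Assumption: the ADMX settings map to ExtensionInstallBlocklist /
# ExtensionInstallAllowlist, each a key whose values are named "1", "2", ...
# and hold one extension ID (or "*").
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# Approved allowlist: placeholder, replace with the IDs you copied in Step 1.
$ExpectedAllowlist = @('<ADOBE_ACROBAT_EXTENSION_ID>')

function Get-EdgeExtensionPolicyList {
    param([Parameter(Mandatory)][string]$Name)
    $key = Join-Path $PolicyRoot $Name
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item $key
    # Values are numbered "1","2",...; sort numerically to keep policy order.
    $item.GetValueNames() |
        Where-Object { $_ -match '^\d+$' } |
        Sort-Object { [int]$_ } |
        ForEach-Object { $item.GetValue($_) }
}

$blocklist = Get-EdgeExtensionPolicyList -Name 'ExtensionInstallBlocklist'
$allowlist = Get-EdgeExtensionPolicyList -Name 'ExtensionInstallAllowlist'

# Check 1: the "block everything" wildcard from the first setting is present.
if ($blocklist -contains '*') {
    Write-Host 'OK: ExtensionInstallBlocklist contains "*" (all extensions blocked by default).'
} else {
    Write-Warning "Blocklist does not contain '*' - current entries: $($blocklist -join ', ')"
}

# Check 2: every allowlisted entry is well formed (Chromium IDs are 32 chars, a-p).
foreach ($id in $allowlist) {
    if ($id -notmatch '^[a-p]{32}$') {
        Write-Warning "Allowlist entry '$id' is not a valid extension ID"
    }
}

# Check 3: the device allowlist matches exactly what the administrator approved.
$unexpected = $allowlist | Where-Object { $_ -notin $ExpectedAllowlist }
$missing    = $ExpectedAllowlist | Where-Object { $_ -notin $allowlist }
if ($unexpected) { Write-Warning "Unexpected allowlisted IDs: $($unexpected -join ', ')" }
if ($missing)    { Write-Warning "Approved IDs not yet applied: $($missing -join ', ')" }
if (-not $unexpected -and -not $missing) { Write-Host 'OK: allowlist matches the approved set.' }
```

Run it in an elevated PowerShell session after the Intune sync completes; edge://policy in the browser shows the same values as Edge itself reads them.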
In this blog post, we’ve explored the straightforward process of creating block lists and whitelists for extensions using Intune for the Microsoft Edge browser. You don’t need to use OMA-URI settings; you can leverage Edge ADMX settings to establish block lists and whitelists for Edge extensions and apply them to end-user devices.