Forum Discussion
Edge Policy REQ: Allow Extensions from other stores
I've reviewed the thread you link and I've got three issues with the workflow described in it.
1. There is no way to prevent users from enabling the "Allow extensions from other stores" switch. The only way to actually prevent the installation itself is to blacklist the extension GUID "*". Currently there is no way for us to limit users to just the Microsoft store.
2. As part of the case I opened I was asked to test the "ExtensionInstallSources" policy (https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#extensioninstallsources) but it appears that this is completely unrelated to the "Allow extensions from other stores" switch too.
Setting the following two policies will still prompt you to enable the installation from other stores even when you are on the Chrome store's website:
- HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallSources\1 = https://microsoftedge.microsoft.com/addons/*
- HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallSources\2 = https://chrome.google.com/webstore/*
I'd kind of expect the switch to be toggled if there already is a policy in place to allow another store. Maybe that's just me.
Likewise I'd expect the user to be unable to install extensions from _any other_ store if I already provide a whitelisted set of stores. The user should not be allowed to install from any other sources than the whitelisted ones.
3. Having the user manually enable the installation from other stores might seem like a security measure, but in reality there are just two things that will happen. Group 1 clicks "OK" on everything without thinking anyway, regardless of consequences. And group 2 will call the IT hotline and ask what it all means and whether they can safely click the button. Being able to take away this decision from our users would save everyone some time, especially if we had the ability to either disable or enable it permanently with a GPO. Bundle that with the ability to explicitly whitelist sources through "ExtensionInstallSources", in turn automatically blacklisting all other sources, and we'd have everything we need.
Now there is a way to prevent users from installing extensions from a 3rd party store - including the Chrome Web Store. You can use the ExtensionSettings policy for this.
To block extensions from a particular third party store, you only need to block the update_url for that store. For example, if you want to block extensions from Chrome Web Store, you can use the following JSON.
{"update_url:https://clients2.google.com/service/update2/crx":{"installation_mode":"blocked"}}
For more details refer to: https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#extensionsettings
We also developed a tool for IT Admins to generate the ExtensionSettings JSON file. It is still in early stages (and it's open sourced) but any feedback will be helpful. Use it here: https://microsoft.github.io/edge-extension-settings-generator/minimal
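A pre-deployment check for an ExtensionSettings value like the one in the reply above, added here as an example; it is not code from either poster or from the generator tool. The function name, the sample strings and the list of accepted `installation_mode` values (taken as an assumption from the ExtensionSettings documentation linked in the thread) are this example's own.

```python
import json
import re
from urllib.parse import urlparse

# Assumed set of installation_mode values for the ExtensionSettings policy.
VALID_MODES = {"allowed", "blocked", "force_installed", "normal_installed", "removed"}
EXTENSION_ID = re.compile(r"^[a-p]{32}$")  # extension IDs use the letters a-p only


def lint_extension_settings(policy_text):
    """Return a list of problems found in an ExtensionSettings JSON string."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(policy, dict):
        return ["top level must be a JSON object"]

    problems = []
    for key, entry in policy.items():
        if key.startswith("update_url:"):
            url = urlparse(key[len("update_url:"):])
            if url.scheme not in ("http", "https") or not url.netloc:
                problems.append(f"{key!r}: update_url is not an absolute http(s) URL")
        elif key != "*" and not EXTENSION_ID.match(key):
            problems.append(f"{key!r}: not '*', an extension ID or an update_url: key")

        if not isinstance(entry, dict):
            problems.append(f"{key!r}: value must be a JSON object")
            continue
        mode = entry.get("installation_mode")
        if mode is None:
            continue
        if not isinstance(mode, str) or mode not in VALID_MODES:
            padded = isinstance(mode, str) and mode.strip() in VALID_MODES
            hint = " (stray whitespace)" if padded else ""
            problems.append(f"{key!r}: unknown installation_mode {mode!r}{hint}")
    return problems


# Constructed samples: the Chrome Web Store block from the thread, once
# well-formed and once with a trailing space inside the mode string.
CWS = "update_url:https://clients2.google.com/service/update2/crx"
GOOD = json.dumps({CWS: {"installation_mode": "blocked"}})
PADDED = json.dumps({CWS: {"installation_mode": "blocked "}})

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("PADDED", PADDED)):
        print(name, lint_extension_settings(text) or "ok")
```

Running the check on the JSON before it goes into the GPO or registry catches a mistyped mode or key while it is still a text file.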