Forum Discussion
Security baseline (DRAFT) for Chromium-based Microsoft Edge, version 79
- Jan 15, 2020
I dug into edge://policy and found the issue: the format for allowed extensions is not the same as for silently installed extensions, so that setting was in an error state ("Value doesn't match expected format.").
Once I fixed that I could turn on the * for "Control which extensions cannot be installed" and the allowed extensions remain on.
- For allowed extensions it is just the extension unique ID.
- For silently installed extensions it is the unique ID, a semicolon, and the install source.
I was able to keep the install sources locked down to Microsoft and Google with those settings on.
Another nice discovery from diving into the https://support.google.com/chrome/a/answer/7532015?hl=en was adding a JSON configuration in "Configure extension management settings" to deliver a more friendly message to users when an extension installation is blocked as well. The formatting of this is limited (it starts on the same line as the built-in message and \n line breaks aren't honoured.) Key to getting this to work was the https://mythic-byway-180716.appspot.com/ to both validate the JSON and compact it into a single line for the GPO.
In case this can help anyone else, I've attached screenshots of my working configuration. (Of course the specific extensions your organization silently pushes and allows will differ!)
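The two list formats and the single-line JSON described in the post above, as an added example that is not part of the original post. The function names and extension IDs are constructed for illustration, and the two store update URLs are assumed to be the "Microsoft and Google" install sources the post refers to.

```python
import json
import re

# Chromium extension IDs are 32 characters from the letters a-p.
EXT_ID = re.compile(r"[a-p]{32}")
# Assumed install sources (Microsoft Edge Add-ons and Chrome Web Store update URLs).
TRUSTED_SOURCES = {
    "https://edge.microsoft.com/extensionwebstorebase/v1/crx",
    "https://clients2.google.com/service/update2/crx",
}

def check_allowlist(entries):
    """Allowed extensions: each entry is the bare extension ID, nothing else."""
    return [f"allow list: {e!r} is not a bare extension ID"
            for e in entries if not EXT_ID.fullmatch(e)]

def check_forcelist(entries):
    """Silently installed extensions: each entry is ID;install-source."""
    errors = []
    for e in entries:
        ext_id, sep, source = e.partition(";")
        if not EXT_ID.fullmatch(ext_id):
            errors.append(f"force list: {e!r} does not start with an extension ID")
        elif not sep or not source:
            # Requiring a source is this example's choice, matching the post's format.
            errors.append(f"force list: {e!r} has no ';install-source' part")
        elif source not in TRUSTED_SOURCES:
            errors.append(f"force list: {e!r} uses an untrusted install source")
    return errors

def compact_settings(message):
    """Build single-line JSON for 'Configure extension management settings'."""
    # Line breaks are not honoured in the dialog, so collapse them to spaces.
    text = " ".join(message.split())
    return json.dumps({"*": {"blocked_install_message": text}},
                      separators=(",", ":"))

if __name__ == "__main__":
    id_a, id_b = "a" * 32, "b" * 32  # constructed IDs, not real extensions
    edge = "https://edge.microsoft.com/extensionwebstorebase/v1/crx"
    # The mistake from the post: a force-list style entry placed in the allow list.
    print(check_allowlist([id_a, f"{id_b};{edge}"]))
    print(check_forcelist([f"{id_a};{edge}", id_b]))
    print(compact_settings("Blocked by IT policy.\nContact the help desk."))
```

Running the checks over the values before pasting them into the GPO catches the format mismatch that edge://policy otherwise reports only after deployment.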
Hi ashishpoddar
I gave that a try and the result is the same: the extensions that are not silently pushed get disabled.
For complete clarity I have attached screenshots of the policy and the result.
- ashishpoddar, Jan 16, 2020
Microsoft
Glad that you were able to get it to work, Doug Howell.
Good learnings for us as well, and will see if we can improve the documentation.
Thanks for taking the effort to add the pro-tip to customize error messages.