Edge Policy REQ: Allow Extensions from other stores

Copper Contributor

An Edge policy to enable/disable "Allow extensions from other stores." would be very helpful.

 

We currently use the allow extensions policy, in addition to allowed lists, and url/store restrictions.  Some allowed extensions are from the Chrome store. 

 

Though using these requires this additional manual step to actually install the extension.

16 Replies

@dandirk Thanks for reaching out! To confirm, are you using Microsoft Edge on an Enterprise account? And if so, can you provide some more details about how an enable/disable policy would be beneficial?

 

Fawkes (they/them)
Project & Community Manager - Microsoft Edge

@Deleted 

 

Correct yes we are using Edge with our Azure/Enterprise accounts (hybrid join, MEMCM co-managed etc).

 

We currently white list approved extensions...  In order to install an approved extension from Chrome Web Store, users need to turn that flag on manually.

 

We would like the option to set this for them, reduce one more self-config step and secure with other methods (allowed extensions/stores etc).

 

Another option would be to exclude approved extensions from that security check so the option could still be off but still allow installation.  This is the behavior for forced extension installations...

 

 

@dandirk 

What a coincidence. I was just looking at exactly this today and was met with the exact same issue ... no way to enable that switch.

 

There was already another discussion over at https://techcommunity.microsoft.com/t5/enterprise/gpo-for-quot-allow-extensions-from-other-store-quo... about this but they never came to anything close to a solution.

 

I've also opened a case regarding this, if that helps anyone.

@narutards @dandirk 

 

We have explained the current workflow for the preference"Allow extensions from other stores" in this post https://techcommunity.microsoft.com/t5/microsoft-security-baselines/edge-extensions-developer-and-ot...

 

Could you please review it and let us know your feedback on that thread please? 

@ashishpoddar 

I've reviewed the thread you link and I got three issues with the workflow described in it.

 

1. There is no way to prevent users from enabling the "Allow extensions from other stores" switch. The only way to actually prevent the installation itself is to blacklist the extension GUID "*". Currently there is no way for us to limit users to just the Microsoft store.

 

2. As part of the case I opened I was asked to test the "ExtensionInstallSources" policy (https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#extensioninstallsources) but it appears that this is completely unrelated to the "Allow extensions from other stores" switch too. 

 

Setting the following two policies will still prompt you to enable the installation from other stores even when you are on the Chrome store's website:

I'd kind of expect the switch to be toggled if there already is a policy in place to allow another store. Maybe that's just me.

Likewise I'd expect to user to be unable to install extensions from _any other_ store if I already provide a whitelisted set of stores. The user should not be allowed to install from any other sources than the whitelisted ones.

 

3. Having the user manually enable the installation from other stores might seem like a security measure but in reality there are just two things that will happen. Group 1 clicks "OK" on everything without thinking anyway, regardless of consequences. And group 2 will call the IT hotline and ask what it all means and whether they can safely click the button. Being able to take away this decision from our users would save everyone some time, especially if we had the ability to both either disable or enable it permanently with a GPO. Bundle that with the ability to explicitly whitelist sources through the "ExtensionInstallSources" and in turn automatically blacklisting all other sources we'd have everything we need.

@narutards Thanks for the detailed explanation of the requirements. We are exploring various options with respect to this. 

 

I just want to clarify that as of now ExtensionInstallSources policy cannot be used to block extensions from the Chrome Web Store. 

@ashishpoddar 

Any update on adding this policy?

 

We would like this switch as well.

 

Having issues with this as well.

My goal is to silently install an extension from Chrome Web Store.

 

I have added to the Extension ID to the ExtensionInstallAllowlist.

Configured ExtensionInstallAllowlist to *

And added the Extension ID to ExtensionInstallForcelist.

But the extension isn't installed automatically.

 

If I do the same with an extension that is published in the Microsoft Edge Store, then its silently installed.

In addition I tried to manually configure ExtensionInstallSources via registry with https://microsoftedge.microsoft.com/addons/* and https://chrome.google.com/webstore/* but it didn't help.

 

The user can manually install the extension after enabling Allow extensions from other store.

 

Is there more to it?

We are looking for the same solution like in the Answers written before.


Our Company want a silent installation of one single Chrome Store Add-On by Policy on the customers computer. 
This Add-On should not be editable or removable from customers side. Customer should also be able to install other Add-On from Edge and Chrome Store for his own.

We tested already the "ExtensionInstallSources" linked to Chrome Store and also the "ExtensionInstallForcelist" to the needed Add-On.

It was not working in our configuration.

There are a lot more articles about this topic inside the Web.
Is there actually a working solution for this?

Thank you for the reply.

@DataWarrior21 is it allowed at to have silent install at chrome? Reason for my ask is that google chrome deprecated this a while ago (https://developer.chrome.com/docs/webstore/inline_installation/).

@Daniel Persson 

For force installing an extension hosted in the Chrome web store use a string such in the the ExtensionInstallForcelist policy. Remember to use a separate line for each extension that you want to forceinstall.  as: pckdojakecnhhplcgfflhndiffaohfah;https://clients2.google.com/service/update2/crx.

 
You are correct, the inline install method is not supported as per the link referred by you. However, note that inline installation is different from silent install.

@ashishpoddar, sorry I misread it, so to give the full answer in-line installs are deprecated (sehttps://developer.chrome.com/docs/webstore/inline_installation/) and silent installs were deprecated even before that (see https://blog.chromium.org/2012/12/no-more-silent-extension-installs.html?m=1) 

Now there is a way to prevent users from installing extensions from 3rd party store - including Chrome Web Store. You can use the ExtensionSettings policy for this.

To block extensions from a particular third party store, you only need to block the update_url for that store. For example, if you want to block extensions from Chrome Web Store, you can use the following JSON.

{"update_url:https://clients2.google.com/service/update2/crx":{"installation_mode":"blocked "}}

For more details refer to: https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#extensionsettings

We also developed a tool for IT Admins to generate the ExtensionSettings JSON file. It is still in early stages (and its open sourced ) but any feedback will be helpful. Use it here: https://microsoft.github.io/edge-extension-settings-generator/minimal




We have added some details on how to manage extensions and that convers the use case to disable extensions from Chrome Web Store. Check out these links and share your feedback.
1. Getting ready to manage extensions: https://aka.ms/Gettingreadytomanageextensions
2. Policies to manage extensions in your enterprise https://aka.ms/ExtensionsGroupPolicies
3. Creating your own extension store https://aka.ms/EnterpriseStore

@ashishpoddar 

This switch still appears to be off by default.  Is there any way to toggle the switch to "enabled"?  This would help reduce issues many are seeing.