SOLVED

Blocking chrome extensions but whitelist specific ones

Steel Contributor

Hi all,

I'm having issues whitelisting specific extensions and also blocking others too!

I've added the Chrome ADMX and have force deploy on specific apps, which is working, but below are the configs for the ones that don't work:

Blocking

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallBlacklist

String: <enabled/> <data id="ExtensionInstallBlacklistDesc" value="1&#xF000;*"/>

Whitelisting

OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallWhitelist

String: <enabled/> <data id="ExtensionInstallWhitelistDesc" value="1&#xF000;alhngdkjgnedakdlnamimgfihgkmenbh&#xF000;2&#xF000;jbldkhfglmgeihlcaeliadhipokhocnm"/>

(I used this link: https://www.inthecloud247.com/manage-google-chrome-settings-with-microsoft-intune/ )

Please help!

33 Replies
hi,

Are you receiving any specific errors when looking at the device management enterprise event log?

Hi @Rudy_Ooms_MVP, do you mean this?

Screenshot 2021-10-06 at 7.32.45 AM.png

@AB21805 

Hi, no, this event log:

Rudy_Ooms_0-1633503933722.png

I get this: MDM ConfigurationManager: Command failure status. Configuration Source ID: (2F8AAF4A-BBC7-4009-A02F-27F93C36E6DA), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Receiver/Properties/Policy/FakePolicy/Version), Result: (The system cannot find the file specified.).

@Rudy_Ooms_MVP Hi, any ideas? Or is it worth trying to do these via PowerShell/regedit instead?

I will take a look at it tonight... This afternoon I am needed at my daughter's birthday party... :)
No problem! Thank you!

Happy Birthday to your Daughter!
Hi Rudy, any help with this would be great, I'm still struggling.
I totally forgot... I am creating the config policies like you did right now to take a look (I really need a to-do list... but then again, sometimes I am so dug into a subject that I don't look at my calendar, I guess)

@AB21805

Hi,

Just pushed this config to my test tenant

Rudy_Ooms_1-1634052063313.png

It looks like it's working on my side without any issue...

Rudy_Ooms_0-1634052030797.png

Could you check whether your Chrome ADMX contains this part, and whether it arrived at your device (PolicyManager/registry)?

<policy class="Both" displayName="$(string.ExtensionInstallBlacklist)" explainText="$(string.ExtensionInstallBlacklist_Explain)" key="Software\Policies\Google\Chrome" name="ExtensionInstallBlacklist" presentation="$(presentation.ExtensionInstallBlacklist)">
  <parentCategory ref="Extensions"/>
  <supportedOn ref="SUPPORTED_WIN7"/>
  <elements>
    <list id="ExtensionInstallBlacklistDesc" key="Software\Policies\Google\Chrome\ExtensionInstallBlacklist" valuePrefix=""/>
  </elements>
</policy>

Hi @Rudy_Ooms_MVP

So I have checked the ADMX and all is there:

Screenshot 2021-10-13 at 8.46.35 AM.png

Here is the policy I set for blacklist too:

Screenshot 2021-10-13 at 8.49.35 AM.png

Here is the registry via the device:

new (1).PNG

Any ideas where I'm going wrong? Is it best we do this via PowerShell, or is it clear where I have made a mistake?

Thanks again for your continued help

@AB21805

Hi, could you also post the output of this key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\Chrome~Policy~googlechrome~Extensions

like

Rudy_Ooms_0-1634120668113.png

And this one: \PolicyManager\Providers\762C2E7F-8C25-4E9E-AA57-D6E805C0E451\default\Device\Chrome~Policy~googlechrome~Extensions

Rudy_Ooms_0-1634120744858.png

And this key: \SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlacklist

Rudy_Ooms_1-1634120785667.png

Hi @Rudy_Ooms_MVP

The first screenshot I have:

1 screen.PNG

Second and third: I can't seem to find exactly what you want, but here are the screenshots:

screen 2.PNG
screen 3.PNG

Any ideas?

The provider ID could be different... there has to be some information about Chrome in it...

@AB21805 For our extension management in Edge (and Chrome) we use the "Configure extension management settings" option containing a JSON with all the extensions blocked and then the individual ones we want available listed with either "force_installed" for those we want installed and not touchable by the user, "allowed" for those that the user can go and install from the Edge store (and/or Chrome store) and "normal_installed" for those that we pre-install but the user can enable/disable as needed. We've found this handles extensions overall better than using the separate settings entries.

Below is our JSON as an example and here's the documentation link (and this is also included in Intune): https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-policies#configure-extension-management-s...

{"*":{"installation_mode":"blocked","blocked_install_message":"Installation of Edge extensions requires approval"},
"jmfbfggikgbdccejjilikgnfdjnpmlfe":{"installation_mode":"normal_installed","update_url":"https://clients2.google.com/service/update2/crx"},
"lfmcehohgifnaodaogknapedjiaoebgo":{"installation_mode":"allowed"},
"ekhagklcjbdpajgpjgmbionohlpdbjgc":{"installation_mode":"allowed"},
"pjjladfifbaokjdckiedipnkaemnjffa":{"installation_mode":"allowed"},
"oiigbmnaadbkfbmpbfijlflahbdbdgdf":{"installation_mode":"allowed"},
"mooikfkahbdckldjjndioackbalphokd":{"installation_mode":"allowed"},
"ddaloccgjfibfpkalenodgehlhkgoahe":{"installation_mode":"allowed"},
"jbbplnpkjmmeebjpijfedlgcdilocofh":{"installation_mode":"allowed"},
"fjgncogppolhfdpijihbpfmeohpaadpc":{"installation_mode":"allowed"},
"glnpjglilkicbckjpbgcfkogebgllemb":{"installation_mode":"allowed"},
"dpncpimghfponcpjkgihfikppbbhchil":{"installation_mode":"allowed"},
"dkgencfabioofgdmhhjljpkbbchbikbh":{"installation_mode":"allowed"},
"bomfdkbfpdhijjbeoicnfhjbdhncfhig":{"installation_mode":"allowed"},
"ikdddppdhmjcdfgilpnbkdeggoiicjgo":{"installation_mode":"normal_installed","update_url":"https://edge.microsoft.com/extensionwebstorebase/v1/crx"},
"nffeahffadlikbdfgngjocbcicdbikpa":{"installation_mode":"normal_installed","update_url":"https://clients2.google.com/service/update2/crx"},
"pbnfcaobikkbealhienfilklacghhgoi":{"installation_mode":"allowed"},
"hdgegmlancchhhlkkddoiedlklgocffm":{"installation_mode":"allowed"},
"lhdoppojpmngadmnindnejefpokejbdd":{"installation_mode":"allowed"},
"inahogkhlkbkjkkaleonemeijihmfagi":{"installation_mode":"allowed"},
"elgalmkoelokbchhkhacckoklkejnhcd":{"installation_mode":"allowed"},
"pbjjkligggfmakdaogkfomddhfmpjeni":{"installation_mode":"allowed"},
"hbfacnnpimgddoojjaonnnbeljegicfl":{"installation_mode":"normal_installed","update_url":"https://edge.microsoft.com/extensionwebstorebase/v1/crx"},
"maafgiompdekodanheihhgilkjchcakm":{"installation_mode":"normal_installed","update_url":"https://outlook.office.com/owa/SmimeCrxUpdate.ashx"},
"mbcgpelmjnpfbdnkbebdlfjmeckpnhha":{"installation_mode":"allowed"},
"llnckjibglpbknibkglkapgkcioabomp":{"installation_mode":"allowed"},
"jaleebmaoohbjjohjlfmihkkopgfibne":{"installation_mode":"allowed"},
"cdgjgpahklmdkojkkdgmckgmbnheolnl":{"installation_mode":"allowed"},
"mbopgmdnpcbohhpnfglgohlbhfongabi":{"installation_mode":"allowed"},
"ghbhpcookfemncgoinjblecnilppimih":{"installation_mode":"allowed"},
"jalhapcnkijacfbnbcicimhafnllongh":{"installation_mode":"allowed"},
"gpphkfbcpidddadnkolkpfckpihlkkil":{"installation_mode":"allowed"},
"nnkgneoiohoecpdiaponcejilbhhikei":{"installation_mode":"allowed"},
"gjpfobpafnhjhbajcjgccbbdofdckggg":{"installation_mode":"allowed"},
"ggknodeapenofhidkfgfncfoeclcfoom":{"installation_mode":"allowed"},
"ifoakfbpdcdoeenechcleahebpibofpc":{"installation_mode":"allowed"},
"ndaciljfdnekbnmcpjidoebejglcjidc":{"installation_mode":"allowed"},
"ogcgkffhplmphkaahpmffcafajaocjbd":{"installation_mode":"allowed"},
"pmapbmihblakhgodloklimjbaoohkiop":{"installation_mode":"allowed"},
"gmhjclgpamdccpomoomknemhmmialaae":{"installation_mode":"allowed"},
"lajjpilliikppcbaghjehndpfdiiphbe":{"installation_mode":"allowed"},
"pjocddipjlkokifpnnbmjemienmelhak":{"installation_mode":"allowed"},
"feolagkacappiaieohahjkeaikhjjcfa":{"installation_mode":"allowed"},
"ildbfpaelempeokjfldpclbfggjkhdhl":{"installation_mode":"allowed"},
"nhdogjmejiglipccpnnnanhbledajbpd":{"installation_mode":"allowed"},
"hicljaeiiajaecppcpfphnibmddpehlk":{"installation_mode":"allowed"},
"kpjldaeddnfokhmgdlmpdlecmobaonnj":{"installation_mode":"allowed"},
"banejkelfpdmmmfobepfdnbmbbnecnol":{"installation_mode":"allowed"}}
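
Added example, not part of the original thread and not any poster's own code: a Python script that builds a block-by-default extension-settings JSON of the kind described in the reply above, using the two extension IDs from the whitelist string in the first post, and lints a policy before it is pasted into the policy field. The function names and the lint rules are assumptions chosen for illustration.

```python
import json
import re

EXT_ID = re.compile(r"[a-p]{32}")  # extension IDs: 32 characters, a-p only
MODES = {"allowed", "blocked", "force_installed", "normal_installed", "removed"}
NEEDS_UPDATE_URL = {"force_installed", "normal_installed"}
CHROME_STORE = "https://clients2.google.com/service/update2/crx"  # URL used in the thread's JSON


def build_settings(allowed=(), force_installed=(), message=None):
    """Default-deny policy: block '*', then list the approved exceptions."""
    default = {"installation_mode": "blocked"}
    if message:
        default["blocked_install_message"] = message
    settings = {"*": default}
    for ext in allowed:
        settings[ext] = {"installation_mode": "allowed"}
    for ext in force_installed:
        settings[ext] = {"installation_mode": "force_installed", "update_url": CHROME_STORE}
    return settings


def lint_settings(settings):
    """Return problems that would weaken the block-by-default policy or break an entry."""
    problems = []
    if settings.get("*", {}).get("installation_mode") != "blocked":
        problems.append("'*' is not blocked: unlisted extensions remain installable")
    for key, entry in settings.items():
        if key == "*" or key.startswith("update_url:"):
            continue  # default entry and update-URL scoped entries are not extension IDs
        mode = entry.get("installation_mode")
        if not EXT_ID.fullmatch(key):
            problems.append(f"{key}: not a 32-character a-p extension ID")
        if mode not in MODES:
            problems.append(f"{key}: unknown installation_mode {mode!r}")
        elif mode in NEEDS_UPDATE_URL and not entry.get("update_url"):
            problems.append(f"{key}: {mode} needs an update_url")
    return problems


if __name__ == "__main__":
    # The two IDs from the whitelist string in the first post.
    policy = build_settings(allowed=["alhngdkjgnedakdlnamimgfihgkmenbh",
                                     "jbldkhfglmgeihlcaeliadhipokhocnm"])
    print(json.dumps(policy, separators=(",", ":")))  # single-line value for the policy field
    # Constructed bad policy: permissive default, malformed ID, missing update_url.
    bad = {"*": {"installation_mode": "allowed"},
           "NotAnExtensionId": {"installation_mode": "force_installed"}}
    for problem in lint_settings(bad):
        print("PROBLEM:", problem)
```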

 

Ahh, it's indeed missing the "knowhow"/settings.
Did you create a separate policy/csp for it or did you add it to the existing csp?

Hi @Rudy_Ooms_MVP

I have added to existing:

Screenshot 2021-10-14 at 8.32.52 AM.png

What happens when you create a separate policy/csp for it?

Accepted Solutions
best response confirmed by AB21805 (Steel Contributor)
Solution
You could try to download this admx file (just uploaded it)
https://github.com/Call4cloud/Enrollment/blob/main/DU/ADMX/chromeadmx.xml

And try to ingest that one... to see what happens?
