Monthly Archives: November 2014

Using Managed Preferences (MCX) to Block or Uninstall Chrome Extensions

All your base are belong to us!

Since I posted about using a Windows GPO to manage Google Chrome’s extensions, I didn’t want to leave out OS X admins from the Google Chrome management fun.

Before we dive in too deep let’s get this out of the way. Google offers two options for managing Chrome’s settings:

  1. Master Preferences (Think of these as default settings or suggestions)
  2. User and Machine Policy (These are NOT changeable by the user. This will block or uninstall any extension added to this list). This is what I will focus on in this article.

To use policy on a Mac, Google provides each copy of Google Chrome with a Managed Preference Manifest file buried deep within the application bundle:

(Yes, that’s two /Contents/Resources/com.google.Chrome.manifest’s deep. Don’t ask me why)

However, Google decided to leave out many of the description fields (pfm_title), so if you pull this into your Casper server (or Workgroup Manager, etc.) you will either be presented with an error or have a long list of blank preferences. Luckily, Ben Courtade was kind enough to update all these fields and upload them to JAMFNation for download here: Google Chrome Managed Preference Manifest.

If you have Managed Preferences enabled, this can easily be imported into the JSS as a Manual Setting in a Managed Preference profile.

First, create a new Managed Preference by logging in, clicking on the Computers top tab, then the Managed Preference side tab. Once in the Managed Preference window, click the (+) sign next to New to begin.

Then, scroll all the way down in the options to find the Custom tab. Click the (+) sign next to Upload Manifest and upload the downloaded Google Chrome manifest into the new manifest window.

You will then be presented with all of the options that Google allows to be managed through a preference manifest. The one we are interested in is ExtensionBlacklist. Tap the (+) sign and then the (+) next to Add ExtensionBlacklist to configure further.

From here, you can do one of two things:

  1. Disable plugins completely. Simply type in an asterisk “*”.
  2. Configure individual blocked plugins by Extension ID

How do you find the extension id? It’s fairly easy. Take this extension for example:

Google Chrome Store Extension ID

The highlighted section of the URL is the Extension ID. It’s that simple. Find the unwanted Extension, copy the last part of the URL into the Managed Preference and apply to your managed machines.

Blacklist Detail

You can have multiple extensions in this list. Just compile the IDs, click Edit and add all that you need.

My only complaint is you will have to keep an external list to keep a human-readable list of which IDs go with which extensions.
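One way to keep that external list and the ExtensionBlacklist values in sync is sketched below; this is an added example, not part of the original post or of any Casper or Google tooling. The extension names, store URLs and IDs are constructed sample data, and the helper names are hypothetical.

```python
import plistlib
import re
from urllib.parse import urlparse

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID = re.compile(r"[a-p]{32}")

def extension_id(entry):
    """Return the extension ID from a store URL, a bare ID, or the '*' wildcard."""
    if entry == "*":
        return entry  # wildcard: block every extension
    # The ID is the last path segment of the URL; a bare ID passes through unchanged.
    last = urlparse(entry).path.rstrip("/").rsplit("/", 1)[-1]
    if not EXT_ID.fullmatch(last):
        raise ValueError(f"no valid extension ID in {entry!r}")
    return last

def build_blacklist(inventory):
    """inventory maps a human-readable name to a URL or ID.

    Returns (XML plist bytes holding the ExtensionBlacklist array, {id: name}).
    """
    names = {}
    for name, entry in inventory.items():
        ext = extension_id(entry)
        if ext in names:
            raise ValueError(f"{name!r} duplicates {names[ext]!r} ({ext})")
        names[ext] = name
    payload = {"ExtensionBlacklist": sorted(names)}
    return plistlib.dumps(payload), names

# Constructed sample inventory: these names, URLs and IDs are made up.
INVENTORY = {
    "Example Toolbar": "https://chrome.google.com/webstore/detail/"
                       "example-toolbar/abcdefghijklmnopabcdefghijklmnop",
    "Example Coupon Helper": "ponmlkjihgfedcbaponmlkjihgfedcba",
}

if __name__ == "__main__":
    plist, names = build_blacklist(INVENTORY)
    print(plist.decode())              # values to enter under ExtensionBlacklist
    for ext, name in sorted(names.items()):
        print(f"{ext}  {name}")        # the human-readable side of the list
```

Keeping the inventory as the single source means a mistyped or truncated ID is rejected before it reaches the Managed Preference, where it would silently block nothing.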

The next thing that has been added to my to-do list is to try converting this to a Configuration Profile using Tim Sutton’s MCX to Profile utility. I will post an update when/if I get around to testing this more thoroughly.

Edit: It appears there are some issues with Yosemite and managed preferences with mobile directory accounts. I haven’t verified this on my own setup at this time, but be aware it is out there.

Disable Built in Google Chrome PDF Plugin using GPO

If you’re tasked with managing Google Chrome in your environment, Google has provided several ways to manage the browser. One of these options is using a Group Policy Administrative Template.

In my particular case, we had some PDFs that were not working correctly with a subscription service the school was using. Part of the issue was some were using Chrome while others were using IE. In order for both to have similar actions when downloading PDFs, I was asked to disable the built-in PDF Viewer in Chrome.

Relevant Links:

Google’s Chrome Policy Information Page

Download the Google Chrome Admin Templates and Docs here
