managed storage MacOS MCX
266 views
Skip to first unread message
David
Jul 3, 2023, 6:22:12 AM7/3/23
to Chromium Extensions
Our extension uses a custom policy that reads from managed storage.
As the guide instructs here: https://www.chromium.org/administrators/configuring-policy-for-extensions/#mac
Macs are expected to write the policy to the local directory service and load the configuration with MCX. As I understand, configuring Macs with MCX is deprecated/discouraged in favor of writing preferences with profiles (MDM) or simply modifying those in /Library/Preferences or ~/Library/Preferences.
Macs are expected to write the policy to the local directory service and load the configuration with MCX. As I understand, configuring Macs with MCX is deprecated/discouraged in favor of writing preferences with profiles (MDM) or simply modifying those in /Library/Preferences or ~/Library/Preferences.
I'm looking for a way to have Chromium-based browsers detect the extension policy from a preference file instead of MCX.
Example extension policy
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>device_id</key>
<dict>
<key>state</key>
<string>always</string>
<key>value</key>
<string>...some value...</string>
</dict>
<key>hostname</key>
<dict>
<key>state</key>
<string>always</string>
<key>value</key>
<string>...some value...</string>
</dict>
<key>username</key>
<dict>
<key>state</key>
<string>always</string>
<key>value</key>
<string>...some value...</string>
</dict>
</dict>
</plist>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>device_id</key>
<dict>
<key>state</key>
<string>always</string>
<key>value</key>
<string>...some value...</string>
</dict>
<key>hostname</key>
<dict>
<key>state</key>
<string>always</string>
<key>value</key>
<string>...some value...</string>
</dict>
<key>username</key>
<dict>
<key>state</key>
<string>always</string>
<key>value</key>
<string>...some value...</string>
</dict>
</dict>
</plist>
Oliver Dunk
Jul 3, 2023, 6:32:21 AM7/3/23
to David, Chromium Extensions
Hi,
If I'm understanding correctly, could a tool like mcxToProfile help?
https://github.com/timsutton/mcxToProfile
This generates an equivalent profile that can be installed for a given MCX input.
As an example, here's an point in the update testing tool we open sourced where we generate a mobileconfig file to force install an extension: https://github.com/GoogleChromeLabs/extension-update-testing-tool/blob/main/server/routes/policy.js#L24
If I'm understanding correctly, could a tool like mcxToProfile help?
https://github.com/timsutton/mcxToProfile
This generates an equivalent profile that can be installed for a given MCX input.
As an example, here's an point in the update testing tool we open sourced where we generate a mobileconfig file to force install an extension: https://github.com/GoogleChromeLabs/extension-update-testing-tool/blob/main/server/routes/policy.js#L24
--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/839dd6d8-be90-439f-9a46-5cf3246d09b2n%40chromium.org.
David
Jul 3, 2023, 7:24:56 AM7/3/23
to Chromium Extensions, Oliver Dunk, Chromium Extensions, David
Almost, we create those mobileconfig files to force install the extension, and that's working well.
<dict>
<key>hostname</key>
<dict>
<key>state</key>
<string>always</string>
<key>value</key>
<key>device_id</key>
<dict>
<key>state</key>
<string>always</string>
<key>value</key>
</dict>
<key>username</key>
<dict>
<key>state</key>
<string>always</string>
<key>value</key>
I'm referring to a custom extension policy that isn't part of the browser policy. In the example XML I posted there are three values. When this configuration is imported to the local directory service under mcx_application_data, the browser will load it under the extension policy and it will be available to be read from managed storage.
This configuration will differ between devices/hosts so it needs to be generated and configured by a shell script (usually run by an MDM tool). However, using the local directory service / MCX to configure the browser is not encouraged anymore. Is there support for this configuration in other configuration methods?
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.google.Chrome.Browser.extensions.${EXTENSION_ID}</key>
<dict>
<key>hostname</key>
<dict>
<key>state</key>
<string>always</string>
<key>value</key>
<string>${HOSTNAME}</string>
</dict>
</dict>
<key>device_id</key>
<dict>
<key>state</key>
<string>always</string>
<key>value</key>
<string>${DEVICE_ID}</string>
</dict>
<key>username</key>
<dict>
<key>state</key>
<string>always</string>
<key>value</key>
<string>${USERS}</string>
</dict>
</dict>
</dict>
</plist>
</dict>
</dict>
</dict>
</plist>
Oliver Dunk
Jul 3, 2023, 8:13:21 AM7/3/23
to David, Chromium Extensions
Hmm, I think I mostly understand what you're looking for but not quite.
Would using the mcxToProfile tool to convert the plist you just shared work? Or are you not looking for a mobileconfig file?
It would be useful if you could share the specific file format or tool you'd like to use to load policies.
Reply all
Reply to author
Forward
0 new messages