In Chrome 39 ExtensionInstallForcelist doesn't seem to work for extensions installed by enterprise policy


Jimbo Jones

Nov 21, 2014, 7:05:46 PM
to chromium-...@chromium.org
For a year or so I have been creating policies on my classroom Macs to set up Chrome the way I want it. I want to make sure that students do not have to install this extension manually, and also that they CANNOT remove it. I also want to disable incognito browsing for all the computers. Think little kids, and also older kids who like to mess with things.

Previously in my classrooms I have configured Chrome settings on OS X by creating /Library/Preferences/com.google.Chrome.plist.  Notice that this is NOT the per-user preferences folder, this is the global one.

Here's what the file looked like (although it's a binary plist I create with a utility):

{
    ExtensionInstallForcelist = (
        "jopefhbaobkgbmpbbgihangcllmjcpmb;https://clients2.google.com/service/update2/crx"
    );
    IncognitoModeAvailability = 1;
}

Previously this worked perfectly, but in Chrome 39 the extension no longer installs.  Incognito Mode is set correctly, and chrome://policy shows that my policy is set with status OK but the extension just will not load. So, I know this file is being read and used by Chrome, it's just not loading the extension.

I know I can follow the documentation for "External Extensions" but I've tried that and the students can still remove the extension. Before, the extensions page would say "Installed by enterprise policy" and the Enabled button and trash can were always disabled.

Anyone know what changed or what I need to do to install an extension with an enterprise policy?  I really don't want to use OS X server to set MCX settings, nor buy any other product to do this.  Thanks in advance.


Jason King

Dec 4, 2014, 11:26:34 AM
to chromium-...@chromium.org
Have you figured anything else about this?  This happened to me as well, and I can't seem to find any indication from Google that they changed anything.

Jimbo Jones

Dec 4, 2014, 2:55:32 PM
to chromium-...@chromium.org
I still haven't figured this out. 


Jason King

Dec 9, 2014, 4:18:33 PM
to chromium-...@chromium.org
Jimbo - I've come up with a way to fix this. As of Chrome 39, they require you to use a Managed Profile. You would need to make a preference payload, that would look like this for you:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadIdentifier</key>
    <string>com.yourname.Angrybird</string>
    <key>PayloadRemovalDisallowed</key>
    <false />
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>bde4dcb5-d4bf-4943-b992-c30f82eb1468</string>
    <key>PayloadOrganization</key>
    <string>Your Org</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadDisplayName</key>
    <string>Your Name</string>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.ManagedClient.preferences</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadIdentifier</key>
            <string>com.yourname.Angrybird.f13e3b90-6187-0132-2314-685b357e505d</string>
            <key>PayloadUUID</key>
            <string>f13e3b90-6187-0132-2314-685b357e505d</string>
            <key>PayloadEnabled</key>
            <true />
            <key>PayloadDisplayName</key>
            <string>Google Chrome</string>
            <key>PayloadContent</key>
            <dict>
                <key>com.google.Chrome</key>
                <dict>
                    <key>Forced</key>
                    <array>
                        <dict>
                            <key>mcx_preference_settings</key>
                            <dict>
                                <key>IncognitoModeAvailability</key>
                                <integer>1</integer>
                                <key>ExtensionInstallForcelist</key>
                                <array>
                                    <string>jopefhbaobkgbmpbbgihangcllmjcpmb;https://clients2.google.com/service/update2/crx</string>
                                </array>
                            </dict>
                        </dict>
                    </array>
                </dict>
            </dict>
        </dict>
    </array>
</dict>
</plist>

Save that as profile.mobileconfig

To install it on the computer, double click on that file, or run this in terminal:

sudo /usr/bin/profiles -I -F ./profile.mobileconfig

To uninstall it, you can run, with that payload name the same as you set in the file:

sudo profiles -R -p com.yourname.Angrybird -v

This method worked perfectly for me.
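
The profile layout from the post above, generated and read back with Python's plistlib. This is an added example, not part of the original thread: the function names are illustrative, fresh UUIDs are generated per profile, and the https requirement on the update URL is this example's own check. Reading the profile back shows which forced Chrome settings a given .mobileconfig would apply before it is installed.

```python
import plistlib
import re
import uuid

# Added example; function names are illustrative, not from the thread.
# Chrome extension IDs are 32 characters drawn from a-p; a forcelist entry is
# "<id>;<update URL>". Requiring https here is this example's own choice.
ENTRY_RE = re.compile(r"^[a-p]{32};https://\S+$")

def build_profile(identifier, organization, display_name, forcelist, incognito=1):
    """Return .mobileconfig bytes carrying forced com.google.Chrome settings."""
    bad = [e for e in forcelist if not ENTRY_RE.match(e)]
    if bad:
        raise ValueError(f"malformed ExtensionInstallForcelist entries: {bad}")
    inner_uuid = str(uuid.uuid4())
    settings = {
        "IncognitoModeAvailability": incognito,
        "ExtensionInstallForcelist": list(forcelist),
    }
    payload = {
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.{inner_uuid}",
        "PayloadUUID": inner_uuid,
        "PayloadEnabled": True,
        "PayloadDisplayName": "Google Chrome",
        "PayloadContent": {"com.google.Chrome": {"Forced": [{"mcx_preference_settings": settings}]}},
    }
    profile = {
        "PayloadIdentifier": identifier,
        "PayloadRemovalDisallowed": False,
        "PayloadScope": "System",
        "PayloadType": "Configuration",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadOrganization": organization,
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

def forced_chrome_settings(profile_bytes):
    """Parse a profile and return the forced Chrome settings it would apply."""
    merged = {}
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        chrome = payload.get("PayloadContent", {}).get("com.google.Chrome", {})
        for block in chrome.get("Forced", []):
            merged.update(block.get("mcx_preference_settings", {}))
    return merged
```
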

Jimbo Jones

Dec 9, 2014, 7:12:00 PM
to chromium-...@chromium.org
That worked perfectly.  Thanks Jason!   

Nathaniel Ring

Jan 8, 2015, 1:02:21 PM
to chromium-...@chromium.org
Is there any documentation as to why Chrome 39 forces us to use Managed Profiles? Does this affect all OS's?
I recently tried to test out a local policy ExtensionInstallForcelist key and I can't get it working.