Deploying Google Chrome extensions using Group Policy

This article is about deploying Google Chrome extensions using Group Policy. Find out how to retrieve the extension ID and update URL.

Before reading this article, I recommend you to read the article Google Chrome on Citrix deep-dive to gain an in-depth understanding of all facets of Google Chrome for both Citrix and traditional environments.

Deploying Google Chrome extensions using Group Policy

A user can add extensions to the Chrome browser by downloading them from the Chrome Web Store:

Deploying Google Chrome extensions using Group Policy - Chrome Web Store

This works great for individual users, but what if you want to deploy an extension to a large number of users in your organization? The solution is to deploy the extension via Group Policy.

Deploying extensions via Group Policy consists of two parts:

  1. Retrieve the extension ID and the update URL of the Chrome extension
  2. Enable and configure Chrome extensions in a Group Policy

Retrieve the extension ID and update URL of the Chrome extension

To be able to add an extension to a Group Policy, two values need to be known: the extension ID and an "update" URL. These two values have to be entered as one string, but separated by a semicolon (;). For example, the concatenated string of the extension ID and update URL for the Office Online extension version 1.5.2. is as follows:

ndjpnladcallmjemlbaebfadecfhkepb;https://clients2.google.com/service/update2/crx

The first thing to do, is to manually install the extension directly from the Chrome Web Store on your (test) system. You need to do this, otherwise you will not be able to retrieve the ID and update URL.

Note: the URL of the Chrome extension also contains the extension's ID, so technically speaking you could copy it directly from the browser's address bar. Secondly, the update URL seems to be the same for all extensions, namely: https://clients2.google.com/service/update2/crx. What I am saying is that installing the extension on a (test) system is not absolutely necessary, but I still recommend it. At the very least, you will be able to test the extension before deploying it to your users and you can check if any additional settings (options) can be configured. You may want to inform your users about these additional options.

The extension ID can be retrieved by opening the extensions tab in Chrome. Either enter chrome://extensions in the address bar or open the extensions tab via the menu:

Deploying Google Chrome extensions using Group Policy - Chrome view extensions

Enable developer mode. Now the ID of each individual extension is shown.

Deploying Google Chrome extensions using Group Policy - Chrome view extensions and retrieve the ID

Copy this ID somewhere (for example in Notepad); you will need this information in the next step.

Chrome extensions are installed on a per-user basis. The installation directory is:

C:\Users\%UserName%\AppData\Local\Google\Chrome\User Data\Default\Extensions

Deploying Google Chrome extensions using Group Policy - Chrome view extensions in file directory

The extension ID is equal to the name of the folder. Open the directory that corresponds with the ID of your extension, in our case ndjpnladcallmjemlbaebfadecfhkepb (= the ID of the Office Online extension). Open the subdirectory representing the version of the extension. In the root of this directory you should find the file manifest.json. Open this file in your favorite text editor (e.g. Notepad). Search for the string update_url. Here you will find the update URL:

Deploying Google Chrome extensions using Group Policy - Extension manifest.json update URL

Reference: https://developer.chrome.com/extensions/autoupdate

Now you have the values you need. Copy them together in one string and make sure to separate them using a semicolon (as shown in the beginning of this paragraph):

ndjpnladcallmjemlbaebfadecfhkepb;https://clients2.google.com/service/update2/crx

In the following paragraph you will enter this string in a Group Policy setting.

Configure the Group Policy setting to deploy the Chrome extension

Before you continue reading, please make sure that you have imported the Google Chrome ADMX files in your environment as described in the section Using Microsoft Group Policies (preferred) in the article Google Chrome on Citrix deep-dive.

To force-install extensions, open your Group Policy Management console (dsa.msc) and go to User Configuration \ Administrative Templates \ Google\  Google Chrome \ Extensions. Go to the setting Configure the list of force-installed apps and extensions and enable it.

Deploying Google Chrome extensions using Group Policy - Group Policy enable extensions

Click the Show button and enter the string you created in the previous paragraph:

ndjpnladcallmjemlbaebfadecfhkepb;https://clients2.google.com/service/update2/crx

Deploying Google Chrome extensions using Group Policy - Group Policy configure extensions

Now the policy setting is configured. On the next Group Policy refresh the user will automatically receive the required extension. To summarize, this policy will automatically install one or more extensions for all users to whom the Group Policy applies. The installation is executed silently and without user interaction.

As stated in the previous paragraph, after the extension has been installed you will find it in the directory C:\Users\%UserName%\AppData\Local\Google\Chrome\User Data\Default\Extensions.

Note: make sure that developer mode is disabled on the extensions tab. During my tests, extensions were not automatically installed with developer mode enabled.

Please be aware that when you remove the extension from the Configure the list of force-installed apps and extensions policy setting, the extension is automatically removed from Chrome for all users to whom the Group Policy applies.

Future updates of the extension are automatically installed through the update URL specified in the manifest file.

Unfortunately I was not able to come up with a solution concerning the centralized management of Chrome extension settings. Some extensions, for example The Great Suspender, come with additional options for the user to configure. As said, I was not able to find a way how to manage or configure these centrally.

Share this post:
Dennis Span on EmailDennis Span on LinkedinDennis Span on Twitter
Dennis Span
Dennis Span
Dennis Span works as a Senior Citrix Architect for a large insurance company in Vienna, Austria. He holds multiple certifications such as CCE-V, CCIA and CCEA. In 2017, Dennis became a Citrix Technology Advocate (CTA). Besides his interest in virtualization technologies and blogging, he loves spending time with his family as well as snowboarding, playing basketball and rowing. He is fluent in Dutch, English, German and Slovak and speaks some Spanish.

29 thoughts on “Deploying Google Chrome extensions using Group Policy

  1. Pingback: Google Chrome on Citrix deep-dive - Dennis Span

  2. The ADMX files I downloaded on 3-Oct-2017, under Computer Configuration/Administrative Templates/Google/Google Update/Applications/Google Chrome, do not have the options you show. I only have:

    Allow installation
    Target version prefix override
    Update policy override

    I checked under all 53 nodes and not see the settings for Chrome Extensions. All 53 nodes have the same three settings listed above.

  3. I see what the difference is. If you download just the ADM/ADMX bundle, you do not get all the admx files. You have to download the Chrome Bundle to get all the needed ADMX files.

    The ADMX download is just google.admx and googleupdate.admx. The Chrome Bundle gives you:

    chrome.admx
    ChromeUSASwitcher.admx
    google.admx
    GoogleUpdate.admx
    LegacyBrowserSupport.admx
    PasswordAlert.admx

    • Hi Carl,

      Nice to see you visiting my blog! 🙂 You are right, there is a difference in the downloads. Does it work for you now after you downloaded the Chrome Bundle?

      • Worked perfectly. Your instructions were crystal clear and easy to follow. I am working with a customer this morning who is having issues installing Chrome extensions for users on his XenApp servers. They will be pleased to see they do not have to alter the master image.

        I will have to make sure their user profile solution is tracking the necessary folder.

        BTW, I figured out my issue on the ADMX downloads. There are two links for "Download Chrome ADM/ADMX Templates". The bottom one does NOT work. I clicked the "Download Google Update ADMX template" assuming that was what I needed. Obviously not. The top "Download Chrome ADM/ADMX Templates" link does work.

        Thanks for your very clear and easy to understand and follow articles on the Chrome stuff.

        • Hi Carl. I am happy to hear that all went well and that the instructions were clear. I like the Chrome browser a lot, but the installation and configuration can be a bit tricky, especially in an enterprise environment and especially on Citrix hosted-shared or VDI. But I guess you realized that already. 😉

  4. Thank you for the great tutorials. We have enforced couple of extensions for a group of users using com.google.chrome plist file. We have added "ExtesnionInstallForcelist" key with a value of "extensionID;https://clients2.google.com/service/update2/crx" with an always value. It has been working great except for one issue is that some of these extensions opens a welcome tab many times while the user is using Chrome. Do you have any clue how we can stop this? Thank you so much!

    • Hi Mona, unfortunately, I am no expert on MacOS. I do not know why the welcome messages appear. Perhaps you can contact the developer of the plugin directly. I think this would the best course of action. I am sorry I cannot be of more help to you.

  5. Hi, I have pushed the GPO for pushing windows 10 accounts chrome extension as above. but it applies to only one system in the OU and fails for rest of the machines.

    • Hi Raghavva,

      Do I understand it correctly that you assigned the policy to the machine? The Chrome extensions should be applied to the users, not machines. Also, the Chrome extensions are configured under User Configuration, not Computer Configuration. Please correct me if I misunderstood your comments.

  6. Here's a scenario I would like to do.. Have a GPO (lets call it 'domain wide GPO') deploying a chrome extension to every system in the domain. And then another GPO (accounting) applying to only a subset of computers in the domain. However, without doing anything special, all machines, including the accounting ones would receive the 'domain wide GPO'. When the accounting machines refresh, they will get the 'domain wide GPO' as well as the 'accounting' one, but the domain wide one will win therefore ONLY applying the extensions set up in that. Is there a way to get the policies to 'stack' or 'combine' rather than having to create several GPOs with different lists of extensions applied to different sets of systems? And still have one that you can use to apply to ALL machines.

    • Hi Brian, my apologies for the late reply, but I was on holiday. First of all, Chrome extensions are not installed on the machine level. They are installed within the user profile (in the path "C:\Users\%UserName%\AppData\Local\Google\Chrome\User Data\Default\Extensions" to be exact). So you should use a user-based GPO and not a machine-based GPO. Secondly, in your example, the 'accounting policy' would win, not the domain wide GPO. And thirdly, I believe that the settings from both policies, when it comes to the list of extensions, are merged. I just did a quick with the Site to Zone Assignment list for Internet Explorer, which is also a "list based policy item" just like the one for Chrome extensions. I added different Trusted Sites to two policies; the Default Domain Policy and a lower-level policy on a child OU. The result was that my test user received a combined Trusted Site list consisting of both the list from the Default Domain Policy and the lower-level policy. So the lower level policy did not "win" or overwrite the Trusted Sites listed in the Default Domain Policy. So to answer your question and based on my quick test with the Site to Zone Assignment list, I would say that all extension settings from all policies will be applied to the user's profile. Just make sure to test this before going into production.

  7. B"H

    Hi Dennis,

    Please could you tell me if there is way to install a chrome extension in a closed internet environment where we do not have access to Google store ?

    Thank you

    Yechezkel

      • B"H

        Hi Dennis, thank you for your reply. I need a way to install the extension automatically, the only method that I have seen so far is to build an internal IIS site and to put the extension on the site.
        If you have a better idea I would be very grateful to hear from you.

        • Hi Yeckezkel, let me reach out to my contacts of the Chrome development team, ok? Perhaps they have a solution to automatically install the CRX file in an offline environment. I will contact you as soon as I have more information.

  8. Hello Dennis,

    Great article and very intuitive. My only question is there any way of hosting this .crx file somewhere other than the webstore with a custom url?. My company has security concerns so we hosted privately. I followed instructions to the t but it will not work. Tell me if wont or maybe I'm doing something wrong?!
    Thanks!!!

    • Hi Ivan. Thanks! Unfortunately, extensions cannot be customized using GPO, unless the developer of the extension would release an custom ADMX file for your Group Policies. So far I have never seen this.

  9. I want to black list all extensions, which I have and add a whitelist.

    The whitelist should be separated into two sections

    Mandatory - Configure the list of force-installed apps and extensions
    Subscribed - Whitelisted but not appear on Browser.

    If i try to add some in the "Configured extension installation whitelist" and that did not work.

    I then tried not configure the force-installed apps and extension and added them to the configured extnesion installation whitelist setting and that still didn't work.

Leave a Reply

Your email address will not be published.

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.