Google Chrome Extension MDM Profiles

If you aren't looking for full browser management, but still need some Chrome extensions deployed, manage them via an MDM profile.

We've recently had an increase in requests for managing the deployment of Google Chrome extensions. This is a fairly simple process, but worth quickly reviewing. One thing to bear in mind here is that you can elect to manage Google Chrome across your fleet with Google Chrome Cloud Management, but we'll look at this from a platform-agnostic standpoint, leveraging Chrome's support of MDM profile payloads.

The first thing you'll need is some information on the extension you want to have your devices automatically install. Head to the Chrome Web Store's Extensions section and find your target. Click on it to view the extension's page and copy the URL. As an example, here's the URL for 1Password's browser extension:

https://chrome.google.com/webstore/detail/1password-%E2%80%93-password-mana/aeblfdkhhhdcdjpifhhbdiojplfjncoa
The link for 1Password's Chrome Extension

See the long string at the very end of this URL? That's your Extension ID - take note of it.

Next, you'll want to create an MDM Profile for Chrome. If you're using ProfileCreator or iMazing Profile Editor, bring up the entry for Google Chrome, add the payload, and then head into the Extensions tab:

ProfileCreator - Google Chrome payload, Extensions tab
iMazing Profile Editor - Google Chrome payload, Extensions tab

Scroll through the available keys and look for "Extension/App IDs and update URLs to be silently installed", which is the plain-text description of the ExtensionInstallForcelist key. Add one entry to this payload for each extension you want to be automatically installed (and unremovable). Remember the Extension ID you found earlier? This is where it goes.

Once you've listed all your extensions, you can export the .mobileconfig file and prepare it for distribution. The extension IDs are saved in an array:

<key>ExtensionInstallForcelist</key>
<array>
	<string>aeblfdkhhhdcdjpifhhbdiojplfjncoa</string>
</array>
ExtensionInstallForcelist Array

This structure makes adding and removing additional extensions a simple task. Here's an example of a simple profile that just installs the 1Password extension:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>ExtensionInstallForcelist</key>
			<array>
				<string>aeblfdkhhhdcdjpifhhbdiojplfjncoa</string>
			</array>
			<key>PayloadDescription</key>
			<string>Configures Google Chrome settings</string>
			<key>PayloadDisplayName</key>
			<string>Google Chrome</string>
			<key>PayloadIdentifier</key>
			<string>com.github.erikberglund.ProfileCreator.439B4EAD-8E18-45EB-8C53-05320C68CF5A.com.google.Chrome.7BE4017E-134D-414C-801D-99408935A3DB</string>
			<key>PayloadOrganization</key>
			<string></string>
			<key>PayloadType</key>
			<string>com.google.Chrome</string>
			<key>PayloadUUID</key>
			<string>7BE4017E-134D-414C-801D-99408935A3DB</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
	</array>
	<key>PayloadDescription</key>
	<string>Installs the 1Password Google Chrome Browser Extension</string>
	<key>PayloadDisplayName</key>
	<string>Google Chrome - Extensions - 1Password</string>
	<key>PayloadIdentifier</key>
	<string>com.github.erikberglund.ProfileCreator.439B4EAD-8E18-45EB-8C53-05320C68CF5A</string>
	<key>PayloadOrganization</key>
	<string>Sudoade</string>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>439B4EAD-8E18-45EB-8C53-05320C68CF5A</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>
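
A pre-distribution check for a profile like the one above, as an added example that is not part of the original post or of any tool it mentions: it parses the .mobileconfig, pulls every ExtensionInstallForcelist entry out of the com.google.Chrome payloads, and flags malformed IDs and entries that carry their own update URL. It assumes an unsigned XML profile; the function names and the sample entries other than the 1Password ID are constructed for illustration.

```python
import plistlib
import re
from urllib.parse import urlparse

EXT_ID = re.compile(r"[a-p]{32}")  # Chrome extension IDs: 32 letters, a through p
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

def id_from_store_url(url):
    """Return the extension ID, the last path segment of a Web Store URL."""
    segment = urlparse(url).path.rstrip("/").rsplit("/", 1)[-1]
    if not EXT_ID.fullmatch(segment):
        raise ValueError(f"no extension ID at the end of {url!r}")
    return segment

def audit_forcelist(profile_bytes):
    """Return [(extension_id, update_url, problems)] for each forced extension."""
    profile = plistlib.loads(profile_bytes)
    results = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.google.Chrome":
            continue
        for entry in payload.get("ExtensionInstallForcelist", []):
            # An entry is "<id>" or "<id>;<update URL>".
            ext_id, _, update_url = entry.partition(";")
            problems = []
            if not EXT_ID.fullmatch(ext_id):
                problems.append("malformed extension ID")
            if update_url and update_url != WEBSTORE_UPDATE_URL:
                problems.append("update URL is not the Chrome Web Store")
            results.append((ext_id, update_url or WEBSTORE_UPDATE_URL, problems))
    return results

# Constructed sample profile: the page's 1Password entry plus two made-up
# entries that a review should catch before the profile is distributed.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": "com.google.Chrome",
        "ExtensionInstallForcelist": [
            "aeblfdkhhhdcdjpifhhbdiojplfjncoa",
            "aeblfdkhhhdcdjpifhhbdiojplfjncoa ",  # stray trailing space
            "abcdefghijklmnopabcdefghijklmnop;https://updates.example.invalid/crx",
        ],
    }],
})

if __name__ == "__main__":
    for ext_id, update_url, problems in audit_forcelist(SAMPLE_PROFILE):
        print(f"{ext_id!r:36} {update_url}  {', '.join(problems) or 'ok'}")
```

An entry with its own update URL is not necessarily wrong, but whoever controls that URL can ship code to every managed browser, so it deserves an explicit sign-off.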

Some final notes about distribution: once the profile is deployed and the extension is installed, your users will not be able to delete it. If they try, they'll see that the option to remove the extension is replaced by the text "Installed by Your Administrator":

The option to remove the extension is not available

Changes you make via MDM Profile may not take effect until the browser is quit and re-opened. This is relevant both for the installation and removal of extensions via profile - always instruct your users to relaunch their browser if important management changes are going live.