Blocking Chrome extensions with custom messages on macOS using Intune

-

 


When it comes to managing third party browser extensions for macOS, there is no easy way. While Intune has the settings added for Google Chrome in settings catalog for Windows, the same is missing for macOS. Now that organizations are using a mixture of OS platforms between Windows and macOS, it is becoming increasingly important to have consistency in management of enterprise devices. Until such time, administrators will have to find ways to configure such settings in a supported manner. Luckily in case of macOS, one can configure .plist and\or .mobileconfig files to manage most of the settings if note all. In this blog, I will quickly demonstrate how to block Google Chrome extension and display a custom message to the end user. I am using Google Drive as an example.

First we need to identify the extension ID and the easiest way is to access https://chromewebstore.google.com/ and search for the application. In this case we are searching for Google Drive. The search result will display the extension id in the url. We are going to use the same to prepare the .mobileconfig.


The .mobileconfig needs to be in the right syntax or it will fail to apply. Google has provided templates for Chrome extensions that can be downloaded from here. Once downloaded, you can edit in any text editor. Here are the values I modified.

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

  <key>PayloadContent</key>

    <array>

      <dict>

        <key>PayloadContent</key>

          <dict>

            <key>com.google.Chrome</key>

              <dict>

                <key>Forced</key>

                <array>

                  <dict>

                    <key>mcx_preference_settings</key>

                    <dict>

<key>ExtensionSettings</key>

<dict>

  <key>gmbmikajjgmnabiglmofipeabaddhgne</key>

  <dict>

    <key>blocked_install_message</key>

    <string>Your organization doesn't allow use of Google Drive.</string>

    <key>installation_mode</key>

    <string>blocked</string>

  </dict>

</dict>

              </dict>

            </dict>

          </array>

        </dict>

      </dict>

      <key>PayloadDisplayName</key>

      <string>Chrome ExtensionSettings blocked_install_message example</string>

      <key>PayloadEnabled</key>

      <true/>

      <key>PayloadIdentifier</key>

      <string>com.example.Chrome.example.blocked_install_message</string>

      <key>PayloadType</key>

      <string>com.apple.ManagedClient.preferences</string>

      <key>PayloadUUID</key>

      <string>EF547B75-4A82-49D2-BD20-A83FFC690D72</string>

      <key>PayloadVersion</key>

      <integer>1</integer>

    </dict>

  </array>

  <key>PayloadDescription</key>

  <string>Example of blocked_install_message.</string>

  <key>PayloadDisplayName</key>

  <string>Chrome ExtensionSettings blocked_install_message example</string>

  <key>PayloadIdentifier</key>

  <string>com.example.Chrome.example.blocked_install_message</string>

  <key>PayloadOrganization</key>

  <string>therjmdmlab</string>

  <key>PayloadRemovalDisallowed</key>

  <true/>

  <key>PayloadScope</key>

  <string>System</string>

  <key>PayloadType</key>

  <string>Configuration</string>

  <key>PayloadUUID</key>

  <string>59E01D237C8743879F46EBD9F8752EE13956836221F1422D98AE4650B2B9D13E</string>

  <key>PayloadVersion</key>

  <integer>1</integer>

</dict>

</plist>

Now we create a policy in Intune to import the above .mobileconfig file. Here are the steps -

1. Sign-in to the Microsoft Intune admin center

2. Browse to Devices –> Configuration

3. Click Create -> New Policy

4. Select Platform as macOS

5. Select Profile type as Templates > Custom

6. Provide a Name and hit next.

7. Configure similar to as shown below & pull the .mobileconfig file created earlier in this blog post -

Note: You can give any configuration profile name as long as it is unique and easy to spot on the targeted devices.

8. Assign to a device or user based group. I normally use Intune virtual groups and use filters.

End User Experience

At the next sync, the policy should apply and show up under Privacy & Security > Profiles

When the user tries to install the Google Drive application from Chrome webstore, the action will be blocked and the custom message will be displayed.

That's it. We have successfully blocked a chrome extension and displayed a custom message.

Until next time..

Comments

Post a Comment

Popular posts from this blog

How to force escrowing of BitLocker recovery keys using Intune

-
Image
Every now and then it so happens that BitLocker recovery keys do not escrow in AAD. The usual culprits are incorrect BitLocker policies and\or the device hardware configuration failing to meet the minimum requirements. The other scenario and something I recently experienced is when everything is setup right and still the recovery key doesn’t escrow in AAD. As I understand, this can happen if the escrow process got interrupted the first time due to network or local devices related issues and the process could not resume. To circumvent this issue, one can simply push a PowerShell script to the devices to force the escrow of the recovery keys to AAD. Here is a script to do so. try{ $BitlockerVol = Get-BitLockerVolume -MountPoint $env:SystemDrive         $KPID=""         foreach($KP in $BitlockerVol.KeyProtector){             if($KP.KeyProtectorType -eq "RecoveryPassword"){                 $KPID=$KP.KeyProtectorId                 break;             }         }        $o
Read more

Intune: Configure Printers for Non-Administrative Users

-
Image
Configuring printers for end users or giving them the ability to do it themselves is a normal requirement for organizations. Now if your users are Administrators, then the configuration can be straight forward, but in case of Non-Administrators there are additional steps required as Non-Administrators will not be able to add a driver in the driver store despite being able to install a printer. In this blog, I will cover the steps that I took to address this requirement using Intune. The setup involves 2 steps -  1. Setup registries. 2. Install the driver and configure the printer Setting up registries – The registries that need to be configured are actually part of a GPO setting – Allow non-administrators to install drivers for these device setup classes It can be found under: Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation I used a Powershell script to set the values and wrapped it in a Win32 application. $Path1
Read more

Configure CloudAPAuthEnabled to support Conditional Access in Google Chrome natively

-
Image
Starting with version 111 of Google Chrome, organizations can leverage conditional access policies natively using  CloudAPAuthEnabled . Before this release, Conditional access policies were only supported on Google Chrome by using additional extensions like Windows Accounts and Office Online . If you want to know more about the use of these extensions, then you can read all about it over here . Let's see the new policy involving  CloudAPAuthEnabled in a little detail and how can organization configure it using enterprise device management solutions. CloudAPAuthEnabled   is a setting that can be configured using the policy  Configures automatic user sign-in for accounts backed by a Microsoft® cloud identity provider .  By setting this policy to 1 (Enabled), users who sign into their computer with an account backed by a Microsoft cloud identity provider or who have added a work or school account to Microsoft Windows, can be signed into web properties using that identity automatical
Read more