Blocking Chrome extensions with custom messages on macOS using Intune
When it comes to managing third party browser extensions for macOS, there is no easy way. While Intune has the settings added for Google Chrome in settings catalog for Windows, the same is missing for macOS. Now that organizations are using a mixture of OS platforms between Windows and macOS, it is becoming increasingly important to have consistency in management of enterprise devices. Until such time, administrators will have to find ways to configure such settings in a supported manner. Luckily in case of macOS, one can configure .plist and\or .mobileconfig files to manage most of the settings if note all. In this blog, I will quickly demonstrate how to block Google Chrome extension and display a custom message to the end user. I am using Google Drive as an example.
First we need to identify the extension ID and the easiest way is to access https://chromewebstore.google.com/ and search for the application. In this case we are searching for Google Drive. The search result will display the extension id in the url. We are going to use the same to prepare the .mobileconfig.
The .mobileconfig needs to be in the right syntax or it will fail to apply. Google has provided templates for Chrome extensions that can be downloaded from here. Once downloaded, you can edit in any text editor. Here are the values I modified.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadContent</key>
<dict>
<key>com.google.Chrome</key>
<dict>
<key>Forced</key>
<array>
<dict>
<key>mcx_preference_settings</key>
<dict>
<key>ExtensionSettings</key>
<dict>
<key>gmbmikajjgmnabiglmofipeabaddhgne</key>
<dict>
<key>blocked_install_message</key>
<string>Your organization doesn't allow use of Google Drive.</string>
<key>installation_mode</key>
<string>blocked</string>
</dict>
</dict>
</dict>
</dict>
</array>
</dict>
</dict>
<key>PayloadDisplayName</key>
<string>Chrome ExtensionSettings blocked_install_message example</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>com.example.Chrome.example.blocked_install_message</string>
<key>PayloadType</key>
<string>com.apple.ManagedClient.preferences</string>
<key>PayloadUUID</key>
<string>EF547B75-4A82-49D2-BD20-A83FFC690D72</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>Example of blocked_install_message.</string>
<key>PayloadDisplayName</key>
<string>Chrome ExtensionSettings blocked_install_message example</string>
<key>PayloadIdentifier</key>
<string>com.example.Chrome.example.blocked_install_message</string>
<key>PayloadOrganization</key>
<string>therjmdmlab</string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>59E01D237C8743879F46EBD9F8752EE13956836221F1422D98AE4650B2B9D13E</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Now we create a policy in Intune to import the above .mobileconfig file. Here are the steps -
1. Sign-in to the Microsoft Intune admin center
2. Browse to Devices –> Configuration
3. Click Create -> New Policy
4. Select Platform as macOS
5. Select Profile type as Templates > Custom
6. Provide a Name and hit next.
7. Configure similar to as shown below & pull the .mobileconfig file created earlier in this blog post -
Note: You can give any configuration profile name as long as it is unique and easy to spot on the targeted devices.8. Assign to a device or user based group. I normally use Intune virtual groups and use filters.
End User Experience
At the next sync, the policy should apply and show up under Privacy & Security > Profiles
When the user tries to install the Google Drive application from Chrome webstore, the action will be blocked and the custom message will be displayed.
That's it. We have successfully blocked a chrome extension and displayed a custom message.
Until next time..
Comments
Post a Comment