It is possible to deploy Google Chrome Extensions via Group Policy. It is broken up into the following steps:
- Retrieve the extension ID and the update URL of the Chrome extension
- Configure Group Policy settings to deploy the Chrome extension
- Deploy Extensions based on Security Group membership
Retrieve the Extension ID and the Update URL of the Chrome Extension
There are two values that need to be collected, the ‘Extension ID’ and the ‘Update URL’.
These two values have to be entered as one string , but separated by a semicolon (;) [Extension ID];[Update URL].
For example for Grammarly it would something like this;
- From a test machine, open Google Chrome and install the required extension from the Apps Store. As mentioned above we are using Grammarly as the example.
- Once the extension has installed, type the following into the URL bar type
or navigate to the extensions option from the main menu.
- Enable Developer Mode. Now the ID of each individual extension is shown.
- Note down the ID of the extension as you will require this information in the following steps.
- We next need to obtain the Update URL. Chrome extensions are installed on a per-user basis and are located in the following directory:
6. Open the directory that corresponds with the ID of your extension, in this example it was;
7. Open the sub directory representing the version of the extension. In the root of this directory you should find a filename called manifest.json. Open this file in your favorite text editor. Search for the string update_url. Here you will find the update URL.
8. Now you have the two values required to create a GPO, copy them together in one string and make sure to separate them using a semicolon.
Configure Group Policy settings to deploy the Chrome extension
Before continuing, it is assumed at this point that you have imported the Google Chrome ADMX/ ADML templates into the Central Store. If you have not completed this step please use the following reference for assistance. Reference Guide.
- Open up Group Policy Management console, and create a new GPO. Do not assign it to an exisiting OU but rather create it inside the Group Policy Objects container.
- Inside the new GPO, navigate to User Configuration, Administrative Templates, Google, Google Chrome, Extensions. Select the setting Configure the list of force-installed apps and extensions and enable it.
- Click the Show button and add the string you created in the previous steps.
- At this stage if you were to deploy this GPO to a test OU which had test users accounts inside this would work. After a group policy update the user will automatically receive the required extension. As long as the user is authenticated to internet access it should start the download and install in Google Chrome.
Deploy Extensions based on Security Group membership
Up to this point, you could just add users to test OU and the extension would install, however in most cases this is not possible as most users need to be apart of certain OU’s based on the environments requirements especially when using tools like Microsoft Identity Manager (MIM) and alike. To get around this we need to create a security group which we can assign users to while keeping them in their existing OU’s.
- Open up Active Directory and go to your Groups area, in this example I have manually created the following OU’s: Groups, Deployment, Google Chrome Extensions.
- Create a new Group called the name of the Extension. In this case Grammarly.
- Going back to Group Policy, ensure you still have the GPO you just created selected and go to the Delegation tab. Select the Advanced Button at the bottom.
- Select the Authenticated Users and scroll to Apply group policy and un-tick it. We do this because all users in a domain are treated as an authenticated user. By un-ticking this prevents all domain users having this GPO applied to their user account.
- Add the security group you created, in this example its Grammarly and ensure that Allow – Apply group policy is ticked.
- Next we need to advertise the GPO we created to our users. To do this, right click on the OU which has contains your test users and select Link an Existing GPO. Find and select the GPO you created and click OK. In this example we advertised the GPO to our test users OU. Note: As with anything, testing is important to complete. It is best practice to perform any testing in a testing OU rather then a Production OU.
- As long as the user has this security group assigned to the user account inside the Member Of tab, the Grammarly GPO will apply.
After applying the above, lets test to see if the Security Filtering is actually working.
- Login as the test user you have assigned the security group to, and perform a gpupdate. As you can see from running GPResult on the test user account we now see the Deploy Grammarly GPO under applied Group Policy Objects. If you do not see the GPO you created verify that the user is a Member Of the security group.
- Once gpupdate has completed restart the device.
- Once again log in, and open up chrome. Check to see if you now can see the extension installed.
Problems I encountered/ Things to watch out for
- When deploying an Extension, you will need internet access. This is so that the client is able to download any required files to get the Extension to function properly.
- For best results, restarting after running GPUpdate seemed to see the Extension install more reliably. However in some cases I have also seen the Extension install just after running GPUpdate. This could be dependent on the state of Chrome, pending Windows Updates, pending reboot, etc.
- Unofficial versions of Google Chrome will not work. This includes browsers that are built on the Chrome framework like Tor Browser or similar.
- Google Chrome build versions v46 and below will not work reliably or deploy the Extension.
- The ‘Enterprise’ or ‘Education’ editions of Google Chrome must be used as this allows Group Policy to be used.
- You do not need to be signed into Google Chrome, this will work either way. Note: If you are signed in the Chrome Extension you deploy will attached to the signed in Google account.
- The security group needs to be applied to each users AD account. If you are targeting a multi-user device, deploying to one user will not allow other users to see or use the Extension. Instead deploy to all active users of that device to see the Extension.
- Group Policy processing can sometime take a little longer then usual when adding this GPO. To fix this I found restarting the computer helped.