VPN

lpadmin
Contributor

I have users that have installed the Browsec VPN extension on the Chrome browser. This is allowing them to get around our filtering and monitoring software. Does anyone know if there is a way to block Chrome extensions? I have tried setting it as a restricted software using the app id name, but that has not worked. Any suggestions are greatly appreciated.

1 ACCEPTED SOLUTION

Merkley
New Contributor III

I created a computer level configuration profile for Chrome. I just used TextWrangler to create the .mobileconfig and upload it to the JSS. This also allows me to allow students to install approved extensions. The website I used to help me set this up, besides finding random threads here and there, was this Chrome site. If I had some extensions that teachers wanted their students to have, I had to add them to the InstallWhitelist so the students could download the extensions from the Chrome Web Store. The other part that I found I needed was the InstallBlacklist and just included everything with the wildcard. Here is a modified version of the mobileconfig I upload to the JSS and set it as a Computer Level Profile.

Hope this helps you for what you are trying to do.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadIdentifier</key>
    <string>com.your.org</string>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>2016-09-12-07-13</string>
    <key>PayloadOrganization</key>
    <string>Name of Org</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadDisplayName</key>
    <string>Google Chrome Policy</string>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.ManagedClient.preferences</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadIdentifier</key>
            <string>com.normandale</string>
            <key>PayloadUUID</key>
            <string>121-qasd</string>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadDisplayName</key>
            <string>Custom: (com.google.Chrome)</string>
            <key>PayloadContent</key>
            <dict>
                <key>com.google.Chrome</key>
                <dict>
                    <key>Forced</key>
                    <array>
                        <dict>
                            <key>mcx_preference_settings</key>
                            <dict>
                                <key>ExtensionInstallWhitelist</key>
                                <array>
                                    <string>ghbmnnjooekpmoecnnnilnnbdlolhkhi</string>
                                </array>
                                <key>ExtensionInstallBlacklist</key>
                                <array>
                                    <string>*</string>
                                </array>
                            </dict>
                        </dict>
                    </array>
                </dict>
            </dict>
        </dict>
    </array>
</dict>
</plist>


11 REPLIES 11

lpadmin
Contributor

Thanks, I will try this out.

lpadmin
Contributor

I am getting the following error:

Script result: /Library/Application Support/JAMF/tmp/BlacklistEXT: line 1: syntax error near unexpected token `newline'
/Library/Application Support/JAMF/tmp/BlacklistEXT: line 1: `'

Merkley
New Contributor III

Sorry, I wasn't clear. This isn't a script to be run, but a configuration profile that gets installed at a computer level. Copy and paste the text above to a new file in TextWrangler or another text editing application, then save it. Change the file extension to .mobileconfig and you can then upload it to the JSS in the Configuration Profiles. Once you've uploaded it to the JSS, you can see your settings in the newly created configuration profile and all the settings will be placed in the Custom Settings payload of that configuration profile.

lpadmin
Contributor

That worked, thanks

lpadmin
Contributor

Okay so another question is how do I do more than an app id. Looking on the Chrome page you linked above it looks like I just do this.

<array>
      <string>omghfjlpggmjjaagoclmmobgdodcjboh</string>
      <string>pfmgfdlgomnbgkofeojodiodmgpgmkac</string>
</array>

But when I upload it, the policy does not recognize that there is more than one listed.

Merkley
New Contributor III

That's how I have it setup for my profile. Sometimes it took a little while for the old profile to get uninstalled and the new one installed. I also had to remember to disable the old one before scoping out the new configuration to my test machines, and that's because if you have two profiles doing the same thing, only one of the profile settings gets applied.

jchurch
Contributor II

This is huge, thanks. Is there any way to do the same with Firefox?

Merkley
New Contributor III

For Firefox I use the CCK2 add-on to create settings that are needed for my district. I did find a guide for the initial setup and how to do certain things which is here. This is an older guide, but should still be similar for the newest version of CCK2. There are also a bunch of discussions on JAMF Nation about using CCK2 and locking down Firefox, if you run into any issues.

wallis_isaac
New Contributor II

Using @Merkley's answer, I added some automation to the process by making a Python script that'll generate a plist with the whitelist.

It's Here for anyone that's interested

Once the config profile is made, you can just update the plist file for com.google.Chrome and push the update out to the scope, rather than making new profiles all the time
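
Added example, not part of the thread and not the script linked in the post above: one way to generate the profile Merkley posted from a list of extension IDs and read the policy back before uploading it. The function names, the default organization and identifier, and the choice to derive the PayloadUUID values from the identifier are assumptions made for this example.

```python
import plistlib
import re
import uuid

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXTENSION_ID = re.compile(r"[a-p]{32}")


def _stable_uuid(name):
    # Assumption for this example: derive a valid UUID from the identifier
    # so repeated runs for the same identifier produce identical output.
    return str(uuid.uuid5(uuid.NAMESPACE_DNS, name)).upper()


def build_chrome_profile(allowed_ids, org="Example Org",
                         identifier="com.example.chrome.extensions"):
    """Return .mobileconfig bytes: block every extension except allowed_ids."""
    allowed = []
    for ext_id in (i.strip() for i in allowed_ids):
        if not EXTENSION_ID.fullmatch(ext_id):
            raise ValueError(f"not a Chrome extension ID: {ext_id!r}")
        if ext_id not in allowed:          # drop duplicates, keep order
            allowed.append(ext_id)
    settings = {"ExtensionInstallWhitelist": allowed,
                "ExtensionInstallBlacklist": ["*"]}
    inner = {
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".prefs",
        "PayloadUUID": _stable_uuid(identifier + ".prefs"),
        "PayloadEnabled": True,
        "PayloadDisplayName": "Custom: (com.google.Chrome)",
        "PayloadContent": {"com.google.Chrome": {
            "Forced": [{"mcx_preference_settings": settings}]}},
    }
    profile = {
        "PayloadIdentifier": identifier, "PayloadRemovalDisallowed": True,
        "PayloadScope": "System", "PayloadType": "Configuration",
        "PayloadUUID": _stable_uuid(identifier), "PayloadOrganization": org,
        "PayloadVersion": 1, "PayloadDisplayName": "Google Chrome Policy",
        "PayloadContent": [inner],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def read_extension_policy(profile_bytes):
    """Return (whitelist, blacklist) from a profile, to check it before upload."""
    forced = plistlib.loads(profile_bytes)["PayloadContent"][0][
        "PayloadContent"]["com.google.Chrome"]["Forced"][0]
    settings = forced["mcx_preference_settings"]
    return (settings["ExtensionInstallWhitelist"],
            settings["ExtensionInstallBlacklist"])
```

Newer Chrome releases list these policies as ExtensionInstallAllowlist and ExtensionInstallBlocklist; the key names used here are the ones from this thread.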

juhill
New Contributor

This worked great for me, thanks!