We'd like to develop a Google Chrome extension that is managed centrally, e.g. by MS Active Directory Group Policies.
How do we centrally distribute domain/customer specific configuration for such an extension?
Our users are mostly Windows users in the same domain, but we can not assume that they're logged in to any particular G-Suite organisation.
It does seem possible to create Active Directory Group Policies to install a particular extension for all users. That same article does however say:
Unfortunately I was not able to come up with a solution concerning the centralized management of Chrome extension settings. Some extensions, for example The Great Suspender, come with additional options for the user to configure. As said, I was not able to find a way how to manage or configure these centrally.
So now that the extension is installed, how do we configure it?
Since it is our own extension, there is more freedom. I'm thinking with a Group Policy, one could install C:\some\extension-file.json and then run
google-chrome --headless file:///some/extension-file.json
If the extension intercepts that (as e.g. ViolentMonkey does) but only if it is a file:// URL, I guess that could be brought to work. But I'm hoping: Can you come up with something more elegant?
How do we centrally distribute domain/customer specific configuration for such an extension?
chrome.storage.managed is the specific answer for that need. Quoting the docs:
Enterprise policies configured by the administrator for the extension can be read (using storage.managed with a schema).
With that in mind, you have to do the following:
Provide a schema for the storage via the storage.managed_schema key in the manifest. An example is given in the documentation.
Present values expected by the schema via GPO / registry as described in admin docs.
You can verify that the policy-mandated values are loaded by observing chrome://policy.
You can then use chrome.storage.managed as you would any other chrome.storage (though it is read-only), including watching for changes with onChanged.
Related
I need some advice about Chromium extension possibilities. Can the extension change configs of the browser such as: home page, default behavior for protocol handlers (tel, mailto), security settings ("protect from dangerous websites" for example), disable sending statistics to Google, etc.?
Which configs from chrome://settings/ can be changed and how to do it if it's possible?
The Chrome API index is a good place to start.
From it, you can glean the following capabilities:
accessibilityFeatures API that deals with accessibility settings.
browsingData API that deals with clearing browsing data.
contentSettings API that deals with allowed content, site permissions and plugins.
downloads API can at least partially influence download settings.
fontSettings API can manage fonts used by Chrome.
management API can manage (but not install) other extensions.
privacy API deals with privacy-related settings (that includes some security settings).
proxy API can manage proxy settings.
In addition, there's a lot of Chrome OS specific APIs I won't list here.
There are also some manifest keys that can influence Chrome settings on install - such as the home page. See chrome_settings_overrides (note: not available on Linux) and to a lesser extent Override Pages.
See also Protecting user settings on Windows with the new Settings API (which announced the above).
Other than those, no, you can't override Chrome settings. You cannot dynamically change the home or search provider, you can't control protocol handlers (that's on OS level anyway), etc.
Note that you can't inject scripts into chrome://* pages, so you won't be able to just fiddle with the UI.
We have created a Chrome Extension that is a companion to web sites that we host for our customers. These web sites are hosted under our domain name and interact with the extension using external messaging and relying on the sites being configured in the manifest similar to the following (abcdefg.com is a ficticious domain name):
"externally_connectable": {
"matches": [ "http://*.abcdefg.com/*", "https://*.abcdefg.com/*"]
}
This works great in these cases. However, we have a subset of customers that prefer to host the website themselves under their own domain. The problem is that we do not want to update the extension manifest for the published extension to include all of these sites.
Is there any option of distributing a version of the extension (on Windows) where the "externally_connectable" site list can be set upon installation?
Thanks to kzahel for highlighting the obstacles I was facing and thanks to wOxxOm for providing a solution that will work.
Rather than trying to find a way to override the "externally_connectable" matches configuration upon installation, we found the easiest alternative was to avoid external messaging and use messaging via a content script instead.
The following is a copy of the solution posted above by wOxxOm:
chrome extension - alternative to externally_connectable?
Unfortunately there's no way to do this. You'll need to create a custom extension for every customer with their own domain name. Luckily, there is an API for updating the extension, so you would be able to at least update multiple extensions without too much difficulty. However, the 20 extension limit per account would be a little annoying. I think you can get more extension allowed per account by creating a publishing group and assigning the extensions there.
You could if you are willing to have customers install this in developer mode. That would bypass the 20-extension limit.
We have authored a Chrome extension and would like to ensure that our extension does not at any time participate in being sync'd using Google Account synchronization, even if the user has specified in the Advanced sync settings dialog that extensions be sync'd. Is there a way to prevent this sync'ing on a per-extension basis? Is there some setting we could place in the extension manifest file to accomplish this? Or other way to accomplish this?
If that is not possible, can we force the Extensions checkbox to always be unchecked and unalterable by the user, using enterprise-level techniques such as Group Policy Update? This is not optimal, since we only want to stop the sync'ing of our extension, and not prevent sync'ing of all extensions.
We do see that the SyncDisabled policy registry setting is available to us, but that looks like it will disable ALL data synchronization including Apps, Extensions, Settings, History, etc. This is even less desirable to us, since we don't want to affect other synchronization -- we just want to prevent only our extension from being sync'd.
The use case for this involves the following:
A corporate user installs Chrome on his work computer. Our extension is useful in the enterprise environment and is installed on Chrome.
At some point, using the Chrome browser, this user logs into his personal Gmail account. He has set up his Google Account to turn synchronization on.
Now when this user, using his home computer and Chrome browser, logs in to Google, he will find that our extension has also been installed on his Chrome browser at home -- this is not desirable, since our extension has no usefulness in the home environment. Moreover, the user may consider the presence of our extension an unwanted intrusion into his home computing environment.
The only remedy for this user would seem to be that he could go to the Advanced sync settings and uncheck the Extensions checkbox, but then he would lose the benefit of extension sync'ing of other extensions, which he may want.
Well, if you're doing it in a corporate / managed environment, you don't need to publish your extension on Web Store at all (thus preventing the sync) if you can use Group Policy.
Any extension in ExtensionInstallForcelist will be installed even if it (and its update manifest) is hosted outside Web Store. This will prevent the extension itself from syncing (though will probably still allow chrome.storage.sync to function for it, which is a plus).
Other than that, I don't think there's a way to prevent an individual Store-hosted extension from syncing.
My question is how do third party installer installs addons in the browser like toolbars and able to set homepage and other browser properties??
I want to make an addon which get installed in browser in same way..
is it possible??
In principle, installing extensions along with other software is possible. I'm describing the procedure for Windows.
The following conditions have to be met:
You must be able to write to the HKLM registry subtree (needs Admin rights)
The extension must be published on Chrome Web Store
The machine must be able to download the extension from Web Store
If those conditions are met, you can do it according to the procedure described here. Basically, the installer must create a registry key that will trigger Chrome to download the extension on next launch.
That said, Google has gone to great pains to prevent silent installs and avoid browser settings hijack. Such setting overrides are a weapons race and Chrome is tightening its defenses. Ask yourself whether it's ethical to install your extension this way.
It will probably annoy your users and will flag your extension for more meticulous checks by Google. Remember that Google can disable any extension hosted by the Web Store if it violates its policies.
Also, be mindful of the single purpose policy. A toolbar that also overrides search/homepage/settings will be frowned upon. At a minimum it should be separated into several extensions, at a maximum - don't do it.
An extension can override, say, a homepage, but it's very restrictive. The extension must be in the Web Store as above, and any override pages must be verified for ownership for the Web Store developer account. All in the name of security and comfort of the users.
I have a chrome extension that i built for my company employees,
we have our own instance of google apps #ourcompany.com
I have a gae app that tells the extension that it needs to be updated but the actual update process has to be done manually.
is there a way where i can do this update automatically once it's available?
You should publish your app to Chrome Web Store, and enjoy the auto-update process it offers, unless it's impossible due to CWS policies or packaging complications like Native Hosts/NPAPI.
When you do, you have an option to restrict installs to users of your Google Apps domain.
There are legitimate cases when you don't want to migrate over to CWS.
If you have a way to force install of your extension (ideally via Group Policy) and not concerned by tightening of security for Windows, you can just use update_url field in the manifest.