WIXLIB

Getting started:a guide to managingChrome Browser EnterpriseExtensionsUpdated November 2021IntroductionThere are thousands of Chrome Browserextensions available, and many of them doamazing things that save people time,improve business workflows, and enhanceefficiency. From optimizing RAM utilization toincreasing browser speeds and editing yourgrammar, extensions are built to improve ourproductivity at work – but it’s important toremember that they can also introduce riskand vulnerabilities to an enterpriseenvironment if they’re not properly managed.For this reason, enterprise IT teamsmust balance users’ productivity needs withthe company’s security needs.When it comes to extension management,enterprise IT teams have three main priorities:1.2.3.Protecting user and company dataPreventing the installation of maliciousextensionsEnsuring users have access to the extensionsthey need to improve productivity andefficiency1

With so many new and existing extensionsand constant updates being made, it’s crucialadministrators follow best practices tomonitor, manage, and secure their users’Chrome extensions.This technical paper will explain variousextension management options and help youchoose the method that best fits your needs.Criteria to considerBefore you jump into managing extensions,you should first identify the parameters yourorganization will use to assess and approvethem. To do this, you’ll want to answer thefollowing questions: What are the security regulations andcompliance measures our organizationneeds to adhere to? What user and corporate data is beingstored on users’ devices? What data is being requested byextensions?Once you have your answers clearly defined,you’re ready to consider your extensionmanagement options.The traditionalapproach:For a long time, the only way to manage browserextensions was to manually evaluate eachextension and then create allow lists and blocklists to dictate which extensions could and couldnot be installed on users’ devices. Someorganizations still use this approach today.In the Google Admin console, you can choose to: Allow all extensions except those youwant to block Block all extensions except those youwant to allow Block or allow individual extensions Force-install one or several extensionsIn Microsoft1 Group Policy you can use templatesto achieve similar protections that are applied tocertain groups or the entire organization,including: Allow all extensions except those youwant to block Block or allow one extension Force-install an extensionBoth of these approaches work to a certain. Theydo have their limitations and they’re very manual– which means they require a lot of human effort.Their review times can negatively impact bothuser and admin productivity. And, perhaps mostimportantly from a security perspective, alreadyallow listed extensions can be sold to and/orupdated by entities that you have not vetted.1Microsoft , Windows , and Internet Explorer are registeredtrademarks of Microsoft Corporation in the United States and/orother countries.2

A modern approach:managing extensionsby permissionsTo make enterprise extension management moreefficient, scalable, and secure, Chrome alsoallows you to manage extensions requested bypermission. Managing extensions by permissionsmake it possible for IT teams to give their usersthe extensions they want without puttingcorporate data at risk. It’s the method Google’sIT team uses and recommends for otherenterprises.Permissions give an extension the ability tomake changes to website or device. For anextension to run properly, specific permissionsare often required.There are two main categories of extensionpermissions: site permissions and devicepermissions. Many extensions use both.SitepermissionsRequires extension todeclare any websites itwill view or modifyBothDevicepermissionsGives extension rightsto run specific actionson the machineSome examples of site permissions includeallowing an extension to block images or allowingan extension to control how much you can zoominto/out of a site. Examples of device permissionsinclude accessing USB ports, viewing the screen,and interfacing with programs.To further mitigate risk, consider managingextensions with the following policies: Blocked/allowed permissions: Blocksextensions with permissions you don'twant running in your environment. Also, ifextensions that are already installedupdate asking for permissions that youdon't allow, the extension will be blocked. Runtime block hosts: Blocks extensionsfrom running on your most sensitive siteswhile allowing them to work elsewhere. Force installed extensions: Silentlyinstalls extensions on your users'machines so they have the tools theyneed to be productive Allow list/block list: If requiredThis Chrome extension management method ismore secure, easier to manage, and scales wellfor large organizations. It protects users fromcompromised extensions and saves IT timebecause they no longer have to manageexcessively long allow lists/block lists, reviewupdates, or individually vet each extension.It’s truly a win-win.3

Get started:managing extensionsby permissionTo begin managing your enterprise extensionsby permission, follow these steps:Setting permissionsYou can easily control which extensions yourusers are allowed to install. You simply have todesignate which permissions are acceptableand flag the permissions that are not.Google admin console1. Make a list of what extensions your usersalready have installed (use Chrome BrowserCloud Management reporting or surveyyour end users). Tip: Consider using an API toexport your data directly into a spreadsheet.For more information, check out thisYouTube video.In Windows, Chrome OS, Mac2, and Linuxenvironments you can use the Google Adminconsole to set these controls. If an extensionrequires access or permissions that violate yoursecurity policies, it won’t be installed. Forexample, you can block an extension thatconnects to your users’ USB devices or preventsaccess to reading cookies. If an installed2. Identify what websites/hosts must be secure extension needs permission that is blocked,Determine which permissions pose potential it simply won't run. The extension isn't removed;risks and need to be restrictedit’s disabled. For more information on managingextension in the admin console, check out this3. Build a list of all of the data you’ve collected YouTube video.and share it with essential stakeholders toget buy-in4. Test your new policies in a test environmentor with a small pilot group, then roll the newsets of policies to employees in phases5. Review feedback from usersGroup Policy6. Repeat and fine-tune the process ona monthly, quarterly, or annual basis(whatever is appropriate for yourorganization)Another common way to manage extensions inWindows is to use the extensions settings policy.The group policy management editor allows youto set multiple policies in one place using a JSONstring or in the Windows Registry. The extensionssetting policy can control things like installationWith this strategy, not only is your enterpriseautomatically more secure, your users also get abetter experience.Employees may even be able to install extensionsthat they couldn't before, they just won't be ableto run them on sensitive business sites.2Mac and macOS are trademarks of Apple Inc., registered in the U.S. and other countries.4

mode, update URL, blocked permissions, installsources, allowed types, blocked install, andruntime blocked and allowed hosts. You candecide if you want to set all extensionmanagement settings here, or you can set thesecontrols through other individual policies. Thesetting is set using either Windows registry orJSON string in Windows Group Policy Editor.AdditionalconsiderationsIf you decide that managing an allow/block list isfor you, you should consider using the ExtensionWorkflow feature of Chrome Browser Cloudmanagement. This feature works with your existingallow list and enables users to request extensionsdirectly from the Chrome Web Store. Thoserequests show up in the Google Admin Console,where you can review them for security andproductivity requirements and allow or block themwith a click of a button. For more information onthis feature check out this YouTube video.Chrome Browser Cloud Management is a capabilitythat allows you to manage your Chrome Browsersettings for your Windows, Mac, and Linuxmachines all in one place. The console offers anin-depth view of the state of Chrome Browser inyour environment, providing instant insight into: Current Chrome Browser versions deployedacross your fleet of desktops and laptops,regardless of desktop or laptop type Extensions installed on each browser Policies being applied to each browserThe console also allows you to block a suspiciousextension on all of your machines with the clickof a button.Manage Chromeextensions like wedo at GoogleAfter using traditional allow list and block listextension management method on its300,000 endpoints for years, Google’sinternal IT team knew they wanted to createa less cumbersome approach that balancesthe needs of enterprise IT and security withemployee productivity. Their solution,managing extensions by permissions andwebsite access, is a scalable, secure solutionthat greatly reduces overhead.Like Google, you can make the switch fromallow lists to block lists to the more securemethod described in this technical paper.You’ll get the security your enterprise needswhile still allowing users to install safe,productivity-boosting extensions.Start managing your extensions bypermissions today.To deepen your understanding ofChrome Browser extensionmanagement, consider the followingresources:Read the Managing Extensions in YourEnterprise guideWatch Chrome Insider, Managing Extensionsin Chrome Browser Cloud Management, andthe Extension Workflow demoExplore Chrome Browser Cloud ManagementoptionsView Chrome Browser downloads for yourenterpriseLearn more about Chrome BrowserEnterprise SupportExplore the Chrome Browser Policy ListVisit the Chrome Browser Enterprise HelpCenter and Chrome Browser Help Forum5

extension to run properly, specific permissions are often required. There are two main categories of extension permissions: site permissions and device permissions. Many extensions use both. Some examples of site permissions include allowing an extension to block images or allowing an extension to control how much you can zoom into/out of a site.