Extensions Settings Policy

TomS · January 14, 2020, 1:38pm

Trying to create a policy that says all extensions are blacklisted except for ones on the whitelist, but I do not want the extensions to auto install for users. From the documentation, it seems I can just add this to ExtensionsSettings. However, when I do, it seems that the allow statement overrides the default entry and allows install of any extension.

Example:
{
“*”: {
“blocked_install_message”: “Custom error message.”,
“install_sources”: [“https://addons.mozilla.org/”],
“installation_mode”: “blocked”,
“allowed_types”: [“extension”]
},
“uBlock0@raymondhill.net”: {
“installation_mode”: “allowed”,
“install_url”: “https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi”
}
“d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d”: {
“installation_mode”: “allowed”,
“install_url”: “https://addons.mozilla.org/firefox/downloads/latest/adblock-plus/latest.xpi”
}
}

mkaply · January 14, 2020, 11:03pm

Are you saying that if you remove allowed_types, it works?

mkaply · January 14, 2020, 11:04pm

Also, you don’t need install_urls if you are just allowing certain extensions, we’ll check the IDs when they are installed to make sure it’s the right extension.

TomS · January 15, 2020, 2:41am

Maybe its my syntax, I am not use to working with Json files in a GPO. Basically, I am looking for an example that blacklists all extensions unless I put the extension on the whitelist and that seems to not be working correctly when I try to change the “installation_mode”: line in the policy. I am not looking for a forced install of the extensions, just the ability for the end user to do this. If this was chrome, this is what I would be doing:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlacklist]
“1”="*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallWhitelist]
“1”=“cjpalhdlnbpafiamejdnhcphjbkeiagm”
“2”=“cfhdojbkjhnklbpkdaibdccddilifddb”

mkaply · March 13, 2020, 12:54pm

I’m sorry I missed this. I never got a notification. You were very close with your JSON. You actually had more than you needed:

{
	"*": {
		"blocked_install_message": "Custom error message.",
		"installation_mode": "blocked"
	},
	"uBlock0@raymondhill.net": {
		"installation_mode": "allowed"
	},
	"{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}": {
		"installation_mode": "allowed"
	}
}

And FYI, Chrome is moving towards using JSON for this as well. See:

https://support.google.com/chrome/a/answer/7532015?hl=en