Block extensions based on their permissions
You can control what extensions your users can install based on permissions using the ExtensionSettings policy. If an installed extension needs a permission that’s blocked, it just won’t run. The extension isn’t removed, just disabled.
The blocked permissions setting can only be set within the extension settings policy.
Use the following steps as a guide for blocking an extension.
Open the group policy management editor and go to Administrative Templates > Microsoft Edge > Extensions and then select Configure extension management settings.
Enable the policy, then enter the permissions that you want allowed or blocked as a JSON string compressed to a single line. The next screenshot shows how to block an extension that uses the permission “usb”.
The following example shows the JSON to block any extension that needs the use of permission “usb” and its compressed string.
To block all extensions that use the permission, use an asterisk for the extension ID, as shown in the previous example. If you specify one extension ID, the policy will only apply to that extension. You can block more than one, but they need to be separate entries.
Configure using the Windows Registry
The ExtensionSettings policy should be written to the registry under this key:
Note: It’s possible to use HKCU instead of HKLM. The equivalent path can be configured with Group Policy Object (GPO).
For Microsoft Edge, all settings will start under this key:
The next key that you will create is either the Extension ID for individual scope or an asterisk (*) for the Default Scope. For example, you’d use the following location in the registry for settings that apply to Google Hangouts:
For settings that apply to the Default Scope (asterisk), use the following location in the registry:
Different settings will require different formats, depending on whether they are a string or an array of strings. Array values require ["value"]. String values can be entered as is. The following list shows which settings are arrays or strings:
- installation_mode = String
- update_url = String
- blocked_permissions = Array of strings
- allowed_permissions = Array of strings
- minimum_version_required = String
- runtime_blocked_hosts = Array of strings
- runtime_allowed_hosts = Array of strings
- blocked_install_message = String
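The string and array formats above, shown as an added Python example (not from the original page): it turns a policy dictionary into the value name and data to create under each scope subkey, and rejects a setting whose type does not match the list. The helper name registry_plan and the extension ID are constructed placeholders.

```python
import json

# Types from the list above. Strings are entered as is; arrays are entered
# as a JSON array literal such as ["usb"].
FIELD_TYPES = {
    "installation_mode": str,
    "update_url": str,
    "blocked_permissions": list,
    "allowed_permissions": list,
    "minimum_version_required": str,
    "runtime_blocked_hosts": list,
    "runtime_allowed_hosts": list,
    "blocked_install_message": str,
}


def registry_plan(policy):
    """Return (subkey, value_name, data) tuples for every setting.

    subkey is the extension ID or "*", relative to the ExtensionSettings
    policy key. Raises ValueError on an unlisted setting or a wrong type.
    Hypothetical helper, not part of any Microsoft tooling.
    """
    plan = []
    for scope, settings in policy.items():
        for name, value in settings.items():
            expected = FIELD_TYPES.get(name)
            if expected is None:
                raise ValueError(f"{scope}: {name} is not in the type list")
            if expected is str:
                if not isinstance(value, str):
                    raise ValueError(f"{scope}: {name} must be a string")
                plan.append((scope, name, value))
            elif isinstance(value, list) and all(isinstance(v, str) for v in value):
                plan.append((scope, name, json.dumps(value, separators=(",", ":"))))
            else:
                raise ValueError(f"{scope}: {name} must be an array of strings")
    return plan


# Constructed sample; the 32-character extension ID is a placeholder.
SAMPLE = {
    "*": {"blocked_permissions": ["usb", "cookies"]},
    "abcdefghijklmnopabcdefghijklmnop": {"installation_mode": "blocked"},
}

if __name__ == "__main__":
    for row in registry_plan(SAMPLE):
        print(row)
```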
8. Freedom for iOS and Android
Blocking websites on Mac and Windows computers can boost your productivity. However, that productivity will be short-lived if you can just turn to your phone or tablet when your brain starts to crave your blocked distractions.
We offer Freedom on iOS and Android devices so that you can sync your block sessions across all of your devices because distractions aren’t always device-specific. The Freedom iOS app will block apps and websites based on your custom blocklist, and can be used simultaneously in sessions with your Mac or Windows computer or any number of other devices.
Pros: Freedom is the only complete multi-platform website and app blocker solution. So even if you have every popular device on the market (iPhone, iPad, Android phone or tablet, Mac and Windows computers) – Freedom has you covered on all of them, at the same time if you’d like!
Price: Included in Freedom Premium (see Freedom for Mac and Windows above)
Block extensions from a specific store or update URL
To block extensions from a particular store or URL, you only need to block the update_url for that store using the ExtensionSettings policy.
Use the following steps as a guide to block extensions from a particular store or URL.
- Open the group policy management editor and go to Administrative Templates > Microsoft Edge > Extensions and then select Configure extension management settings.
- Enable the policy, then enter the permissions that you want allowed or blocked, compressing it to a single JSON string.
The next example shows the JSON and compressed JSON string to block from the Chrome Web Store using its update URL (
JSON example for blocking on update URL
You can still use ExtensionInstallForceList and ExtensionInstallAllowList to allow/force install specific extensions even if the store is blocked using the JSON in the previous example.
ExtensionSettings policy fields
This policy can control settings such as Update URL, where the extension will be downloaded from for initial install, and Blocked permissions. You can also use this policy to identify which permissions aren’t allowed to run. The available policy fields are described in the following table.
|allowed_types||Can only be used to configure the default configuration, *. Specifies what types of app or extension users are allowed to install on Microsoft Edge. The value is a list of strings, each of which should be one of the following types: “extension”, “theme”, “user_script”, and “hosted_app”|
|blocked_install_message||If you block users from installing certain extensions, you can specify a custom message to display in the browser if users try to install them. Append text to the generic error message that is displayed on the Microsoft Edge Add-ons website. For example, you can tell users how to contact their IT department or why a particular extension is unavailable. The message can be up to 1,000 characters long.|
|blocked_permissions||Prevents users from installing and running extensions that request certain API permissions that your organization doesn’t allow. For example, you can block extensions that access cookies. If an extension requires a permission that you blocked, the user can’t install it. If users previously installed the extension, it will no longer load. If an extension contains a blocked permission as an optional requirement, it installs as usual. Then, while the extension is running, blocked permissions are automatically declined. For a list of available permissions, see declare permissions.|
|installation_mode||Controls if and how extensions that you specify are added to Microsoft Edge. You can set the installation mode to one of the following options: - allowed: Users can install the extension. If no installation mode is defined, this setting is the default. - blocked: Users can’t install the extension. - force_installed: Automatically install the extension without user interaction. Users can’t remove it. You also need to define the extension download location using update_url. Note: You can’t use this setting with * because Microsoft Edge wouldn’t know which extension to automatically install. - normal_installed: Automatically install the extension without user interaction. Users can disable it. You also need to define the extension download location using update_url. Note: You can’t use this setting with * because Microsoft Edge wouldn’t know which extension to automatically install. - removed: Users can’t install the extension. If users previously installed the extension, Microsoft Edge removes it.|
|install_sources||Can be used only to configure the default configuration, *. Specifies which URLs are allowed to install extensions. Both the location of the *.crx file and the page where the download is started from (the referrer) must be allowed by these patterns. For URL pattern examples, see the match patterns.|
|minimum_version_required||Microsoft Edge disables extensions, including force-installed extensions, with a version older than the specified minimum version. The format of the version string is the same as the one used in the extension manifest.|
|update_url||Only applies to force_installed and normal_installed. Specifies where Microsoft Edge should download an extension from. If the extension is hosted in the Microsoft Edge Add-ons website, use this location: |
|runtime_allowed_hosts||Allows extensions to interact with specified websites, even if they’re also defined in runtime_blocked_hosts. You can specify up to 100 entries. Extra entries are discarded. The host pattern format is similar to match patterns except you can’t define the path. For example: - *://*.example.com - *://example.* (eTLD wildcards are supported)|
|override_update_url||Available from Microsoft Edge 93. If this field is set to |
|toolbar_state||Available from Microsoft Edge 94. This policy setting lets you force show an installed extension to the toolbar. The default state is |
The following keys are allowed at the global scope (*):
- installation_mode – only "removed" are the valid values in this scope.
The following keys are allowed at an individual extension scope:
- installation_mode – "normal_installed" are the possible values.
The following keys are allowed at an update URL scope:
- installation_mode – only "removed" are the valid values in this scope.
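A pre-deployment check for the rules in the field table above, as an added Python example (not Microsoft's code): it flags installation modes and default-only fields that the table rules out, and emits the compressed single-line JSON that the permission-based and update-URL blocking steps ask for. The function names, extension ID and update URL are constructed placeholders; the update_url: key prefix is the policy's form for an update URL scope.

```python
import json

AUTO_INSTALL = {"force_installed", "normal_installed"}
MODES = AUTO_INSTALL | {"allowed", "blocked", "removed"}
DEFAULT_ONLY = {"allowed_types", "install_sources"}  # valid only under "*"


def lint_policy(policy):
    """Return a list of findings for rules stated in the field table."""
    findings = []
    for scope, cfg in policy.items():
        mode = cfg.get("installation_mode")
        if mode is not None and mode not in MODES:
            findings.append(f"{scope}: unknown installation_mode {mode!r}")
        if mode in AUTO_INSTALL:
            # Auto-install modes need a concrete extension and a download location.
            if scope == "*":
                findings.append(f"*: {mode} cannot be used with the default scope")
            elif "update_url" not in cfg:
                findings.append(f"{scope}: {mode} requires update_url")
        if scope != "*":
            for field in sorted(DEFAULT_ONLY.intersection(cfg)):
                findings.append(f"{scope}: {field} is only valid under *")
        if len(cfg.get("blocked_install_message", "")) > 1000:
            findings.append(f"{scope}: blocked_install_message exceeds 1,000 characters")
        if len(cfg.get("runtime_allowed_hosts", [])) > 100:
            findings.append(f"{scope}: runtime_allowed_hosts entries past 100 are discarded")
    return findings


def compress(policy):
    """Serialize the policy as the single-line JSON string the policy takes."""
    return json.dumps(policy, separators=(",", ":"))


# Constructed samples; the extension ID and update URL are placeholders.
EXT_ID = "abcdefghijklmnopabcdefghijklmnop"
BLOCK_USB = {"*": {"blocked_permissions": ["usb"]}}
BLOCK_STORE = {"update_url:https://updates.example.com/crx": {"installation_mode": "blocked"}}
BAD = {
    "*": {"installation_mode": "force_installed"},
    EXT_ID: {"installation_mode": "normal_installed", "allowed_types": ["theme"]},
}

if __name__ == "__main__":
    for item in (compress(BLOCK_USB), compress(BLOCK_STORE), *lint_policy(BAD)):
        print(item)
```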