How to block un-installation of extensions in Chrome/Chromium, using ExtensionInstallForcelist?
In order to prevent de-installation of the chrome extension "stayfocusd" In a windows 10 pc with both Chrome Version 67.0.3396.62 (Official Build) (64-bit) and chromium Version 67.0.3396.62 (Official Build) (64-bit) installed, I took the following steps:
Downloaded the synced version of Chromium from: https://chromium.woolyss.com/
Went to: https://chrome.google.com/webstore/search/ and installed stayfocusd
- Pressed start, typed> "regedit">enter
- In the registry browsed to:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies - Right mouse Button (RMB) clicked on "Policies"
- Clicked: New>Key>
- Named the new Key "Google"
repeated the process untill I created the following path in the registry:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelistThen in the white field next to it RMB>New>string value
- Named the string
1 - Gave the string the following value: laankejkbhbdhmipfmgcngdelahlfoji (That is the 32 character-ID of the stayfocusd extension)
- repeated the process for the following folder in the registry:
Computer\HKEY_CURRENT_USER\Software\Policies\Chrome\ExtensionInstallForcelist - Yielding:
This picture but then for both folders to illustrate the process.
- Closed Chromium
- Rebooted the pc.
Then I opened Chromium again, but I was still able to uninstall stayfocusd without any problems.
Does anyone have any suggestions on what I did wrong, or what I forgot, or another way to prevent de-installation of the stayfocusd extension?
Problem analysis:
0. Currently I think the problem might be that I do not add a reference to the location where the stayfocusd extension is hosted as in some of the examples of the documentation is done here:
Windows (Windows clients): Software\Policies\Google\Chrome\ExtensionInstallForcelist\1 = "gbchcmhmhahfdphkhkmpfmihenigjmpp;https://clients2.google.com/service/update2/crx"
Software\Policies\Google\Chrome\ExtensionInstallForcelist\2 = "abcdefghijklmnopabcdefghijklmnop"
However I do not understand/cannot find how to supply that equivalent link for the stayfocusd extension. And I would think that its source to perform a re-installation should not be a determining factor in whether it would be able to prevent de-installation, but that is an assumption, which I am currently not able to test because I did not find that equivalent hosting link yet.
- Another cause of the problem might be that I had to manually create the policy folders for google, which could be an indication that the chromium browser does not look at that location for its policies at a different registry location.
To test this I have searched for the "ExtensionInstallForcelist" but was unable to locate the folder in the registry before I had manually created them. Now that I have created them I do not know how to continue searching after it finds the first instance that I have created, so I cannot check if there is an additional location where the "ExtensionInstallForcelist" folder existst which I did not create.
Any suggestions are much appreciated!
Solution 1:
Preventing un-installation of any webstore extension in Chrome, not Chromium. Using the example of stayfocusd!: I am currently not sure if step 1 is needed, you can first try it without step 1 to see if it works. If it does please leave a comment with confirmation or not.
As explained in: https://dev.chromium.org/administrators/policy-list-3#ExtensionInstallForcelist
downloaded the following templates from: https://www.chromium.org/administrators/policy-templates "ZIP file of ADM/ADMX/JSON templates and documentation"= https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip
copied:
C:\Users\<Your username>\Downloads\policy_templates\windows\admx\en-US\chrome.adml
C:\Users\<Your username>\Downloads\policy_templates\windows\admx\en-US\Google.adml
to:
C:\Windows\PolicyDefinitions\en-US
and
C:\Users\<Your username>\Downloads\policy_templates\windows\admx\chrome.admx
C:\Users\<Your username>\Downloads\policy_templates\windows\admx\google.admx
to:
C:\Windows\PolicyDefinitions\
- Then opened Local Group Policy Editor with:
start>"run">gpedit.msc
Computer Configuration>Administrative tools>add/remove templates>add
opened:
C:\Users\<Your username>\Downloads\policy_templates\windows\adm\en-US\chrome.adm
- That adds the "Google" folder in the subfolder:
Computer configuration\Administrative Templates\
Yielding
Computer configuration\Administrative Templates\Google Chrome
Computer configuration\Administrative Templates\Google Chrome - Default Settings(user can override)
- Then opened:
Computer configuration\Administrative Templates\Google Chrome\Extensions
Example screenshot
in the window on the right (still in Local Group Policy Editor) I double clicked: Configure the list of force-installed apps and extensions
Then in the new popped up window I changed:
Not Configured
to:
Enabled
Example screenshot
In the "Options" Pane, I clicked
add, orshow:-
In the value screen I added the following value(s) (ID(s) of the extension I want to force Install) Stayfocusd:
laankejkbhbdhmipfmgcngdelahlfoji;https://clients2.google.com/service/update2/crxrequestlymdnleldcmiljblolnjhpnblkcekpdkpa;https://clients2.google.com/service/update2/crxad block pluscfhdojbkjhnklbpkdaibdccddilifddb;https://clients2.google.com/service/update2/crx*Note that just the ID without hosting url: laankejkbhbdhmipfmgcngdelahlfoji does NOT work. (Also if you are on a windows computer that is not part of a domain you cannot apply this method to InstallForceList extensions that are not in the Chrome Webstore.)
Example screenshot
then I rebooted the system
The policy can be checked by browsing to: chrome://policy
there you should see the InstallForceList extension.
Now that you cannot un-install the extensions anymore