Enterprise Chrome Extension Deployment Guide
A comprehensive guide to force-installing the ProtectedAI Chrome extension across your entire organization. Covers industry-standard deployment channels, BYOD scenarios, and compliance detection strategies.
Audience: IT administrators at enterprise clients. Also serves as an internal reference for public documentation.
Deployment methods overview
| Method | Cost | OS | Browsers | BYOD | User can uninstall |
|---|---|---|---|---|---|
| Google Workspace Admin Console | Included with Workspace | Win/Mac/Linux/ChromeOS | Chrome | Corporate login only | No |
| Chrome Enterprise Core | Free | Win/Mac/Linux | Chrome | Requires enrollment token | No |
| Microsoft Intune | Included with M365 E3+ | Win/Mac | Chrome + Edge | With Intune enrollment | No |
| GPO (Active Directory) | No additional cost | Windows only | Chrome + Edge | No | No |
| Jamf / macOS MDM | ~$4-8/device/month | macOS only | Chrome + Edge | With MDM enrollment | No |
| Cloud MDMs (JumpCloud, Rippling, etc.) | From $1/device/month | Win/Mac | Chrome + Edge | With enrollment | No |
| Managed Chrome Profiles | Included with Workspace | Win/Mac/Linux | Chrome | Yes (no MDM needed) | No (within profile) |
1. Google Workspace Admin Console
The most straightforward method for organizations already using Google Workspace.
Path: admin.google.com > Devices > Chrome > Apps & extensions > Users & browsers
Steps:
- Search for the extension by ID or by name in the Chrome Web Store.
- Select the target Organizational Unit (OU).
- Set the installation policy to "Force install".
- The extension deploys automatically to all users in the OU.
Requirements:
- Google Workspace license (any tier: Business Starter, Standard, Plus, Enterprise).
- Users must have managed accounts (@yourdomain.com) and sign into Chrome with them.
Limitations:
- Does not apply if the user uses Chrome without signing in or with a personal account.
- Chrome only — not Edge or other Chromium browsers.
Result: The extension appears as "Managed by your organization" and the remove option is disabled.
2. Chrome Enterprise Core (free)
A free Google platform for centralized Chrome browser management, without requiring Google Workspace.
How it works:
- Sign up for Chrome Enterprise Core at admin.google.com/ac/chrome/enrollment.
- Generate an enrollment token from the console.
- Deploy the token to devices via MDM, GPO, or script.
- Enrolled browsers receive machine-level policies, including extension force-install.
Requirements:
- Sign up for Chrome Enterprise Core (free).
- Deploy the enrollment token to devices.
- Chrome installed.
Advantages over Admin Console:
- No Google Workspace or managed Google accounts required.
- Policies apply at the machine/browser level, not the profile level.
- Centralized visibility: Chrome versions, installed extensions, patch status.
Limitations:
- The enrollment token must be deployed through some mechanism (MDM, GPO, manual script).
- Chrome only.
- Advanced features (native DLP, malware scanning) require upgrading to Chrome Enterprise Premium ($6 USD/user/month).
3. Microsoft Intune
For organizations within the Microsoft ecosystem. Manages both Chrome and Edge from a single place.
Chrome (via ADMX)
Steps:
- Import the Google Chrome ADMX templates into Intune.
- Create a configuration profile > Settings Catalog.
- Search for ExtensionInstallForcelist.
- Add: EXTENSION_ID;https://clients2.google.com/service/update2/crx
Edge (native)
Steps:
- Create a configuration profile > Settings Catalog.
- Search for "Control which extensions are installed silently".
- Add the extension ID with the Edge update URL.
Requirements:
- Microsoft 365 license with Intune (E3, E5, Business Premium, or Intune standalone).
- Devices enrolled in Intune.
Limitations:
- For Chrome you need to import Google's ADMX templates (extra step).
- More complex configuration than Google Admin Console.
4. Group Policy (GPO) — Windows
For Windows environments with on-premises Active Directory.
Configuration:
Machine-level registry path:
HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallForcelist
User-level registry path:
HKEY_CURRENT_USER\Software\Policies\Google\Chrome\ExtensionInstallForcelist
Value (REG_SZ):
1 = EXTENSION_ID;https://clients2.google.com/service/update2/crx
For Edge, the path changes to Software\Policies\Microsoft\Edge\ExtensionInstallForcelist.
Steps:
- Download and import the Chrome ADMX templates on the domain controller.
- Create or edit a GPO linked to the desired OU.
- Navigate to: Computer Configuration > Administrative Templates > Google Chrome > Extensions.
- Configure "Configure the list of force-installed apps and extensions".
Requirements:
- Active Directory with a Windows domain.
- Chrome ADMX templates imported.
- Domain-joined devices.
Limitations:
- Windows only.
- Does not work with non-domain-joined devices.
5. Jamf / MDM — macOS
For Mac fleets managed with Jamf Pro, Mosyle, Kandji, or another MDM.
Configuration:
Deploy a configuration profile with the com.google.Chrome domain:
```xml
<dict>
    <key>ExtensionInstallForcelist</key>
    <array>
        <string>EXTENSION_ID;https://clients2.google.com/service/update2/crx</string>
    </array>
</dict>
```
Steps:
- Create a configuration profile in Jamf Pro.
- Add a "Custom Settings" payload with the com.google.Chrome domain.
- Include the ExtensionInstallForcelist key with the extension array.
- Assign the profile to the target device group.
Requirements:
- Jamf Pro or another macOS-compatible MDM.
- Devices enrolled in the MDM.
Limitations:
- macOS only.
- If the user has a managed Google account, Google Admin Console policies take precedence over MDM policies.
6. Cloud MDMs — JumpCloud, Rippling, Hexnode, Mosyle, and others
Cloud-based device management platforms, widely used in startups and mid-market companies. All use the same underlying mechanism (ExtensionInstallForcelist) but differ in whether they offer a native UI or require manual profiles/scripts.
JumpCloud
The most complete option for extension management: has a dedicated native policy.
- Mechanism: Native "Chrome Force-Installed Extension List" policy in the console (Device Management > Policy Management). Also has a separate policy for Edge.
- OS: Windows 10+, Windows 11, macOS.
- Chrome + Edge: Yes, both with dedicated policies.
- Price: From $9/user/month (Device Management).
Rippling
Popular for unified IT + HR management. No native UI for extensions — requires manual profiles and scripts.
- Mechanism: Custom profiles (.mobileconfig on macOS), PowerShell scripts on Windows that write to the registry.
- OS: macOS, Windows.
- Chrome + Edge: Yes, both via separate profiles/scripts.
- Price: ~$8/device/month (Rippling IT module).
Hexnode
Affordable option with native Windows support.
- Mechanism: Native "Browser Settings" policy with a "Force Install Extensions" field on Windows (writes to registry at device level). On macOS: custom profile.
- OS: Windows, macOS, iOS, Android, ChromeOS.
- Chrome + Edge: Chrome native on Windows. Edge via analogous mechanism.
- Price: From $1/device/month.
Mosyle
The most affordable option for Apple fleets. Has a native Chrome management feature.
- Mechanism: "Chrome Management for Mac" as a native feature + custom profiles. Supports Chrome Enterprise Core integration via enrollment token.
- OS: macOS/iOS only.
- Chrome + Edge: Only Chrome documented.
- Price: Free up to 30 devices. Premium from $1/device/month.
Kandji (now Iru)
Apple-focused MDM, with recent Windows support (2025).
- Mechanism: Custom .mobileconfig profile with ExtensionInstallForcelist. Supports Chrome Enterprise Core integration.
- OS: macOS (native), Windows (new support).
- Chrome + Edge: Chrome via custom profile.
- Price: From ~$4/device/month.
Scalefusion
Cross-platform with native Chrome and Edge support.
- Mechanism: Native feature via Custom Settings for Chrome and Edge on Windows. "Configure extensions to be force installed" field in the console.
- OS: Windows, macOS, Linux, Android, ChromeOS.
- Chrome + Edge: Yes, both explicitly documented.
- Price: From $2/device/month.
Cloud MDM comparison table
| MDM | Native extension UI | Chrome | Edge | macOS | Windows | Starting price |
|---|---|---|---|---|---|---|
| JumpCloud | Yes (dedicated policy) | Yes | Yes | Yes | Yes | $9/user/month |
| Scalefusion | Yes (Custom Settings) | Yes | Yes | Yes | Yes | $2/device/month |
| Hexnode | Yes (Windows) | Yes | Partial | Yes | Yes | $1/device/month |
| Rippling | No (scripts/profiles) | Yes | Yes | Yes | Yes | ~$8/device/month |
| Kandji/Iru | No (custom profile) | Yes | Partial | Yes | New | ~$4/device/month |
| Mosyle | Partial (Chrome Mgmt) | Yes | No | Yes | No | $0 (30 devices) |
Note: All MDMs use the same underlying mechanism (ExtensionInstallForcelist). The difference lies in the configuration experience: some have dedicated UIs (JumpCloud, Hexnode) while others require manually creating profiles/scripts (Rippling, Kandji).
7. Managed Chrome Profiles — BYOD without MDM
The most relevant method for unmanaged personal devices.
How it works: When a user signs in with their corporate Google account in Chrome, a separate work profile is automatically created. Organization policies (including extension force-install) apply only to that profile, without affecting the user's personal profile.
Configuration (Admin Console):
- admin.google.com > Devices > Chrome > Settings > Users & browsers.
- Enable "Force users to create a separate profile on sign-in".
- Configure extension force-install in the same OU.
Requirements:
- Google Workspace.
- The user must sign in with their corporate account.
Does not require:
- MDM.
- Device enrollment.
- Manual installation.
Limitations:
- The user might not sign in with their work account.
- Chrome only.
- Mitigation: combine with conditional access — "you can only access work apps from the managed profile."
BYOD scenarios
| Method | Works on BYOD | Condition |
|---|---|---|
| Google Admin Console | Yes | Corporate account login |
| Chrome Managed Profiles | Yes | Corporate account login |
| Chrome Enterprise Core | Partial | Enrollment token must be installed on device |
| Intune (MAM) | Yes | Device must be enrolled in Intune |
| GPO | No | Requires AD domain |
| Jamf | Partial | Requires MDM enrollment |
| Cloud MDMs (JumpCloud, Rippling, etc.) | Partial | Requires device enrollment in MDM |
Recommended strategy for pure BYOD: Managed Chrome Profiles + conditional access. The user signs in with their corporate account > the work profile is created > the extension is automatically installed. If they don't sign in, they can't access work apps.
Compliance detection without MDM
Methods to determine which users have the extension installed without requiring device management.
Extension registration via API
ProtectedAI registers each extension on login via POST /v1/extension/register. Admins can see in the dashboard which users have the extension active and which don't, displaying a compliance rate (e.g., "8/10 users protected").
externally_connectable (web-based detection)
The extension can declare in its manifest.json which domains can communicate with it:
```json
{
  "externally_connectable": {
    "matches": ["https://app.protectedai.com/*"]
  }
}
```
From the dashboard, a message is sent to the extension:
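```javascript
// Runs in the dashboard page, whose origin must match externally_connectable.
if (window.chrome?.runtime?.sendMessage) {
  chrome.runtime.sendMessage(EXTENSION_ID, { type: "ping" }, (response) => {
    if (chrome.runtime.lastError || !response) {
      // Not installed or not answering: show installation banner
    } else {
      // Extension installed and active
    }
  });
} else {
  // chrome.runtime is not exposed to this page (no extension lists this origin,
  // or not a Chromium browser): show installation banner
}
```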
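The extension side of this ping, as an added example that is not ProtectedAI's own code: a handler that re-checks the sender's origin even though externally_connectable already restricts it, and answers only the one message type. The function name, the "pong" reply shape and the version field are assumptions.

```javascript
// Added example (hypothetical names): extension-side handler for the dashboard ping.
// ALLOWED_ORIGIN mirrors the externally_connectable entry in manifest.json.
const ALLOWED_ORIGIN = "https://app.protectedai.com";

// Pure decision function so it can be tested outside the browser.
// Returns the reply object, or null when the message must be ignored.
function handleExternalMessage(message, sender, extensionVersion) {
  // Prefer sender.origin; fall back to parsing sender.url.
  let origin = sender && sender.origin;
  if (!origin && sender && sender.url) {
    try {
      origin = new URL(sender.url).origin;
    } catch {
      origin = null;
    }
  }
  if (origin !== ALLOWED_ORIGIN) return null; // wrong or missing origin
  if (!message || typeof message !== "object") return null;
  if (message.type !== "ping") return null; // only one message type is accepted
  // Reply with presence and version only; never tokens or user data.
  return { type: "pong", version: extensionVersion };
}

// Register only when running inside the extension's service worker.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessageExternal) {
  chrome.runtime.onMessageExternal.addListener((message, sender, sendResponse) => {
    const version = chrome.runtime.getManifest().version;
    const reply = handleExternalMessage(message, sender, version);
    if (reply) sendResponse(reply);
    // Anything else gets no reply, so the caller's callback receives undefined.
  });
}
```

A page-side ping proves only that something answered from this browser profile, so treat it as a hint for showing the banner and keep the server-side registration as the compliance record.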
Chrome Enterprise Core Reporting
If browsers are enrolled in Chrome Enterprise Core, the console shows which extensions each managed browser has installed.
Endpoint detection (osquery / Defender)
Tools like osquery or Microsoft Defender for Endpoint can scan the filesystem and detect installed extensions by searching for their IDs in Chrome profile folders.
Reference: ExtensionInstallForcelist policy
This is the base policy used by all methods above. Format:
EXTENSION_ID;https://clients2.google.com/service/update2/crx
| Platform | Where to configure |
|---|---|
| Google Admin Console | Devices > Chrome > Apps > Force install |
| Chrome Enterprise Core | Same console, at browser enrollment level |
| Intune | Settings Catalog > ExtensionInstallForcelist |
| GPO (Windows) | Registry or ADMX template |
| Jamf (macOS) | Configuration profile com.google.Chrome |
| JumpCloud | Device Management > Policy Management > Chrome Force-Install |
| Rippling | Custom profile (macOS) / PowerShell script (Windows) |
| Hexnode | Browser Settings policy (Windows) / Custom profile (macOS) |
| Scalefusion | Custom Settings > Force install extensions |
| Mosyle | Chrome Management / Custom profile |
| Linux | /etc/opt/chrome/policies/managed/*.json |
For Microsoft Edge, the equivalent policy is ExtensionInstallForcelist under Software\Policies\Microsoft\Edge\.
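A way to audit a deployed policy against the format above, as an added example that is not part of the original guide: it parses the JSON of a managed policy file (the Linux layout in the table) and reports malformed IDs, unexpected update URLs and a missing expected extension. The function names, the sample ID and the sample policy are constructed; the expected URL is the Chrome one, so pass a different one when checking Edge.

```javascript
// Added example (not ProtectedAI code): audit an ExtensionInstallForcelist policy.
const CHROME_UPDATE_URL = "https://clients2.google.com/service/update2/crx";
const ID_PATTERN = /^[a-p]{32}$/; // extension IDs: 32 characters in the range a-p
const SAMPLE_ID = "abcdefghijklmnopabcdefghijklmnop"; // constructed placeholder ID

// Split one "EXTENSION_ID;update_url" entry and list what looks wrong with it.
function parseEntry(entry, expectedUrl = CHROME_UPDATE_URL) {
  const text = String(entry).trim();
  const sep = text.indexOf(";");
  const id = sep === -1 ? text : text.slice(0, sep);
  const updateUrl = sep === -1 ? null : text.slice(sep + 1);
  const problems = [];
  if (!ID_PATTERN.test(id)) problems.push("malformed extension ID");
  if (updateUrl !== expectedUrl) problems.push("update URL is not the expected one");
  return { id, updateUrl, problems };
}

// Audit the JSON text of a managed policy file for one expected extension.
function auditForcelist(policyJsonText, expectedId) {
  let policy;
  try {
    policy = JSON.parse(policyJsonText);
  } catch (err) {
    return { deployed: false, findings: ["policy is not valid JSON"] };
  }
  const list = policy && policy.ExtensionInstallForcelist;
  if (!Array.isArray(list)) {
    return { deployed: false, findings: ["ExtensionInstallForcelist is missing or not a list"] };
  }
  const findings = [];
  let deployed = false;
  list.forEach((raw, index) => {
    const entry = parseEntry(raw);
    for (const p of entry.problems) findings.push(`entry ${index + 1} (${entry.id}): ${p}`);
    if (entry.id === expectedId && entry.problems.length === 0) deployed = true;
  });
  if (!deployed) findings.push(`${expectedId} is not force-installed`);
  return { deployed, findings };
}

// Constructed sample: one good entry, one with another update server, one bad ID.
const SAMPLE_POLICY = JSON.stringify({
  ExtensionInstallForcelist: [
    `${SAMPLE_ID};${CHROME_UPDATE_URL}`,
    "ponmlkjihgfedcbaponmlkjihgfedcba;http://updates.example.test/crx",
    `not-an-id;${CHROME_UPDATE_URL}`,
  ],
});
console.log(auditForcelist(SAMPLE_POLICY, SAMPLE_ID));
```

An entry with a different update URL is not necessarily wrong (self-hosted extensions use their own), but every force-installed entry runs without user consent, so each unexpected one is worth tracing to the policy that set it.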
Competitive landscape
Reference on how other enterprise browser security products deploy.
| Product | Model | Deployment channels |
|---|---|---|
| Nightfall AI | Extension + endpoint agent | Admin Console, Intune, MDM |
| Polymer DLP | Chrome extension | Admin Console, one-click |
| LayerX | Chrome/Edge/Safari extension | Admin Console, MDM, GPO |
| Push Security | Chrome/Edge extension | Admin Console, MDM, GPO |
| Cyberhaven | Extension + endpoint agent | Admin Console, MDM |
| Island | Enterprise browser (Chromium) | Replaces Chrome — absolute control |
Common pattern: All extension-based competitors use the same deployment channels. None solve the BYOD gap without user cooperation (corporate account login or device enrollment).