2

I have a Windows system that is a part of a domain. I've imported the domain GPO chrome .admx file and then created the Chrome GPO policy for 'ExtensionInstallForceList' property by using http://dev.chromium.org/administrators/policy-list-3#ExtensionInstallForcelist as the reference.

Here I've specified the ID for the extension that gets generated when it was loaded in unpacked format. Also, I used the local HTTP server as the place to download. A pseudo value of the property that I used:

eelojgpfkmaaabbbccneneemcahoehjo;http://<some.ip.address>/crx

See attached snapshot for reference:

Chrome GPO policy setting

I've created an IIS server and enabled Directory browsing and then chose the root path of the server to point to the parent folder of 'crx'. I am able to access an xml file present inside crx using the above URL.

However, my extension is still not installed. But I also have the extension in the Chrome Webstore and if I use the Webstore URL, the extension is deployed successfully.

As per comments from Xan below and further trials that I performed, I'll add the snapshots for each of the following:

  1. Updates.xml
  2. Tried FQDN instead of IP address but still couldn't install

     FQDN-based-GPO

  3. Changed the GPO to point to the folder that contains the crx file instead of the update URL. Still not installed
  4. I had already packed the extension using the link you mentioned. I dragged-n-dropped this packed crx file and found out the new ID. I then used this ID in my updates.xml file as well as in my Chrome GPO policies. However, extension is still not installed on the domain endpoint.

     Extension from packing machine

  1. Can someone please help me point out exactly what is missing?
  2. Is there some issue in the way I configured my IIS server? or
  3. Could it be because I used an IP address instead of an FQDN? or
  4. Is it because of some other possible configuration error?

2 Answers

1

You don't specify this well in your question, but I spot a few problems/omissions:

CRXs and IDs

Here I've specified the ID for the extension that gets generated when it was loaded in unpacked format.

This will not work; that ID is just a temporary one based on the hash of the path to the extension.

Chrome needs to generate a keypair and sign the CRX for it to be useable in enterprise deployment.

  1. You need to package it as CRX through chrome://extensions's Developer Mode.

  2. It will generate a private key .pem that you need to save for any future updates (otherwise the ID will change again and you won't be able to use it as an update).

  3. Then, install the CRX on the same machine by dragging it onto chrome://extensions to get its final, signed ID.

    As an alternative to this step, you can use OpenSSL to generate the key from the .pem obtained from the previous steps.

What are you actually hosting?

The URL that you point to in the GPO policy is the Update URL, not the actual CRX file!

See this documentation on Update manifests. Here's an example:

<?xml version='1.0' encoding='UTF-8'?>
<gupdate xmlns='http://www.google.com/update2/response' protocol='2.0'>
  <app appid='eelojgpfkmaaabbbccneneemcahoehjo'>
    <updatecheck codebase='http://<some.ip.address>/actual_extension.crx' version='1.0' />
  </app>
</gupdate>

Modify the updatecheck.version as needed when updating. Don't touch any of the gupdate properties.

How are you serving files?

There may be a minor issue with content-types your server is sending.

I could not find bulletproof information on what should be the content type for the files, but a good guess is:

  • application/xml for the update manifest
  • application/octet-stream for the CRX file

Still not working?

Perhaps you're on to something with IP vs FQDN. It should be possible for you to create a local DNS entry for the update server - try and see if it helps.

Xan
  • Thanks @xan for your help. I'll add the snapshots for each of the following: 1. Updates.xml 2. Tried FQDN instead of IP address but still couldn't install 3. Changed the GPO to point to the folder that contains the crx file instead of the update URL. Still not installed 4. I had already packed the extension using the link you mentioned. However, if I drag-n-drop this new crx file, Chrome doesn't allow me to install it. – Sumeet Agrawal Aug 21 '17 at 04:55
  • Did you drop it in the middle of `chrome://extensions` on the same machine? – Xan Aug 21 '17 at 06:30
  • Of note, it still works on Linux; you can spin a VM and pack there. Or, see the openssl method to extract id from pem. – Xan Aug 21 '17 at 06:32
  • Sorry for the confusion @Xan. I think I might have tried to drag-n-drop on a different system. Now I just tried to repeat the entire process again and I was able to install that packed crx. I've updated my question along with a relevant snapshot. However, the extension is still not deployed through GPO policies. – Sumeet Agrawal Aug 21 '17 at 10:56
  • You are technically still missing `` from the manifest. What I'd also recommend is trying to enable verbose logging for Chrome and see if it complains about anything. – Xan Aug 21 '17 at 10:58
  • I think you intended updates.xml since manifest is the json file. I added that already but it still didn't help. – Sumeet Agrawal Aug 22 '17 at 04:01
  • Well, it's called an "update manifest", technically. Sadly, I'm out of ideas. – Xan Aug 22 '17 at 06:01
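
The checks discussed in the answer above, as an added Python example (not code from the answer or from Chrome): it derives an extension ID from DER-encoded public-key bytes, which is what the OpenSSL method computes from the .pem, and cross-checks an ExtensionInstallForcelist entry against an update manifest. The key bytes, host name and file names are constructed placeholders.

```python
import hashlib
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
NS = "{http://www.google.com/update2/response}"
ID_RE = re.compile(r"^[a-p]{32}$")

def extension_id(public_key_der: bytes) -> str:
    """First 16 bytes of SHA-256 over the DER public key, hex digits 0-f mapped to a-p."""
    digest = hashlib.sha256(public_key_der).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest)

def check_deployment(policy_entry: str, manifest_xml: str) -> list:
    """Return the problems found; an empty list means policy and manifest agree."""
    problems = []
    ext_id, sep, update_url = policy_entry.partition(";")
    if not ID_RE.match(ext_id):
        problems.append("policy: extension ID is not 32 characters in a-p")
    if not sep or urlparse(update_url).scheme not in ("http", "https"):
        problems.append("policy: missing or non-HTTP(S) update URL")
    elif update_url.lower().endswith(".crx"):
        problems.append("policy: URL points at the CRX, not the update manifest")
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError as exc:
        return problems + [f"manifest: not well-formed XML ({exc})"]
    if root.tag != NS + "gupdate":
        problems.append("manifest: root is not <gupdate> in the update2 namespace")
    app = {a.get("appid"): a for a in root.iter(NS + "app")}.get(ext_id)
    if app is None:
        return problems + ["manifest: no <app> whose appid matches the policy ID"]
    check = app.find(NS + "updatecheck")
    if check is None or not check.get("version"):
        problems.append("manifest: <updatecheck> or its version is missing")
    elif not urlparse(check.get("codebase", "")).path.lower().endswith(".crx"):
        problems.append("manifest: codebase does not point at a .crx file")
    return problems

# Constructed sample input: key bytes, host name and file names are placeholders.
SAMPLE_ID = extension_id(b"constructed-public-key-der-bytes")
SAMPLE_MANIFEST = f"""<?xml version='1.0' encoding='UTF-8'?>
<gupdate xmlns='http://www.google.com/update2/response' protocol='2.0'>
  <app appid='{SAMPLE_ID}'>
    <updatecheck codebase='http://updates.example.internal/crx/ext.crx' version='1.0' />
  </app>
</gupdate>"""

if __name__ == "__main__":
    print(check_deployment(SAMPLE_ID + ";http://updates.example.internal/crx/updates.xml", SAMPLE_MANIFEST))
```

An ID taken from an unpacked load will show up here as an `appid` mismatch, because it is not derived from the key that signs the packed CRX.
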
-1

Here's the Alternative Extension Distribution Options documentation on the possible ways to distribute Chrome extensions.

All Chrome extensions must be distributed either directly from the Chrome Web Store, using inline installation, or using the mechanisms described below. Failure to comply with one of these distribution methods constitutes a violation of the Chrome extension policy and may result in the extension and/or the software distributing it to be flagged as unwanted software.

You may also check this support page if you want to force install Chrome extensions on corporate-managed Windows devices via machine and OS-user policies.

abielita
  • As you can see from my description, I've already used 'ExtensionInstallForceList' property which is described in the 'https://support.google.com/chrome/a/answer/188453?hl=en' link that you described. Also, I've already gone through the 'https://developer.chrome.com/extensions/external_extensions' link. That link mentions that if an Administrator doesn't want to use Chrome Webstore to distribute the extension, then they can use AD GPO based policies. I've done that already. I seek to know if I've done anything wrong in creating the setup or the GPO policies. – Sumeet Agrawal Aug 18 '17 at 04:21