How to Enforce Browser Extensions Across your Org
Planted January 24, 2025

If you’re like us, your organization has multiple operating systems and multiple browsers to support. We encourage our users to use Chrome and sign in with their org login, and many do, but some opt for Safari on Mac, and a very few use Firefox or Edge. Specifically, we use Jamf School to manage our Mac and iPad fleet, but we don’t have an MDM solution for our Windows devices.
If I had to guess, we have approx. 50 Windows devices and somewhere around 250 Macs including the labs. Here, I’m hoping to describe how we use Google Workplace (admin console), Jamf School and our local AD server to add a browser extension (uBlock Origin and/or uBlock Lite) to all managed devices.
I don’t believe this will be a comprehensive guide, but my hope is that it will provide some insight into this multi-device multi-architecture multi-browser situation.
Gather Intel
Here’s what we’re going to need:
- Google Workplace/Admin settings
  - For everyone who’s logged into Chrome with their org account and has Sync turned on
- MacOS Profile(s)
  - For everyone who’s not logged in with the org account or uses a different browser
- Windows AD Settings
  - For everyone on Windows who’s not logged in with the org account or uses a different browser
- Browser Extension information
  - What extensions do you want to push? Do you want to push other settings like Org bookmarks?
Google Workplace Setup
In my opinion, this is the easy part. (Specifically, this is for non-Chromebooks.)
From this Google support article
Just follow those instructions!
At this point, we’ve covered most of our users. Now, we can focus on the smaller group of users who don’t use Chrome signed into Sync.
Jamf School / MacOS Profiles Setup
Depending on the situation, Jamf School has a lot of profile templates for you to enable and tinker with. For everything else that’s not there, iMazing Profile Editor comes into play. (iMazing is the spiritual successor to ProfileCreator, according to some people on the internet.)
a screenshot of iMazing Profile Editor with my multi-browser profile for uBlock Origin and org bookmarks
Chrome Browser Settings
Enroll Chrome Managed Browser:
```bash
#!/bin/bash
# Title in Jamf School:
# [All][MacOS] enroll chrome managed browser (Faculty OU)

if [ -f "/Library/Google/Chrome/CloudManagementEnrollmentToken" ]; then
    # The enrollment token is already in place, so leave it alone
    echo "No update needed"
else
    # Create the directory Chrome reads the token from, then write the token
    mkdir -p /Library/Google/Chrome
    echo "long-random-uuid-probably" > /Library/Google/Chrome/CloudManagementEnrollmentToken
fi
```
This script places a file in /Library/Google/Chrome on your enrolled Macs to make sure the Chrome browser is Managed by your Org. You’ll be able to see the browser in the admin console and apply settings from there, if you want.
a screenshot of Google Admin showing a bunch of my Loaner machines with enrolled Chrome browsers
Here are two resources to read over for more options for managing Chrome.
Or, you could just open iMazing Profile Editor, search for Chrome, and see what settings you can manage with a config profile. I often find that learning by doing is better. Be curious.
And here is my example from above setting Google Chrome to silently install an extension (I think this is uBlock Origin or Lite):
Using this means that anyone who uses Chrome on a computer with this policy will have that extension forcefully installed whether or not they’re signed into Chrome at all.
Brave Browser Settings
In general, the Chrome Enterprise Management settings also apply to Brave, as Brave is based on Chromium.
Brave Help Center –> Desktop Browser –> Settings management
Firefox Settings
Mozilla Firefox Enterprise link
Again, I’d just use iMazing to see what all the settings are.
Here are the settings for Firefox Extensions (add-ons): Extensions
Here is uBlock Origin for Firefox as an example Add-On.
To get the .xpi file required in settings, right click “Remove” (will probably say something else if not installed!) and “Copy Link” which will result in something like:
https://addons.mozilla.org/firefox/downloads/file/4412673/ublock_origin-1.62.0.xpi
You can then use that link to deploy.
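That `.xpi` link is what Firefox's `ExtensionSettings` policy takes as its `install_url`. As an added example (not from the original post), this script builds a `policies.json` that force-installs add-ons from `addon_id=install_url` pairs; the helper name and the add-on ID `uBlock0@raymondhill.net` (uBlock Origin's ID on addons.mozilla.org) are not on the page.

```shell
#!/bin/bash
# Added example, not from the original post. build_firefox_policies is a
# hypothetical helper that prints a policies.json to stdout.

# Each argument is "addon_id=install_url". Returns 1 and prints no JSON if
# any pair is malformed, so a bad entry never reaches a device.
build_firefox_policies() {
    _body=""
    for _pair in "$@"; do
        case "$_pair" in
            *=*) ;;
            *) echo "no '=' in: $_pair" >&2; return 1 ;;
        esac
        _id=${_pair%%=*}
        _url=${_pair#*=}
        # The ID must be non-empty and safe to embed in a JSON string.
        case "$_id" in
            ""|*[\"\\]*) echo "bad add-on ID: $_id" >&2; return 1 ;;
        esac
        # Only accept an HTTPS link to an .xpi (this example's own rule).
        case "$_url" in
            *[\"\\]*|*' '*) echo "unsafe URL: $_url" >&2; return 1 ;;
            https://?*.xpi) ;;
            *) echo "not an https .xpi link: $_url" >&2; return 1 ;;
        esac
        if [ -n "$_body" ]; then _body="$_body,
"; fi
        _body="$_body      \"$_id\": {
        \"installation_mode\": \"force_installed\",
        \"install_url\": \"$_url\"
      }"
    done
    [ -n "$_body" ] || return 1
    printf '{\n  "policies": {\n    "ExtensionSettings": {\n%s\n    }\n  }\n}\n' "$_body"
}

# Demo with the link shown above.
build_firefox_policies \
    "uBlock0@raymondhill.net=https://addons.mozilla.org/firefox/downloads/file/4412673/ublock_origin-1.62.0.xpi"
```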
Windows AD Settings
So, you’re in a position without a Windows MDM tool like us but you have a handful of Windows devices that need some managed settings. Eventually, if we ever figure out the M$ licensing system, maybe we’ll use Intune (but not for Macs) but for now let’s figure out how to do this the old fashioned way. No, not *that* old fashioned.
Alright, go ahead and remote into your primary AD server. We’re running Windows Server 2019 still, which is fine. Open up the Server Manager. Navigate to Group Policy Management.
Microsoft Edge
Use group policies to manage Microsoft Edge extensions
screenshot of Group Policy Manager in my Windows Server 2019 VM which manages our AD for a dozen Windows laptops showing adding an extension to Microsoft Edge forcefully via the Registry
In my case, I couldn’t find what the MS article I linked above was talking about:
“In the Group Policy Editor, go to Administrative Templates > Microsoft Edge > Extensions > and then select Control which extensions are installed silently.”
So, I had to find another way, hence the Registry workaround.
I attempted to update the Administrative Templates via this link but it doesn’t seem to have updated anything.
SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist\1
is the registry location (the key is ExtensionInstallForcelist and 1 is the name of the string value under it), and the value data is the same as the JSON values from that MS link:
Note
For extensions hosted in the Chrome web store use a string such as:
pckdojakecnhhplcgfflhndiffaohfah;https://clients2.google.com/service/update2/crx
For self-hosted extensions use the pattern
extension_id;update_url
where update_url points to the location of the update manifest XML file. For example,
mfjlfjaknfckffgjgmdfeheeealceoak;https://file_location.azurewebsites.net/picture_of_the_day.xml
Another example:
bfgjjammlemhdcocpejaompfoojnjjfn;https://clients2.google.com/service/update2/crx
Here is another example of adding PrinterLogic to Edge:
Additional information to the Value data: “bfgjjammlemhdcocpejaompfoojnjjfn” is the ID from the PrinterLogic extension. “clients2.google.com/service/update2/crx” is the download source, in this case the Google Chrome Web Store.
Browser Extension information
Finally, what extensions should you push to your Org?
You either deploy adblocking or ransomware https://t.co/bFPxPPqlbX
— SwiftOnSecurity (@SwiftOnSecurity) September 14, 2023
I’m a big supporter of adblocking for general internet usage, which is one reason I’ve chosen Brave as my personal browser. But, since we officially support Chrome as the organization’s browser, we should be pushing uBlock to everyone every way we can.
We also use PrinterLogic to (despite its name) deploy copiers and PrinterLogic requires an extension, hence the above example.
The main pieces of information you’ll need are the extension ID and, for Windows AD GPO, the store URL.
Extension Name | Extension ID | Extension Store |
---|---|---|
PrinterLogic extension | bfgjjammlemhdcocpejaompfoojnjjfn | https://clients2.google.com/service/update2/crx |
uBlock Origin | cjpalhdlnbpafiamejdnhcphjbkeiagm | https://clients2.google.com/service/update2/crx |
uBlock Lite | ddkjiahejlhfcafbddmgiahcphecmpfh | https://clients2.google.com/service/update2/crx |
In any example, if you visit the Chrome Web store page, you can get the Extension ID from the URL.
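A mistyped ID in a force-install entry is easy to miss, because the string still looks plausible in a profile or registry value. The check below is an added example (not from the original post) that validates the `extension_id;update_url` strings used for the Chrome policy and the Edge registry value above, and pulls the ID out of a Web Store page URL. The function names and the HTTPS-only rule are this example's own choices.

```shell
#!/bin/bash
# Added example, not from the original post. Function names are hypothetical.

# Succeeds if $1 looks like a Chromium extension ID: 32 chars, letters a-p only.
is_extension_id() {
    [ "${#1}" -eq 32 ] || return 1
    case "$1" in
        *[!abcdefghijklmnop]*) return 1 ;;
    esac
}

# Validates one "extension_id;update_url" force-install entry.
# Requiring https is this example's hardening choice for the update manifest.
check_forcelist_entry() {
    case "$1" in
        *\;*) ;;
        *) echo "REJECT (no ';update_url'): $1" >&2; return 1 ;;
    esac
    _id=${1%%;*}
    _url=${1#*;}
    if ! is_extension_id "$_id"; then
        echo "REJECT (ID is ${#_id} chars or has letters outside a-p): $1" >&2
        return 1
    fi
    case "$_url" in
        https://?*) ;;
        *) echo "REJECT (update URL is not https): $1" >&2; return 1 ;;
    esac
}

# Prints the extension ID from a Chrome Web Store page URL: the last path
# segment, after dropping any ?query, #fragment or trailing slash.
id_from_store_url() {
    _u=${1%%\?*}
    _u=${_u%%#*}
    _u=${_u%/}
    _id=${_u##*/}
    is_extension_id "$_id" || return 1
    printf '%s\n' "$_id"
}

# Constructed sample input: the last entry is deliberately one letter short.
for entry in \
    "cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx" \
    "ddkjiahejlhfcafbddmgiahcphecmpfh;https://clients2.google.com/service/update2/crx" \
    "bfgjjammlemhdcocpejaompfoojnjjf;https://clients2.google.com/service/update2/crx"
do
    if check_forcelist_entry "$entry"; then echo "OK: $entry"; fi
done
```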
A note on uBlock Origin vs uBlock Lite
Chrome updated its extension system (Manifest V3) with stricter security rules. This significantly impacted uBlock Origin, which relies heavily on features restricted by these new rules. As a result, uBlock Origin cannot function properly in Chrome under the new system.
uBlock Lite, on the other hand, was specifically designed to comply with Manifest V3. It uses alternative methods that work within the new restrictions, allowing it to continue blocking ads effectively in the updated Chrome environment.
Basically, deploy uBlock Lite to Chrome, now, and uBlock Origin to other browsers that still support Manifest V2, like Brave.
Written in Markdown on Obsidian.md - January 2025