Whether you use Edge, Chrome, Firefox, or some other obscure browser, managing extensions is a crucial part of protecting your users and assets.

Window Shopping

There are over 150,000 web extensions available in the Chrome Web Store. If you’re using Edge, you’ll have both Chrome and Edge extensions available, and both browsers also have options to download extensions from third-party sources.

By comparison, Firefox has fewer than 20,000 extensions in its proprietary store.

Extension use-cases

There are only 13 extensions that have over 10 million active installs in the Chrome web store, and most people want the same basic things:

  • Ad blocking
  • Spell checking
  • Shopping discount codes
  • Video meeting companion apps
  • Web protection
  • Translation services
  • Remote Desktop Services like Chrome Remote Desktop

If you are the person responsible for endpoint security, take a look at that list and think of some of the basic security problems that might come from allowing people to have free access to tools with such capabilities.

Security Concerns

When an extension like a spell checker is installed, it will ask the user to consent to a prompt that might look similar to this:

If the website it can read from is your company’s SaaS platform (software as a service), who knows where that data is going?

There are several tech articles which report on malicious extensions within easy reach of users.

The Solution

Quite simply, we want to prevent the installation of unapproved browser extensions.

In the below examples, I will allow uBlock Origin to be installed. Be aware that there are settings for each browser that support silent install if you require all users to have certain tools to do their jobs.

Manage Extension Install Behaviour using Intune

Microsoft Edge

You need to find the ID of each extension you wish to allow – it is at the end of the URL when you view the extension in the web store.

In Intune, create a Device Configuration profile using Settings Catalog, locate and configure the settings as shown:

The ID is pasted in as an exemption to the block list, which is configured with the setting “Control which extensions cannot be installed” being set to all (*).

When finished, apply to target devices.

Note: There is a user-based option for this setting too, if device targeting doesn’t work in your use-case.

Chrome

Visit the extension page on the webstore:

Create Intune policy as shown:

Firefox

If you haven’t imported the Firefox ADMX templates, you’ll need to do that first.

When you create your Device Configuration Profile, select “Imported Administrative templates”.

Look for Extension Management.

And in the box that pops up, you will need to paste JSON:

{
  "*": {
    "blocked_install_message": "You can't install extensions. Contact your helpdesk.",
    "install_sources": ["about:addons","https://addons.mozilla.org/"],
    "installation_mode": "blocked",
    "allowed_types": ["extension"]
  },
  "[email protected]": {
    "installation_mode": "allowed",
    "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
  },
  "@testpilot-containers": {
    "installation_mode": "allowed",
    "install_url": "https://addons.mozilla.org/firefox/downloads/latest/multi-account-containers/latest.xpi"
  }
}

The above JSON will only allow uBlock Origin and Firefox Multi-Account Containers to install; adjust it to suit your needs and apply it to your target devices.

Grabbing the info for a Firefox extension is a little different, and you will need to do some digging to find the correct ID and install URL for each add-on you use.
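To sanity-check a policy before you push it, it helps to model how each browser resolves an install decision. The following is an added example (not code from the original post) that evaluates the two shapes described above: the Chrome/Edge "block everything with *, exempt via the allowlist" pattern and the Firefox ExtensionSettings JSON, where a per-extension entry overrides the "*" default. The Chrome-style extension ID is a constructed placeholder, and the prefix match used for install_sources is a simplifying assumption rather than Firefox's exact matching rules.

```python
from __future__ import annotations
import json

# Constructed sample of the Chrome/Edge policy values Intune pushes.
# "*" in the blocklist blocks everything; allowlist entries are the exemptions.
CHROMIUM_POLICY = {
    "ExtensionInstallBlocklist": ["*"],
    "ExtensionInstallAllowlist": ["abcdefghijklmnopabcdefghijklmnop"],  # placeholder ID
}

# Constructed sample mirroring the Firefox ExtensionSettings JSON shown above.
FIREFOX_POLICY = json.loads("""
{
  "*": {
    "blocked_install_message": "You can't install extensions. Contact your helpdesk.",
    "install_sources": ["about:addons", "https://addons.mozilla.org/"],
    "installation_mode": "blocked",
    "allowed_types": ["extension"]
  },
  "@testpilot-containers": {
    "installation_mode": "allowed",
    "install_url": "https://addons.mozilla.org/firefox/downloads/latest/multi-account-containers/latest.xpi"
  }
}
""")


def chromium_install_allowed(policy: dict, ext_id: str) -> bool:
    """Chrome/Edge semantics: an explicit allowlist entry wins over the blocklist,
    and a "*" blocklist entry blocks every ID that is not allowlisted."""
    allow = set(policy.get("ExtensionInstallAllowlist", []))
    block = set(policy.get("ExtensionInstallBlocklist", []))
    if ext_id in allow:
        return True
    return ext_id not in block and "*" not in block


def firefox_install_decision(policy: dict, ext_id: str, source: str) -> tuple[bool, str]:
    """Firefox ExtensionSettings semantics: the per-extension entry (if any)
    overrides the "*" default, and install_sources on "*" limits where an
    install may come from (assumed here to be a URL-prefix match).
    Returns (allowed, reason-or-mode)."""
    default = policy.get("*", {})
    entry = policy.get(ext_id, {})
    mode = entry.get("installation_mode", default.get("installation_mode", "allowed"))
    if mode == "blocked":
        return False, default.get("blocked_install_message", "blocked by policy")
    sources = default.get("install_sources")
    if sources and not any(source.startswith(s) for s in sources):
        return False, f"install source {source} not in install_sources"
    return True, mode
```

Feed it the same JSON you paste into Intune and a list of the IDs your users actually have (see the Defender inventory view below) to confirm nothing unexpected slips through.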

Verifying

Each browser has an internal URL to see which policies have been applied to it:

Chrome: chrome://policy

Edge: edge://policy/

Firefox: about:policies#active

Getting visibility into extension usage

If your company’s devices are onboarded to Defender for Endpoint, and you have the Microsoft Defender Vulnerability Management add-on, you’ll have access to a ‘browser extensions’ view in the Inventories section of the Microsoft Security Portal:

Closing Thoughts

Browser security is such an overlooked area of endpoint security, and extensions are only one element of it.

Can users sign into personal accounts in Edge/Chrome/Firefox? You should perhaps block that too!