How Google manages Chrome extensions without manually white/blacklisting each one
The key is to make policies based on permissions or runtime actions, not manually whitelisting each one.
We’ve kept our eyes peeled for anything regarding Chrome extensions over the past year, and were rewarded for it in April. At Google Cloud Next 2019, Google had a session that outlined how the company itself managed Chrome browser extensions across its workforce.
They also announced GA for the previously announced Chrome Browser Cloud Management, which helps IT admin manage Chrome browser extensions and more.
Chrome management options
First, let’s review how admins can manage Chrome extensions. There are three options available to enterprises: traditional endpoint management, Chrome user profiles, and Google Cloud Platform. Google considers the first two options to rely heavily on compiling a whitelist and blacklist, which can become difficult to keep organized over time. Additionally, there isn’t always a lot of customization available, potentially creating a frustrating user experience.
Existing platforms
For a while, it’s been possible to manage Chrome via Group Policy, or with plist files on macOS. While this might be a perfectly adequate solution, it does require IT admin to coordinate with your organization’s Mac admins and other platform admins (if you have them) to ensure policies are enforced across all platforms.
User profiles
From the Google Admin Console, admin can set policies directly against Chrome user profiles, where they can limit extension access. The challenge with this is that it requires users to log into Chrome. Admin can actually make Chrome force users to login, but that requires everyone to have G Suite.
Google Cloud Platform
To get around managing via user profiles, Google recently released Chrome Browser Cloud Management (accessed through Google Admin Console), which provides a hybrid experience. Instead of dealing with users signing in and everyone having G Suite, admins (who will need G Suite) can request a unique enrollment token that they provision onto a user’s Chrome using endpoint management. Once enrolled, Chrome will connect to Google Admin console and download policies.
How Google manages Chrome extensions
Given the challenges provided by traditional management methods, what does Google do internally? Instead of keeping blacklists and whitelists, admins manage by permissions and runtime actions. (They liked to call it “enhanced management.”) This allows Google to consider user experience while mitigating risk and scaling up easily.
Admin can manage Chrome extensions by permissions and runtime actions three different ways. On Windows, admins can use Group Policies (example JSON string: {“*”:{”blocked_permissions”:[“usb”]}}) and through Windows Registry for the more code averse (instructions can be found here). The third option is with the Chrome Browser Cloud Management, which works across Windows, Mac, and Linux.
Blocking only by permissions can result in a poor user experience, though, as it simply disables Chrome extensions. This is where blocking by runtime actions can be a potential compromise between security and UX. Many extensions are harmless, but may still request permissions that could be too invasive on sensitive enterprise websites. Rather than disabling the extension altogether, just block API calls on certain sites. This allows users to install Chrome browser extensions they like, but disables them on certain sites.
One additional nice feature of Chrome Browser Cloud Management is the ability to pin allowed permissions. This prevents extensions from potentially updating with newer permissions and harming your organization. Instead, the new permissions remain blocked until an admin goes in and approves the new permissions.
Transitioning tips
Google offered some quick tips for organizations interested in implementing enhanced management. First, admin should audit the current extensions needed or are commonly used by employees. Then, they should create a master list of all hosts that must be secure and permissions to block, as well as determine how to go about adding new extensions into the organization as necessary. With those three pieces in place, pilot test to determine the user experience. Review feedback from the test run and then start the normal production rollout.
Exciting, but still need more
We find it very exciting to see progress regarding security issues we’ve discussed in the past. It’s good that we have all these management options, but we could still use more help with vetting Chrome extensions. Extensions may not have access to sensitive enterprise sites if admins use Google’s management method, but that doesn’t mean they are safe for general use.
We did notice a recently released free tool from Duo Security called CRXcavator that helps vet Chrome browser extensions. It looks a lot like the mobile app reputation functionality that comes with a lot of MTD products, and we plan to look into it more.
