How to deploy the Push browser extension in Google Chrome using Group Policy

This guide covers the installation and set up of Google Chrome group policy settings. We recommend that you deploy it first into a test environment, as you'll be required to add administrative template files to your Active Directory, and alter your Group Policy configuration.

Note: Multiple steps in this guide overlap with the instructions in the Microsoft Edge KB article. If you are following the guides to deploy settings for both browsers in your environment, please be sure to follow the steps closely to avoid missing settings that need to be applied in each instance.

Installing the administrative templates

Google Chrome requires additional administrative templates be added to Active Directory to deploy configurations via group policy. The required files can be downloaded from the following link.

Google Admin Templates: KB 10052
Download the Google Chrome administrative templates.

In the extracted policy files folder, locate the admx folder and copy chrome.admx to the following location: %systemroot%\sysvol\domain\policies\PolicyDefinitions

In the same extracted policy files location, open the language folder appropriate to your location (eg. en-US) and copy the chrome.adml file to the matching folder under PolicyDefinitions: %systemroot%\sysvol\domain\policies\PolicyDefinitions\en-US

Your folder structure should resemble the following:

Policy definitions folder: KB 10052
Group policy definitions folder with ADMX templates.

You can confirm that the administrative templates have been installed correctly by opening Group Policy Management Editor and expanding Computer Configuration > Policies > Administrative Templates.

You should be able to see nodes labeled Google Chrome:

Group policy management editor showing installed ADMX templates: KB 10052
Group policy management editor with installed templates.

Generate the extension config

Before configuring Group Policy, we need to generate a config file within the Push app. Skip to the next step if you've already done so.

In the Push app, head to the Browsers section, and click on Enrollment options.

Push app browser enrollment options: KB 10052/3/4/5/6/8
Access browser enrollment options via the Browsers section.

On the popup frame, click on the Managed button.

Push app - managed browser option: KB 10052/3/4/5/6/8
You'll see all the Push browser extension enrollment options here.

Next, click on the Group Policy button, make sure Chrome is the selected browser, and click Generate config. This will provide you with a button to download a config specific to your team.

Push app - Managed Chrome GPO: KB 10052
Generate and download the configuration for Group Policy.

Once you’ve downloaded and extracted the zip file, proceed to the next step.

Configuring Group Policy to automatically deploy and configure the Push Security extension

Expanding the Google Chrome node provides a few additional items, including Extensions. Clicking on this item shows a handful of configuration options. The one we're interested in is Configure the list of force-installed apps and extensions.

Chrome configure list of force-installed extensions: KB 10052
Configuring force-installed apps and extensions policy location.

Open the configuration setting and set the policy to Enabled. This will allow you to click the Show… button and to enter the extension ID value. Paste the Push Security extension ID value into the Value field:

dljjddkmmcminffjbcmeccgfbjlhmhlm;https://clients2.google.com/service/update2/crx
Chrome force install group policy settings: KB 10052
Set the extension ID and update URL for Google Chrome.

Once done, click OK, and close the configuration item by clicking OK again. The Configure the list of force-installed apps and extensions setting should display enabled.

Next, under Computer Configuration, expand Preferences > Windows Settings, and click on the Registry node.

Right click in the window pane on the right and select New > Registry Item.

Group Policy New Registry Item: KB 10052/3/8
Create a new registry item in group policy editor.

Leave all the options at their defaults, and paste the following into the Key Path field, and click OK:

SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\dljjddkmmcminffjbcmeccgfbjlhmhlm\policy
New Registry Item - step 1: KB 10052
Create the extension policy registry key.

To create the next registry key, right click in the window pane again and select New > Registry Item. Leave all the options at their defaults, and paste the following into the Key Path field. Do not click OK yet:

SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\dljjddkmmcminffjbcmeccgfbjlhmhlm\policy

Next, enter token into the Value name field. Change the Value type to REG_SZ and set the Value Data field to the value provided in the token.txt file generated in the Push app eg. cd3ab3c1-g1y4-44d3-adq7-h2yc5e13gc1c, and click OK.

Note: Extension policies are case sensitive. When configuring the policy in this part of the guide, please make sure that the value "token" is all lowercase.

New Registry Item - 2nd step: KB 10052
Configure the policy token value.

The Group Policy Management Editor Window should now resemble the following, showing the two registry entries created in the previous steps:

Group Policy editor - registry settings final: KB 10052
The final configuration of the Google Chrome policy registry settings.

The registry keys should now start propagating to client machines affected by this group policy object. You can verify that the keys are recognized by Google Chrome by loading the chrome://policy page and clicking on the Reload Policies button.

Google Chrome policy settings page: KB 10052
The Google Chrome policy page showing the applied policies.

The configuration steps for deploying the Push Security browser extension for Google Chrome into your Active Directory environment is complete.

If you have any questions or you need help setting up, contact us and the Push team can help.