For Chrome version 92 or later.
Applies to computers that are managed using Chrome Enterprise Core and managed ChromeOS devices. This feature is not currently available for Enterprise accounts on unmanaged browsers or unmanaged ChromeOS devices.
As an admin, you can use the Google Admin console to let users request the extensions that they need in the Chrome Web Store. Then, you can allow, block, or automatically install extensions that users request.
Things to consider
- We recommend that first you apply settings to a small number of users and devices in a test organizational unit. Then, after you verify that devices are working correctly, you can apply them to your entire organization.
- Allowing users to request extensions on their personal devices needs more discussion. For now, only include users with company owned devices in your test organizational unit.
- When you complete these steps to turn the feature on, users can only install the extensions that you allow in the Apps & extensions list and requested extensions that you approve. All other apps are disabled or blocked. In steps 2 and 3 below, make sure that you approve or automatically install all of the apps that your users need.
- To manage extension requests for a specific group of users or enrolled Chrome browsers, put the user accounts or browsers in an organizational unit. You can’t set the installation policy for individual users or browsers.
- To make sure that you can service the extension requests, verify that this privilege is enabled:
ServicesChrome ManagementSettingsManaged Application Settings.- Learn more about Admin roles for businesses.
- Learn how to View a user’s roles and privileges.
How to
Step 1: Turn on reporting
For details, about how to receive daily profile and system state data in your Admin console, see Enable Chrome browser reporting.
Before you proceed to the next step, verify that reports are populated with data. It can take up to 48 hours for data to show up in reports.
Step 2: Get a list of currently installed extensions
There are two ways to get a list of all the extensions that are currently installed on users’ enrolled Chrome browsers and ChromeOS devices:
- Admin Console—View app and extension usage details
- Takeout API—How to use Chrome Browser Takeout API Service Script
Step 3: Specify the apps you want to allow
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesChromeApps & extensionsUsers & browsers.
If you signed up for Chrome Browser Cloud Management, go to Menu Chrome browserApps & extensionsUsers & browsers.
- (Users only) To apply the setting to a group, do the following:
- Select Groups.
- Select the group to which you want to apply the setting.
- (Optional) To apply the setting to a department or team, at the side, select an organizational unit. Show me how
- Add the apps that appear in the list that you already obtained in Step 2:
- Point to Add and click Add from Chrome Web Store.
- Find the app and click Select.
- If prompted, accept the app permissions on behalf of your organization.
For details about setting policies for a specific Chrome extension, go to View and configure apps and extensions.
Step 4: Allow users to request extensions
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesChromeApps & extensionsUsers & browsers.
If you signed up for Chrome Browser Cloud Management, go to Menu Chrome browserApps & extensionsUsers & browsers.
- (Users only) To apply the setting to a group, do the following:
- Select Groups.
- Select the group to which you want to apply the setting.
- (Optional) To apply the setting to a department or team, at the side, select an organizational unit. Show me how
- On the right, click Additional settings.
- Scroll down to Allow/block mode.
- Under Chrome Web Store, select Block all apps, admin manages allowlist, users may request extensions.
- Click Save.
Step 5: Enable privileges
Before you can view and manage user extension requests, make sure you are assigned specific privileges in the Admin console. For more details, see View a user’s roles and privileges.
Note: If you cannot assign these privileges in the Privileges page, contact your admin.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu AccountAdmin roles.
- Click the link of the role you want to change.
- Click Privileges.
- Under Admin Console Privileges, scroll to ServicesChrome ManagementSettings.
- Enable the following privileges:
- Scroll to Managed Browsers and check Read.
- Scroll to View Reports and check View Extensions List Report.
- Scroll to Manage User Settings and check Manage Application Settings.
- Click Save.
Step 6: Manage extension requests
View and manage extensions that users have requested on the extension request page.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
-
In the Admin console, go to Menu DevicesChromeApps & extensionsRequests.
If you signed up for Chrome Browser Cloud Management, go to Menu Chrome browserApps & extensionsRequests.
- Click on the row of the extension that you want to set the installation policy for.
- Set the installation policy. Choose an option:
- To let admins automatically install and pin the extension, choose the option that is available for the selected extension:
- Force install + pin
- Force install + pin to ChromeOS taskbar
- Force install + pin to browser toolbar
- Force install—Lets admins automatically install the extension.
- Allow install—Lets users install the extension.
- Block—Prevents users from installing the extension. Removes the extension from users that have it installed. Add a customized message to explain to users why you’re blocking the extension.
- To let admins automatically install and pin the extension, choose the option that is available for the selected extension:
- Select the organizational unit you want to force install, allow install, or block the extension for.
- Click Save.
What users can do
Request an extension
- Open the Chrome Web Store.
- In the left column, click Extensions.
- Browse or search for the extension you want to add.
- Click Request. Sometimes you might see one of the following buttons instead:
- Pending—You have already requested the extension and are waiting for approval.
- Blocked by admin—Admin has rejected the request.
- Installed—Admin has already force-installed the extension.
- Do one of the following:
- If you’re requesting the extension for the first time, confirm that you want to send a request to your admin. Review the types of data that the extension will be able to access and click Send.
- If you already requested the extension, you’ll see a message that lets you know you already requested it. Click OK.
- If the admin blocked the extension, you’ll see a message that lets you know it’s blocked. Click OK.
- To check the status of extensions that you requested, in your browser window, go to chrome://extensions.
You'll see your installed extensions in Chrome as buttons on the taskbar. When your admin approves, automatically installs, or blocks the extension you requested, you’ll get a Chrome notification letting you know.
Verify policies are applied
Check users’ devices to make sure the policy was applied correctly.
- On a users’ device, go to chrome://policy.
- Click Reload policies.
- Check the Show policies with no value set box.
- For the CloudExtensionRequestEnabled policy, make sure that Status is set to OK and Policy value is True.
- For the CloudReportingEnabled policy, make sure that Status is set to OK and Policy value is True.
Set up alerts and rules for emails
Some admins want to be alerted by email when there is an extension request. You can do this by creating a rule. For details, see Create and manage rules from the Rules page.
You can create reporting rules or activity rules depending on your Google Workspace edition, your administrative privileges, and the data source. For more details, see Admin access to reporting rules & activity rules.
Before you begin
- To receive email notifications, you must activate Gmail for your domain. Go to AccountDomainsManage Domains, click Activate Domain, and follow the instructions. For more details, see Google Domains: Activate Gmail for Google Workspace.
You can create reporting rules if you have non-premium editions such as Business Starter, Business Standard, and Education Standard.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- Do one of the following:
- From the Admin console Home page, on the left, go to Rules.
- Click Create RuleReporting.
- From the Admin console Home page, on the left, go to ReportingAudit and investigationChrome log events.
- Click Create reporting rule.
- From the Admin console Home page, on the left, go to Rules.
- Under Rule Details and Scope, enter a name for the rule.
- Click Next: View Conditions.
- Under Conditions, do the following:
- From Data Source, select Chrome Log Events.
- Click Add a filter and select Event.
- In the Event box, do the following:
- From the top list, select Is.
- From the bottom list, select Extension Request.
- Click Apply.
- Click Next: Add Actions.
- Under Actions, do the following:
- Make sure that Send to Alert Center is selected.
- Click Send email notifications.
- Click Add email recipients. The Select recipients box is displayed.
- Select the email recipients.
- Click Done.
- Click Next: Review.
- Under Review, do the following:
- Review the rule to make it is setup correctly.
- Click Create Rule.
See or modify the rule
- Do one of the following:
- On the left, go to Rules.
- On the left, go to ReportingManage Reporting Rules.
The rule you created should appear in the list.
See existing extension requests
- Go to ReportingAuditing and investigation.
- Click the Data Source list.
- Click Chrome log events.
- Click Add filter.
- Select Event.
- In the Event box, do the following:
- From the top list, select Is.
- From the bottom list, select Extension Request.
- Click Apply.
- Click Search.
A list of extension request events is displayed.
You can create activity rules if you have premium editions such as Business Plus, Enterprise Plus, and Enterprise Essentials.
-
Sign in to your Google Admin console.
Sign in using your administrator account (does not end in @gmail.com).
- Do one of the following:
- From the Admin console Home page, on the left, go to Rules.
- Click Create RuleActivity.
- From the Admin console Home page, on the left, go to ReportingAudit and investigationChrome log events.
- Click Create activity rule.
- From the Admin console Home page, on the left, go to Rules.
- Under Rule Details and Scope, enter a name for the rule.
- Click Next: View Conditions.
- Under Conditions, do the following:
- From Data Source, select Chrome Log Events.
- Select Event, Is, and Extension Request.
- Click Apply.
- Click Next: Add Actions.
- Under Actions, do the following:
- For Threshold, do the following:
- Select a time period, every 1 hour or every 24 hours.
- Select a comparator.
- Add a count.
For example, you can select Every 24 hours, >,100. This means for any given period of 24 hours, if your search returns more than 100 results, this rule is triggered.
- (Optional) Under Action, click Add action and select an action.
- (Optional) Under Severity, select a severity.
- Make sure that Send to Alert Center is selected.
- Click Send email notifications.
- Click Add email recipients. The Select recipients box is displayed.
- Select the email recipients.
- Click Done.
- Click Next: Review.
- For Threshold, do the following:
- Under Review, do the following:
- Review the rule to make it is setup correctly.
- Click Create Rule.
See or modify the rule
Do one of the following:
- On the left, go to Rules.
- On the left, go to ReportingManage Reporting Rules.
- Remove the Reporting filter.
The rule you created should appear in the list.
See existing extension requests
Do one of the following:
- On the left, go to Rules.
- Click the rule you want to view.
- Click Investigate.
A tab is displayed with the conditions of your rule. - For the conditions, ensure Chrome log events, Is, and Extension request are selected.
- Click Search.
- On the left, go to ReportingAuditing and investigation.
- Click the Data Source list.
- Click Chrome log events.
- Click Add filter.
- Select Event.
- In the Event box, do the following:
- From the top list, select Is.
- From the bottom list, select Extension Request.
- Click Apply.
- Click Search.
A list of extension request events is displayed.
Troubleshooting
Verify requests are sent
Check users’ devices to make sure the request was sent.
- On a users’ device, go to chrome://prefs-internals.
- Search for enterprise_reporting. You'll see a list of extension IDs and timestamps.
Known Issues
Newly enrolled browsers and ChromeOS devices can take up to 24 hours to send their requests to the Admin console.