Rogue browser extensions are a growing source of information leakage and cookie theft.
In a corporate environment it is best practice to take a whitelist approach to browser extensions. Luckily, Intune has a built-in Administrative Template setting to block all browser extensions except those that are explicitly allowed.
- Use an existing Administrative Templates profile or create a new profile by going to Devices > Configuration Profiles > Create profile > Platform (Windows 10 and later) > Profile type Templates > Administrative Templates.
- Search for a setting called "Control which extensions cannot be installed". Whether it is Device or User targeted depends on your specific scenario. I prefer User targeted.
- Set it to Enabled with an Extension ID of * to block all extensions.

It is recommended to also configure the settings below:

Setting | Recommended State | Value |
---|---|---|
Blocks external extensions from being installed | Enabled | N/A |
Control which extensions cannot be installed | Enabled | * |
Allow specific extensions to be installed | N/A | Obtain extension IDs from Edge or Chrome Extension Store |
Control which extensions are installed silently | N/A | Obtain extension IDs from Edge or Chrome Extension Store |
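
To confirm on an endpoint that the profile has applied, the following added example (not part of the original post) reads the resulting policy values and lists installed extensions that are not on the allow or silent-install lists. It assumes Microsoft Edge, whose policy names for the settings above are `BlockExternalExtensions`, `ExtensionInstallBlocklist`, `ExtensionInstallAllowlist` and `ExtensionInstallForcelist`, stored under `SOFTWARE\Policies\Microsoft\Edge` in HKLM (device) or HKCU (user), and the default Edge user data folder.

```powershell
# Added example: audit the Edge extension policy on the local machine.
# Assumptions: Microsoft Edge, default user data path, policies stored as
# numbered registry values under SOFTWARE\Policies\Microsoft\Edge\<PolicyName>.
$policyRoot = 'SOFTWARE\Policies\Microsoft\Edge'

function Get-EdgePolicyList {
    param([Parameter(Mandatory)][string]$PolicyName)
    # Collect values from both the device (HKLM) and user (HKCU) policy hives.
    $values = foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\$policyRoot\$PolicyName"
        if (Test-Path -Path $key) {
            $item = Get-Item -Path $key
            foreach ($name in $item.GetValueNames()) { [string]$item.GetValue($name) }
        }
    }
    # Silent-install entries can look like "<id>;<update url>"; keep only the ID.
    @($values | ForEach-Object { ($_ -split ';')[0].Trim() } |
        Where-Object { $_ } | Sort-Object -Unique)
}

$blocklist = Get-EdgePolicyList -PolicyName 'ExtensionInstallBlocklist'
$permitted = @(Get-EdgePolicyList -PolicyName 'ExtensionInstallAllowlist') +
             @(Get-EdgePolicyList -PolicyName 'ExtensionInstallForcelist')

# Default-deny only holds if the blocklist contains the wildcard.
if ($blocklist -notcontains '*') {
    Write-Warning 'ExtensionInstallBlocklist does not contain "*"; extensions are not blocked by default.'
}

# "Blocks external extensions from being installed" is a single DWORD value.
$blockExternal = foreach ($hive in 'HKLM:', 'HKCU:') {
    (Get-ItemProperty -Path "$hive\$policyRoot" -Name BlockExternalExtensions -ErrorAction SilentlyContinue).BlockExternalExtensions
}
if ($blockExternal -notcontains 1) {
    Write-Warning 'BlockExternalExtensions is not enabled.'
}

# Each installed extension has a folder named after its 32-character ID.
# A folder on disk means installed, not necessarily enabled.
$userData = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data'
Get-ChildItem -Path "$userData\*\Extensions\*" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -cmatch '^[a-p]{32}$' } |
    ForEach-Object {
        [pscustomobject]@{
            Profile     = $_.Parent.Parent.Name
            ExtensionId = $_.Name
            Permitted   = $permitted -contains $_.Name
        }
    } | Sort-Object Permitted, Profile | Format-Table -AutoSize
```

Run it in the signed-in user's context so that HKCU and `%LOCALAPPDATA%` resolve to that user; rows with `Permitted` set to `False` are the ones to review.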