
Browser Extension - MacOS Configuration Profile

macOS (Managed Preferences / Configuration Profile) Guide

Written by Marta Droneva
Updated over 2 weeks ago

On macOS, Chrome extension policies are delivered via macOS “managed preferences” (configuration profiles). You will create a property list (plist) defining customerKey and employeeEmail and load it as a device or user policy. There are two main approaches:

  • Using an MDM/Configuration Profile (Recommended): If you have a Mac management solution (Jamf, Intune, etc.), create a configuration profile with the Preference Domain set to:

    • for Interactive Browser Extension: com.google.Chrome.extensions.nffjckgmpigfpkmamacllkakieaphfnm

    • for Silent Browser Extension: com.google.Chrome.extensions.fjambfppaeandondpbbjkggkabeccjmh

Under that, define customerKey and employeeEmail with your customer key and employee email respectively. Deploy this profile to your Macs. (The MDM will handle marking it as a “forced” policy.)

  • Using Terminal (Manual MCX import): For testing or small deployments without MDM, you can import a plist using the dscl command.

Steps to configure via Terminal (Manual MCX import)

  • Create the plist: Using a text editor, create a file (e.g., customerKey_policy.plist) with the following content (replace the extension ID and values accordingly):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.google.Chrome.extensions.BROWSER_EXTENSION_ID</key>
    <!-- Standard Browser Extension ID: nffjckgmpigfpkmamacllkakieaphfnm -->
    <!-- Silent Browser Extension ID: fjambfppaeandondpbbjkggkabeccjmh -->
    <dict>
        <key>customerKey</key>
        <dict>
            <key>state</key>
            <string>always</string>
            <key>value</key>
            <string>REPLACE_WITH_YOUR_CUSTOMER_KEY</string>
        </dict>
        <key>employeeEmail</key>
        <dict>
            <key>state</key>
            <string>always</string>
            <key>value</key>
            <string>REPLACE_WITH_EMPLOYEE_EMAIL</string>
        </dict>
    </dict>
</dict>
</plist>

In this plist, the top-level key is the Chrome extension’s preference domain (which includes the extension’s ID). Under it, we define customerKey and employeeEmail, each with a state of always and its value.

  • Import the plist into Managed Preferences: Run the following in Terminal (with an admin account) to import this as a device policy:

sudo dscl -u <admin_username> /Local/Default -mcximport /Computers/local_computer customerKey_policy.plist

Replace <admin_username> with an administrator’s username, and adjust the path to your plist file. This command attaches the plist as a managed preference for the “local_computer” (i.e. all users on this Mac).

If you get an error about an invalid path or the computer node not existing, you may need to create a local computer record. See steps below.

Steps to create the local computer record (if missing)

  1. Run the block below exactly once (replace admin_username with a local administrator’s short name). It creates the record and gives it a GUID and the Mac’s primary MAC address, which macOS expects. (If your primary network interface is not en0—common on some Mac mini/Studio builds—replace en0 with the correct interface, e.g. en1.)

# Collect identifiers
GUID=$(uuidgen)
ETHER=$(ifconfig en0 | awk '/ether/ {print $2}')

# Create the computer record and essential attributes
sudo dscl -u admin_username /Local/Default -create /Computers/local_computer
sudo dscl -u admin_username /Local/Default -create /Computers/local_computer RealName "Local Computer"
sudo dscl -u admin_username /Local/Default -create /Computers/local_computer GeneratedUID "$GUID"
sudo dscl -u admin_username /Local/Default -create /Computers/local_computer ENetAddress "$ETHER"

  • After that, repeat the import (add sudo if you used it above):

sudo dscl -u admin_username /Local/Default -mcximport /Computers/local_computer /path/to/customerKey_policy.plist

You should no longer receive an “Invalid Path” message.

  • Force macOS to apply the new managed preference by running the following command (or simply log out/in or reboot).

sudo mcxrefresh -n "$USER"

Policy creation validation

  • Validate that the policy really landed

dscl . -mcxread /Computers/local_computer

It should return the created policy, similar to:

App domain: com.google.Chrome.extensions.fjambfppaeandondpbbjkggkabeccjmh
Key: customerKey
State: always
Value: ABC12345

App domain: com.google.Chrome.extensions.fjambfppaeandondpbbjkggkabeccjmh
Key: employeeEmail
State: always

  • Validate that the browser can see the policy.

    Open chrome://policy and verify that a new section for the browser extension is shown and contains the created policy. Note: make sure the browser extension is installed in Chrome.
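Before running the import, the plist from the "Create the plist" step can be checked for the mistakes the template invites: an unreplaced BROWSER_EXTENSION_ID, leftover REPLACE_WITH_ placeholders, or a missing setting. The Python code below is an added example, not part of the original guide or the vendor's tooling; the function names build_policy and check_policy and the sample values are assumptions made for illustration.

```python
import plistlib
import re

# Chrome extension IDs are 32 characters drawn from the letters a-p.
DOMAIN_RE = re.compile(r"com\.google\.Chrome\.extensions\.[a-p]{32}")
REQUIRED = ("customerKey", "employeeEmail")

def build_policy(extension_id, customer_key, employee_email):
    """Return plist bytes in the layout this guide imports with dscl."""
    def setting(value):
        return {"state": "always", "value": value}
    domain = "com.google.Chrome.extensions." + extension_id
    body = {"customerKey": setting(customer_key),
            "employeeEmail": setting(employee_email)}
    return plistlib.dumps({domain: body})

def check_policy(data):
    """Return a list of problems in plist bytes; an empty list means OK."""
    try:
        root = plistlib.loads(data)
    except Exception as exc:  # malformed XML, truncated file, wrong format
        return ["not a parseable plist: %s" % exc]
    if not isinstance(root, dict) or len(root) != 1:
        return ["expected exactly one top-level preference domain"]
    (domain, body), = root.items()
    problems = []
    if not DOMAIN_RE.fullmatch(domain):
        problems.append("bad preference domain: " + domain)
    for key in REQUIRED:
        entry = body.get(key) if isinstance(body, dict) else None
        if not isinstance(entry, dict):
            problems.append("missing setting: " + key)
            continue
        if entry.get("state") != "always":
            problems.append(key + ": state is not 'always'")
        value = entry.get("value")
        if not isinstance(value, str) or not value.strip():
            problems.append(key + ": empty value")
        elif value.startswith("REPLACE_WITH_"):
            problems.append(key + ": placeholder left in place")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    ok = build_policy("fjambfppaeandondpbbjkggkabeccjmh", "ABC12345", "user@example.com")
    print(check_policy(ok))
    template = build_policy("BROWSER_EXTENSION_ID", "REPLACE_WITH_YOUR_CUSTOMER_KEY",
                            "REPLACE_WITH_EMPLOYEE_EMAIL")
    print("\n".join(check_policy(template)))
```

To check the file created in this guide, read customerKey_policy.plist in binary mode and pass its bytes to check_policy.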
