Are you running an ad blocker in your environment? If not, your users are more likely to get malware, including ransomware. If they aren’t infected, your computers could still be used to mine digital currencies through a browser. Also, ads are annoying! (In the case of this site, they do help pay the hosting bill.)
In the past, I would block all ads at the network level, but this created too many false positives. Now, I block the most blatant ads at the network level and use uBlock Origin to block the remaining at the client level. This setup will give you the security of blocking ads and the flexibility to eliminate almost all of your false positives. This article will cover deploying and configuring uBlock for Google Chrome on both Windows clients and Chrome OS clients.
Using Group Policy to Deploy uBlock Origin for Google Chrome
First, you will need to download the Google Group Policy ADMX templates and place them into your Group Policy Central Store. I prefer to keep all of my Chrome settings in a single GPO as it makes management a bit easier. If you aren’t already managing Google Chrome with Group Policy, create a new GPO named something like Default Google Chrome Settings.
Edit your Google Chrome GPO and navigate to Computer Configuration\Policies\Administrative Templates\Google\Google Chrome\Extensions. Enable the Configure the list of force-installed apps and extensions setting. Paste in this value:
cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx
The first part of that value is the ID of the extension. We got this value by installing the extension one time manually and then viewing the extension details in chrome://extensions. The second part is the update URL. As far as I know, this value is the same for all Chrome browser extensions.
Note that this setting is not cumulative across GPOs. If you deploy another extension in another GPO, you will need to add uBlock Origin to it as well so that users get both extensions. If you start listing multiple extensions in a single GPO, be sure to add a comment to the setting detailing which ID belongs to which extension.
Make sure that your GPO is linked to an OU containing computers and that something like Authenticated Users or Domain Computers is listed under the Security Filtering section of the GPO. If you prefer a bit more of a phased rollout, change the security filtering section of your GPO to a specific security group. We did a school at a time in our environment for a few weeks and then deployed it everywhere. We experienced a single false positive that we had to whitelist.
How to whitelist a website in uBlock Origin using Group Policy
In your Chrome GPO, navigate to Computer Configuration\Preferences\Windows Settings\Registry and create a new registry preference. Leave the Action type at Update. In the preference, set the following:
Hive: HKEY_LOCAL_MACHINE
Key Path: Software\Policies\Google\Chrome\3rdparty\extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm\policy
Value name: adminSettings
Value type: REG_SZ
Value data: {"autoUpdate":true,"netWhitelist":"about-scheme\nbehind-the-scene\nchrome-extension-scheme\nchrome-scheme\nlocalhost\nloopconversation.about-scheme\nopera-scheme\nWHITELISTWEBSITE.com"}
This value data has the default exclusions plus WHITELISTWEBSITE.com as an allowed website. Be sure to change the last value (WHITELISTWEBSITE.com) to the website that should be whitelisted. Websites should always be preceded by \n. If you had to add a second website, the value data would look like:
{"autoUpdate":true,"netWhitelist":"about-scheme\nbehind-the-scene\nchrome-extension-scheme\nchrome-scheme\nlocalhost\nloopconversation.about-scheme\nopera-scheme\nWHITELISTWEBSITE.com\nSECONDWEBSITE.com"}
These changes will be active after a GPUpdate and after a new Chrome browser session starts.
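An added example, not part of the original article: a small Python helper that builds the adminSettings value data from a list of sites and checks a value for mistakes that keep a whitelist from applying (typographic quotes, invalid JSON, entries not separated by \n). The function names are hypothetical; the default entries are copied from the value data above.

```python
import json

# Default exclusions copied from the value data shown in this article.
DEFAULTS = ["about-scheme", "behind-the-scene", "chrome-extension-scheme",
            "chrome-scheme", "localhost", "loopconversation.about-scheme",
            "opera-scheme"]
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"  # substituted by word processors and web pages


def build_admin_settings(sites):
    """Return the adminSettings value data with the given sites whitelisted."""
    extra = []
    for site in sites:
        site = site.strip()
        # An empty entry or embedded whitespace breaks the newline-separated list.
        if not site or any(c.isspace() for c in site):
            raise ValueError(f"malformed whitelist entry: {site!r}")
        if site not in DEFAULTS and site not in extra:
            extra.append(site)
    settings = {"autoUpdate": True, "netWhitelist": "\n".join(DEFAULTS + extra)}
    # json.dumps writes each real newline as the two characters \n.
    return json.dumps(settings, separators=(",", ":"))


def check_value_data(value):
    """Return a list of problems in value data that is about to be deployed."""
    if any(q in value for q in CURLY_QUOTES):
        return ["contains typographic quotes; retype them as plain \" characters"]
    try:
        parsed = json.loads(value)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at position {exc.pos}"]
    if not isinstance(parsed, dict):
        return ["top level must be a JSON object"]
    whitelist = parsed.get("netWhitelist")
    if not isinstance(whitelist, str):
        return ["netWhitelist must be a single string with \\n between entries"]
    entries = whitelist.split("\n")
    problems = [f"default entry missing: {d}" for d in DEFAULTS if d not in entries]
    problems += [f"malformed entry: {e!r}" for e in entries
                 if not e or any(c.isspace() for c in e)]
    return problems


if __name__ == "__main__":
    data = build_admin_settings(["WHITELISTWEBSITE.com", "SECONDWEBSITE.com"])
    print(data)                              # paste this into the Value data field
    print(check_value_data(data) or "OK")
```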
Deploy uBlock Origin to Chrome OS and Chromebooks
Log into Google Admin and navigate to Device Management\Chrome\User Settings. At the root of your organization or to a sub OU, find the Force-installed Apps and Extensions setting and select Manage force-installed apps.
Select Chrome Web Store and search for uBlock Origin and add it to the force install list. Alternatively, you can plug in the ID of the extension (as seen in the Group Policy section above). Save your changes and do a policy refresh on your Chrome device.
How to Configure a uBlock whitelist for Chrome OS and Chromebooks
On a Windows machine, configure uBlock exactly how you want it. After you have changed any settings/added websites for whitelisting, select the Back up to file button – which is at the bottom of the uBlock Settings tab. Open the txt file that is created. Remove the timeStamp and version lines.
We now need to convert that backup file to a JSON file. The uBlock developer has a tool to do that! Paste your settings in on this website: http://raymondhill.net/ublock/adminSetting.html and copy the output from the second box (JSON-encoded settings to be used for adminSettings as a JSON string value).
In the Google Admin console, navigate to Device Management\Apps and Extensions.
Select uBlock Origin from the app list. In the Policy for extensions section, paste in the text that you previously copied and press save.
And there you go! You now have uBlock deployed to your Windows and Chrome OS machines. You can also deploy a whitelist to eliminate false positives. If needed, there are similar guides for Firefox and Internet Explorer. Here are additional security settings for Chrome that you will probably want to set as well.
Thanks for this. Helped me to deploy uBlock and other extensions on Chrome
Thank you for this blog entry. It’s been so useful! 🙂
Managed to get this going with the Edge deployed extension too, though, as “Daryl” said in the comments, the syntax appears to be slightly different. I don’t understand the difference between the “whitelist” and the “netWhitelist”, so I just added my site to the end of both.
Registry Path for Edge deployment:
Software\Policies\Microsoft\Edge\3rdparty\extensions\odfafepnkmbhccpbejgmiehpchacaeak\policy
Registry Value Data for Edge Deployment:
{"userSettings": {"autoUpdate": true},"whitelist": ["about-scheme", "chrome-extension-scheme", "chrome-scheme", "edge-scheme", "moz-extension-scheme", "opera-scheme", "vivaldi-scheme", "wyciwyg-scheme","NEWWEBSITE.COM"],"netWhitelist": "about-scheme\nchrome-extension-scheme\nchrome-scheme\nedge-scheme\nmoz-extension-scheme\nopera-scheme\nvivaldi-scheme\nwyciwyg-scheme\nNEWWEBSITE.COM"}
Thanks very much 🙂
I’m struggling to get usersettings to apply on Chromebooks we manage and have deployed the extension to. adminsettings seem to apply fine (only pushing some whitelisted sites right now), but other options, such as:
"userSettings": {
"colorBlindFriendly": true,
"contextMenuEnabled": false,
"importedLists": [],
"showIconBadge": false
}
are not getting pushed. Any suggestions?
The registry entry is a little bit different now, it should look something like this, just add your entries under whitelist and netWhitelist:
{
"userSettings": {
"autoUpdate": true
},
"whitelist": ["about-scheme", "chrome-extension-scheme", "chrome-scheme", "edge-scheme", "moz-extension-scheme", "opera-scheme", "vivaldi-scheme", "wyciwyg-scheme"],
"netWhitelist": "about-scheme\nchrome-extension-scheme\nchrome-scheme\nedge-scheme\nmoz-extension-scheme\nopera-scheme\nvivaldi-scheme\nwyciwyg-scheme"
}
Has anything changed? I have tried to whitelist a couple of sites using the method above for group policy but they are not taking effect.
Thanks for the great documentation!
Does anyone know if we whitelist some websites via group policy registry preference, will that wipe out any uBlock origin whitelisting the user has already done – or might do in the future?
These settings are treated as policies and overwrite custom user lists.
Thank you for this tutorial! Have you been able to ascertain how to deploy specific filter lists and other uBlock settings other than whitelists?
Thanks for the write-up. Quick question: Should the JSON file have all the quotation marks (particularly the surrounding two around the entire object)? I ran it through a validator and it said it expected a string when it saw the quotes. Only bothered validating it because uploading the file with my whitelisted sites added in isn’t whitelisting any of the sites.
Can the user still add their own entries to the whitelist if you deploy one?
They can add sites for the session. When the list of sites is loaded again, their changes are removed.
This is interesting, thank you for the info! What do you use to block at the network level?
No problem! We have a content filter from LightSpeed systems. It has a few built-in categories for these items.
I’m curious why you chose uBlock instead of the other common adblockers. I’ve never heard of uBlock before.
I like ublock origin because it is an open-source solution and is not resource heavy. A few of the other adblockers are for profit and will still allow some crap through.