Blocking browser extensions across an enterprise fleet sounds straightforward until you try to do it. Each browser has a different enforcement mechanism, personal profiles bypass most organizational policy, and simply removing an extension from a device does not prevent a user from reinstalling it minutes later.

This guide covers how to block browser extensions across Chrome, Edge, Firefox, and Brave on Windows and macOS, the difference between removal and true prevention, and where native tools fall short.

Two Modes: Blocklist vs Allowlist

Before configuring any extension policy, decide which enforcement mode fits your organization.

Blocklist Mode

Block specific extensions, allow everything else

The easier starting point. You identify extensions you know are risky or prohibited, block them by ID, and let everything else run. Good for organizations that want to act on known threats without restricting user flexibility.

Allowlist Mode

Allow only approved extensions, block everything else

More restrictive and more secure. Only extensions on your approved list can be installed. Everything else is blocked at the browser level before it can run. Better suited for high-security or compliance-heavy environments.

Most organizations start with blocklist mode and migrate toward allowlist mode as they develop a clearer picture of what their users actually need.

How to Block Browser Extensions on Windows

Chrome, Edge, and Brave all support extension blocking via Windows registry keys under their respective policy paths. You can block specific extension IDs to remove them and prevent reinstallation, and configure the browser to show a "blocked by administrator" message when a user attempts to reinstall a blocked extension.

Firefox on Windows uses a separate JSON-based enterprise policy format rather than registry keys, and requires its own configuration. Brave follows the same Chromium-based registry approach as Chrome and Edge but uses a different registry path.

Each browser requires its own policy to be configured independently, which is one of the reasons blocking extensions across a mixed-browser environment quickly becomes difficult to manage at scale without a dedicated tool.

How to Block Browser Extensions on macOS

On macOS, extension policy is applied through managed preferences, with each browser reading from its own separate configuration. Both blocklist mode and allowlist mode are supported for Chrome, Edge, and Brave. Firefox on macOS uses its own enterprise policy format.

Correctly configuring macOS extension blocking requires getting the policy structure right for each browser. A common issue is that blocking an extension removes it but does not prevent reinstallation unless the policy is configured properly to enforce the block at install time as well.

The Gap: What Native Blocking Does Not Cover

Blocking requires knowing what to block. Registry keys and plist entries only block extensions by ID. They cannot identify which extensions across your fleet are high risk, detect when a previously-trusted extension has been updated with malicious code, or alert you when a new high-risk extension appears on a device.

Native browser blocking also does not cover personal browser profiles. A policy applied to Chrome on a managed profile has no effect on a personal Chrome profile on the same device. And any browser not covered by your policy configuration has no restrictions at all.

How Extensight Handles Extension Blocking

Extensight automates the entire blocking workflow. When you add an extension to the blocklist in the dashboard, the agent writes the appropriate registry keys on Windows or plist entries on macOS automatically. The extension is removed from affected devices and the reinstallation block is enforced via native browser mechanisms.

When an extension is added to the blocklist or removed, the change is logged in the audit trail with the actor, timestamp, and IP address. If a user attempts to reinstall a blocked extension, the browser shows the blocked message immediately without waiting for the next agent collection cycle.

Risk scoring runs automatically across your entire extension inventory, so you can identify high-risk extensions before adding them to your blocklist rather than reacting after a problem is reported.

Start blocking risky extensions across your fleet

Extensight makes it simple to block specific extensions or enforce an allowlist across Chrome, Edge, Firefox, and Brave on Windows and macOS. No Group Policy, no MDM, no manual registry edits.

Request a Free Trial More articles