Extension Setup For Chrome
This guide is for IT administrators enabling the Third Loop Tools extension for users in their organization.
Overview
The Third Loop Tools extension is not published to the Chrome Web Store. We host signed .crx artifacts on our own CDN at extensions.thirdloop.ai. By default, Chrome refuses to install extensions from outside the Web Store on managed devices — this is intentional Chrome behavior and is independent of any Third Loop product configuration.
To enable installation, a one-time enterprise policy must be pushed to managed devices. This guide covers six common deployment surfaces. After the policy is in place, end users navigate to our Downloads page and install the extension themselves with a single click. They retain the ability to disable or remove the extension at any time — unlike a force-install, which removes user agency.
Required values
Three values are referenced throughout this guide. Configure them as described in the per-platform sections below.
| Value | Setting |
|---|---|
| Extension ID | mgidfhlbcpionpmhnnphhphdjebopcdn |
| Update URL | https://extensions.thirdloop.ai/chrome/updates.xml |
| Install Source pattern | https://*.thirdloop.ai/* |
The Install Source pattern covers both the page that hosts the install link (app.thirdloop.ai/downloads) and the host that serves the .crx (extensions.thirdloop.ai). Chrome enforces that both the referrer and the download URL match a pattern in the policy.
Per-platform instructions
The same three values are configured everywhere; only the surface differs. Pick the section that matches the device-management stack used in your organization.
Google Admin Console / Chrome Browser Cloud Management
For organizations whose Chrome browsers are enrolled in CBCM or whose ChromeOS devices are managed through Google Workspace.
- Sign in to https://admin.google.com as a super-admin.
- Navigate to Devices → Chrome → Apps & extensions → Users & browsers (or Managed browsers for CBCM).
- Select the Org Unit that should receive the extension.
- Click the + button → Add Chrome app or extension by ID.
- Paste the Extension ID.
- Set source to From a custom URL, paste the Update URL.
- Set Installation policy to Allow install (not Force install — this preserves the user's ability to remove the extension).
- Open Additional settings → Allowed types of extension installation and ensure Extensions is checked.
- Open Extension install sources and add the Install Source pattern.
- Save. Policies propagate within ~24 hours, or immediately if the user opens chrome://policy and clicks Reload policies.
Windows Group Policy
For Active Directory–joined fleets. Requires Chrome's ADMX policy templates to be loaded into the domain's Central Store.
One-time setup (per domain):
- Download the Chrome ADMX bundle from https://chromeenterprise.google/browser/download/ (look for the "Chrome Bundle" link).
- Copy chrome.admx and chrome.adml into \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions\.
Configure the policies:
- Open Group Policy Management and edit the GPO targeted at the right OU.
- Navigate: Computer Configuration → Policies → Administrative Templates → Google → Google Chrome → Extensions.
- Configure these three settings:
  - Configure extension installation allow list → Enabled → add the Extension ID.
  - Configure extension, app, and user script install sources → Enabled → add the Install Source pattern.
  - Extension management settings → Enabled → paste the JSON below as a single line, replacing <EXTENSION_ID> with the real value:
    {"<EXTENSION_ID>":{"installation_mode":"allowed","update_url":"https://extensions.thirdloop.ai/chrome/updates.xml"}}
- Run gpupdate /force on a test machine and verify at chrome://policy.
Registry-only equivalent (if you don't use the ADMX templates):
HKLM\Software\Policies\Google\Chrome\ExtensionInstallAllowlist\1 = "<EXTENSION_ID>"
HKLM\Software\Policies\Google\Chrome\ExtensionInstallSources\1 = "https://*.thirdloop.ai/*"
Microsoft Intune (Endpoint Manager)
For organizations on Intune. Chrome's ADMX must be ingested as a one-time setup if you use the Administrative Templates path; the Settings catalog path can be used immediately without ingestion.
- Endpoint Manager admin center → Devices → Configuration profiles → Create profile.
- Platform: Windows 10 and later. Profile type: Settings catalog. Search "Google Chrome".
- Add three settings:
  - Configure extension installation allow list → add the Extension ID.
  - Configure extension, app, and user script install sources → add the Install Source pattern.
  - Extension management settings → paste the JSON shown in the Group Policy section above.
- Assign to the appropriate device or user group.
macOS plist (Jamf, Kandji, manual defaults)
Chrome on macOS reads enterprise policy from a managed plist at com.google.Chrome.
Jamf: Computers → Configuration Profiles → New → Application & Custom Settings. Upload the plist below targeting com.google.Chrome.
Kandji or other MDMs: use the equivalent "Custom Profile" / "Managed Preferences" feature targeting com.google.Chrome.
Plist contents (replace EXTENSION_ID):
<dict>
  <key>ExtensionInstallAllowlist</key>
  <array>
    <string>EXTENSION_ID</string>
  </array>
  <key>ExtensionInstallSources</key>
  <array>
    <string>https://*.thirdloop.ai/*</string>
  </array>
  <key>ExtensionSettings</key>
  <dict>
    <key>EXTENSION_ID</key>
    <dict>
      <key>installation_mode</key>
      <string>allowed</string>
      <key>update_url</key>
      <string>https://extensions.thirdloop.ai/chrome/updates.xml</string>
    </dict>
  </dict>
</dict>
Manual single-machine test (for verification on one Mac before broad rollout):
sudo defaults write com.google.Chrome ExtensionInstallAllowlist -array "EXTENSION_ID"
sudo defaults write com.google.Chrome ExtensionInstallSources -array "https://*.thirdloop.ai/*"
Restart Chrome and check chrome://policy.
Linux managed JSON
Drop a JSON file into /etc/opt/chrome/policies/managed/ (Chrome) or /etc/chromium/policies/managed/ (Chromium). The filename is arbitrary; we recommend third-loop.json. The file must be readable by all users; Chrome reads it on launch.
{
  "ExtensionInstallAllowlist": ["<EXTENSION_ID>"],
  "ExtensionInstallSources": ["https://*.thirdloop.ai/*"],
  "ExtensionSettings": {
    "<EXTENSION_ID>": {
      "installation_mode": "allowed",
      "update_url": "https://extensions.thirdloop.ai/chrome/updates.xml"
    }
  }
}
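An added example, not part of Third Loop's guide or tooling: a Python check that a file in the managed policy directory carries the three values from Required values, keeps installation_mode at allowed, and is readable by users. The function names, the finding strings and the group/world-writable check are assumptions made for this example.

```python
import json
import os
import re
import stat

# Values from the "Required values" table in this guide.
EXT_ID = "mgidfhlbcpionpmhnnphhphdjebopcdn"
UPDATE_URL = "https://extensions.thirdloop.ai/chrome/updates.xml"
SOURCE = "https://*.thirdloop.ai/*"

def check_mode(mode):
    """Permission findings for a managed policy file (hypothetical helper)."""
    out = []
    if not mode & stat.S_IROTH:
        out.append("not world-readable: Chrome running as the user cannot load it")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        out.append("group/world-writable: non-root users could edit browser policy")
    return out

def check_policy(policy):
    """Compare parsed policy JSON with the values this guide expects."""
    out = []
    allow = policy.get("ExtensionInstallAllowlist", [])
    for ext in allow:
        if not re.fullmatch(r"[a-p]{32}", str(ext)):  # catches a leftover placeholder
            out.append(f"allowlist entry is not an extension ID: {ext!r}")
    if EXT_ID not in allow:
        out.append("ExtensionInstallAllowlist lacks the extension ID")
    if SOURCE not in policy.get("ExtensionInstallSources", []):
        out.append("ExtensionInstallSources lacks the install source pattern")
    settings = policy.get("ExtensionSettings", {}).get(EXT_ID)
    if settings is None:
        out.append("ExtensionSettings has no entry for the extension ID")
    else:
        if settings.get("installation_mode") != "allowed":
            out.append("installation_mode is not 'allowed'")
        if settings.get("update_url") != UPDATE_URL:
            out.append("update_url differs from the documented Update URL")
    return out

def audit(path):
    """Run both checks on one file under the managed policy directory."""
    findings = check_mode(stat.S_IMODE(os.stat(path).st_mode))
    try:
        with open(path, encoding="utf-8") as fh:
            policy = json.load(fh)
    except json.JSONDecodeError as exc:
        return findings + [f"invalid JSON: {exc}"]
    return findings + check_policy(policy)
```

Call audit("/etc/opt/chrome/policies/managed/third-loop.json") on a test machine; an empty list means the file matches this guide.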
Microsoft Edge
Edge is Chromium-based and accepts the same policy names as Chrome under its own namespace. The values are identical. The surfaces are:
- Windows registry: HKLM\Software\Policies\Microsoft\Edge\ (substitute for Google\Chrome\ in the GPO/registry instructions above).
- macOS plist domain: com.microsoft.Edge (substitute for com.google.Chrome).
- Linux managed JSON: /etc/opt/edge/policies/managed/ (substitute for /etc/opt/chrome/...).
- Intune / Endpoint Manager: search "Microsoft Edge" in the Settings catalog instead of "Google Chrome".
- Edge ADMX: download from https://www.microsoft.com/en-us/edge/business/download.
The Downloads page on app.thirdloop.ai shows a separate Edge tile that points at the same .crx artifact — Edge installs Chrome CRX files natively.
Verification
On a managed device after the policy has been pushed:
- Open chrome://policy (or edge://policy).
- Click Reload policies.
- Confirm ExtensionInstallAllowlist and ExtensionInstallSources appear with status OK and the values from the Required values section.
- Navigate to https://app.thirdloop.ai/downloads.
- Click Install on the Chrome (or Edge) tile.
- The browser shows the standard install prompt — click Add Extension.
- Open chrome://extensions and confirm the extension is installed and the displayed ID matches the Extension ID.
Troubleshooting
"This extension is blocked by your administrator" / "blocked by enterprise policy"
The ExtensionInstallSources pattern does not cover one of: (a) the page hosting the install link, (b) the host serving the .crx. Both must match. The https://*.thirdloop.ai/* pattern in Required values covers both. If you used a more restrictive pattern, broaden it or add the missing host.
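The both-must-match rule, as an added example rather than Chrome's or Third Loop's code: a simplified Python matcher for Chrome match patterns that reports which of the two URLs an ExtensionInstallSources list fails to cover. The .crx file name below is constructed, since this guide names only the host that serves it, and ports in patterns are not handled.

```python
import re
from urllib.parse import urlsplit

PATTERN = "https://*.thirdloop.ai/*"                       # from Required values
REFERRER = "https://app.thirdloop.ai/downloads"            # page with the install link
CRX_URL = "https://extensions.thirdloop.ai/chrome/example.crx"  # constructed file name

def matches(pattern, url):
    """Match a URL against a match pattern of the form scheme://host/path."""
    m = re.fullmatch(r"(\*|[a-z]+)://([^/]+)(/.*)", pattern)
    if not m:
        raise ValueError(f"not a match pattern: {pattern!r}")
    p_scheme, p_host, p_path = m.groups()
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    # Scheme: '*' stands for http or https only.
    if p_scheme == "*":
        if u.scheme not in ("http", "https"):
            return False
    elif u.scheme != p_scheme:
        return False
    # Host: '*' is any host; '*.example.com' is example.com plus its subdomains.
    if p_host.startswith("*."):
        base = p_host[2:].lower()
        if host != base and not host.endswith("." + base):
            return False
    elif p_host != "*" and host != p_host.lower():
        return False
    # Path: '*' matches any run of characters; everything else is literal.
    path = (u.path or "/") + ("?" + u.query if u.query else "")
    path_re = ".*".join(re.escape(part) for part in p_path.split("*"))
    return re.fullmatch(path_re, path) is not None

def uncovered(sources, referrer, crx_url):
    """Return the URLs (referrer page, .crx download) that no pattern covers."""
    return [u for u in (referrer, crx_url)
            if not any(matches(p, u) for p in sources)]

if __name__ == "__main__":
    for sources in ([PATTERN], ["https://app.thirdloop.ai/*"]):
        print(sources, "->", uncovered(sources, REFERRER, CRX_URL) or "both covered")
```

A non-empty result names the URL to add a pattern for; a pattern limited to app.thirdloop.ai leaves the .crx host uncovered and produces the blocked-by-administrator error.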
"Package is invalid: 'CRX_FILE_NOT_READABLE'" / "Package corrupted"
The CDN is serving the .crx with an X-Content-Type-Options: nosniff header. Chrome requires either Content-Type: application/x-chrome-extension or a permissive content-type without nosniff. Open DevTools → Network → click the failed .crx request → inspect response headers. Our CDN does not inject nosniff; if you see this header, it is being added by an intermediate proxy (corporate web filter, SSL inspection appliance) — exempt extensions.thirdloop.ai from header rewriting.
"The extension does not include a 'key' field" / install succeeds but extension ID does not match policy
The signed .crx was built with a private key whose derived ID does not match what's in your ExtensionInstallAllowlist. This indicates a mismatch on our side — please open a support ticket. In the meantime, the Extension ID in the deployment summary of our latest release is authoritative.
Policies don't appear in chrome://policy after pushing
GPO and Intune propagate on Chrome's policy refresh cycle. Force a policy refresh:
- Windows: gpupdate /force, then restart Chrome (close all windows, including background processes via Task Manager).
- macOS: log out and back in, or run sudo profiles renew -type=enrollment for MDM-pushed profiles.
- Linux: restart Chrome (the JSON is read once at launch).
- CBCM / Google Admin: click "Reload policies" at chrome://policy. If still missing after 24 hours, verify the user is in the targeted Org Unit.