Browser Phishing Protection extension overrides Chrome Enterprise extensions

Issue

When the ThreatDown agent installs the Browser Phishing Protection (BPP) Chrome extension on endpoints managed by Chrome Enterprise Management (Google Admin), Chrome may remove or stop applying extensions deployed through Google Admin.

Environment

• Google Chrome on Windows endpoints managed with Chrome Enterprise Management (Google Admin)
• Browser Phishing Protection deployed via the ThreatDown agent

Symptoms

After the ThreatDown agent installs the Browser Phishing Protection extension based on policy settings, other Google Admin-managed extensions are removed, stop being redeployed, and chrome://policy shows device-level policies overriding cloud policies.

Cause

The ThreatDown agent installs the Browser Phishing Protection extension using device‑level (registry‑based) Chrome extension policies. Chrome prioritizes device‑level extension policies over cloud‑managed extension policies by default. 

When registry‑managed extension policies are detected, Chrome may ignore cloud‑managed extension policies and rebuild the extension set using only the device‑level configuration. This behavior is expected based on Chrome policy precedence rules.

Resolution

If Browser Phishing Protection is installed via the ThreatDown agent in an environment using Chrome Enterprise Management, Chrome must be configured to allow cloud‑managed and device‑managed extension policies to coexist. 

1. In Google Admin, go to Chrome Browser > Chrome > Settings
2. Locate the Policy mergelist option

3. Add ExtensionInstallBlocklist and ExtensionInstallForcelist on new lines, spelled exactly as displayed.

   

4. Click Save.
5. Go to Nebula and navigate to Configure > Policies.
6. Modify the policy assigned to your affected Windows endpoints.
7. Go to Protection Settings.
8. Disable Prevent endpoint agent from installing web extension on MDM managed endpoints.
9. Click Save.

After applying the configuration, Browser Phishing Protection remains installed via the ThreatDown agent, extensions deployed through Google Admin continue to apply, and chrome://policy shows both cloud and device policy sources without extension overrides.