I wanted a browser extension to auto-update in Edge. That’s it. The whole ask. Two hours later, I was writing XML plists and pretending to be a corporate IT department. On my own laptop.
Here’s every wrong turn on the way there, and what they taught me about the walls that Microsoft, Apple, and Google have built between you and your own computer.
The enterprise policy maze
I installed the extension from a .crx file with a proper update_url. Auto-update should have just worked. It didn’t. Edge disabled the extension immediately. Not from the Microsoft Store, so Edge won’t let it run.
Fine. I went into the enterprise policy system. The mechanism corporations use to manage browser extensions across thousands of devices. To install one extension. On one laptop. That I own.
ExtensionInstallForcelist is the policy that force-installs extensions and keeps them updated. Set it, restarted Edge: blocked. Edge won’t force-install from non-store URLs on an “unmanaged device.” My personal Mac, apparently, lacks the proper corporate credentials.
Fine. ExtensionInstallSources lets you allowlist domains for extension installs. Set it, restarted Edge. Checked edge://policy and the sources policy showed OK. The forcelist was still blocked. Turns out these are completely independent code paths. The allowlist doesn’t influence the forcelist at all.
One more try: these policies were at the “Recommended” level because they lived in ~/Library/Preferences/. Mandatory policies go in /Library/Managed Preferences/. Surely the stronger level would work. Moved the plist, restarted Edge. Still blocked. The path wasn’t quite right. Three different policy mechanisms, three different behaviors, zero helpful error messages.
Hacking the browser directly
At this point I abandoned the “right” way and started going around Edge entirely.
Opened edge://extensions, found my disabled extension, clicked the toggle to enable it. The toggle animated on, then snapped right back off. Edge let me click the button and then said no. On my own computer.
Quit Edge, found its Secure Preferences file, opened it in a text editor. Set the extension to enabled, cleared the disable reasons, saved. Reopened Edge. It detected that the file had been modified, decided I had tampered with it (I had), and reverted everything. Edge maintains cryptographic checksums on its own preferences specifically to prevent you from changing your own settings.
Becoming the IT department
The .mobileconfig route, Apple’s official way to install configuration profiles, was a dead end. The command-line profiles tool no longer supports installs, and the System Settings UI for profiles is buried enough that I wasted ten minutes looking for it in the wrong app.
The thing that actually worked: writing a plist directly to /Library/Managed Preferences/ with three policies at the Mandatory level:
ExtensionInstallAllowlistto whitelist the extension IDExtensionInstallSourcesto whitelist the update URL domainBlockExternalExtensionsset to false
That’s it. The extension enabled, auto-update started working, and Edge stopped fighting me. The solution to “make this extension update itself” was to impersonate an enterprise management system on my own computer.
The punchline
A 30-second task required learning that Edge’s policy system is a maze of independent code paths, that Chromium maintains cryptographic checksums to prevent you from editing your own preferences, and that the only way to override all of it is to pretend you’re a corporation.
Three policies. One plist. Your computer, but only if you speak enterprise.