by w0de0 151 days ago
Chrome extensions shouldn’t be in the hands of users, no matter their title. CEO included. As a device sysadmin I feel this strongly. None of you can be trusted to vet extensions. Honestly anyone who uses vanilla Chrome has a suspect threat model.

On the rest I rather agree with you. General-purpose computers are key tools over which users should be admin. Sysadmins provide a security backstop. Full lockdown is the sign of an unhealthy understanding of how the org’s value is actually created.


Also if you can’t figure out how to get around the Chrome extension restriction, you either have remarkably competent CPEs (not me, so unlikely), or you’re not trying hard enough. Go download Canary to start.

Canary respects the system's MDM rules.

Depends on the OS and the “MDM rules.” For instance, it resides in a separate preference domain identifier on macOS. Your sysadmin must deploy “MDM rules” - a profile - which applies to Canary specifically.

They often don’t. Moreover some of the most common implementations of Apple’s MDM protocol also don’t do so automatically.

If they have remembered Canary, just compile your own Chromium with an amusing identifier.

Well, I'm on macOS, and Canary very much respects the non-Canary-specific

    /Library/Managed Preferences/{username}/com.google.Chrome.plist