macOS forced installation policy now visible in Chrome, scaring users

[eeror]

While setting a macOS system policy to forcefully install the token signing extension (as requested in #29) is a rather rude thing to do without the user's permission, the benefits of this might have overweighed the negative sides so far.

However, starting from a recent Chrome update (most likely Chrome 73), the fact that a system policy has been set shows up in Chrome's main menu as a rather visible statement "Managed by your organization" (some identical-looking screenshots here).

I've already witnessed a few people getting confused and scared by this message, only to find out this was due to having installed this browser extension. I hereby suggest repeating the cost-benefit analysis of setting unsolicited system policies.

[Counter178]

It would be more beneficial to simple users, not to enable Token signing plugin after every install or upgrade. Also a lot of users don't know anything about web extensions, so it would be more easier to them. Thanks to that kind of solution, many e-signing issues have been resolved.

There is also option to add chrome Token signing through google chrome store.

In order to remove "Managed by your organization" message, please go to: remove system preferences -> profiles -> remove Token signing profile. Restart chrome. Now the message shouldn't display.

[eeror]

Could there perhaps be more information about this before or during the installation process? A regular user would really like to know that the scary message about some organization managing their computer is okay to see, while a more experienced user might appreciate a warning that a new system policy will be set.

Just to recap, the users I witnessed seeing that message were downright concerned. Even if this is not a technical issue, it's definitely a UX issue, if not a matter of ethics.

(Also, I believe one still needs to run the regular installer in addition to using the Chrome Web Store as the extension depends on native messaging to function.)

[mudcrab]

Why is this forced? By forcing the policy, the Token Signin extension is no longer uninstallable. Even after removing the stupid "Token signing" profile.

I installed the id card package only to use DigiDoc client with mID, not eID auth in browser.

[metsma]

Because to many users are calling to support, why signing does not work and extension is disabled by default. You don't need browser package for using DigiDoc client

[mudcrab]

I know, but this was installed automatically when I installed https://installer.id.ee/ package.

And now I can't uninstall it, as I was previously able (before the forced group policy change).

[hexcon]

We are also struggling with it. This policy disables ability to use G suite for manage chrome applications via Google Admin dashboard. Right now we cannot deploy chrome extensions to employee laptops which are under Google Business domain simply because Token Signing is using a policy for users so they cannot disable it which cripples and locks down browsers which are managed by Google admins. Please rethink the solution and remove the policy which make the extension look as malware right now.

[martinpaljak]

There could be two versions of it: "dummyuser" (default) and "enterprise" (no such weirdnesses)

[metsma]

There is option disable policy enforcement on windows msi package #121

[mudcrab]

There should just be a customize button in the installer to choose which components to install and possibly to choose if the policy should be enforced. Then it would be fine if the annoying policy would be enforced by default.

@metsma what use is the msi option if we are talking about macOS here?

So what should the users do in the meantime to restore Chrome's previous state before this policy was enforced?

[miteshashar]

I had installed this extension on my macOS, while I was playing around with an ePass2003 token.

It has appeared on all my Chrome profiles. I do not need it for any purpose whatsoever. But I am completely at loss in finding a way to remove it.

It says "Installed by your Administrator".

[Counter178]

I had installed this extension on my macOS, while I was playing around with an ePass2003 token.

It has appeared on all my Chrome profiles. I do not need it for any purpose whatsoever. But I am completely at loss in finding a way to remove it.

It says "Installed by your Administrator".

Download https://installer.id.ee/media/osx/Open-EID_19.2.0.1822.dmg and run uninstall.sh .

[hexcon]

@Counter178 Is there a way to install the working software without the policy right now?

What we did was we removed the extension from all the machines in the domain (Asked users to reinstall it from chrome store) and blocked the Open-EID_19.2.0.1822.dmg entirely so users cannot install it anymore just because of that policy which locks us out. This method does not work for people who are trying to install the software. It seems that they still need to use it to get the certs so ID card would still function but this is not the case as of this moment. I did not find a way to install the components for the client and chrome extension and I still have no feedback on how this is going to be resolved by the id.ee developers.

Tried asking help from official support as well but they are not able to solve it. Only feedback was to wait for the summer release which dates are unknown. Summer is here now so... we are still stuck in the water.

[Counter178]

@Counter178 Is there a way to install the working software without the policy right now?

What we did was we removed the extension from all the machines in the domain (Asked users to reinstall it from chrome store) and blocked the Open-EID_19.2.0.1822.dmg entirely so users cannot install it anymore just because of that policy which locks us out. This method does not work for people who are trying to install the software. It seems that they still need to use it to get the certs so ID card would still function but this is not the case as of this moment. I did not find a way to install the components for the client and chrome extension and I still have no feedback on how this is going to be resolved by the id.ee developers.

Tried asking help from official support as well but they are not able to solve it. Only feedback was to wait for the summer release which dates are unknown. Summer is here now so... we are still stuck in the water.

@hexcon

Installing without the policy isn't available but you can remove it after.

Remove chrome policy:

1. System Preferences -> Security & Privacy -> Accessibility
2. sudo profiles -R -p ee.ria.chrome-token-signing -u 56789

Also uninstall.sh has line "ckj.." with what you can rm -rf the component and install token through chrome store - it works for me. I still recommend talking to support and ask them directly these answers.

[ademidun]

I have read every comment in this thread and I can't find a response to my simple question.

Can someone please help me with the following?

How can I completely uninstall this extension on my MacOS?

I tried the following as suggested here:https://github.com/open-eid/chrome-token-signing/issues/143#issuecomment-622985758 but it seems to have no effect

sudo profiles -R -p ee.ria.chrome-token-signing -u 56789
sudo rm –rf /Library/Application\ Support/Google/Chrome/External\ Extensions/ckjefchnfjhjfedoccjbhjpbncimppeg.json \

[metsma]

sudo profiles remove --identifier ee.ria.chrome-token-signing sudo rm -rf \ /Library/Google/Chrome/NativeMessagingHosts/chrome-token-signing.app \ /Library/Google/Chrome/NativeMessagingHosts/ee.ria.esteid.json \ /Library/Application\ Support/Google/Chrome/External\ Extensions/ckjefchnfjhjfedoccjbhjpbncimppeg.json \ /Library/Application\ Support/Mozilla/NativeMessagingHosts/ee.ria.esteid.json