[{"data":1,"prerenderedAt":259},["ShallowReactive",2],{"post-extension-ceiling-2-chrome-sync-and-mdm-scoping":3,"post-next-extension-ceiling-2-chrome-sync-and-mdm-scoping":157,"post-nav-extension-ceiling-2-chrome-sync-and-mdm-scoping":252},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":9,"heading":10,"date":11,"minutes":12,"series":13,"part":14,"parts":15,"summary":16,"short":17,"body":18,"_type":151,"_id":152,"_source":153,"_file":154,"_stem":155,"_extension":156},"\u002Fblog\u002Fextension-ceiling-2-chrome-sync-and-mdm-scoping","blog",false,"","The extension ceiling, part 2: Chrome sync and MDM scoping","Part 1 was about a capability extensions visibly lack. This one is quieter. Nothing fails, nothing prompts, nobody notices anything. Chrome sync just does its job, and its job is moving browser state off the machine.","Chrome sync and MDM scoping","2026-04-09",6,"The extension ceiling",2,3,"Chrome sync will happily carry corporate state into personal profiles. What the MDM scoping rules actually cover, item by item.","Chrome sync moves passwords, history, and open tabs to whatever Google account is signed in, corporate or not. The policies that scope it manage the profile, not the person, and an extension cannot see the channel at all.",{"type":19,"children":20,"toc":145},"root",[21,28,35,40,45,51,56,106,118,124,129,135,140],{"type":22,"tag":23,"props":24,"children":25},"element","p",{},[26],{"type":27,"value":9},"text",{"type":22,"tag":29,"props":30,"children":32},"h2",{"id":31},"what-sync-actually-carries",[33],{"type":27,"value":34},"What sync actually carries",{"type":22,"tag":23,"props":36,"children":37},{},[38],{"type":27,"value":39},"Sync is not one stream, it is a set of typed channels: bookmarks, history, open tabs, passwords, autofill including addresses and payment cards, extensions, settings, and a handful of smaller types. Sign into Chrome with any Google account and every enabled type starts flowing to that account. Encrypted to Google by default, end to end only if the user sets a passphrase, which almost nobody does.",{"type":22,"tag":23,"props":41,"children":42},{},[43],{"type":27,"value":44},"Now picture the standard mixed setup: a corporate machine, a managed work profile, and an employee who signs a personal Gmail into that profile, or just uses the personal profile sitting one click away in the profile switcher. The passwords saved against internal apps, the history of every internal hostname, the open tabs with ticket numbers in their titles, all of it syncs up to the personal account and back down to a personal laptop at home. No upload event, no file, nothing a DLP rule would classify as exfiltration. The traffic is TLS to google.com, which every allowlist on earth permits.",{"type":22,"tag":29,"props":46,"children":48},{"id":47},"the-policies-item-by-item",[49],{"type":27,"value":50},"The policies, item by item",{"type":22,"tag":23,"props":52,"children":53},{},[54],{"type":27,"value":55},"Chrome Enterprise has real controls here, and they are narrower than people assume.",{"type":22,"tag":57,"props":58,"children":59},"ul",{},[60,73,84,95],{"type":22,"tag":61,"props":62,"children":63},"li",{},[64,71],{"type":22,"tag":65,"props":66,"children":68},"code",{"className":67},[],[69],{"type":27,"value":70},"SyncDisabled",{"type":27,"value":72}," kills sync for the profiles it reaches. Total and blunt, and users notice their bookmarks stopped following them.",{"type":22,"tag":61,"props":74,"children":75},{},[76,82],{"type":22,"tag":65,"props":77,"children":79},{"className":78},[],[80],{"type":27,"value":81},"SyncTypesListDisabled",{"type":27,"value":83}," turns off individual types. Most teams disable passwords and autofill, keep bookmarks, and call it scoped.",{"type":22,"tag":61,"props":85,"children":86},{},[87,93],{"type":22,"tag":65,"props":88,"children":90},{"className":89},[],[91],{"type":27,"value":92},"BrowserSignin",{"type":27,"value":94}," can block browser sign-in entirely, or force it so the profile is always managed.",{"type":22,"tag":61,"props":96,"children":97},{},[98,104],{"type":22,"tag":65,"props":99,"children":101},{"className":100},[],[102],{"type":27,"value":103},"RestrictSigninToPattern",{"type":27,"value":105}," is the precise one: a pattern over which accounts may sign in, usually anchored to the corporate domain.",{"type":22,"tag":23,"props":107,"children":108},{},[109,111,116],{"type":27,"value":110},"The catch is scope. A policy attaches to whatever is managed: the device, the browser install, or the account. Applied at the machine or browser level, ",{"type":22,"tag":65,"props":112,"children":114},{"className":113},[],[115],{"type":27,"value":103},{"type":27,"value":117}," does reach every profile on that install, and that is the strict setup. Applied through the managed account, it governs that account's profile and says nothing about the personal profile next to it. BYOD, unmanaged home installs of the same browser, and half-enrolled fleets fall through exactly this gap. The data follows the account, and the account is the one thing MDM does not own.",{"type":22,"tag":29,"props":119,"children":121},{"id":120},"where-the-extension-sits",[122],{"type":27,"value":123},"Where the extension sits",{"type":22,"tag":23,"props":125,"children":126},{},[127],{"type":27,"value":128},"Below all of it. There is no extensions API for sync. An extension can read bookmarks and history, but it cannot tell synced from local, cannot see the sync queue, and cannot observe a personal account attaching itself to the profile. Extension-based DLP does not have a degraded view of this channel. It has none.",{"type":22,"tag":29,"props":130,"children":132},{"id":131},"closing-it-for-real",[133],{"type":27,"value":134},"Closing it for real",{"type":22,"tag":23,"props":136,"children":137},{},[138],{"type":27,"value":139},"Strict policy gets you most of the way if you are willing to pay for it: force managed sign-in, restrict the pattern at the browser level, disable secondary profiles, accept the tickets. In our fork we went one layer further, because we could reach the layer policy cannot: the sync client itself. The browser knows which profile is corporate, so it can refuse to start typed channels for the wrong account, log what would have left, and leave personal Chrome on the same machine alone. That is not cleverness, it is just owning the code that runs.",{"type":22,"tag":23,"props":141,"children":142},{},[143],{"type":27,"value":144},"Part 3 needs no account and no API gap at all, only a keyboard shortcut: the incognito window.",{"title":7,"searchDepth":14,"depth":14,"links":146},[147,148,149,150],{"id":31,"depth":14,"text":34},{"id":47,"depth":14,"text":50},{"id":120,"depth":14,"text":123},{"id":131,"depth":14,"text":134},"markdown","content:blog:extension-ceiling-2-chrome-sync-and-mdm-scoping.md","content","blog\u002Fextension-ceiling-2-chrome-sync-and-mdm-scoping.md","blog\u002Fextension-ceiling-2-chrome-sync-and-mdm-scoping","md",{"_path":158,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":159,"description":160,"heading":161,"date":162,"minutes":163,"series":13,"part":15,"parts":15,"summary":164,"short":165,"body":166,"_type":151,"_id":249,"_source":153,"_file":250,"_stem":251,"_extension":156},"\u002Fblog\u002Fextension-ceiling-3-the-incognito-bypass","The extension ceiling, part 3: the incognito bypass","Part 1 needed a missing API. Part 2 needed a signed-in account. This one needs Ctrl+Shift+N. Open an incognito window and every extension the user has not individually allowed in is gone: no content scripts, no webRequest listeners, no DLP.","The incognito bypass","2026-05-28",5,"Every extension-based DLP I tested loses sight of the user the moment an incognito window opens. The mechanism, and why policy can't fully close it.","Extensions are off in incognito unless the user opts each one in, and no enterprise policy flips that switch for them. Every extension-based control on the machine is one keyboard shortcut from blind.",{"type":19,"children":167,"toc":244},[168,172,178,183,188,194,223,228,234,239],{"type":22,"tag":23,"props":169,"children":170},{},[171],{"type":27,"value":160},{"type":22,"tag":29,"props":173,"children":175},{"id":174},"the-mechanism",[176],{"type":27,"value":177},"The mechanism",{"type":22,"tag":23,"props":179,"children":180},{},[181],{"type":27,"value":182},"Extensions are disabled in incognito by default. The opt-in is a per-extension toggle, Allow in Incognito on the chrome:\u002F\u002Fextensions page, and it belongs to the user. Force-installing the extension by policy does not flip it. Pinning the version, blocking uninstall, hiding the toolbar icon, none of that flips it either. Chrome's position is the same one from part 1, applied consistently: incognito is a promise made to the user, and silently installing a watcher inside it would break the promise, even for an administrator.",{"type":22,"tag":23,"props":184,"children":185},{},[186],{"type":27,"value":187},"So the coverage of your security product is a user preference. That sentence is worth sitting with during a vendor evaluation, because every extension-based DLP I tested behaves exactly this way, and none of the datasheets mention it.",{"type":22,"tag":29,"props":189,"children":191},{"id":190},"the-obvious-fix-and-what-lines-up-behind-it",[192],{"type":27,"value":193},"The obvious fix, and what lines up behind it",{"type":22,"tag":23,"props":195,"children":196},{},[197,199,205,207,213,215,221],{"type":27,"value":198},"The standard answer is ",{"type":22,"tag":65,"props":200,"children":202},{"className":201},[],[203],{"type":27,"value":204},"IncognitoModeAvailability",{"type":27,"value":206}," set to disabled, kill the feature entirely. It works, and then the gaps queue up behind it. Guest mode needs ",{"type":22,"tag":65,"props":208,"children":210},{"className":209},[],[211],{"type":27,"value":212},"BrowserGuestModeEnabled",{"type":27,"value":214}," set to false, it is a fresh profile with no extensions. Adding new profiles needs ",{"type":22,"tag":65,"props":216,"children":218},{"className":217},[],[219],{"type":27,"value":220},"BrowserAddPersonEnabled",{"type":27,"value":222}," set to false, same reason. And once this browser is fully sealed, the user opens Edge, or Firefox, or the Chrome they unzipped into their home directory, none of which carry your extension at all.",{"type":22,"tag":23,"props":224,"children":225},{},[226],{"type":27,"value":227},"Each closure is real and worth doing. The sum of them is also an admission: the enforcement boundary was never the extension. It was the inventory of browsers you can keep people inside, which is an endpoint problem, not a browser problem, and the extension was never going to solve it.",{"type":22,"tag":29,"props":229,"children":231},{"id":230},"what-it-looks-like-when-you-own-the-browser",[232],{"type":27,"value":233},"What it looks like when you own the browser",{"type":22,"tag":23,"props":235,"children":236},{},[237],{"type":27,"value":238},"A fork does not have an incognito problem, it has an incognito decision. The private window is your code. Policy can state plainly what a corporate session allows: incognito exists and DLP stays active in it, disclosed in the window itself. Or incognito is unavailable for managed profiles. Or it works untouched for personal browsing and corporate sites simply refuse to load in it. Any of those is a defensible design. The difference is that the choice is made by policy and disclosed to the user, instead of being made by a toggle the user controls and the admin cannot even see.",{"type":22,"tag":23,"props":240,"children":241},{},[242],{"type":27,"value":243},"That closes the series. The ceiling is not one missing API, it is a pattern. Pixels in part 1, the sync channel in part 2, the private window here. Extensions are guests, and Chrome is a good host that protects its users from its guests. When the requirement needs the host's keys, the requirement is a browser.",{"title":7,"searchDepth":14,"depth":14,"links":245},[246,247,248],{"id":174,"depth":14,"text":177},{"id":190,"depth":14,"text":193},{"id":230,"depth":14,"text":233},"content:blog:extension-ceiling-3-the-incognito-bypass.md","blog\u002Fextension-ceiling-3-the-incognito-bypass.md","blog\u002Fextension-ceiling-3-the-incognito-bypass",{"newer":253,"older":254},{"_path":158,"title":159,"heading":161,"date":162},{"_path":255,"title":256,"heading":257,"date":258},"\u002Fblog\u002Fextension-ceiling-1-mandatory-screen-recording","The extension ceiling, part 1: mandatory screen recording","Mandatory screen recording","2026-02-17",1781170135582]