Typo fix

Signed-off-by: Tommy <contact@tommytran.io>

Linux/managed.json

@@ -13,6 +13,14 @@
   "SpotlightExperiencesAndRecommendationsEnabled": false,
   "FeatureFlagOverridesControl": 1,
   "ExtensionInstallBlocklist": [ "*" ],
+  "ExtensionSettings": {
+    "ddkjiahejlhfcafbddmgiahcphecmpfh": {
+      "installation_mode": "allowed",
+      "update_url": "https://clients2.google.com/service/update2/crx",
+      "override_update_url": true,
+      "sidebar_auto_open_blocked": true
+    }
+  },
   "GamerModeEnabled": false,
   "WindowsHelloForHTTPAuthEnabled": false,
   "ImmersiveReaderGrammarToolsEnabled": false,
@@ -56,6 +64,7 @@
   "ConfigureDoNotTrack": true,
   "DefaultShareAdditionalOSRegionSetting": 2,
   "DiagnosticData": 0,
+  "Disable3DAPIs": true,
   "Edge3PSerpTelemetryEnabled": false,
   "EdgeCollectionsEnabled": false,
   "EdgeEDropEnabled": false,

README.md

@@ -8,14 +8,17 @@ For corporate environments, you will need make approprieate changes, including b
 - Disable `DeveloperToolsAvailability`. Users can be tricked into running malicious code in the browser console otherwise.
 - Set `DefaultWebUsbGuardSetting` to "Block". In most cases, the websites will never need to use this API. I need it to flash GrapheneOS and StockOS on my phones.
 - Set `DefaultJavaScriptJitSetting` to "Block". This will prevent users from adding exceptions to Enhanced Security Mode.
+- Remove the uBlock Origin Lite extension whitelist. I am not aware of any way to block users from granting uBlock Origin Lite access to all content on a website, which is a security risk. If you know of a way to enforce that the extension runs permission-less, please let me know.
 - Further restrict permissions that websites can prompt for.
-- Consider enabling `Disable3DAPIs`. This will break sites that depend on WebGL, so whether to do this highly depends on your organization.
+- Consider removing the `Disable3DAPIs` policy. Currently, WebGL is disabled in my policies and a few sites will break, so whether to do this highly depends on your organization.
 - Consider mandating that `SmartScreenEnabled` is set to disabled. `TyposquattingCheckerEnabled` is also potentially invasive, though I have not confirmed this. Please make an issue to let me know of your findings.
 
 ## Linux
 
 The mandatory prolicies should be put in `/etc/opt/edge/policies/managed/managed.json`, and the recommended policies should be put in `/etc/opt/edge/policies/recommended/recommended.json`
 
+The
+
 ## macOS
 
 The mandatory prolicies should be put in `/Library/Managed Preferences/com.microsoft.Edge.plist`, and the recommended policies should be put in `/Library/Preferences/com.microsoft.Edge.plist`

macOS/Managed Preferences/com.microsoft.Edge.plist

@@ -34,6 +34,20 @@
     <array>
       <string>*</string>
     </array>
+    <key>ExtensionSettings</key>
+    <dict>
+      <key>ddkjiahejlhfcafbddmgiahcphecmpfh</key>
+      <dict>
+        <key>installation_mode</key>
+        <string>allowed</string>
+        <key>update_url</key>
+        <string>https://clients2.google.com/service/update2/crx</string>
+        <key>override_update_url</key>
+        <true />
+        <key>sidebar_auto_open_blocked</key>
+        <true />
+      </dict>
+    </dict>
     <key>GamerModeEnabled</key>
     <false />
     <key>WindowsHelloForHTTPAuthEnabled</key>
@@ -120,6 +134,8 @@
     <integer>2</integer>
     <key>DiagnosticData</key>
     <integer>0</integer>
+    <key>Disable3DAPIs</key>
+    <true />
     <key>Edge3PSerpTelemetryEnabled</key>
     <false />
     <key>EdgeCollectionsEnabled</key>