11.3. Locking Down Enabled Extensions

In GNOME Shell, you can prevent the user from enabling or disabling extensions by locking down the org.gnome.shell.enabled-extensions and org.gnome.shell.development-tools keys.
Locking down the org.gnome.shell.development-tools key ensures that the user cannot use GNOME Shell's integrated debugger and inspector tool (Looking Glass) to disable any mandatory extensions.

Procedure 11.3. Locking down enabled extensions

  1. Create a local database file for machine-wide settings in /etc/dconf/db/local.d/00-extensions:
    [org/gnome/shell]
    # List all extensions that you want to have enabled for all users
    enabled-extensions=['myextension1@myname.example.com', 'myextension2@myname.example.com']
    # Disable access to Looking Glass
    development-tools=false
    
    The enabled-extensions key specifies the enabled extensions using the extensions' uuid (myextension1@myname.example.com and myextension2@myname.example.com).
    The development-tools key is set to false to disable access to Looking Glass.
  2. Override the user's setting and prevent the user from changing it in /etc/dconf/db/local.d/locks/extensions:
    # Lock the list of mandatory extensions and access to Looking Glass
    /org/gnome/shell/enabled-extensions
    /org/gnome/shell/development-tools
    
  3. Update the system databases:
    # dconf update
  4. Users must log out and back in again before the system-wide settings take effect.

After locking down the org.gnome.shell.enabled-extensions and org.gnome.shell.development-tools keys, any extensions installed in ~/.local/share/gnome-shell/extensions or /usr/share/gnome-shell/extensions that are not listed in the org.gnome.shell.enabled-extensions key will not be loaded by GNOME Shell, thus preventing the user from using them.
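
The following audit script is an added example, not part of the original guide: it reads the keyfile and lock file written in steps 1 and 2 and reports any missing piece of the lockdown. The function names are hypothetical helpers, and it assumes that the last assignment of a key across the keyfiles is the effective one.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not dconf commands): audit the
# Procedure 11.3 lockdown by reading the keyfiles and lock files.

# Print the last value assigned to key $2 in the [org/gnome/shell] section of the
# keyfiles directly under $1 (assumption: the last assignment read wins).
shell_key_value() {
    for f in "$1"/*; do
        if [ -f "$f" ]; then cat "$f"; echo; fi
    done | awk -v key="$2" '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[org\/gnome\/shell\][ \t]*$/); next }
        !insec || /^[ \t]*#/ { next }
        { i = index($0, "="); if (i == 0) next
          k = substr($0, 1, i - 1); gsub(/[ \t]/, "", k)
          if (k == key) { v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v) } }
        END { if (v != "") print v }'
}

# Succeed if dconf path $2 is a whole line in any file under $1/locks.
is_locked() {
    for f in "$1"/locks/*; do
        if [ -f "$f" ] && grep -qxF -- "$2" "$f"; then return 0; fi
    done
    return 1
}

# Report every missing piece of the lockdown; return 0 only if all are present.
check_extension_lockdown() {
    dir=${1:-/etc/dconf/db/local.d}; rc=0
    ext=$(shell_key_value "$dir" enabled-extensions)
    dev=$(shell_key_value "$dir" development-tools)
    [ -n "$ext" ] || { echo "FAIL: enabled-extensions is not set"; rc=1; }
    [ "$dev" = "false" ] || { echo "FAIL: development-tools=${dev:-unset}, want false"; rc=1; }
    for key in enabled-extensions development-tools; do
        is_locked "$dir" "/org/gnome/shell/$key" ||
            { echo "FAIL: /org/gnome/shell/$key is not locked"; rc=1; }
    done
    if [ "$rc" -eq 0 ]; then echo "OK: locked, enabled-extensions=$ext"; fi
    return "$rc"
}

# Constructed sample: write the two files from the procedure under directory $1.
make_sample_tree() {
    mkdir -p "$1/locks"
    printf '%s\n' '[org/gnome/shell]' '# mandatory extensions' \
        "enabled-extensions=['myextension1@myname.example.com']" \
        'development-tools=false' > "$1/00-extensions"
    printf '%s\n' '/org/gnome/shell/enabled-extensions' \
        '/org/gnome/shell/development-tools' > "$1/locks/extensions"
}
```

Calling check_extension_lockdown with no argument audits /etc/dconf/db/local.d. It inspects the source files only, so dconf update and a fresh login are still required for the settings to apply.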