Lock down enabled extensions

In GNOME Shell, you can prevent the user from enabling or disabling extensions by locking down the org.gnome.shell.enabled-extensions and org.gnome.shell.development-tools keys. This allows you to provide a set of extensions that the user has to use.

Locking down the org.gnome.shell.development-tools key ensures that the user cannot use GNOME Shell’s integrated debugger and inspector tool (Looking Glass) to disable any mandatory extensions.

Lock down the org.gnome.shell.enabled-extensions and org.gnome.shell.development-tools keys

  1. Create a user profile in /etc/dconf/profile/user:

    user-db:user
system-db:local

  2. Create a local database for machine-wide settings in /etc/dconf/db/local.d/00-extensions:

    [org/gnome/shell]
# List all extensions that you want to have enabled for all users
enabled-extensions=['myextension1@myname.example.com', 'myextension2@myname.example.com']
# Disable access to Looking Glass
development-tools=false

    The enabled-extensions key specifies the enabled extensions using the extensions’ uuid (myextension1@myname.example.com and myextension2@myname.example.com).

    The development-tools key is set to false to disable access to Looking Glass.

  3. Override the user’s setting and prevent the user from changing it in /etc/dconf/db/local.d/locks/extensions:

    # Lock the list of enabled extensions
/org/gnome/shell/enabled-extensions
/org/gnome/shell/disabled-extensions
/org/gnome/shell/development-tools

  4. Update the system databases:

    # dconf update

After locking down the org.gnome.shell.enabled-extensions and org.gnome.shell.development-tools keys, any extensions installed in ~/.local/share/gnome-shell/extensions or /usr/share/gnome-shell/extensions that are not listed in the org.gnome.shell.enabled-extensions key will not be loaded by GNOME Shell, thus preventing the user from using them.