I've developed an extension to be used by my organization and have already hosted the files such that the signed .crx file can be accessed/downloaded with the appropriate http content-type header.
The final hurdle is getting the extension distributed throughout our organization. I don't manage the enterprise policies. All the documentation I've read involves going to the group policy manager on Windows, but it seems we're using some Azure Active Directory service to manage such policies instead. IT has shown me that they have successfully added the required policies, which I believe is simply setting the ExtensionInstallAllowList to the app's ID, and the ExtensionInstallSources to be the domain (https://www.example.com/*).
Navigating to the link to install it still doesn't seem to work on the organization linked browsers, throwing a CRX_REQUIRED_PROOF_MISSING error in the browser before promptly deleting the downloaded file. I'm wondering even if these policies are correctly set, is it intentional that Chrome still doesn't allow you to install via a link to a crx file? And if so would adding the extension to the ExtensionInstallForcelist properly install it on organization controlled browsers or will it run into the same issues?
Are there any other nuances I need to check for, on either my end as the one managing the extensions manifest and site configuration settings, or on ITs end managing the policy via Azure?
For anyone else coming across this with this rather specific issue, you apparently CANNOT test your extension by pasting the link to your .crx into the browser url bar. It will simply try to download it and on a company managed browser will give the CRX_REQUIRED_PROOF_MISSING error.
One thing that did work, if you have ExtensionInstallAllowList and ExtensionInstallSources set, is to trigger the link to the .crx via an href tag on a button in html. For some reason this allows you to do the one click install for a self hosted extension.
I spent close to a week troubleshooting and debugging for such a dumb nuance that wasn't in any documentation that I came across, so hopefully this helps at least one other person not make that same mistake.