Install the browser extension

Install the Push browser extension to find vulnerabilities across the identities your employees create and access through the browser, including accounts and apps not behind SSO. The extension flags security issues, such as:

• Compromised passwords

• Weak passwords

• Reused passwords

• Shared account credentials

• Lack of MFA

• Lack of password manager use

You can use ChatOps to work directly with employees to fix issues as they arise. See: Configure ChatOps.

Note that in order to gain a full inventory of your cloud identities and apps, you must perform both an API integration and the installation of the Push browser extension on employee browsers in your environment. Refer to Add employees for more information about integrating with your Microsoft 365 or Google Workspace platforms.

Once installed, the extension sits in the background of your employees’ browsers and collects the following information:

• Browser name

• Browser version

• Device OS

• Push browser extension version

When employees log into SaaS applications using their work account, the extension collects:

• The URL of the platform

• The account username

• A shortened salted hash of the password, which is stored locally in the browser and never sent anywhere

Using the shortened salted hash of the password, Push can then determine if a password is shared with any other accounts owned by that user, shared between users, if a password uses terms on your restricted words list or has been compromised, or whether the password is easily guessable. All comparisons are done locally in the browser, not server-side.

If the extension observes an employee visiting an OAuth consent screen for an Microsoft 365 or Google Workspace app integration, it also collects basic telemetry about the integration that Push uses to research the integration, such as establishing whether it has a verified publisher. The data the extension collects in this case is:

• The platform the app was observed on

• The app identifier

• The grant type requested

• The reply URL

• The scopes requested

Finally, the extension collects anonymized performance and error tracking data.

Here are some examples of data the extension collects.

Browser data:

{
    "browserId":"d732c61e-35ea-3bdf-27cd-d37a3fadf6f9",
    "checkinDetails":{
        "browserName":"CHROME",
        "browserVersion":"100.0.4896.75",
        "operatingSystemName":"MACOS",
        "extensionVersion":"1.4.16"
    }
}

Login data:

{
    "browserId":"d732c61e-35ea-3bdf-27cd-d37a3fadf6f9",
    "platform":"TRELLO",
    "username":"person@company.com",
    "weakPassword":true,
    "passwordChanged":false,
    "passwordManuallyTyped":false,
    "trackedAccounts":[
        {
            "username":"person@company.com",
            "platform":"GITHUB",
            "lastLogin":"2022-03-17T14:25:55.000Z",
            "samePassword":false
        },
        {
            "username":"person@company.com",
            "platform":"GOOGLE_WORKSPACE",
            "lastLogin":"2022-04-04T07:49:00.000Z",
            "samePassword":true
        },
    ]
}

Push only monitors logins that match the company email domain you specify on the Settings page of the Push admin console. Push does not monitor logins from personal email addresses.

If your employees prefer to keep their work and personal browsing activity completely separate, they can create a separate browser profile for personal browsing and install the Push browser extension only in their work profile.

In addition, the extension will never send passwords anywhere. All password security checks are performed locally in the browser.

Prerequisites: Complete your integration with Google Workspace or Microsoft 365 to add employees to the Push admin console and assign them a license before inviting them to enroll their browsers using the Push browser extension. See: Add employees for more information.

There are three ways to install the extension and enroll employee browsers:

• Managed: Perform a managed installation to deploy the extension to employee machines using device management software.

• Email: Allow employees to self-enroll by sending them a link to install the extension via email.

• ChatOps: Allow employees to self-enroll by sending them a link to install the extension via ChatOps.

Managed installation

Perform a managed installation of the Push browser extension to add the extension to your employees’ browsers without any action required from them.

Enrolling an employee’s browser in Push via a managed deployment is a two-step process: First, you install the Push browser extension. Next, the extension waits for user login activity to help identify the user of the browser and complete enrollment.

Supported browsers:

• Google Chrome

• Microsoft Edge

• Firefox

• Brave

Deployment options:

• Google Admin Console managed Chrome

• Microsoft Group Policy managed Chrome, Edge, and Firefox

• Device management software on Windows for Chrome, Edge, and Firefox. Documented example is for Microsoft Endpoint Manager (Intune).

• Device management software on macOS for Chrome, Edge, Firefox, and Brave

Tracking your progress

You can check the status of your rollout on the Browsers page in the admin console. The section Installed but not enrolled tracks which browsers haven’t yet identified the user in order to complete enrollment and show up in Push.

You can also use this status to identify browser profiles that the Push extension is avoiding enrolling because they’re a personal browser profile or are being used by an employee without a license in Push.

Self-enrollment via email

Send instructions to employees via email to install the extension and complete enrollment of their browser in a single step. This process takes about a minute.

Supported browsers:

• Google Chrome

• Microsoft Edge

• Safari

• Firefox

• Opera

• Brave

Send enrollment emails:

1. Log into the Push admin console.

2. Go to the Browsers page in the left sidebar and then select Email as the enrollment option.

3. You’ll be taken to a view of all your employees with a license in Push. Select who you’ll send an email enrollment link to. You can also preview the enrollment email on this page by clicking on Preview email.

4. Emails will be sent immediately. To complete installation of the extension, employees should click on the Secure your browser link in the email on each browser they use for work.

5. The link will take them to the extension installation page for their browser where they can install the extension, completing enrollment of their browser in Push.

6. After they install the extension, they’ll see a confirmation message.

Self-enrollment via ChatOps

Send instructions to employees via ChatOps to install the extension and complete enrollment of their browser in a single step. This process takes about a minute.

Prerequisites: You must set up ChatOps by integrating with your Slack or Microsoft Teams workspace before you can send ChatOps enrollment messages. See: Configure ChatOps.

Supported browsers:

• Google Chrome

• Microsoft Edge

• Safari

• Firefox

• Opera

• Brave

Send ChatOps enrollment messages:

1. Log into the Push admin console.

2. Go to the ChatOps page and use the toggle to enable the topic for Browser enrollment.

3. Go to the Employees page to activate ChatOps for all or some of your employees.

Chat messages will be sent as soon as you configure both the topic and the employee chat settings. See an example message in the ChatOps documentation on browser enrollment.

Next steps

To complete your setup and allow employees to self-remediate security issues, select from a list of preconfigured ChatOps workflows and then activate chat for all or some employees.

See: Configure ChatOps for more details.

The Push browser extension automatically updates when new versions are released. You do not need to take any action to apply these updates.

If you want to remove the browser extension, you have two options:

• For self-enrolled extensions completed via email or chat by the employee, the employee will need to manually delete the extension from their browser. Removing the extension this way does not delete their activity data from the Push admin console. If you wish to delete their activity data, you can revoke their account license. This will remove all their data from the Push platform, including data collected via API integrations and the browser extension. Note: If you delete your team on the Settings page of the admin console, this will cause all these browser extensions to unenroll and delete themselves.

• For extensions installed via a managed deployment, you can use your device management software to remove the extension. Depending on the software, this method may remove the extension without deleting it on the Push side. In that case, the browser will still be associated with the employee record and will still appear in the admin console. It will expire and be removed after 90 days, which is the usual inactivity period for browsers. Note: If you delete your team on the Settings page of the admin console, this will also cause all these browser extensions to unenroll. You will need to remove the extension from your managed policy in order to delete the extension from managed browsers.

You can also unenroll a given browser profile for an employee by opening the slide-out panel for that employee and clicking on Browser profiles, then select the trash icon next to the profile you wish to unenroll from the browser extension.

Note that deleting the protected company domain from your Settings page will not remove or unenroll the extension. The domain setting only controls what data the extension monitors.

The Delete everything feature also deletes all your data.