Managed deployment using Microsoft Endpoint Manager (Intune)

Overview

Deploy the Push browser extension for Google Chrome, Microsoft Edge, and Firefox using Microsoft Endpoint Manager (Intune).

Because the installation requires creating policies and deploying a PowerShell script, we recommend you implement the changes first in a test environment.

Note: If you are deploying the Push browser extension for multiple browsers, review each section of this documentation to avoid missing settings that need to be applied in each instance.

Deploying to Google Chrome

Generate the extension config

The first step is to generate a config file in the Push admin console. Skip to the next step if you've already done so.

1. In the Push admin console, go to Browsers > Enrollment options.

Access browser enrollment options via the Browsers section.

2. Then select a Managed enrollment.

3. Select Device Management Software, choose Chrome as the browser, and Windows as the OS. Then click Generate config. This will allow you to download a config file specific to your team.

Generate the config file for your team.

4. Download and extract the zip file.

Create a configuration profile

In Microsoft Endpoint Manager, select Devices (1) > Configuration profiles (2) > Create profile (3).

Select Windows 10 and later (4) as your target platform and Templates (5) as the Profile type. Then select Administrative Templates (6) and click the Create (7) button.

Create a configuration profile in Microsoft Endpoint Manager

Enter a descriptive name for the profile (8), and a description if required, then click Next (9).

Name the profile and add a description.

On the next screen, make sure Computer Configuration is selected (10). In the Setting name listing, click on Google, followed by Google Chrome, then Extensions, and finally Configure the list of force-installed apps and extensions (11).

If a page opens on the right side of your screen, scroll down, click the Enabled radio button (12), and paste the following string into the value field (13):

dljjddkmmcminffjbcmeccgfbjlhmhlm;https://clients2.google.com/service/update2/crx

Finally, click OK (14).

Configure the Google Chrome administrative template.

Click Next at the bottom of the page and set any scope tags you require.

On the following page, assign target groups (15), or set it to apply to all users and groups, if required. Click Next (16).

Add groups to target with the profile.

On the final page, review the profile for any errors and finally click Create (17).

Review the profile's settings.

Create a PowerShell script

A few settings can't be configured via configuration profiles, so you'll need to create a PowerShell script that will run on each endpoint to finalize the configuration.

The script will create registry keys and values containing policy settings for the Push browser extension. It is not possible to create those values using administrative templates in Intune.

In Microsoft Endpoint Manager, click on Devices (1) > Scripts (2) > Add (3), and then select Windows 10 and later (4) on the dropdown menu.

On the Add PowerShell script screen, provide a Name (5) for the script and an optional description. Then click Next (6).

Provide a name and description for the PowerShell script.

Next, upload chrome_push_security.ps1 (7). This is included in the config.zip file you generated in the Push admin console.

Once uploaded, locate the option Run script in 64 bit PowerShell Host (8) and click Yes. This is an important step to make sure that the registry keys are created in the correct location on 64-bit hosts. Click Next (9).

Configure the script settings.

Click Add groups (10) to specify the group or groups you wish to deploy the settings to, or set it to apply to all users and groups. Click Next (11).

Assign groups.

On the final page, review the profile for any errors and finally click Create (12).

Deploying to Microsoft Edge

Generate the extension config

The first step is to generate a config file in the Push admin console. Skip to the next step if you've already done so.

1. In the Push admin console, go to Browsers > Enrollment options.

Access browser enrollment options via the Browsers section.

2. Then select a Managed enrollment.

3. Select Device Management Software, choose Edge as the browser, and Windows as the OS. Then click Generate config. This will allow you to download a config file specific to your team.

Generate the config file for your team.

4. Download and extract the zip file.

Create a configuration profile

In Microsoft Endpoint Manager, select Devices (1) > Configuration profiles (2) > Create profile (3).

Select Windows 10 and later (4) as your target platform and Templates (5) as the Profile type. Then select Administrative Templates (6) and click the Create (7) button.

Create a configuration profile in Microsoft Endpoint Manager

Enter a descriptive name for the profile (8), and a description if required, then click Next (9).

Name the profile and add a description.

On the next screen, select Computer Configuration (10).

In the Setting name list, go to Microsoft Edge > Extensions > Control which extensions are installed silently (11). If a page opens on the right side of your screen, scroll down, click the Enabled radio button (12), and paste the following string into the value field (13):

dljjddkmmcminffjbcmeccgfbjlhmhlm;https://clients2.google.com/service/update2/crx

Finally, click OK (14).

Configure the Microsoft Edge administrative template.

Note: The URL following the extension is one associated with Google Chrome. This is intentional and should be configured as defined in this documentation for the extension to be successfully rolled out to Microsoft Edge browsers.

Click Next at the bottom of the page and set any scope tags you require.

On the following page, assign target groups (15), or set it to apply to all users and groups, if required. Click Next (16).

Add groups to target with the profile.

On the final page, review the profile for any errors and click Create (17).

Review the profile's settings.

Create a PowerShell script

A few settings can't be configured via configuration profiles, so you'll need to create a PowerShell script that will run on each endpoint to finalize the configuration.

The script will create registry keys and values containing policy settings for the Push browser extension. It is not possible to create those values using administrative templates in Intune.

In Microsoft Endpoint Manager, click on Devices (1) > Scripts (2) > Add (3), and then select Windows 10 and later (4) on the dropdown menu.

On the Add PowerShell script screen, provide a Name (5) for the script and an optional description. Then click Next (6).

Provide a name and description for the PowerShell script.

Next, upload chrome_push_security.ps1 (7). This is included in the config.zip file you generated in the Push admin console.

Once uploaded, locate the option Run script in 64 bit PowerShell Host (8) and click Yes. This is an important step to make sure that the registry keys are created in the correct location on 64-bit hosts. Click Next (9).

Configure the script settings.

Click Add groups (10) to specify the group or groups you wish to deploy the settings to, or set it to apply to all users and groups if required. Click Next (11).

Assign groups.

On the final page, review the profile for any errors and finally click Create (12).

Deploying to Firefox

Generate the extension config

The first step is to generate a config file in the Push admin console. Skip to the next step if you've already done so.

1. In the Push admin console, go to Browsers > Enrollment options.

Access browser enrollment options via the Browsers section.

2. Then select a Managed enrollment.

3. Select Device Management Software, choose Firefox as the browser, and Windows as the OS. Then click Generate config. This will allow you to download a config file specific to your team.

4. Download and extract the zip file.

Import the Firefox ADMX templates

Intune includes ADMX templates for Google Chrome and Microsoft Edge by default. However, for Firefox, we’ll need to import the templates before we can apply any of the deployment settings.

1. To begin, get the required files from Mozilla. Download the policy_templates_vX.YY.zip file associated with the latest release.

2. Extract the policy files. Remember the location of these files, as you'll be importing them into Intune in the next step.

3. In Microsoft Endpoint Manager, select Devices (1) > Configuration Profiles (2) > Import ADMX (3) > Import (4).

4. Import the ADMX templates. This is a two-part process because you need to import both the mozilla.* and firefox.* templates.

First, click on the ADMX file selector and browse to the location where the policy templates were extracted. Select and import mozilla.admx.

Next, in the ADML file selector, locate the mozilla.adml file underneath the language locale policy templates folder.

Finally, click Next.

On the following screen, select Create.

Note: Before proceeding, wait for Intune to finish importing the template. This is an important step because the Firefox templates depend on the Mozilla templates being imported first.

Next, repeat the previous steps, but import the firefox.admx and firefox.adml template files instead.

Once complete, the page should show that both templates have been successfully imported.

You're now ready to create a configuration profile for Firefox.

Create a configuration profile

In Microsoft Endpoint Manager, select Devices (1) > Configuration profiles (2) > Create profile (3).

Select Windows 10 and later (4) as your target platform and Templates (5) as the Profile type. Then select Imported Administrative Templates (Preview) (6) and click the Create (7) button.

Enter a descriptive name for the profile (8), and a description if required, then click Next (9).

On the next screen, make sure Computer Configuration is selected (10). In the Setting name listing, click on Mozilla, then Firefox, then Extensions, and finally Extensions to Install (11).

When a page opens on the right side of your screen, scroll down, click the Enabled radio button (12), and paste the following string into the value field (13):

https://addons.mozilla.org/firefox/downloads/latest/push-security/latest.xpi

Finally, click OK (14).

Click Next at the bottom of the page and set any scope tags you require.

On the following page, assign target groups (15), or set it to apply to all users and groups, if required. Click Next (16).

On the final page, review the profile for any errors and finally click Create (17).

Create a PowerShell script

A few settings can't be configured via configuration profiles, so you'll need to create a PowerShell script that will run on each endpoint in order to finalize the configuration.

The script will create registry keys and values containing policy settings for the Push browser extension. It is not possible to create those values using administrative templates in Intune.

In Microsoft Endpoint Manager, click on Devices (1) > Scripts (2) > Add (3), and then from the dropdown menu, select Windows 10 and later (4).

On the Add PowerShell script screen, provide a Name (5) for the script and an optional description. Then click Next (6).

Next, upload firefox_push_security.ps1 (7). This is included in the config.zip file you generated in the Push admin console.

Once uploaded, locate the option Run script in 64 bit PowerShell Host (8) and click Yes. This is an important step to make sure that the registry keys are created in the correct location on 64-bit hosts. Click Next (9).

Click Add groups (10) to specify the group or groups you wish to deploy the settings to, or set it to apply to all users and groups. Click Next (11).

On the final page, review the profile for any errors and finally click Create (12).
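
A post-deployment check for the Chrome, Edge, and Firefox configuration profiles described above, as an added example that is not part of the Push documentation or the generated config.zip. It assumes the administrative templates write to each browser's standard HKLM policy key; the function names are illustrative.

```powershell
# Added verification example; not part of the Push config.zip.
# Assumption: the administrative templates write to the browsers' standard
# HKLM policy keys listed here. Run on an enrolled endpoint after an Intune sync.
$ChromeEntry  = 'dljjddkmmcminffjbcmeccgfbjlhmhlm;https://clients2.google.com/service/update2/crx'
$FirefoxEntry = 'https://addons.mozilla.org/firefox/downloads/latest/push-security/latest.xpi'
$Expected = @(
    @{ Browser = 'Chrome';  Key = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'; Entry = $ChromeEntry }
    @{ Browser = 'Edge';    Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'; Entry = $ChromeEntry }
    @{ Browser = 'Firefox'; Key = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Extensions\Install';       Entry = $FirefoxEntry }
)

function Get-PolicyListEntries {
    param([Parameter(Mandatory)][string]$Key)
    # List policies are stored as numbered string values (1, 2, 3, ...).
    $regKey = Get-Item -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -eq $regKey) { return @() }
    return @($regKey.GetValueNames() | ForEach-Object { [string]$regKey.GetValue($_) })
}

function Test-PushExtensionPolicy {
    param([Parameter(Mandatory)][hashtable[]]$Checks)
    foreach ($check in $Checks) {
        # @() keeps an empty result as an empty array rather than $null.
        $entries = @(Get-PolicyListEntries -Key $check.Key)
        # For Chrome and Edge the part before ';' is the extension ID;
        # the Firefox entry is a plain URL, so only an exact match counts.
        $id = ($check.Entry -split ';')[0]
        $status = 'Missing'
        if ($entries -contains $check.Entry) {
            $status = 'Present'
        }
        elseif ($entries | Where-Object { $_.StartsWith("$id;") }) {
            # Extension ID is force-installed but with a different update URL,
            # e.g. an Edge profile that does not use the Chrome URL given above.
            $status = 'WrongUpdateUrl'
        }
        [pscustomobject]@{ Browser = $check.Browser; Status = $status; Key = $check.Key }
    }
}

# The deployment script is meant to run in a 64-bit host; report what this session is.
Write-Output "64-bit PowerShell process: $([Environment]::Is64BitProcess)"
Test-PushExtensionPolicy -Checks $Expected | Format-Table -AutoSize
```

A browser that was not targeted by a profile reports Missing, which is expected if you deployed to only one or two browsers.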
