Managed deployment using Microsoft Group Policy

Overview

Deploy the Push browser extension for Google Chrome, Microsoft Edge, or Firefox using Microsoft Group Policy.

Because the installation requires adding administrative template files to your Microsoft Active Directory and altering your Group Policy configuration, we recommend you implement the changes first in a test environment.

Note: If you are deploying the Push browser extension for more than one browser, review each section of this documentation to avoid missing settings that need to be applied in each instance.

Deploying to Google Chrome

Install the administrative templates

Google Chrome requires additional administrative templates to be added to Active Directory to deploy configurations via Group Policy. The required files can be downloaded from the following link.

Google Admin Templates: KB 10052
Download the Google Chrome administrative templates.
1. In the extracted policy files folder, locate the admx folder and copy chrome.admx to the following location:
%systemroot%\sysvol\domain\policies\PolicyDefinitions
2. In the same extracted policy files location, open the language folder appropriate to your location (e.g. en-US) and copy the chrome.adml file to the matching folder under PolicyDefinitions:
%systemroot%\sysvol\domain\policies\PolicyDefinitions\en-US

Your folder structure should resemble the following:

Policy definitions folder: KB 10052
Group policy definitions folder with ADMX templates.

3. You can confirm that the administrative templates have been installed correctly by opening Group Policy Management Editor and expanding Computer Configuration > Policies > Administrative Templates.

You should be able to see nodes labeled Google Chrome:

Group policy management editor showing installed ADMX templates: KB 10052
Group policy management editor with installed templates.

Generate the extension config

Before configuring Group Policy, we need to generate a config file in the Push admin console. Skip to the next step if you've already done so.

1. In the Push admin console, go to Browsers > Enrollment options.

Push app browser enrollment options: KB 10052/3/4/5/6/8
Access browser enrollment options via the Browsers section.

2. Then select a Managed enrollment.

Managed browser enrollment screen - docs - showing Firefox

3. Select Group Policy and make sure that Chrome is the selected browser. Then click Generate config. This will allow you to download a config file specific to your team.

Push app - Managed Chrome GPO: KB 10052
Generate and download the configuration for Group Policy.

4. Download and extract the zip file.

Configure Group Policy to automatically deploy and configure the Push extension

In the Microsoft Group Policy Management Editor, go to your templates folder, then Google Chrome > Extensions > Configure the list of force-installed apps and extensions.

Chrome configure list of force-installed extensions: KB 10052
Configuring force-installed apps and extensions policy location.

1. Open the configuration setting and set the policy to Enabled. This will allow you to click the Show ... button to access the extension ID value.

2. Paste the Push Security extension ID value into the Value field.

dljjddkmmcminffjbcmeccgfbjlhmhlm;https://clients2.google.com/service/update2/crx
Chrome force install group policy settings: KB 10052
Set the extension ID and update URL for Google Chrome.

3. Then click OK and close the configuration item by clicking OK again. You should now see Enabled next to the setting of Configure the list of force-installed apps and extensions.

4. Next, under Computer Configuration, expand Preferences > Windows Settings and select Registry.

5. Right-click in the window pane on the right and select New > Registry Item.

Group Policy New Registry Item: KB 10052/3/8
Create a new registry item in group policy editor.

6. Leave all the default options in place and paste the following into the Key Path field. Then click OK.

SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\dljjddkmmcminffjbcmeccgfbjlhmhlm\policy
New Registry Item - step 1: KB 10052
Create the extension policy registry key.

7. To create the next registry key, right-click in the window pane again and select New > Registry Item. Leave all the default options in place, and paste the following into the Key Path field. Do not click OK yet.

SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\dljjddkmmcminffjbcmeccgfbjlhmhlm\policy

8. Next, enter the word token into the Value name field. Note: Extension policies are case-sensitive. Make sure that the value token is all lowercase.

9. Change the Value type to REG_SZ and set the Value data field to the value provided in the token.txt file generated in the Push app:

cd3ab3c1-g1y4-44d3-adq7-h2yc5e13gc1c

Finally, click OK.

New Registry Item - 2nd step: KB 10052
Configure the policy token value.

10. Verify that the Group Policy Management Editor window looks like the image below, showing the two registry entries created in the previous steps:

Group Policy editor - registry settings final: KB 10052
The final configuration of the Google Chrome policy registry settings.

The registry keys should now start propagating to client machines affected by this group policy object.

You can verify that the keys are recognized by Google Chrome by loading the chrome://policy page and clicking on the Reload Policies button.

Google Chrome policy settings page: KB 10052
The Google Chrome policy page showing the applied policies.

Deploying to Microsoft Edge

Install the administrative templates

Microsoft Edge requires additional administrative templates to be added to Active Directory to deploy configurations via Group Policy.

1. To begin, download the required files from Microsoft.

Select the current version, or select your channel/version, build, and platform for older versions of Edge.

MS Edge ADMX Templates download: KB 10053
Download the Microsoft Edge policy files.
2. Extract the policy files and locate the admx folder. Copy msedge.admx to the following location:
%systemroot%\sysvol\domain\policies\PolicyDefinitions
In the same extracted policy files location, open the language folder appropriate for your location (e.g. en-US) and copy the msedge.adml file to the matching folder under PolicyDefinitions:
%systemroot%\sysvol\domain\policies\PolicyDefinitions\en-US

Your folder structure should resemble the following:

Policy definitions folder: KB 10053
Group policy definitions folder with ADMX templates.

3. Confirm that the administrative templates have been installed correctly by opening the Group Policy Management Editor and expanding Computer Configuration > Policies > Administrative Templates.

You should be able to see nodes labeled Microsoft Edge:

Group policy management editor showing installed ADMX templates: KB 10053
Group policy management editor with installed templates.

Generate the extension config

Before configuring Group Policy, we need to generate a config file within the Push admin console. Skip to the next step if you've already done so.

1. In the Push admin console, go to the Browsers section, and click on Enrollment options.

Push app browser enrollment options: KB 10052/3/4/5/6/8
Access browser enrollment options via the Browsers section.

2. On the modal, click Managed.

Managed browser enrollment screen - docs - showing Firefox

3. Then select Group Policy and make sure Edge is the selected browser. Then click Generate config. This will provide you with a button to download a config specific to your team.

Push app - Managed Edge GPO
Generate and download the configuration for Group Policy.

4. Download and unzip the config file.

Configure Group Policy to automatically deploy and configure the Push extension

In the Microsoft Group Policy Management Editor, go to your templates folder, then Microsoft Edge > Extensions > Control which extensions are installed silently.

1. Open the configuration setting and set the policy to Enabled. This will allow you to click the Show ... button to access the extension ID value.

2. Paste the Push Security extension ID value into the Value field. Then click OK and close the configuration item by clicking OK again. The Control which extensions are installed silently setting should now show as enabled.

dljjddkmmcminffjbcmeccgfbjlhmhlm;https://clients2.google.com/service/update2/crx
Edge silently install extension group policy settings: KB 10053
Set the extension ID and update URL for Microsoft Edge.

Note: The URL following the extension ID is one associated with Google Chrome. This is intentional and should be configured as described in order for the extension to successfully roll out to Microsoft Edge browsers.

3. Next, under Computer Configuration, expand Preferences > Windows Settings and select the Registry entry.

Right-click on the window pane to the right and select New > Registry Item.

Group Policy New Registry Item: KB 10052/3/8
Create a new registry item in group policy editor.

4. Leave the default options unchanged and paste the following registry key into the Key Path field. Then click OK.

Software\Policies\Microsoft\Edge\3rdparty\Extensions\dljjddkmmcminffjbcmeccgfbjlhmhlm\policy
New Registry Item - step 1: KB 10052
Create the extension policy registry key.

5. To create the next registry key, right-click in the window pane again and select New > Registry Item. Leave all the default options unchanged and paste the following registry key into the Key Path field. Do not click OK yet.

Software\Policies\Microsoft\Edge\3rdparty\Extensions\dljjddkmmcminffjbcmeccgfbjlhmhlm\policy

6. Next, enter the word token into the Value name field. Note: Extension policies are case-sensitive. Make sure that the value token is all lowercase.

7. Change the Value type to REG_SZ and set the Value data field to the value provided in the token.txt file generated in the Push app:

cd3ab3c1-g1y4-44d3-adq7-h2yc5e13gc1c

Finally, click OK.

New Registry Item - 2nd step: KB 10052
Configure the policy token value.

8. Verify that the Group Policy Management Editor window looks like the image below, showing the two registry entries created in the previous steps:

Group Policy editor - MS Edge registry settings final: KB 10053
The final configuration of the Microsoft Edge policy registry settings.

The registry keys should now start propagating to client machines affected by this group policy.

You can verify that the keys are created as intended by launching gpupdate.exe from a Run prompt. Then open regedit.exe and browse to the following location:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge\3rdparty\Extensions\dljjddkmmcminffjbcmeccgfbjlhmhlm\policy

If the configured registry settings were applied successfully, the policy and token registry items configured in the previous steps will be visible.

Deploying to Firefox

Install the administrative templates

Firefox requires additional administrative templates to be added to Active Directory to deploy configurations via Group Policy. Note that this guide also applies to Firefox ESR.

1. To begin, download the required files from Mozilla.

Download the policy_templates_vX.YY.zip file associated with the latest release.

2. Extract the policy files and locate the windows folder. Copy firefox.admx to the following location:

%systemroot%\sysvol\domain\policies\PolicyDefinitions

In the same extracted policy files location, open the language folder appropriate for your location (e.g. en-US) and copy the firefox.adml file to the matching folder under PolicyDefinitions:

%systemroot%\sysvol\domain\policies\PolicyDefinitions\en-US

Your folder structure should resemble the following:

Firefox file structure group policy - docs

3. Confirm that the administrative templates have been installed correctly by opening the Group Policy Management Editor and expanding Computer Configuration > Policies > Administrative Templates.

You should be able to see a node labeled Firefox:

Firefox install group policy - administrative templates - docs

Generate the extension config

Before configuring Group Policy, we need to generate a config file within the Push admin console. Skip to the next step if you've already done so.

1. In the Push admin console, go to the Browsers section, and click on Enrollment options.

Push app browser enrollment options: KB 10052/3/4/5/6/8
Access browser enrollment options via the Browsers section.

2. On the modal, click Managed.

Managed browser enrollment screen - docs - showing Firefox

3. Then select Group Policy and make sure Firefox is the selected browser. Then click Generate config. This will provide you with a button to download a config specific to your team.

Firefox install group policy - managed deployment config screen - docs

4. Download and unzip the config file.

Configure Group Policy to automatically deploy and configure the Push extension

In the Microsoft Group Policy Management Editor, go to your Administrative Templates folder, then Firefox > Extensions > Extensions to Install.

1. Open the configuration setting and set the policy to Enabled. This will allow you to click the Show ... button to access the extension value.

2. Paste the Push Security extension value into the Value field. Then click OK and close the configuration item by clicking OK again. The Extensions to Install setting should now show as enabled.

https://addons.mozilla.org/firefox/downloads/latest/push-security/latest.xpi
Firefox install group policy - extensions to install - docs

3. Next, under Computer Configuration, expand Preferences > Windows Settings and select the Registry entry.

Right-click on the window pane to the right and select New > Registry Item.

Firefox install group policy - new registry item - docs

4. Leave the default options unchanged and paste the following registry key into the Key Path field. Then click OK.

Software\Policies\Mozilla\Firefox\3rdparty\Extensions\{7c4c19b9-2441-4942-873e-cb9eeee18a97}
Firefox install group policy - policy properties - docs

5. To create the next registry key, right-click in the window pane again and select New > Registry Item. Leave all the default options unchanged and paste the following registry key into the Key Path field. Do not click OK yet.

Software\Policies\Mozilla\Firefox\3rdparty\Extensions\{7c4c19b9-2441-4942-873e-cb9eeee18a97}

6. Next, enter the word token into the Value name field. Note: Extension policies are case-sensitive. Make sure that the value token is all lowercase.

7. Change the Value type to REG_SZ and set the Value data field to the value provided in the token.txt file generated in the Push console:

example-token-value-this-wont-work

Finally, click OK.

Firefox install group policy - token properties - docs

8. Verify that the Group Policy Management Editor window looks like the image below, showing the two registry entries created in the previous steps:

Firefox install group policy - group policy management editor - docs

The registry keys should now start propagating to client machines affected by this group policy.

You can verify that the keys are created as intended by launching gpupdate.exe from a Run prompt. Then open regedit.exe and browse to the following location:

HKEY_LOCAL_MACHINE\Software\Policies\Mozilla\Firefox\3rdparty\Extensions\{7c4c19b9-2441-4942-873e-cb9eeee18a97}

If the configured registry settings were applied successfully, the extension ID and token registry items configured in the previous steps will be visible.
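
The registry checks described above for Chrome, Edge and Firefox can be scripted and run on a client after gpupdate. The following PowerShell is an added example, not part of Push's documentation or tooling: it uses the extension IDs and policy key paths from this guide, assumes the browsers' standard force-install list keys (ExtensionInstallForcelist for Chrome and Edge, Extensions\Install for Firefox), and Test-PushPolicy is a hypothetical helper name. It checks that the token value exists, is named in lowercase and is REG_SZ, without printing the token itself.

```powershell
# Added example: audit the Push extension policy on a client machine.
$ChromiumId = 'dljjddkmmcminffjbcmeccgfbjlhmhlm'          # from this guide
$FirefoxId  = '{7c4c19b9-2441-4942-873e-cb9eeee18a97}'    # from this guide
$CrxEntry   = "$ChromiumId;https://clients2.google.com/service/update2/crx"
$XpiEntry   = 'https://addons.mozilla.org/firefox/downloads/latest/push-security/latest.xpi'

# ForceList paths are the standard policy list keys (assumption, not from this guide).
$browsers = @(
    @{ Name = 'Chrome'; Expected = $CrxEntry
       ForceList = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
       TokenKey  = "HKLM:\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\$ChromiumId\policy" },
    @{ Name = 'Edge'; Expected = $CrxEntry
       ForceList = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
       TokenKey  = "HKLM:\SOFTWARE\Policies\Microsoft\Edge\3rdparty\Extensions\$ChromiumId\policy" },
    @{ Name = 'Firefox'; Expected = $XpiEntry
       ForceList = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Extensions\Install'
       TokenKey  = "HKLM:\SOFTWARE\Policies\Mozilla\Firefox\3rdparty\Extensions\$FirefoxId" }
)

function Test-PushPolicy {
    param([hashtable]$Browser)
    $result = [ordered]@{ Browser = $Browser.Name; ForceInstall = $false; Token = 'missing' }

    # Force-install entries are numbered string values under the list key.
    $list = Get-Item -LiteralPath $Browser.ForceList -ErrorAction SilentlyContinue
    if ($list) {
        $entries = $list.GetValueNames() | ForEach-Object { $list.GetValue($_) }
        $result.ForceInstall = $entries -contains $Browser.Expected
    }

    $key = Get-Item -LiteralPath $Browser.TokenKey -ErrorAction SilentlyContinue
    if ($key) {
        $names = $key.GetValueNames()
        if ($names -ccontains 'token') {            # case-sensitive name check
            $kind = $key.GetValueKind('token')      # REG_SZ is reported as 'String'
            $len  = ([string]$key.GetValue('token')).Length
            $result.Token = if ($kind -eq 'String' -and $len -gt 0) { 'ok' }
                            else { "wrong type or empty ($kind)" }
        } elseif ($names -contains 'token') {
            $result.Token = 'wrong case'            # e.g. Token or TOKEN
        }
    }
    [pscustomobject]$result
}

$browsers | ForEach-Object { Test-PushPolicy $_ } | Format-Table -AutoSize
```

A browser that is not targeted by the group policy object reports ForceInstall as False and Token as missing, which is expected.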