How to deploy the Push browser extension in Google Chrome using Microsoft Endpoint Manager (InTune)

This guide covers how to deploy the Push Security browser extension, including how to configure it to endpoints in your organization using Microsoft Endpoint Manager. We recommend that you deploy it first into a test environment, as you will be required to create policies and deploy a PowerShell script.

Note: Multiple steps in this guide overlap with the instructions in the related Microsoft Edge KB article. If you're following the guides to deploy settings for both browsers in your environment, please be sure to follow the steps closely to avoid missing settings that need to be applied in each instance.

Generating the extension config

Before we get started with configuring InTune, you need to generate a config specific to your team within the Push app. Skip to the next step if you’ve already done so.

In the Push app, head to the Browsers section, and click on Enrollment options.

Push app browser enrollment options: KB 10052/3/4/5/6/8
Access browser enrollment options via the Browsers section.

On the popup frame, click on the Managed button.

Push app - managed browser option: KB 10052/3/4/5/6/8
You'll see all the Push browser extension enrollment options here.

Next, click on the Device Management Software button, make sure Chrome is the selected browser, Windows is the selected OS, and click Generate config. This will provide you with a button to download a config specific to your team.

Push app - Device Management Software Chrome: KB 10054
Generate the config file for your team.

Once you’ve downloaded and extracted the zip file, proceed to the next step.

Creating a Configuration Profile

In Microsoft Endpoint Manager, select Devices (1), Configuration profiles (2) and then Create profile (3). Select Windows 10 and later(4) as your target platform, Templates (5)as the Profile type, and finally select Administrative Templates (6) then click the Create (7) button.

InTune - Create Configuration Profile: KB 10054 10055
Create a configuration profile in Microsoft Endpoint Manager

Enter a descriptive name for the profile (8), and a description if required, then click on the Next (9) button.

InTune - Device Management Profile Creation Chrome: KB 10054
Name the profile and add a description.

On the next screen, make sure Computer Configuration is selected (10). In the Setting name listing, click on Google, followed by Google Chrome, then Extensions, and finally Configure the list of force-installed apps and extensions (11). If a page opens on the right side of your screen, scroll down, click the Enabled radio button (12), and paste the following string into the value field (13):

dljjddkmmcminffjbcmeccgfbjlhmhlm;https://clients2.google.com/service/update2/crx

Finally, click OK (14).

InTune - Device Management Profile Creation Chrome Settings: KB 10054
Configure the Google Chrome administrative template.

Click Next at the bottom of the page and set any scope tags you require. On the following page, assign target groups (15), or set it to apply to all users and groups, if required. Click Next (16) at the bottom of the page.

InTune - Device Management Profile Creation Assignments: KB 10054 10055
Add groups to target with the profile.

On the final page, review the profile for any errors and finally click Create (17).

InTune - Device Management Profile Creation Chrome Review: KB 10054
Review the profile's settings.

Creating a PowerShell Script

There are a few settings we can't configure via configuration profiles, so we'll need to create a PowerShell script that will run on each endpoint to finalize the configuration steps.

The purpose of the script is to create registry keys and values containing policy settings for the Push Security extension, as it's not possible to configure these values via administrative templates in InTune.

In Microsoft Endpoint Manager, click on Devices (1), Scripts (2), Add (3), and then select Windows 10 and later (4) on the dropdown menu.

InTune - Create PowerShell script step 0: KB 10054 10055

On the Add PowerShell script screen, provide a Name (5) for the script, a description (optional), and click Next (6).

InTune - Device Management Powershell Chrome step 1: KB 10054
Provide a name and description for the PowerShell script.

Next, upload (8) chrome_push_security.ps1 included in the config.zip file generated in the Push app. Once uploaded, click on Yes next to the Run script in 64 bit PowerShell Host (8) option. This is an important step to make sure the registry keys are created in the correct location on 64-bit hosts. Click Next (9).

InTune - Device Management Powershell Chrome step 2: KB 10054
Configure the script settings.

As with the previous section, click Add groups (10) to specify the group or groups you wish to deploy the settings to, or set it to apply to all users and groups if required. Click Next (11) at the bottom of the page.

InTune - Device Management Powershell step 3: KB 10054 10055
Assign groups.

On the final page, review the profile for any errors and finally click Create (12).

InTune - Device Management Powershell Chrome step 4: KB 10054

The configuration steps for deploying the Push Security browser extension for Google Chrome via Microsoft Endpoint Manager is complete.

If you have any questions or you need help setting up, contact us and the Push team can help.