This is the multi-page printable view of this section. Click here to print.
Installation
Steps for IT administrators to deploy Protegrity Browser Protector on end-user devices.
1 - Testing the Protegrity Browser Protector Extension Locally
Set up and test the Browser Protector extension locally.
Test the Protegrity Browser Protector Extension Locally
For testing and validation purposes, it is necessary to run the Protegrity Browser Protector extension locally. This allows developers and administrators to ensure the extension works as expected in a controlled environment before deploying it in production. In this section, we will outline the steps to load and use a local configuration file.
Load the Extension in the Chrome Browser
- Open Google Chrome.
- Navigate to the Extensions page:
- Enter
chrome://extensionsin the address bar and press Enter.
- Enter
- Enable Developer Mode:
- Toggle the Developer mode switch in the top-right corner of the Extensions page.
- Click Load unpacked:
- Click the Load unpacked button in the top-left corner.
- Select the Protegrity Browser Protector Extension Folder:
- In the file dialog, navigate to the folder containing the extension’s source code and select it.
- Verify the Extension:
- Ensure the extension appears in the list with its name and icon. Check for any errors or warnings in the extension details.
Load the Extension JSON configuration file
- Use the JSON configuration from the
Configuration Summarystep and save it to a file on your local machine, e.g.config.json. - Open Google Chrome.
- From the top-right portion of the browser click on Extensions menu, select
Protegrity Browser Protector. - Click
Select Fileand specify theconfig.jsonfile. - Test the extension following the instructions in the Using Protegrity Browser Protector Extension section.
Reviewing Logs
- Open the browser’s Developer Tools:
- Press
Ctrl + Shift + I(Windows/Linux) orCmd + Option + I(Mac) to open Developer Tools.
- Press
- View the Console:
- Navigate to the Console tab to view any logs or errors produced by the extension.
Unloading the Extension
Once testing is complete, remove the extension from the browser:
- Navigate to the Extensions page.
- Locate the Protegrity Browser Protector extension and click Remove.
2 - Installing Browser Protector on Windows Devices Using Intune
Deploy Protegrity Browser Protector remotely on Windows end-user devices using Intune and Administrative Templates.
Deploy Protegrity Browser Protector Extension with Intune
Follow these steps to configure and deploy the Administrative Template files for the Protegrity Browser Protector policy using Intune.
For more information Administrative Templates, refer to Microsoft Intune Administrative Templates.
Import ADMX and ADML Files
- Sign in to the Microsoft Intune admin center.
- Navigate to:
- Devices > Manage devices > Configuration > Import ADMX tab > Import.
- Or: Devices > By platform > Windows > Manage devices > Configuration > Import ADMX tab.
- Upload the ADMX File:
- Replace
pty_extension_idwith the extension’s ID generated in pre-configuration steps. - Save the file with a recognizable name, such as
ProtegrityBrowserProtector.admx
- Replace
<?xml version="1.0"?>
<policyDefinitions revision="1.0" schemaVersion="1.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<policyNamespaces>
<target namespace="Protegrity.Policies.BrowserProtector" prefix="ptyBrowserProtector" />
<using prefix="windows" namespace="Microsoft.Policies.Windows" />
</policyNamespaces>
<supersededAdm fileName="" />
<resources minRequiredRevision="1.0" fallbackCulture="en-US" />
<categories>
<category name="Protegrity_Browser_Extension_Configuration" displayName="$(string.Protegrity_Browser_Extension_Configuration)" />
</categories>
<policies>
<!-- Protegrity Browser Protector Configuration -->
<policy name="POL_ProtegrityBrowserProtector"
displayName="$(string.Protegrity_Browser_Extension_Configuration)"
explainText="$(string.Protegrity_Browser_Extension_Configuration_HELP)"
class="Machine" key="SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\pty_extension_id\policy" presentation="$(presentation.POL_ProtegrityBrowserProtector)">
<parentCategory ref="Protegrity_Browser_Extension_Configuration" />
<supportedOn ref="windows:SUPPORTED_Windows10" />
<elements>
<text id="TXT_ProtegrityBrowserProtector" valueName="ProtegrityBrowserProtector" />
</elements>
</policy>
<!-- Protegrity Browser Protector Installation/Updates -->
<policy name="POL_ExtensionSettings"
displayName="$(string.ExtensionSettings)"
explainText="$(string.POL_ExtensionSettings_HELP)"
class="Machine" key="SOFTWARE\Policies\Google\Chrome" presentation="$(presentation.POL_ExtensionSettings)">
<parentCategory ref="Protegrity_Browser_Extension_Configuration" />
<supportedOn ref="windows:SUPPORTED_Windows10" />
<elements>
<text id="TXT_ExtensionSettings" valueName="ExtensionSettings" />
</elements>
</policy>
</policies>
</policyDefinitions>
- Upload the ADML File:
- Replace
https://s3.region.amazonaws.com/s3-bucket-name/update.xmlwith the actual URL to a manifest.xml hosted on a private server. - Replace all placeholder values (e.g.,
app_registration_client_id,protector_endpoint_url, etc.) with configuration values recorded in pre-configuration chapter. - Save the file with a recognizable name, such as
ProtegrityBrowserProtector.adml.
<?xml version="1.0"?>
<policyDefinitionResources revision="1.0" schemaVersion="1.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<displayName>Protegrity Browser Extension Configuration</displayName>
<description>Protegrity Browser Extension Configuration</description>
<resources>
<stringTable>
<string id="Protegrity_Browser_Extension_Configuration">Protegrity Browser Protector</string>
<string id="Protegrity_Browser_Extension_Configuration_HELP">Configures Protegrity Browser Protector settings.</string>
<string id="POL_ProtegrityBrowserProtector_HELP">Configures the JSON value for Protegrity Browser Protector settings.</string>
<string id="ExtensionSettings">Google Chrome Extension Settings</string>
<string id="POL_ExtensionSettings_HELP">Configures the settings for Google Chrome extensions.</string>
</stringTable>
<presentationTable>
<presentation id="POL_ProtegrityBrowserProtector">
<textBox refId="TXT_ProtegrityBrowserProtector">
<label>ProtegrityBrowserProtector</label>
<defaultValue>{"serviceEndpoint":{"authentication":{"type":"oauth2","identityProvider":"microsoft_entra_id","settings":{"msal_api":{"clientId":"app_registration_client_id","authority":"https://login.microsoftonline.com/app_registration_tenant_id"},"scopes":["app_registration_client_id/.default"]}},"url":"protector_endpoint_url"},"dataElements":[{"value":"data_element_1","label":"data_element_1_label"},{"value":"data_element_2","label":"data_element_2_label"}],"adminContactInfo":{"url":"extension_admin_page_url","phone":"extension_admin_phone","email":"extension_admin_email"}}</defaultValue>
</textBox>
</presentation>
<presentation id="POL_ExtensionSettings">
<textBox refId="TXT_ExtensionSettings">
<label>ExtensionSettings</label>
<defaultValue>{"pty_extension_id":{"installation_mode":"normal_installed","override_update_url":true,"update_url":"https://s3.region.amazonaws.com/s3-bucket-name/update.xml"}}</defaultValue>
</textBox>
</presentation>
</presentationTable>
</resources>
</policyDefinitionResources>
- Click Next.
- In Review + Create, verify your selections and click Create.
Notes
- Once imported, ADMX templates will appear in the list.
- Use Refresh to update the list or Delete to remove templates.
Create a Profile Using Imported ADMX Files
For more details on the steps or configuration, refer to:
- Sign in to the Microsoft Intune admin center.
- Navigate to:
- Devices > Manage devices > Configuration > Create > New policy.
- Enter the following properties:
- Platform: Select Windows 10 and later.
- Profile Type: Select Templates > Imported Administrative Templates (Preview).
- Click Create.
- In Basics, enter:
- Name: Provide a descriptive name, e.g.,
ADMX: Protegrity Browser Protector for Windows Devices. - Description: (Optional) Add a brief description about the profile’s purpose, e.g., “Configures Protegrity Browser Protector security policies for managed devices.”
- Name: Provide a descriptive name, e.g.,
- Click Next.
- In Configuration Settings, configure the policies using the imported ADMX files specific to Protegrity Browser Protector.
- Click Next.
- Assign scope tags to filter the profile to specific IT groups, e.g.,
Security TeamorCompliance Department. - Click Next.
- Assign the profile to users or device groups:
- User Groups: Configured settings apply to devices where users sign in.
- Device Groups: Configured settings apply to all users on the assigned device.
- For more information, refer to User Groups vs. Device Groups.
- Click Next.
- In Review + Create, verify your settings.
- Click Create to save and assign the profile.
Assign the Profile to Devices
After creating the profile, go to the Assignments section. Assign the profile to the appropriate users or devices groups in Intune. Click Save to finalize the deployment.
Verify Deployment
On a managed device, sign in with a user account assigned to the policy. Open Chrome and navigate to chrome://policy to verify the ExtensionSettings policy is applied. Check that the extension is installed and updated from the private server.
3 - Installing Browser Protector on macOS Using Kandji
Deploy Protegrity Browser Protector remotely on macOS end-user devices Using Kandji.
Deploy Protegrity Browser Protector Extension Using Kandji
Follow these steps to configure and deploy the .mobileconfig files for the Protegrity Browser Protector policy using Kandji.
Testing .mobileconfig
- Test the
.mobileconfigfile on a single device before deploying it to a large number of devices. - If modifications are needed, edit the
.mobileconfigfile, re-upload it to Kandji, and reassign it to the blueprint.
Prepare the Browser Extension installation/update .mobileconfig File
- Use the
.mobileconfigfile below. Make sure to:- Replace
https://s3.region.amazonaws.com/s3-bucket-name/update.xmlwith the actual URL to a manifest.xml hosted on a private server.
- Replace
- Save the file with a recognizable name, such as
ProtegrityBrowserProtector.mobileconfig.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadType</key>
<string>com.apple.ManagedClient.preferences</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadIdentifier</key>
<string>com.protegrity.browserprotector.install</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadDisplayName</key>
<string>Protegrity Browser Protector Management</string>
<key>PayloadContent</key>
<dict>
<key>com.google.Chrome</key>
<dict>
<key>Forced</key>
<array>
<dict>
<key>mcx_preference_settings</key>
<dict>
<key>ExtensionSettings</key>
<dict>
<!-- Protegrity Browser Protector Installation/Updates -->
<key>pty_extension_id</key>
<dict>
<key>installation_mode</key>
<string>normal_installed</string>
<key>update_url</key>
<string>https://s3.region.amazonaws.com/s3-bucket-name/update.xml</string>
<key>override_update_url</key>
<true/>
</dict>
</dict>
</dict>
</dict>
</array>
</dict>
</dict>
</dict>
</array>
<key>PayloadDescription</key>
<string>Configuration for managing the Protegrity Browser Protector Chrome extension.</string>
<key>PayloadDisplayName</key>
<string>Protegrity Browser Protector Management</string>
<key>PayloadIdentifier</key>
<string>com.protegrity.browserprotector.install</string>
<key>PayloadOrganization</key>
<string>Protegrity Inc.</string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Prepare the Browser Extension Configuration .mobileconfig File
- Use the
.mobileconfigfile below. Make sure to:- Replace
pty_extension_idwith the extension id. - Replace all placeholder values (e.g.,
app_registration_client_id,protector_endpoint_url, etc.) with configuration values recorded in pre-configuration chapter.
- Replace
- Save the file with a recognizable name, such as
ProtegrityBrowserProtectorSettings.mobileconfig.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadType</key>
<string>com.apple.ManagedClient.preferences</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadIdentifier</key>
<string>com.protegrity.browserprotector.settings</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadDisplayName</key>
<string>Protegrity Browser Protector Management</string>
<key>PayloadContent</key>
<dict>
<!-- Protegrity Browser Protector Configuration -->
<key>com.google.Chrome.extensions.pty_extension_id</key>
<dict>
<key>Forced</key>
<array>
<dict>
<key>mcx_preference_settings</key>
<dict>
<key>ProtegrityBrowserProtector</key>
<dict>
<key>serviceEndpoint</key>
<dict>
<key>authentication</key>
<dict>
<key>type</key>
<string>oauth2</string>
<key>identityProvider</key>
<string>microsoft_entra_id</string>
<key>settings</key>
<dict>
<key>msal_api</key>
<dict>
<key>clientId</key>
<string>app_registration_client_id</string>
<key>authority</key>
<string>https://login.microsoftonline.com/app_registration_tenant_id</string>
</dict>
<key>scopes</key>
<array>
<string>app_registration_client_id/.default</string>
</array>
</dict>
</dict>
<key>url</key>
<string>protector_endpoint_url</string>
</dict>
<key>dataElements</key>
<array>
<dict>
<key>value</key>
<string>data_element_1</string>
<key>label</key>
<string>data_element_1_label</string>
</dict>
<dict>
<key>value</key>
<string>data_element_2</string>
<key>label</key>
<string>data_element_2_label</string>
</dict>
</array>
<key>adminContactInfo</key>
<dict>
<key>url</key>
<string>extension_admin_page_url</string>
<key>phone</key>
<string>extension_admin_phone</string>
<key>email</key>
<string>extension_admin_email</string>
</dict>
</dict>
</dict>
</dict>
</array>
</dict>
</dict>
</dict>
</array>
<key>PayloadDescription</key>
<string>Configuration for managing the Protegrity Browser Protector Chrome extension.</string>
<key>PayloadDisplayName</key>
<string>Protegrity Browser Protector Management</string>
<key>PayloadIdentifier</key>
<string>com.protegrity.browserprotector.settings</string>
<key>PayloadOrganization</key>
<string>Protegrity Inc.</string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Log In to Kandji
Visit the Kandji dashboard and log in with your administrative credentials.
Create a New Library Item
- Navigate to the Library section in the Kandji dashboard.
- Click Add New in the upper-right corner.
- Select Custom Profile from the list of options.
Upload the .mobileconfig Files
- In the Custom Profile section:
- Click Upload Profile.
- Select your
ProtegrityBrowserProtector.mobileconfigfile.
- Kandji will parse the
.mobileconfigfile and display its configuration details.
Review and Verify the Profile
- Carefully review the uploaded configuration:
- Ensure the
Payload Display Name,Payload Description, and other details match the intended configuration. - Confirm that the policy enforces the Protegrity Browser Protector settings correctly.
- Ensure the
- Click Save to save the profile.
Assign the Profile to a Blueprint
- Go to the Blueprints section in the Kandji dashboard.
- Select the blueprint for the devices you want to apply this policy to.
- Click Edit Blueprint.
- Scroll to the Custom Profiles section and click Add.
- Select the newly created Protegrity Browser Protector profile from the list.
- Click Save Changes to update the blueprint.
Deploy the Policy
- Devices assigned to the blueprint will automatically receive the new configuration the next time they check in with Kandji.
- To enforce the policy immediately:
- Go to the Devices section.
- Select a device assigned to the blueprint.
- Click Sync Device to push the updated configuration.
Verify Policy Deployment
- On a target device, open System Preferences > Profiles to confirm the new configuration profile (
Protegrity Browser Protector Management) is installed. - Open Google Chrome on the device and confirm:
- The Protegrity Browser Protector extension is installed.
- The enforced settings (OAuth2 authentication, service endpoint, etc.) are applied.
Optional: Monitor Compliance
- Navigate to the Devices section in Kandji to view the compliance status.
- Look for any deployment errors or issues and resolve them as necessary.