Deployment via Microsoft Endpoint Manager [Intune]

Note:

  • This page describes in detail how to deploy the extension on Google Chrome and Microsoft Edge - on Windows computers.

  • This page provides links to information about how to deploy the extension on Firefox - on Windows computers.

  • It is possible to use Intune to deploy the extension on all three of these browsers on MacOS systems. The required procedures are not included on this page.

  • For important additional information about deploying the extension, see Deploying the extension [Managed deployment].

This page includes:

About deployment via Microsoft Endpoint Manager

This page describes the 3-step procedure for using Microsoft Endpoint Manager [Intune] to deploy the extension on Google Chrome and Microsoft Edge browsers - on Windows computers. This page also includes links to information about deploying the extension on Firefox.

The deployment procedure includes the following steps:

Step 1

Installing the extension on endpoints

Step 2

Connecting the extension to the ABS organization

Step 3

Activating the extension

For other extension deployment options, manual and managed, see Deploying the extension [Managed deployment].

Note:

  1. To deploy the extension on any Windows device, the device must be joined to your Microsoft Entra ID with a UEM license.

  2. The deployment procedure below force-installs the extension on all target devices - users will not be able to remove or disable the extension.

Step 1: Install the extension

Step 1 uses the Microsoft Endpoint Manager to install the extension. The procedure below force-installs the extension on all target devices - users will not be able to remove or disable the extension.

Note:

To install the extension [Google Chrome and Microsoft Edge]:

  1. Open the Microsoft Endpoint Manager admin center.

    [https://endpoint.microsoft.com/ ]

  2. Go to Devices > "Configuration profiles"

  3. Click Create profile.

  4. Under Create a profile:

    1. Platform: Select "Windows 10 and later"

    2. Profile type: Select "Settings catalog"

  5. Click Create.

  6. In the Basics tab, give a descriptive name to the profile, such as Perception Point Browser Extension, and then click Next.

  7. In the Configuration settings tab, click Add settings.

    For Google Chrome

    1. In the Settings picker search box, search for "extensions" [without the quotes]

    2. Select "Google Google Chrome Extensions"

    3. Select "Configure the list of force-installed apps and extensions", and then click Next.

    4. Under Google Chrome > Extensions, enable Configure the list of force-installed apps and extensions

    5. Into the text field that opens, copy and paste the following:

      kpehlcnleoaejbmmgncofcgpjnojlfbn;https://clients2.google.com/service/update2/crx

      Note: If you are not able to enter the above string (for example, it breaks after the semicolon), you may need to use the import function to import a file that contains the string.

    8. For Microsoft Edge

    1. Click Add settings.

    2. In the Settings picker search box, search for "extensions" [without the quotes]

    3. Select "Microsoft Edge\Extensions"

    4. Select "Control which extensions are installed silently", and then click Next.

    5. Under Extensions, enable Control which extensions are installed silently

    6. In the text field on the left, add the following:

      jcllaekmhcebhkjmmlnbcdmbbpiidnhf;https://edge.microsoft.com/extensionwebstorebase/v1/crx

    7. Click Next.

  8. In the Scope tags tab: Click Next. (There is no need to add or change anything in this tab.)

  9. In the Assignments tab: Under "Included groups", click "Add groups"

    1. Select the group or groups in which the Entra ID users exist.

    2. Click Select, and then click Next.

  10. In the Review + create tab: Verify that your details are correct, and then click Create.

    Once you have created your profile, you'll need to wait until your endpoints sync with Microsoft Endpoint Manager [Intune].

    Important: After installing the extension, any browsers that were open during the installation should be restarted. This will enable all open tabs in the browser to be protected by Advanced Browser Security.

To install the extension [Firefox]:

Important: After installing the extension, any browsers that were open during the installation should be restarted. This will enable all open tabs in the browser to be protected by Advanced Browser Security.

Step 2: Connect the extension

Step 2 applies to Google Chrome, Microsoft Edge, and Firefox

Step 2 includes the following sub-steps:

Step 2

Connect the extension

Step 2A

Get the organization token

Step 2B

Create an Intune package

Step 2C

Push the Intune package

In this step, you'll download the required organization token from the Advanced Browser Security console.

  1. Download the Microsoft Win32 Content Prep Tool from here

    [https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool ]

  2. Download the organization token from Advanced Browser Security console.

    • Make sure to download the token in a Windows PowerShell (.ps1) file. The perception-point-organization-token.ps1 file will be downloaded to your computer.

    • For download details, see Organization tokens .

  3. Save the PowerShell script in a new folder, for example:

    c:\scripts\PS1

You are now ready to perform Step 2B - create an Intune package - as described below.

 

In this step, you'll use the Microsoft Win32 Content Prep Tool to convert the organization token PowerShell script, that contains the required organization token, into an Intune package [a file with the .intunewin format].

  1. Create a new folder for the generated Intune package [i.e. the output file], for example:

    c:\scripts\output

  2. Run CMD as an administrator, and navigate to the folder into which you downloaded the Microsoft Win32 Content Prep Tool.

  3. Run the command below, and follow the online instructions:

    IntuneWinAppUtil.exe

    Specify "n" in response to "Do you want to specify catalog folder?"

  4. Once the Intune package is created, you should be able to see the token.intunewin file in the output folder that you created above.

You are now ready to perform Step 2C - to push the Intune package to endpoint devices - as described below.

 

After you have created the Intune package in Step 2A above, you are ready to use Microsoft Endpoint Manager [Intune] to push the Intune package to endpoint devices, as described below.

  1. Open the Microsoft Endpoint Manager admin center, and log in with your Entra ID admin account.

    [https://endpoint.microsoft.com/ ]

  2. Go to Apps > Windows and then click Add.

  3. Under App type, select "Windows app (win32)" and then click Select.

  4. Click "Select app package file".

  5. In the "App package file" side box, click on the blue folder icon [] to browse to the location of the Intune package that you created in Step 2A above.

    (For example c:\scripts\output)

  6. Locate the Intune package (for example c:\scripts\output\token.intunewin), select it, click Open, and then click OK.

  7. In the App information tab, fill in the following mandatory fields:

    • Name: perception-point-organization-token.ps1

    • Description: Deploys the extension organization token

    • Publisher: Perception Point. Click Next.

  8. In the Program tab, fill in the following fields:

    1. Install command: Powershell.exe -ExecutionPolicy ByPass -File .\perception-point-organization-token.ps1

      [Remember to change .\perception-point-organization-token.ps1 if necessary.]

    2. Uninstall command: Powershell.exe -ExecutionPolicy ByPass -File .\perception-point-organization-token.ps1 -uninstall

      [Remember to change .\perception-point-organization-token.ps1 if necessary.]

    3. Install behavior: Select "System"

    4. Device restart behavior: Select No specific action and then click Next.

  9. In the Requirements tab, fill in the following fields:

    1. Operating system architecture: Select 64-bit.

    2. Minimum operation system: Select Windows 10 1607 [or any other operating system that you prefer], and then click Next.

  10. In the Detection rules tab:

    1. Rules format: Select "Manually configure detection rules" and then click Add.

    2. Under Detection rule, select:

      1. Rule type: File

      2. Path: C:\ProgramData\PerceptionPoint

      3. File or folder: org-token-installed.txt

      4. Detection method: File or folder exists

      5. Associated with a 32-bit app on 64-bit clients: No

      6. Click OK and then click Next.

  11. In the Dependencies tab: Click Next. (There is no need to add or change anything in this tab.)

  12. In the Supersedence tab: Click Next. (There is no need to add or change anything in this tab.)

  13. In the Assignments tab: Under "Required", click "Add group"

    1. Select the group or groups in which the Entra ID users exist.

    2. Click Select, and then click Next.

  14. In the Review + create tab: Verify that your details are correct, and then click Create.

    Once you have created your Intune app, you'll need to wait until your endpoints sync with Microsoft Endpoint Manager [Intune] and download the app.

  15. Once your devices have received and installed the Intune app, you can verify if the installation was completed successfully by opening the registry on a device and going to:

    HKEY_CURRENT_USER\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\kpehlcnleoaejbmmgncofcgpjnojlfbn\policy

     

Step 3: Activate the extension

For details on activating the extensions, see Step 3: Activating the extension on endpoints.

See also: