Strict enforcement of the browser extension
About enforcing the browser extension
Ensuring that the ABS browser extension is active in all browsers on managed devices is essential to maintain robust cybersecurity protection. This page details the recommended best practices to enforce the usage of the extension on supported browsers while preventing the use of unsupported browsers and Incognito/Private/InPrivate and guest modes.
Prerequisites
Before proceeding with the steps outlined in this guide, make sure that you have the necessary administrative access and permissions on the managed devices (such as access to Intune, Group Policy Management editor, etc).
Recommendations
1. Force-install the extension on all supported browsers
We recommend that you force-install the extension on all relevant browsers - via one of the managed deployment options. This will ensure that users can't remove the extension, and that their browsers are therefore always protected by the extension.
For information about how to force-install the extension, see Sample managed deployment procedures.
2. Disable Incognito/InPrivate/Private and guest modes
We recommend that you prevent access to Incognito mode [Google Chrome], InPrivate mode [Microsoft Edge], Private mode [Firefox and Safari] and guest mode [Google Chrome and Microsoft Edge] on all end-user devices.
| To disable... | See here... |
|---|---|
| Incognito mode [Google Chrome] | https://chromeenterprise.google/policies/?policy=IncognitoModeAvailability |
| Guest mode [Google Chrome] | https://chromeenterprise.google/policies/?policy=BrowserGuestModeEnabled |
| InPrivate mode [Microsoft Edge] | https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#inprivatemodeavailability |
| Guest mode [Microsoft Edge] | https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#browserguestmodeenabled |
Instead of disabling Incognito/InPrivate/Private modes, it is possible to deploy the extension in these modes too. For details, see Incognito mode, InPrivate mode, and Private mode.
3. Disable the Microsoft Edge sidebar
The Microsoft Edge sidebar enables end users to bypass many of the ABS extension security features. Therefore, it is recommended that you disable the Microsoft Edge sidebar on all end user devices. For details, see Disabling the Microsoft Edge sidebar.
4. Enable local files to be scanned
The Browser Extension can scan local HTML files only if access to file URLs has been allowed by the end-user. For details, see Scanning local HTML files.
5. Remove local administrator rights
Removing local administrator rights on managed Windows devices is important for enhancing your organization's security and stability. By restricting local administrator privileges, you can mitigate the risks associated with unauthorized software installations, malicious attacks, and unintentional system configuration changes. This proactive approach helps prevent data breaches, malware infections, and system vulnerabilities - ultimately safeguarding your sensitive information and maintaining the integrity of your network.
To achieve this, you can use tools like Microsoft's Active Directory, Group Policy, or third-party endpoint management solutions. These tools allow you to control user permissions, monitor system activities, and enforce least privilege access - helping you strike a balance between user productivity and security and reducing the potential for costly security incidents.
6. Block user-level app installations
To block users from installing apps on Windows devices, follow these Microsoft instructions to disable user-level installations.
After the above procedure has been performed, any attempt to perform an installation in the per-user installation context will cause the Windows installer to display an error message and stop the installation.
In combination with the removal of local admin rights, this will prevent users from installing browser apps on the device.
7. Use AppLocker to allow only specific apps
You can use the built-in Windows AppLocker feature to allow users to run only specific apps that are included in a pre-defined list.
You can read here about AppLocker, and how to configure its rules.
8. Deploy on the device level
It is recommended that you install the extension and the associated organization token on the device level. This will enable the extension to be automatically added to all browser profiles of all users on each target device. This includes both corporate profiles and personal profiles. It also includes profiles that are added in the future.
If you don't install the extension and the organization token on the device level, but rather on the user level or on a profile level, then the extension will be installed on the specified browser profiles only. The extension will not be added to other browser profiles on a target device, which therefore won't be fully protected by the extension. However, installing on the user level or on a profile level gives you additional flexibility. For example, you could choose to add the extension to corporate browser profiles, but not to personal browser profiles.
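The following script is an added example, not part of this page or of the extension vendor's own deployment tooling. It shows recommendations 1, 2 and 8 applied together as Windows registry policy values: the Chrome and Edge policies linked in the table above (IncognitoModeAvailability, InPrivateModeAvailability, BrowserGuestModeEnabled) plus the ExtensionInstallForcelist policy that force-installs an extension, written under HKLM so that they apply device-wide to every profile of every user (the device-level deployment described in recommendation 8). The registry paths are the standard Chrome and Edge policy locations; the extension IDs are placeholders you must replace, and the function names are this example's own. It needs an elevated PowerShell session and is meant as a lab or audit aid; in production the same values should be pushed through Group Policy or Intune.

```powershell
# Added example: apply and audit device-level browser policies for the ABS extension.
# Runs in an elevated PowerShell session. HKLM policy keys are device-level, so they
# cover every browser profile of every user on the device (recommendation 8).

# PLACEHOLDERS (assumption): replace with the real extension ID for each browser.
$ChromeExtensionId = 'REPLACE_WITH_CHROME_EXTENSION_ID'
$EdgeExtensionId   = 'REPLACE_WITH_EDGE_EXTENSION_ID'

# Recommendation 2. IncognitoModeAvailability / InPrivateModeAvailability:
# 0 = available, 1 = disabled, 2 = forced. BrowserGuestModeEnabled: 0 = guest mode off.
$Policies = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';  Name = 'IncognitoModeAvailability'; Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';  Name = 'BrowserGuestModeEnabled';   Value = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'; Name = 'InPrivateModeAvailability'; Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'; Name = 'BrowserGuestModeEnabled';   Value = 0 }
)

# Recommendation 1. ExtensionInstallForcelist is a list policy: each entry is a numbered
# string value under the key, formatted "<extension id>;<update URL>".
$ForceLists = @(
    @{ Path  = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
       Entry = "$ChromeExtensionId;https://clients2.google.com/service/update2/crx" },
    @{ Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
       Entry = "$EdgeExtensionId;https://edge.microsoft.com/extensionwebstorebase/v1/crx" }
)

function Get-ForceListEntries([string]$Path) {
    # Returns the existing numbered entries of a force-list key (empty if the key is absent).
    if (-not (Test-Path $Path)) { return @() }
    @((Get-ItemProperty -Path $Path).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value })
}

function Set-BrowserPolicies {
    foreach ($p in $Policies) {
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        New-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Value -PropertyType DWord -Force | Out-Null
    }
    foreach ($f in $ForceLists) {
        if (-not (Test-Path $f.Path)) { New-Item -Path $f.Path -Force | Out-Null }
        # Idempotent: skip if the entry already exists, otherwise use the next free slot number.
        if ((Get-ForceListEntries $f.Path) -contains $f.Entry) { continue }
        $used = @((Get-ItemProperty -Path $f.Path).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { [int]$_.Name })
        $slot = if ($used.Count -gt 0) { ($used | Measure-Object -Maximum).Maximum + 1 } else { 1 }
        New-ItemProperty -Path $f.Path -Name "$slot" -Value $f.Entry -PropertyType String -Force | Out-Null
    }
}

function Test-BrowserPolicies {
    # One row per expected setting with a Compliant flag; usable as a scheduled check
    # or as the detection half of an Intune remediation script.
    $results = @()
    foreach ($p in $Policies) {
        $actual = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        $results += [pscustomobject]@{
            Setting   = "$($p.Path)\$($p.Name)"
            Expected  = $p.Value
            Actual    = $actual
            Compliant = ($actual -eq $p.Value)
        }
    }
    foreach ($f in $ForceLists) {
        $entries = Get-ForceListEntries $f.Path
        $results += [pscustomobject]@{
            Setting   = $f.Path
            Expected  = $f.Entry
            Actual    = ($entries -join ', ')
            Compliant = ($entries -contains $f.Entry)
        }
    }
    $results
}

Set-BrowserPolicies
Test-BrowserPolicies | Format-Table -AutoSize
```

Run `Test-BrowserPolicies` on its own to audit a device without changing it; any row with `Compliant` equal to `$false` is a device where a user could still open a private or guest session without the extension, or where the extension is not force-installed. To express the same policies at user level instead (recommendation 8's more flexible but less complete option), the keys would live under HKCU rather than HKLM.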