Deploy the Incydr browser extension

Updated

Overview

The Incydr browser extension works alongside the insider risk agent to improve browser activity monitoring and to enforce preventative controls.

Specifically, the extension provides:

  • More accurate source and destination details in some situations, such as when users switch between multiple tabs while uploads and downloads are in progress
  • Monitoring of pasting clipboard contents into the browser
  • Blocking of uploads and pastes into the browser via preventative controls

This article explains how to deploy the extension via Google Admin console, Microsoft Intune, and Jamf Pro. For assistance deploying the extension with other tools, contact your Customer Success Manager (CSM) to engage our Professional Services team. 

Considerations

  • To use the Incydr browser extension, user devices must be running:
    • A supported Windows, macOS, or Linux operating system.
    • The Firefox extension is currently an early access release and is only available for Windows and macOS.
    • The most recent version of the Google Chrome, Microsoft Edge, Firefox, Prisma, or Island web browser.
    • Insider risk agent version:
      • 1.9.2 or later for Windows and macOS
      • 1.12.0 or later for Linux
      • 2.4.1 for Firefox
  • The Incydr browser extension can only be deployed in a managed browser environment.

Download links

  • Chrome web store: Download the Incydr extension for Chrome, Edge, Prisma, and Island browsers.
  • Firefox add-ons: Download the Incydr extension for Firefox.

Deployment options

Choose the steps below appropriate for your environment.

Chrome via Google Admin console

Step 1: Enroll browsers

To force-install the Incydr browser extension for all user profiles, you must first enroll browsers for management:

  1. Sign in to your Google Admin console as a user with Google Workspace Super Admin permissions.
  2. Ensure Chrome Browser Management is enabled. See Google support for more details.
  3. Select Devices.
  4. Navigate to Chrome > Managed Browsers
  5. Select the appropriate Organizational Unit.
  6. Click Enroll.
  7. Enroll browsers with the enrollment token. See Google support for more details.
  8. Restart the Google Chrome browser and confirm enrollment was successful.

Step 2: Set policies for enrolled browsers

After employee browsers are enrolled, configure the user and browser policy to force-install the Incydr browser extension.

  1. Navigate to Chrome > Apps and Extensions > Users & Browsers.
  2. Select the appropriate Organizational Unit.
  3. Click the plus (+) icon and select the Add Chrome app or extension by ID icon.
  4. In the View app by ID field, enter: hamlakigaoomkpddnpnbjkhdfppbnjjh
  5. Select the Incydr extension.
  6. In the extension settings, change Allow install to Force install.
  7. Click Save.

Chrome or Edge via Microsoft Intune

Managed environment required
To deploy the Incydr browser extension, Windows devices must be joined to a Microsoft Active Directory domain. macOS devices must be managed via a mobile device management (MDM) tool or joined to a domain via MCX.

This section applies to using Intune to deploy the Incydr extension to: Chrome and Edge on Windows Edge on macOS For Chrome on macOS, see the next section instead

  1. Sign in to your Microsoft Intune.
  2. Select Devices.
  3. Select Configuration.
  4. Select Create > New Policy.
  5. Select a platform ("macOS" or "Windows 10 and later").
  6. In the Profile type dropdown, select Settings catalog.
  7. Click Create.
  8. Enter a name and description, then click Next.
  9. From the Configuration settings tab, click Add settings.
    • For Windows:
      1. Select either:
        • Chrome: Google Google Chrome Extensions
        • Edge: Microsoft Edge \ Extensions
      2. In the list of setting names, select either:
        • Chrome: Extension management settings (Device)
        • Edge: Configure extension management settings
      3. Close the Settings picker.
      4. Enable Extension management settings (Device) for Chrome, or Configure extension management settings for Edge.
      5. In the Configure extension management setting field, enter:
        {"hamlakigaoomkpddnpnbjkhdfppbnjjh": {"installation_mode": "force_installed","update_url": "https://clients2.google.com/service/update2/crx" }}
      6. Click Next.
    • For Mac:
      1. Select Microsoft Edge. (For Chrome, follow the steps in the Deploy to Chrome via Microsoft Intune for macOS section below instead.)
        A list of settings appear below.
      2. Select the setting Control which extensions are installed silently.
      3. Close the Settings picker window.
      4. In the empty text field, enter: hamlakigaoomkpddnpnbjkhdfppbnjjh;https://clients2.google.com/service/update2/crx
      5. Click Next.
  10. In the Scope tags tab, click Select scope tags.
  11. Select Default and click Next.
  12. In the Assignments tab, select the groups to receive the extension. We recommend adding all users and/or devices.
  13. Click Next.
  14. Click Create.

Watch: Deploy via Microsoft Edge and Intune (Windows)

Watch: Deploy via Google Chrome and Microsoft Intune (Windows)

Chrome via Microsoft Intune for macOS

Managed environment required
To deploy the Incydr browser extension, macOS devices must be managed via a mobile device management (MDM) tool or joined to a domain via MCX.

Step 1: Create a .plist file

To deploy the Incydr browser extension via Intune for macOS, you must first create a .plist file, which you will use to complete the steps in the next section.

To create the file:

  1. Open a new blank document in a plain text editor.

  2. Copy the text below and paste it into the text editor:

    <key>ExtensionInstallForcelist</key>
      <array>
        <string>hamlakigaoomkpddnpnbjkhdfppbnjjh;https://clients2.google.com/service/update2/crx</string>
      </array>
  3. Save the file with the .plist extension. For example: Code42IncydrChromeExtension.plist
  4. Note the location of the saved file. You will need it to complete the configuration steps in the next section.

Step 2: Configure Intune

  1. Sign in to your Microsoft Intune.
  2. Select Devices.
  3. Select Manage devices > Configuration.
  4. Select Policies.
  5. Select Create > New Policy.
  6. In the Platform dropdown, select macOS.
  7. In the Profile type dropdown, select Templates.
  8. For the Template Name, select Preference file.
  9. Click Create.
  10. Enter a name and description (for example: "Incydr Browser Extension - Chrome"), then click Next.
  11. On the Configuration settings tab:
    1. For the Preference domain name, enter: com.google.Chrome
    2. For the Property list file, select the .plist file you created above in Step 1.
    3. Click Next.
  12. In the Assignments tab, select the groups to receive the extension. We recommend adding all users and/or devices.
  13. Click Next.
  14. Click Create.

Watch: Deploy via Google Chrome and Microsoft Intune (Mac)

 

Watch: Deploy via Microsoft Edge and Intune (Mac)

Chrome or Edge via SCCM

Step 1: Create a configuration item

  1. Sign in to Microsoft Configuration Manager.
  2. Select Assets and Compliance > Create Configuration Item.
    The Create Configuration Item Wizard appears.
  3. Enter a name and description. For example: Incydr Chrome Browser Extension
  4. Under Settings for devices managed with Configuration Manager client, select Windows Desktops and Servers (custom), then click Next.
  5. Select the platforms where the extension will be installed, then click Next.
  6. From General > Settings, click New. Enter the following settings values, then click OK:
    • Name: ExtensionInstallForcelist
    • Description: Incydr Chrome Browser Extension
    • Setting type: Registry value
    • Data type: String
    • Hive Name: HKEY_LOCAL_MACHINE
    • Key Name:
      • Chrome: Software\Policies\Google\Chrome\ExtensionInstallForcelist
      • Edge: Software\Policies\Microsoft\Edge\ExtensionInstallForcelist
    • Value Name: 1
      The Value Name must be a unique number. If you deploy other extensions via SCCM, use a different number for each.
  7. Select the Compliance Rules tab and click New. Enter the following settings values:
    • Name/Description: Incydr Browser Extension Compliance Rule
    • For the following values: hamlakigaoomkpddnpnbjkhdfppbnjjh;https://clients2.google.com/service/update2/crx
    • Select Remediate noncompliant rules when supported
    • Select Report noncompliance if this setting instance is not found
  8. Click OK and close the Create Configuration Item Wizard.

Step 2: Create a configuration baseline

  1. Navigate to Assets and Compliance > Compliance Settings > Configuration Baselines.
  2. Create a new configuration baseline.
  3. Enter a name and description. For example: Incydr Chrome Browser Extension.
  4. In the Configuration data section, select Add > Configuration items.
  5. Select the Incydr Chrome Browser Extension configuration item you created above and click Add.
  6. Click OK.

Step 3: Deploy the configuration baseline

  1. Navigate to Assets and Compliance > Compliance Settings > Configuration Baselines.
  2. Select the Incydr Chrome Browser Extension baseline and click Deploy.
    The Deploy Configuration Baseline wizard appears.
  3. Confirm that the Incydr Chrome Browser Extension baseline is selected. If not, add it.
  4. Select Remediate noncompliant rules when supported.
  5. Select the collection to deploy to.
  6. Set the compliance evaluation schedule. For testing or immediate deployment, set to 1 minute.
  7. Click OK.

Step 4: Confirm deployment to user devices

  1. From a user’s device, open Google Chrome.
  2. In the address bar, enter chrome://policy to view all applied policies.
  3. Alternatively, enter chrome://extensions to verify if the Incydr Chrome Browser Extension is installed.

Chrome or Edge via Jamf Pro (Mac only)

Use the same profile for all browser extensions
If you manage multiple browser extensions, include the configuration details for all extensions in one profile to reduce the risk of unintended behavior. Deploying separate profiles for each extension can lead to conflicts that prevent extensions from functioning properly.

  1. Sign in to your Jamf Pro console.
  2. Select Computers.
  3. Select Content Management > Configuration Profiles.
  4. Update an existing configuration profile, or create a new one.
    1. Select Application & Custom Settings.
    2. Select External Applications.
  5. For Google Chrome:
    1. Add a new application for com.google.Chrome
    2. Use the following key/value pairs:
{
  "title": "Google Chrome Extensions (com.google.Chrome)",
  "description": "Install extensions in Google Chrome",
  "properties": {
    "ExtensionInstallForcelist": {
      "title": "Extension Install Forcelist",
      "description": "Add extension IDs. Paste the extension ID in front of the default text.",
      "property_order": 5,
      "type": "array",
      "items": {
        "title": "Extension ID",
        "default": "hamlakigaoomkpddnpnbjkhdfppbnjjh;https://clients2.google.com/service/update2/crx",
        "type": "string"
      }}}}
  1. For Microsoft Edge:
    1. Add a new application for com.microsoft.Edge
    2. Use the following key/value pairs:
{
  "title": "Microsoft Edge Extensions (com.microsoft.Edge)",
  "description": "Install extensions in Microsoft Edge",
  "properties": {
    "ExtensionInstallForcelist": {
      "title": "Extension Install Forcelist",
      "description": "Add extension IDs. Paste the extension ID in front of the default text.",
      "property_order": 5,
      "type": "array",
      "items": {
        "title": "Extension ID",
        "default": "hamlakigaoomkpddnpnbjkhdfppbnjjh;https://clients2.google.com/service/update2/crx",
        "type": "string"
      }
    }
  }
}

Firefox via browser policy

Early access

If you manage Firefox extensions via the policies.json file on user devices, add the Incydr extension details to the ExtensionSettings section to automatically deploy the extension to users. Copy and paste the code below to install the Incydr extension with these settings:

  • The extension must be installed
  • Users cannot uninstall or disable the extension
  • The extension runs in private browsing mode
{
  "policies": {
    "ExtensionSettings": {
      "{2e0d1041-8b91-445c-8e94-c0de42df6251} ": {
        "install_url": https://addons.mozilla.org/firefox/downloads/latest/{2e0d1041-8b91-445c-8e94-c0de42df6251}/latest.xpi,
        "installation_mode": "force_installed",
        "private_browsing": "allowed",
        "updates_disabled": false
     }
  },
    "Preferences": {
      "extensions.openPopupWithoutUserGesture.enabled": {
        "Value": true,
        "Status": "default"
      }
    }
  }
}

Firefox via InTune (Windows only)

Early access

  1. If you have not used Firefox with InTune before, follow these steps to create a Firefox configuration profile: https://support.mozilla.org/en-US/kb/managing-firefox-intune. If you already have a Firefox Intune profile, skip this step.
  2. Sign in to your Microsoft Intune Admin Center.
  3. Select Devices > Configuration.
  4. Select the Firefox policy you created above in Step 1 (or your pre-existing Firefox policy if you skipped step 1).
  5. Next to Configuration settings, click Edit.
  6. On the Configuration settings tab, click Add.
  7. Enter the following values into the form fields:
    1. Name: Incydr Browser Extension - Firefox
    2. Description: Optional - no value required
    3. OMA-URI:
      ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Extensions/ExtensionSettings
    4. Data type: String 
    5. Value: 
      <enabled/>
      <data id="ExtensionSettings" value='
      {
        "{2e0d1041-8b91-445c-8e94-c0de42df6251}": {
          "installation_mode": "force_installed",
          "install_url": "https://addons.mozilla.org/firefox/downloads/latest/{2e0d1041-8b91-445c-8e94-c0de42df6251}/latest.xpi",
          "updates_disabled": false,
          "private_browsing": true
        }
      }'/>
      <data id="Preferences" value='
      {
        "extensions.openPopupWithoutUserGesture.enabled": {
          "Value": true,
          "Status": "default"
        }
      }'/>
    6. Click Save.
  8. On the Configuration settings tab, click Review + save, then click Save again.
  9. Next to Assignments, click Edit.
  10. In the Assignments tab, select the groups to receive the extension. We recommend adding all users and/or devices.
  11. Click Review + save, then click Save again.

Firefox via Jamf Pro (Mac only)

Early access

Use the same profile for all browser extensions
If you manage multiple browser extensions, include the configuration details for all extensions in one profile to reduce the risk of unintended behavior. Deploying separate profiles for each extension can lead to conflicts that prevent extensions from functioning properly.

  1. Sign in to your Jamf Pro console.
  2. Select Computers.
  3. Select Content Management > Configuration Profiles.
  4. Update an existing configuration profile, or create a new one.
  5. Select Application & Custom Settings.
  6. Select External Applications > Upload.
  7. Click Add.
  8. In the Preference Domain field, enter org.mozilla.firefox.
  9. In the Property List, enter: 
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
      <key>EnterprisePoliciesEnabled</key>
      <true/>
      <key>ExtensionSettings</key>
      <dict>
        <key>{2e0d1041-8b91-445c-8e94-c0de42df6251}</key>
        <dict>
          <key>installation_mode</key>
          <string>force_installed</string>
          <key>install_url</key>
          <string>https://addons.mozilla.org/firefox/downloads/latest/{2e0d1041-8b91-445c-8e94-c0de42df6251}/latest.xpi</string>
          <key>private_browsing</key>
          <string>allowed</string>
          <key>updates_disabled</key>
          <string>false</string>
        </dict>
      </dict>
      <key>Preferences</key>
      <dict>
        <key>extensions.openPopupWithoutUserGesture.enabled</key>
        <dict>
          <key>Value</key>
          <string>true</string>
          <key>Status</key>
          <string>default</string>
        </dict>
      </dict>
    </dict>
    </plist>
  10. Choose if you want to push the update to all computers set in the scope or only to newly assigned endpoints.
  11. Click Save.

Deploy to Prisma Access Browser (formerly Talon)

  1. Sign in to the Prisma or Talon management console.
  2. Go to Policy > Rules.
  3. Add/create a new Browser Security rule.
  4. Select the scope of users/users groups to receive the Incydr browser extension.
  5. Go to Browser Customization controls and add the Extension Force Install rule to the policy.
  6. Enter the Incydr browser extension ID or URL:
  7. Save the rule.
  8. Go to Browser Hardening > Native Messaging Hosts.
  9. Select Allow or Allow only hosts with installed with admin permissions.
    If Native Messaging Hosts is set to Block, the Incydr browser extension cannot send data to the insider risk agent installed on the device. A connection to the agent is required to report file activity to the Incydr cloud.

Deploy to Island

  1. Sign in to the Island management console.
  2. Go to Browser > Extension Management.
  3. Select Create to add a new rule.
  4. Enter a descriptive name (for example: "Incydr browser extension").
  5. Select Any source to deploy to all users, or Specific Sources to deploy to specific users or groups.
  6. Click Create.
  7. From the list of all extension management rules, select the rule you just created.
  8. Go to Extensions > Manage extensions > Force-installed extensions.
  9. Enter the Incydr browser extension ID: hamlakigaoomkpddnpnbjkhdfppbnjjh
  10. Click Add.
  11. Click Save changes.

Browser permissions

The Incydr browser extension requires the following permissions.

Permission Usage
Read your browsing history

Allows the extension to view which websites are visited and when files are uploaded to those sites.

The extension does not read the contents of uploaded files.
Read data you copy and paste

Allows the extension to see when and where a paste action occurs.

The extension does not access the content of the copied/pasted data.
Manage your downloads

Used to monitor files downloaded to the user's endpoint.

The extension does not read the contents of downloaded files.
Know your email address

Used to identify if the logged-in user belongs to a personal or corporate account.

  • The email address is especially helpful for sites that use the same URL for both personal and corporate accounts.
  • The email address is also used for identifying trusted activity and applying preventative controls.
Communicate with cooperating native applications Required for the extension to communicate with the insider risk agent installed on the endpoint. Chromium extensions operate in a sandbox unless given explicit access to system-level applications.

The extension's permission requests are limited to Google's set of pre-defined permissions. While we make every effort to adhere to the principle of least privilege, in some cases, Incydr may request a permission that provides more access than is used by the extension. For example, Incydr only uses the Read data you copy and paste permission to identify the destination of a paste event. Incydr does not access, read, or store the content of the copied/pasted data. However, Google does not provide a permission scoped to only read the existence and destination of a paste event.

External resources

Downloads
Jamf Pro guides
Microsoft Intune

Related topics

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.