Managing Browsium Client Browser Extensions

If the Browsium Client was installed using the suggested default option to allow for enabling and management of the Browsium extension, this section can be ignored and no additional action is needed. This section is included for customers that opted to control settings manually.

It is important to develop a strategy to properly deploy and manage Browsium Client software on end user PCs. As part of your strategy, two important system configuration options should be considered when using Catalyst.

The first is to ensure Browsium Client browser extensions are enabled for all supported browsers on each client PC. It is recommended that you also block end users from disabling Browsium Client browser extensions once they’ve been enabled.

The second is to ensure that neither Internet Explorer, Edge, Chrome, nor Firefox are selected as the ‘default browser’ or set to prompt to become the default — Catalyst itself (actually Browsium Client Launcher) must be the default so it can route all navigation to the appropriate browser. Catalyst will take over as the default browser automatically, every time the Controller starts.

These important configuration options can be managed by Group Policy in both Internet Explorer and Google Chrome. Mozilla Firefox does not natively support Group Policy today.

Alternatively, you can manage the enforcement of the browser settings for Internet Explorer and Chrome by adding or changing registry settings manually. To modify settings manually in the local PC registry, administrators will need to use a registry editor. The default Windows registry editor which must be launched from the Run command is regedit.exe. For a large organization, registry edits can be scripted and applied using a variety of enterprise management tools.

The remainder of this section covers management of Browsium Client browser extensions.

Enable the Browsium Internet Explorer Extension via Group Policy

A critical element of any Catalyst deployment is ensuring the Browsium Internet Explorer Extension is set to ‘enabled’ in Internet Explorer on all client PCs. To prevent malicious or unwanted add-ons from impacting the user experience, recent versions of Internet Explorer require user confirmation before any new add-on is enabled, unless that add-on is set to ‘enabled’ during the deployment process. In this section, you will learn the procedures for centrally enabling the Browsium Internet Explorer Extension during deployment.

The most common way to enable the Browsium Internet Explorer Extension during deployment is by utilizing Group Policy to make the necessary registry changes on client PCs. Alternative methods to modify the registry on client PCs, such as a Visual Basic Script, can also be employed. The following guidance is adapted from articles on Microsoft’s TechNet website, and includes the process to identify the GUID/CLSID of the Browsium Internet Explorer Extension, which must be located in the registry once it is installed in your environment.

Group Policy - Understanding the ‘Add-on List Policy’

Administrators can control the use of specific add-ons in Internet Explorer through the Add-on List Policy. Administrators can choose to enable or disable an add-on as well as allow a specific add-on to be managed by the user.

Policy Name: add-on list

Path: User Configuration or Computer Configuration node; Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management. To set this policy, an administrator can enable the policy and enter the GUID/CLSID of the Browsium Client add-on to the Add-on List and set the value to 1.

Determining the GUID/CLSID of the Browsium Internet Explorer Extension

After installing Browsium Client, use Internet Explorer Tools menu to choose Manage add-ons.

You’ll then be presented with the Manage Add-ons interface where you will see Browsium Internet Explorer Extension in the list.

Right Click on the Browsium Internet Explorer Extension and choose “More Information” from the dropdown menu.

The CLSID, (Class ID) will appear in the dialog box.

Click the “Copy” button and then paste the contents of this dialog box (including the Class ID) to Notepad for later reference and save the text file. When you make the registry changes documented above, you will need to use the Class ID to identify the extension in the policy.

To set this policy with a manual or automated registry entry, an administrator can create a registry value based on the GUID/CLSID of the extension in either of the following keys and then set the desired value. When you enter the GUID/CLSID be sure to include the open brace at the beginning and the close brace at the end.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{CLSID}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{CLSID}

Each add-on is a value in this registry key with the following properties.

Name: GUID of add on which is {B3A6DA95-9243-48E9-AF2E-52F4FF155B9D}

Type: REG_SZ

Value:

• 0 - Add-on is disabled and cannot be managed by the end user.

• 1 - Add-on is allowed and cannot be managed by the end user.

The Add-on (CLSID) lists are empty by default.

Disable Internet Explorer’s Default Browser Check

By default, some versions of Internet Explorer will prompt the user to select it as the default browser. Since Catalyst becomes the default browser, you will want to prevent this behavior.

With Group Policy settings and local registry settings, you can remove the ability for end users to change the default browser to Internet Explorer. Depending on which Group Policy template is on the system, this policy will vary. This policy allows you to prevent Internet Explorer from checking to see whether it is the default browser and prevents the user from changing it.

Before you enable this policy, you will want to uncheck the box “Tell me if Internet Explorer is not the default browser”. The check box is on the Program tab in the Internet Options dialog box. You can uncheck the box with a registry setting in the HKCU hive. The path to the registry key is below. The value for “Check Associations” should be “no”.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]“Check_Associations”=“no”

The Group Policy settings are listed below. All of them can be found at the following path:

Path: User Configuration\Administrative Templates\Windows Components\Internet Explorer

For IE8 & IE9:

Policy Name: Prevent changing default browser check

For IE10:

Policy Name: Disable changing default browser check

For IE11:

Policy Name: Notify users if Internet Explorer is not the default web browser

If you enable this policy, the Internet Explorer Should Check to See Whether It Is the Default Browser. Also, the check box on the Programs tab in the Internet Options dialog box appears dimmed and the user cannot change the default browser to IE. If you disable this policy or do not configure it, users can determine whether Internet Explorer will check to see if it is the default browser. When Internet Explorer performs this check, it prompts the user to specify which browser to use as the default.

Enable Browsium Client Extension for Microsoft Edge (Legacy)

Microsoft Edge (Legacy) requires systems to be domain joined and logged in with a domain user account to use the Browsium Client extension. In addition, application sideloading needs to be enabled.

To do this, you will need to configure the following Group Policy setting:

Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\App Package Deployment\Allow all trusted apps to install

This setting must be set to ‘Enabled’ or the Browsium Client extension will not be installed and enabled for Microsoft Edge.

Enable Browsium Client Extension for Microsoft Edge (Chromium)

Microsoft provides Group Policy templates that allow you to force installation of extensions based on a provided list of extension IDs and sources.

1. Download the Edge (Chromium) Group Policy templates if you do not already have them imported — (https://www.microsoft.com/en-us/edge/business/download — You will need to list a version/build before the “Get Policy” link will become enabled.)

2. Locate the ExtensionInstallForceList policy, configure it and add the extension ID 

adociibhpcfhbfkahfbdkakmehnmnkgd;http://crx.browsium.com/browsium-chrome-4.9.1.xml

Enable Browsium Client Extension for Google Chrome

To ease your Group Policy setup, several templates can guide you through the configurable options. Group Policy templates, and associated guidance, are provided by Google and can be found on Google’s support site. You may find additional settings (beyond those documented here) that you may wish to enforce or enable based upon your organization’s preferences.

By default, Chrome automatically disables all extensions that are side-loaded (installed by a 3^rd^ party program, like Browsium Client installation package), requiring users to enable them manually. The only way to centrally enable Browsium Client Extension for Chrome for enterprise deployment is via Group Policy for domain-joined systems.

The policy Configure the list of force-installed extensions (a.k.a. ExtensionInstallForcelist) allows you to specify a list of extensions that will be installed silently and enabled by default, without user interaction. This policy also works for side-loaded extensions, effectively overriding the default behavior in Chrome.

Each item of the list is a string that contains an extension ID and an update URL, separated by a semicolon (;). The extension ID is the 32-letter string found e.g. on chrome://extensions when in ‘Developer mode’. The update URL must point to an Update Manifest XML document as described at http://code.google.com/chrome/extensions/autoupdate.html. Note that the update URL set in this policy is only used for the initial installation; subsequent updates of the extension will use the update URL indicated in the extension’s manifest.

For each item, Google Chrome will retrieve the extension specified by the extension ID from the update service at the specified update URL and silently install it. Users will be unable to uninstall extensions that are specified by this policy. If you remove an extension from this list, it will be automatically uninstalled by Google Chrome. Extensions specified in this list are also automatically whitelisted for installation; the Configure extension installation blacklist (a.k.a. ExtensionInstallBlackList) does not affect them.

A by-product of the ExtensionInstallForceList policy is that managed extensions are silently installed in Chrome, enabled by default, and block users from disabling or removing them. This is desired for enterprise deployment of Browsium Client. If this policy is ‘Not Configured’, users can delete any extension in Chrome, including Browsium Client Extension, from the Extensions page. This is undesirable, as side-loaded extensions that are deleted are automatically blacklisted and re-enabling them is tricky (but achievable). Contact Browsium Support if this happens.

To force-enable Browsium Client Extension for Chrome and lock it down so users can’t disable or delete it, you will use the Configure the list of force-installed extensions policy. This process requires an XML Manifest, which references the Proton extension’s .crx file. Both must be available on a server or in the Chrome web store. Browsium is hosting these files for all customers on browsium.com.

Follow these steps to ensure that this method is properly configured using Group Policy for your domain-joined systems. These instructions assume you’re using the ADM template. The Group Policy location will change if using ADMX.

As of Chrome 33, the ExtensionInstallForceList policy is only enforced for domain-joined systems. All client PCs in your environment must be joined to a Windows domain or you will not be able to centrally manage Browsium Client Extension. Attempting to configure ExtensionInstallForceList via the Local Policy Editor will result in unpredictable behavior of the extension.

1. Install Browsium Client software.

2. Download the Group Policy templates for Chrome from the Google support site.

3. Import the Google Chrome Group Policy template into your Group Policy editor.

4. Enable the policy Configure the list of force-installed extensions.http://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip

5. Enter the following value by selecting the ‘Show…’ button in the Options window and apply the setting.\

   (This is the Browsium Client Extension ID followed by the URL for the manifest XML document, with no spaces in the string.)

adociibhpcfhbfkahfbdkakmehnmnkgd;http://crx.browsium.com/browsium-chrome-4.9.1.xml

Browsium Client Extension for Chrome may have a different version number from the other Browsium Client and Catalyst components as maintenance versions are released. See the version number section of the Catalyst Version History KB article for details on the release date and version number for the Browsium Client Extension for Chrome.

Disable Chrome’s Default Browser Check

Group policy can be used to configure the default browser checks in Google Chrome and prevent users from changing them. If you ‘Enable’ this setting, Chrome will always check on startup whether it is the default browser and automatically register itself if possible. If this setting is ‘Disabled’, Chrome will never check if it is the default browser and will disable user controls for setting this option (the desired state when using Catalyst). If this setting is ‘Not Configured’, Chrome will allow the user to control whether it is the default browser and whether user notifications should be shown when it isn’t.

For all users running Catalyst, the Set Chrome as Default Browser setting (a.k.a. DefaultBrowserSettingEnabled) should be “Disabled” in your Group Policy editor. The path for this setting in the Local Group Policy Editor is Local Computer Policy\Administrative Templates\Classic Administrative Templates (ADM)\Google\Google Chrome.

Enable the Browsium Client Extension for Mozilla Firefox

Mozilla Firefox does not allow client software to install an extension and enable it by default. Nor does it contain a centralized management facility to keep users from tampering with extensions like Internet Explorer and Chrome. However, Browsium Client includes a facility to automatically enable the extension every time the user logs onto the system, so administrators can ensure that the Firefox extension is always enabled.

To enable Browsium Client Extension for Firefox automatically, create the registry value:

… for 32-bit Windows systems:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Enable Browsium Extension (REG_SZ) = “C:\Program files\Browsium\Client\BrowsiumController.exe” /ef

… for 64-bit Windows systems:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Enable Browsium Extension (REG_SZ) = “C:\Program Files (x86)\Browsium\Client\BrowsiumController.exe” /ef

Disable Firefox’s Default Browser Check

This policy configures the default browser checks in Mozilla Firefox and prevents users from changing them. If you enable this setting, Firefox will not check on startup whether it is the default browser and also will not allow the user to change this setting.

For all users on a PC, the Disable Firefox Default Browser Check setting should be “enabled” in your Group Policy editor. The path for this setting is Local Computer Policy\Administrative Templates\Classic Administrative Templates (ADM)\Mozilla Firefox.

This setting will make the following changes to the PC’s registry once the policy is propagated:

Data type: REG_DWORD

Windows registry location: HKEY_LOCAL_MACHINE\Software\Policies\Firefox\FirefoxCheckDefault

Example value: 0x00000001

The value in this case should set be “0”

Data type: REG_SZ

Windows registry location: HKEY_LOCAL_MACHINE\Software\Policies\Firefox\FirefoxCheckDefaultType

The value in this case should be “Locked”