1. Code42 Support
  2. Incydr
  3. Incydr administration
  4. Planning and installing

Deploy the Code42 Incydr browser extension

Updated

Overview

The Code42 Incydr browser extension works alongside the insider risk agent to improve browser activity monitoring and to enforce preventative controls.

Specifically, the extension provides:

  • More accurate source and destination details in some situations, such as when users switch between multiple tabs while uploads and downloads are in progress
  • Monitoring of pasting clipboard contents into the browser
  • Blocking of uploads and pastes into the browser via preventative controls

This article explains how to deploy the extension via Google Admin console, Microsoft Intune, and Jamf Pro. For assistance deploying the extension with other tools, contact your Customer Success Manager (CSM) to engage our Professional Services team.

Considerations

  • To use the Code42 Incydr browser extension, user devices must be running:
    • A supported Windows, macOS, or Linux operating system
    • Insider risk agent version 1.9.2 or later for Windows and macOS
    • Insider risk agent version 1.12.0 or later for Linux
    • The Google Chrome or Microsoft Edge web browser (most recent version)
  • The Code42 Incydr browser extension can only be deployed in a managed browser environment.

Options for deploying the extension

Choose the steps below appropriate for your environment.

Deploy to Chrome via Google Admin console

Step 1: Enroll browsers

To force-install the Code42 Incydr browser extension for all user profiles, you must first enroll browsers for management:

  1. Sign in to your Google Admin console as a user with Google Workspace Super Admin permissions.
  2. Ensure Chrome Browser Management is enabled. See Google support for more details.
  3. Select Devices.
  4. Navigate to Chrome > Managed Browsers
  5. Select the appropriate Organizational Unit.
  6. Click Enroll.
  7. Enroll browsers with the enrollment token. See Google support for more details.
  8. Restart the Google Chrome browser and confirm enrollment was successful.

Step 2: Set policies for enrolled browsers

After employee browsers are enrolled, configure the user and browser policy to force-install the Code42 Incydr browser extension.

  1. Navigate to Chrome > Apps and Extensions > Users & Browsers.
  2. Select the appropriate Organizational Unit.
  3. Click the plus (+) icon and select the Add Chrome app or extension by ID icon.
  4. In the View app by ID field, enter: hamlakigaoomkpddnpnbjkhdfppbnjjh
  5. Select the Code42 Incydr extension.
  6. In the extension settings, change Allow install to Force install.
  7. Click Save.

Deploy to Chrome or Edge via Microsoft Intune

Managed environment required
To deploy the Code42 Incydr browser extension, Windows devices must be joined to a Microsoft Active Directory domain. macOS devices must be managed via a mobile device management (MDM) tool or joined to a domain via MCX.
This section applies to using Intune to deploy the Incydr extension to:
  • Chrome and Edge on Windows
  • Edge on macOS
  • For Chrome on macOS, see the next section instead
  1. Sign in to your Microsoft Intune.
  2. Select Devices.
  3. Select Configuration.
  4. Select Create > New Policy.
  5. Select a platform ("macOS" or "Windows 10 and later"). 
  6. In the Profile type dropdown, select Settings catalog.
  7. Click Create.
  8. Enter a name and description, then click Next.
  9. From the Configuration settings tab, click Add settings.
    • For Windows:
      1. Select either:
        • Chrome: Google Google Chrome Extensions
        • Edge: Microsoft Edge > Extensions
      2. In the list of setting names, select either:
        • Chrome: Extension management settings (Device)
        • Edge: Configure extension management settings
      3. Close the Settings picker.
      4. Enable Extension management settings (Device) for Chrome, or Configure extension management settings for Edge.
      5. In the Configure extension management setting field, enter:
        {"hamlakigaoomkpddnpnbjkhdfppbnjjh": {"installation_mode": "force_installed","update_url": "https://clients2.google.com/service/update2/crx" }}
      6. Click Next.
    • For Mac:
      1. Select Microsoft Edge. (For Chrome, follow the steps in the Deploy to Chrome via Microsoft Intune for macOS section below instead.)
        A list of settings appear below.
      2. Select the setting Control which extensions are installed silently.
      3. Close the Settings picker window.
      4. In the empty text field, enter: hamlakigaoomkpddnpnbjkhdfppbnjjh;https://clients2.google.com/service/update2/crx 
      5. Click Next.
  10. In the Scope tags tab, click Select scope tags.
  11. Select Default and click Next.
  12. In the Assignments tab, select the groups to receive the extension. We recommend adding all users and/or devices.
  13. Click Next.
  14. Click Create.

Watch: Deploy via Microsoft Edge and Intune (Windows)

 

Watch: Deploy via Google Chrome and Microsoft Intune (Windows)

Deploy to Chrome via Microsoft Intune for macOS

Managed environment required
To deploy the Code42 Incydr browser extension, macOS devices must be managed via a mobile device management (MDM) tool or joined to a domain via MCX.

Step 1: Create a .plist file

To deploy the Incydr browser extension via Intune for macOS, you must first create a .plist file, which you will use to complete the steps in the next section.

To create the file:

  1. Open a new blank document in a plain text editor.
  2. Copy the text below and paste it into the text editor:
    <key>ExtensionInstallForcelist</key>
      <array>
        <string>hamlakigaoomkpddnpnbjkhdfppbnjjh;https://clients2.google.com/service/update2/crx</string>
      </array>
  3. Save the file with the .plist extension. For example: Code42IncydrChromeExtension.plist
  4. Note the location of the saved file. You will need it to complete the configuration steps in the next section.

Step 2: Configure Intune

  1. Sign in to your Microsoft Intune.
  2. Select Devices.
  3. Select Manage devices > Configuration.
  4. Select Policies.
  5. Select Create > New Policy.
  6. In the Platform dropdown, select macOS.
  7. In the Profile type dropdown, select Templates.
  8. For the Template Name, select Preference file.
  9. Click Create.
  10. Enter a name and description (for example: "Code42 Incydr Browser Extension - Chrome"), then click Next.
  11. On the Configuration settings tab:
    1. For the Preference domain name, enter: com.google.Chrome
    2. For the Property list file, select the .plist file you created above in Step 1.
    3. Click Next.
  12. In the Assignments tab, select the groups to receive the extension. We recommend adding all users and/or devices.
  13. Click Next.
  14. Click Create.

Watch: Deploy via Google Chrome and Microsoft Intune (Mac)

Watch: Deploy via Microsoft Edge and Intune (Mac)

Deploy to Chrome or Edge via SCCM

Step 1: Create a configuration item

  1. Sign in to Microsoft Configuration Manager.
  2. Select Assets and Compliance > Create Configuration Item.
    The Create Configuration Item Wizard appears.
  3. Enter a name and description. For example: Code42 Incydr Chrome Browser Extension
  4. Under Settings for devices managed with Configuration Manager client, select Windows Desktops and Servers (custom), then click Next.
  5. Select the platforms where the extension will be installed, then click Next.
  6. From General > Settings, click New. Enter the following settings values, then click OK:
    • Name: ExtensionInstallForcelist
    • Description: Code42 Incydr Chrome Browser Extension
    • Setting type: Registry value
    • Data type: String
    • Hive Name: HKEY_LOCAL_MACHINE
    • Key Name: 
      • Chrome: Software\Policies\Google\Chrome\ExtensionInstallForcelist
      • Edge: Software\Policies\Microsoft\Edge\ExtensionInstallForcelist
    • Value Name: 1
      The Value Name must be a unique number. If you deploy other extensions via SCCM, use a different number for each.
  7. Select the Compliance Rules tab and click New. Enter the following settings values:
    • Name/Description: Code42 Incydr Browser Extension Compliance Rule
    • For the following values: hamlakigaoomkpddnpnbjkhdfppbnjjh;https://clients2.google.com/service/update2/crx
    • Select Remediate noncompliant rules when supported
    • Select Report noncompliance if this setting instance is not found
  8. Click OK and close the Create Configuration Item Wizard.

Step 2: Create a configuration baseline

  1. Navigate to Assets and Compliance > Compliance Settings > Configuration Baselines.
  2. Create a new configuration baseline.
  3. Enter a name and description. For example: Code42 Incydr Chrome Browser Extension.
  4. In the Configuration data section, select Add > Configuration items
  5. Select the Code42 Incydr Chrome Browser Extension configuration item you created above and click Add.
  6. Click OK.

Step 3: Deploy the configuration baseline

  1. Navigate to Assets amd Compliance > Compliance Settings > Configuration Baselines.
  2. Select the Code42 Incydr Chrome Browser Extension baseline and click Deploy.
    The Deploy Configuration Baseline wizard appears.
  3. Confirm that the Code42 Incydr Chrome Browser Extension baseline is selected. If not, add it.
  4. Select Remediate noncompliant rules when supported.
  5. Select the collection to deploy to.
  6. Set the compliance evaluation schedule. For testing or immediate deployment, set to 1 minute.
  7. Click OK.

Step 4: Confirm deployment to user devices

  1. From a user’s device, open Google Chrome.
  2. In the address bar, enter chrome://policy to view all applied policies.
  3. Alternatively, enter chrome://extensions to verify if the Code42 Incydr Chrome Browser Extension is installed.

Deploy to Chrome or Edge via Jamf Pro (Mac only)

Use the same profile for all browser extensions
If you manage multiple browser extensions, include the configuration details for all extensions in one profile to reduce the risk of unintended behavior. Deploying separate profiles for each extension can lead to conflicts that prevent extensions from functioning properly.
  1. Sign in to your Jamf Pro console.
  2. Select Computers.
  3. Select Content Management > Configuration Profiles.
  4. Update an existing configuration profile, or create a new one.
    1. Select Application & Custom Settings.
    2. Select External Applications.
  5. For Google Chrome:
    1. Add a new application for com.google.Chrome
    2. Use the following key/value pairs:
{
  "title": "Google Chrome Extensions (com.google.Chrome)",
  "description": "Install extensions in Google Chrome",
  "properties": {
    "ExtensionInstallForcelist": {
      "title": "Extension Install Forcelist",
      "description": "Add extension IDs. Paste the extension ID in front of the default text.",
      "property_order": 5,
      "type": "array",
      "items": {
        "title": "Extension ID",
        "default": "hamlakigaoomkpddnpnbjkhdfppbnjjh;https://clients2.google.com/service/update2/crx",
        "type": "string"
      }}}}
  1. For Microsoft Edge:
    1. Add a new application for com.microsoft.Edge
    2. Use the following key/value pairs:
{
  "title": "Microsoft Edge Extensions (com.microsoft.Edge)",
  "description": "Install extensions in Microsoft Edge",
  "properties": {
    "ExtensionInstallForcelist": {
      "title": "Extension Install Forcelist",
      "description": "Add extension IDs. Paste the extension ID in front of the default text.",
      "property_order": 5,
      "type": "array",
      "items": {
        "title": "Extension ID",
        "default": "hamlakigaoomkpddnpnbjkhdfppbnjjh;https://clients2.google.com/service/update2/crx",
        "type": "string"
      }
    }
  }
}

Deploy to Prisma Access Browser (formerly Talon)

  1. Sign in to the Prisma or Talon management console.
  2. Go to Policy > Rules.
  3. Add/create a new Browser Security rule.
  4. Select the scope of users/users groups to receive the Incydr browser extension.
  5. Go to Browser Customization controls and add the Extension Force Install rule to the policy.
  6. Enter the Incydr browser extension ID or URL:
  7. Save the rule. 
  8. Go to Browser Hardening > Native Messaging Hosts.
  9. Select Allow or Allow only hosts with installed with admin permissions.
    If Native Messaging Hosts is set to Block, the Incydr browser extension cannot send data to the Code42 insider risk agent installed on the device. A connection to the agent is required to report file activity to the Code42 cloud.

Deploy to Island

  1. Sign in to the Island management console.
  2. Go to Browser > Extension Management.
  3. Select Create to add a new rule.
  4. Enter a descriptive name (for example: "Incydr browser extension").
  5. Select Any source to deploy to all users, or Specific Sources to deploy to specific users or groups.
  6. Click Create.
  7. From the list of all extension management rules, select the rule you just created.
  8. Go to Extensions > Manage extensions > Force-installed extensions.
  9. Enter the Incydr browser extension ID: hamlakigaoomkpddnpnbjkhdfppbnjjh
  10. Click Add.
  11. Click Save changes.

Browser permissions

The Code42 Incydr browser extension requires the following permissions.

Permission Usage
Read your browsing history

Allows the extension to view which websites are visited and when files are uploaded to those sites.

The extension does not read the contents of uploaded files.
Read data you copy and paste

Allows the extension to see when and where a paste action occurs.

The extension does not access the content of the copied/pasted data.
Manage your downloads

Used to monitor files downloaded to the user's endpoint.

The extension does not read the contents of downloaded files.
Know your email address

Used to identify if the logged-in user belongs to a personal or corporate account.

  • The email address is especially helpful for sites that use the same URL for both personal and corporate accounts.
  • The email address is also used for identifying trusted activity and applying preventative controls.
Communicate with cooperating native applications Required for the extension to communicate with the Code42 insider risk agent installed on the endpoint. Chromium extensions operate in a sandbox unless given explicit access to system-level applications.

The extension's permission requests are limited to Google's set of pre-defined permissions. While we make every effort to adhere to the principle of least privilege, in some cases, Incydr may request a permission that provides more access than is used by the extension. For example, Incydr only uses the Read data you copy and paste permission to identify the destination of a paste event. Incydr does not access, read, or store the content of the copied/pasted data. However, Google does not provide a permission scoped to only read the existence and destination of a paste event.

External resources

Downloads
Jamf Pro guides
Microsoft Intune

Related topics