Deploy the Code42 Incydr browser extension

Overview

The Code42 Incydr browser extension works alongside the insider risk agent to improve browser activity monitoring and to enforce preventative controls.

Specifically, the extension provides:

  • More accurate source and destination details in some situations, such as when users switch between multiple tabs while uploads and downloads are in progress
  • Monitoring of pasting clipboard contents into the browser
  • Blocking of uploads and pastes into the browser via preventative controls

This article explains how to deploy the extension via Google Admin console, Microsoft Intune, and Jamf Pro. For assistance deploying the extension with other tools, contact your Customer Success Manager (CSM) to engage our Professional Services team.

Considerations

  • To use the Code42 Incydr browser extension, user devices must be running:
    • A supported Windows, macOS, or Linux operating system
    • Insider risk agent version 1.9.2 or later for Windows and macOS
    • Insider risk agent version 1.12.0 or later for Linux
    • The Google Chrome or Microsoft Edge web browser (most recent version)
  • The Code42 Incydr browser extension can only be deployed in a managed browser environment.

Options for deploying the extension

Choose the steps below appropriate for your environment.

Deploy to Chrome via Google Admin console

Step 1: Enroll browsers

To force-install the Code42 Incydr browser extension for all user profiles, you must first enroll browsers for management:

  1. Sign in to your Google Admin console as a user with Google Workspace Super Admin permissions.
  2. Ensure Chrome Browser Management is enabled. See Google support for more details.
  3. Select Devices.
  4. Navigate to Chrome > Managed Browsers.
  5. Select the appropriate Organizational Unit.
  6. Click Enroll.
  7. Enroll browsers with the enrollment token. See Google support for more details.
  8. Restart the Google Chrome browser and confirm enrollment was successful.

Step 2: Set policies for enrolled browsers

After employee browsers are enrolled, configure the user and browser policy to force-install the Code42 Incydr browser extension.

  1. Navigate to Chrome > Apps and Extensions > Users & Browsers.
  2. Select the appropriate Organizational Unit.
  3. Click the plus (+) icon and select the Add Chrome app or extension by ID icon.
  4. In the View app by ID field, enter: hamlakigaoomkpddnpnbjkhdfppbnjjh
  5. Select the Code42 Incydr extension.
  6. In the extension settings, change Allow install to Force install.
  7. Click Save.

Deploy to Edge via Microsoft Intune

Managed environment required
To deploy the Code42 Incydr browser extension, Windows devices must be joined to a Microsoft Active Directory domain. macOS devices must be managed via a mobile device management (MDM) tool or joined to a domain via MCX.

  1. Sign in to Microsoft Intune.
  2. Select Devices.
  3. Select Policy > Configuration Profiles.
  4. In the Profiles tab, select Create Profile.
  5. Select a platform ("macOS" or "Windows 10 and later"). 
  6. In the Profile type dropdown, select Settings catalog.
  7. Click Create.
  8. Enter a name and description, then click Next.
  9. From the Configuration settings tab, click Add settings.
    • For Windows:
      1. Select Microsoft Edge > Extensions.
      2. Select the setting name Configure extension management settings.
      3. Close the Settings picker.
      4. Enable Configure extension management settings.
      5. In the Configure extension management setting field, enter:
        {"hamlakigaoomkpddnpnbjkhdfppbnjjh": {"installation_mode": "force_installed","update_url": "https://clients2.google.com/service/update2/crx" }}
      6. Click Next.
    • For Mac:
      1. Select Microsoft Edge.
        A list of settings appears below.
      2. Select the setting Control which extensions are installed silently.
      3. Close the Settings picker window.
      4. In the empty text field, enter: https://chrome.google.com/webstore/detail/code42-incydr/hamlakigaoomkpddnpnbjkhdfppbnjjh/related 
      5. Click Next.
  10. In the Scope tags tab, click Select scope tags.
  11. Select Default and click Next.
  12. In the Assignments tab, select the groups to receive the extension. We recommend adding all users and/or devices.
  13. Click Next.
  14. Click Create.

Deploy to Chrome or Edge via SCCM

Step 1: Create a configuration item

  1. Sign in to Microsoft Configuration Manager.
  2. Select Assets and Compliance > Create Configuration Item.
    The Create Configuration Item Wizard appears.
  3. Enter a name and description. For example: Code42 Incydr Chrome Browser Extension
  4. Under Settings for devices managed with Configuration Manager client, select Windows Desktops and Servers (custom), then click Next.
  5. Select the platforms where the extension will be installed, then click Next.
  6. From General > Settings, click New. Enter the following settings values, then click OK:
    • Name: ExtensionInstallForcelist
    • Description: Code42 Incydr Chrome Browser Extension
    • Setting type: Registry value
    • Data type: String
    • Hive Name: HKEY_LOCAL_MACHINE
    • Key Name: 
      • Chrome: Software\Policies\Google\Chrome\ExtensionInstallForcelist
      • Edge: Software\Policies\Microsoft\Edge\ExtensionInstallForcelist
    • Value Name: 1
      The Value Name must be a unique number. If you deploy other extensions via SCCM, use a different number for each.
  7. Select the Compliance Rules tab and click New. Enter the following settings values:
    • Name/Description: Code42 Incydr Browser Extension Compliance Rule
    • For the following values: hamlakigaoomkpddnpnbjkhdfppbnjjh;https://clients2.google.com/service/update2/crx
    • Select Remediate noncompliant rules when supported
    • Select Report noncompliance if this setting instance is not found
  8. Click OK and close the Create Configuration Item Wizard.

Step 2: Create a configuration baseline

  1. Navigate to Assets and Compliance > Compliance Settings > Configuration Baselines.
  2. Create a new configuration baseline.
  3. Enter a name and description. For example: Code42 Incydr Chrome Browser Extension.
  4. In the Configuration data section, select Add > Configuration items.
  5. Select the Code42 Incydr Chrome Browser Extension configuration item you created above and click Add.
  6. Click OK.

Step 3: Deploy the configuration baseline

  1. Navigate to Assets and Compliance > Compliance Settings > Configuration Baselines.
  2. Select the Code42 Incydr Chrome Browser Extension baseline and click Deploy.
    The Deploy Configuration Baseline wizard appears.
  3. Confirm that the Code42 Incydr Chrome Browser Extension baseline is selected. If not, add it.
  4. Select Remediate noncompliant rules when supported.
  5. Select the collection to deploy to.
  6. Set the compliance evaluation schedule. For testing or immediate deployment, set to 1 minute.
  7. Click OK.

Step 4: Confirm deployment to user devices

  1. From a user’s device, open Google Chrome.
  2. In the address bar, enter chrome://policy to view all applied policies.
  3. Alternatively, enter chrome://extensions to verify if the Code42 Incydr Chrome Browser Extension is installed.
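
As a pre-deployment check on the values used above (the ExtensionInstallForcelist entry from the SCCM steps and the extension management JSON from the Intune steps), this added Python example, which is not Code42's own tooling, flags malformed extension IDs, reused value names, and update URLs that are not HTTPS. The function names are hypothetical; the extension ID and update URL are the ones given on this page.

```python
import json
import re
from urllib.parse import urlparse

INCYDR_ID = "hamlakigaoomkpddnpnbjkhdfppbnjjh"  # extension ID from this page
UPDATE_URL = "https://clients2.google.com/service/update2/crx"  # from this page
ID_RE = re.compile(r"[a-p]{32}")  # Chromium extension IDs are 32 letters a-p

def _url_problems(url):
    u = urlparse(url)
    ok = u.scheme == "https" and bool(u.netloc)
    return [] if ok else [f"update URL is not an https URL: {url!r}"]

def lint_forcelist(values):
    """Check (value_name, data) pairs as entered for ExtensionInstallForcelist."""
    problems, seen, found = [], set(), False
    for name, data in values:
        if not name.isdigit():
            problems.append(f"value name {name!r} is not a number")
        if name in seen:
            problems.append(f"value name {name!r} is reused")
        seen.add(name)
        ext_id, _, url = data.partition(";")  # the URL part is optional
        if not ID_RE.fullmatch(ext_id):
            problems.append(f"malformed extension ID {ext_id!r}")
        if url:
            problems += _url_problems(url)
        found = found or ext_id == INCYDR_ID
    if not found:
        problems.append("Incydr extension ID is not in the forcelist")
    return problems

def lint_extension_settings(raw):
    """Check the JSON entered for 'Configure extension management settings'."""
    try:
        settings = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    entry = settings.get(INCYDR_ID) if isinstance(settings, dict) else None
    if not isinstance(entry, dict):
        return ["Incydr extension ID is not in the settings"]
    problems = []
    if entry.get("installation_mode") != "force_installed":
        problems.append("installation_mode is not force_installed")
    return problems + _url_problems(str(entry.get("update_url", "")))

if __name__ == "__main__":
    print(lint_forcelist([("1", f"{INCYDR_ID};{UPDATE_URL}")]))  # values from the page
```

An empty list from either function means the value matches what this page specifies; each string in a non-empty list names one thing to correct before the policy is pushed.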

Deploy to Chrome or Edge via Jamf Pro (Mac only)

Use the same profile for all browser extensions
If you manage multiple browser extensions, include the configuration details for all extensions in one profile to reduce the risk of unintended behavior. Deploying separate profiles for each extension can lead to conflicts that prevent extensions from functioning properly.

  1. Sign in to your Jamf Pro console.
  2. Select Computers.
  3. Select Content Management > Configuration Profiles.
  4. Update an existing configuration profile, or create a new one.
    1. Select Application & Custom Settings.
    2. Select External Applications.
  5. For Google Chrome:
    1. Add a new application for com.google.Chrome
    2. Use the following key/value pairs:
{
  "title": "Google Chrome Extensions (com.google.Chrome)",
  "description": "Install extensions in Google Chrome",
  "properties": {
    "ExtensionInstallForcelist": {
      "title": "Extension Install Forcelist",
      "description": "Add extension IDs. Paste the extension ID in front of the default text.",
      "property_order": 5,
      "type": "array",
      "items": {
        "title": "Extension ID",
        "default": "hamlakigaoomkpddnpnbjkhdfppbnjjh;https://clients2.google.com/service/update2/crx",
        "type": "string"
      }
    }
  }
}
  6. For Microsoft Edge:
    1. Add a new application for com.microsoft.Edge
    2. Use the following key/value pairs:
{
  "title": "Microsoft Edge Extensions (com.microsoft.Edge)",
  "description": "Install extensions in Microsoft Edge",
  "properties": {
    "ExtensionInstallForcelist": {
      "title": "Extension Install Forcelist",
      "description": "Add extension IDs. Paste the extension ID in front of the default text.",
      "property_order": 5,
      "type": "array",
      "items": {
        "title": "Extension ID",
        "default": "hamlakigaoomkpddnpnbjkhdfppbnjjh;https://clients2.google.com/service/update2/crx",
        "type": "string"
      }
    }
  }
}

Browser permissions

The Code42 Incydr browser extension requires the following permissions.

Permission Usage
Read your browsing history

Allows the extension to view which websites are visited and when files are uploaded to those sites.

The extension does not read the contents of uploaded files.

Read data you copy and paste

Allows the extension to see when and where a paste action occurs.

The extension does not access the content of the copied/pasted data.

Manage your downloads

Used to monitor files downloaded to the user's endpoint.

The extension does not read the contents of downloaded files.

Know your email address

Used to identify if the logged-in user belongs to a personal or corporate account.

  • The email address is especially helpful for sites that use the same URL for both personal and corporate accounts.
  • The email address is also used for identifying trusted activity and applying preventative controls.

Communicate with cooperating native applications

Required for the extension to communicate with the Code42 insider risk agent installed on the endpoint. Chromium extensions operate in a sandbox unless given explicit access to system-level applications.

The extension's permission requests are limited to Google's set of pre-defined permissions. While we make every effort to adhere to the principle of least privilege, in some cases, Incydr may request a permission that provides more access than is used by the extension. For example, Incydr only uses the Read data you copy and paste permission to identify the destination of a paste event. Incydr does not access, read, or store the content of the copied/pasted data. However, Google does not provide a permission scoped to only read the existence and destination of a paste event.

External resources

Downloads
Jamf Pro guides
Microsoft Intune
