search cancel

Installing the Endpoint Protection Chrome Browser Extension using an Active Directory Group Policy Object

book

Article ID: 214750

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

Starting with Symantec Endpoint Protection (SEP) 14.3 RU2, a Chrome Browser Extension is installed to provide further protection to the system.  One method for installing the extension is through an Active Directory (AD) Group Policy Object (GPO).

Environment

  • SEP 14.3 RU2 and later

Chrome

Resolution

To install the SEP Chrome browser extension using an Active Directory Group Policy Object:

  1. Ensure you have the latest Chrome Browser ADM policy.   See Set Chrome Browser policies on managed PCs  for more information.
    • NOTE: Using an older Chrome Browser ADM template can result in the extension failing to load due to deprecated settings.
  2. Unzip policy_templates.zip
  3. Open Group Policy Management and expand Forest -- Domains -- your domain -- Group Policy Objects
  4. Right click on the group policy object that you want to edit
  5. Expand Computer Configuration -- Policies -- Administrative Templates
  6. Right-click on Administrative Templates and choose Add/Remove Templates... and click Add.
    NOTE: Configuration via Computer GPO policy is required .  The SEP Chrome browser extension install logic does not support User Policy settings and if they are configured will fall back to writing to local GPO.
  7. Navigate to the expanded Google Chrome Bundle "adm" folder and "en-US" (for example) and select "chrome.adm". Click Close.
  8. Under Administrative Templates, navigate to the new item: Classic Administrative Templates (ADM) -- Google -- Chrome -- Extensions.
  9. Locate the property: Configure the list of force-installed extensions.
  10. Right click on the property, click Enabled.
  11. Under Options, click Show, then enter the following information in Value.
    • pamolibmfebkknkdmfabpjebifbffbec;https://clients2.google.com/service/update2/crx
      This value is the Google-assigned GUID for the Chrome extension and the URL from which the extension will be downloaded. 
    • NOTE: This ID does not change and is still used for the Chrome App Store listing https://chrome.google.com/webstore/detail/symantec-endpoint-protect/pamolibmfebkknkdmfabpjebifbffbec. Customers can use this ID when configuring extensions via AD GPO.
  12. Save the changes.

NOTE: SEP will honor the active directory GPO first, and if our extension ID is not found SEP will fall back to installing the extension from the Liveupdate package via local GPO, provided the following Chrome GPO policy extensions settings are not configured.  

    • configure extension installation blocklist
    • blocks external extensions from being installed

If the above settings are configured, you will need to add the following extension ID's to the Chrome GPO policy setting Configure Extension installation allow list.

Distribution Channel Extension ID
Google Chrome Web Store pamolibmfebkknkdmfabpjebifbffbec
LiveUpdate gnhglcnkcmhnocgkcnlliammpmagaghd  -- 14.3 RU2/RU3/RU4 version 1.1.0.18 of webextbridge.exe. 
amnfbgkhpdmeeobndndgebhdklioljbc  -- 14.3 RU2/RU3/RU4 version 1.2.0.39 of webextbridge.exe.  released April 13th to May 11th 2022.

GPO snapshot for reference : 

Additional Information

  • If an Active Directory Group Policy Object policy is used to configure Chrome extensions in an environment, this policy will take precedence over any Browser Extension added by the SEP agent in the local Group Policy Objects which would result in the browser extension not being installed.

In this case, the SEP Chrome Browser Extension must be configured using the steps above. This could be done locally for non-domain computers or via GPO for domain members

Starting with SES 14.3 RU4, you can disable IPS "Browser Intrusion Prevention" in SES client settings or SES IPS policy, which will unload the Chrome Browser extension.  When re-enabling Browser Intrusion prevention, it can take some time for the extension to reload.

NOTE: The above change is only for cloud enrolled SES clients.

To prevent installation or remove the SEP Chrome Browser extension, choose one of the following options:

  • If you are part of a Google Enterprise account, then use Google's Admin Console to specify the list of allowed extensions (minus SEP's extension).
  • Set the force-install policy at the domain level to a list of extensions that does not include SEP's extension. This must be done at domain level; SEP will override the local configuration.
  • Edit and lockdown (deny write access to) the related registry key:
    HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist
  • Uninstall the SEP IPS component.
  • Disable the force-install policy setting at domain level (or locally, for non-domain computers)—this will prevent the forced installation of all extensions.

Attachments