Installing the Endpoint Protection Browser Extension for Chrome or Edge using an Active Directory Group Policy Object

Article ID: 214750

Products

Endpoint Protection

Issue/Introduction

The Symantec Endpoint Security (SES) or Symantec Endpoint Protection (SEP) agent delivers browser protection through an extension for Google Chrome and Microsoft Edge. This article provides information about which versions support the extension on which browser versions. It also provides guidance for installing the Chrome extension using an Active Directory (AD) Group Policy Object (GPO).

Environment

  • Google Chrome browser extension supported on 14.3 RU2 and later.
  • Microsoft Edge v112 and later supported on 14.3 RU8 and later.

Resolution

To install the SEP browser extension using an Active Directory Group Policy Object, follow the steps below. The steps are specific to Chrome, but they also work for Edge with the correct extension ID.

  1. Obtain the latest Chrome Browser ADM policy. See "Set Chrome Browser policies on managed PCs" for more information.
    • NOTE: Using an older Chrome Browser ADM template can result in the extension failing to load due to deprecated settings.
  2. Unzip policy_templates.zip
  3. Open Group Policy Management and expand Forest -- Domains -- your domain -- Group Policy Objects
  4. Right-click on the group policy object that you want to edit
  5. Expand Computer Configuration -- Policies -- Administrative Templates
  6. Right-click on Administrative Templates and choose Add/Remove Templates... and click Add.
    NOTE: Configuration via Computer GPO policy is required. The SEP Chrome browser extension install logic does not support User Policy settings; if they are configured, it will fall back to writing to local GPO.
  7. Navigate to the expanded Google Chrome Bundle "adm" folder and "en-US" (for example) and select "chrome.adm". Click Close.
  8. Under Administrative Templates, navigate to the new item: Classic Administrative Templates (ADM) -- Google -- Chrome -- Extensions.
  9. Locate the property: Configure the list of force-installed extensions.
  10. Right-click on the property, click Enabled.
  11. Under Options, click Show, then enter the following information in Value.
    • pamolibmfebkknkdmfabpjebifbffbec;https://clients2.google.com/service/update2/crx
      This value is the Google-assigned GUID for the Chrome extension and the URL from which the extension will be downloaded. 
    • NOTE: This ID does not change and is still used for the Chrome App Store listing https://chrome.google.com/webstore/detail/symantec-endpoint-protect/pamolibmfebkknkdmfabpjebifbffbec. Customers can use this ID when configuring extensions via AD GPO.
  12. Save the changes.

NOTE: SEP will honor the Active Directory GPO first. If the SEP extension ID is not found there, SEP will fall back to installing the extension from the LiveUpdate package via local GPO, provided the following Chrome GPO extension policy settings are not configured:

    • Configure extension installation blocklist
    • Blocks external extensions from being installed

If the above settings are configured, you will need to add the following extension IDs to the Chrome GPO policy setting "Configure extension installation allow list".

Distribution Channel            | Extension ID
Google Chrome Web Store         | pamolibmfebkknkdmfabpjebifbffbec
Microsoft Edge Add-ons website  | mafpfdefhckoofnjleedgkpohekieocm

LiveUpdate

14.3 RU2 and later:

  • gnhglcnkcmhnocgkcnlliammpmagaghd - 1.1.0.18 of webextbridge.exe
  • amnfbgkhpdmeeobndndgebhdklioljbc - 1.2.0.39 of webextbridge.exe, released April 13, 2022
  • hjhklbomhmbfockimpldchgpbnccmbgp - 1.2.0.39, released August 30, 2022
  • hlgkjeecidokoilkiocgkakgnengkppc - 
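
To confirm on an endpoint which of the cases described above applies (force-installed by policy, LiveUpdate fallback possible, or allow list required), the following PowerShell check can be used. It is an added example, not part of the original article or Symantec tooling. It assumes Chrome's standard policy registry location under HKLM, uses hypothetical function names, and reads the merged policy, so it cannot tell a domain GPO from a local one.

```powershell
# Added example: evaluates the effective Chrome extension policy on one endpoint.
# Assumptions: Chrome's documented HKLM policy hive; function names are hypothetical.
$ChromePolicy  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$SepWebStoreId = 'pamolibmfebkknkdmfabpjebifbffbec'   # Chrome Web Store ID from the article

function Get-PolicyList {
    param([string]$Name)
    # Chrome stores list policies as numbered REG_SZ values under a subkey.
    $key = Join-Path $ChromePolicy $Name
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item -Path $key
    return @($item.GetValueNames() | ForEach-Object { [string]$item.GetValue($_) })
}

function Test-SepExtensionPolicy {
    param(
        [string[]]$ForceList, [string[]]$BlockList, [string[]]$AllowList,
        [bool]$BlockExternal, [string[]]$RequiredIds = @($SepWebStoreId)
    )
    # Forcelist entries look like "<id>;<update URL>"; compare on the ID part only.
    $forced = @($ForceList | Where-Object { $_ } | ForEach-Object { ($_ -split ';')[0].Trim() })
    if ($forced -contains $SepWebStoreId) {
        return [pscustomobject]@{ State = 'ForceInstalledByPolicy'; Missing = @() }
    }
    # Per the article, the LiveUpdate fallback only works when neither restriction is set.
    $restricted = $BlockExternal -or (@($BlockList | Where-Object { $_ }).Count -gt 0)
    if (-not $restricted) {
        return [pscustomobject]@{ State = 'LocalFallbackPossible'; Missing = @() }
    }
    # Restrictions are set: every required ID must be on the allow list.
    $missing = @($RequiredIds | Where-Object { $AllowList -notcontains $_ })
    $state = if ($missing.Count) { 'AllowListIncomplete' } else { 'AllowListCoversSep' }
    return [pscustomobject]@{ State = $state; Missing = $missing }
}

# Constructed input: blocklist set to "*" and an allow list without the SEP ID.
Test-SepExtensionPolicy -BlockList '*' -AllowList 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'

# Live check against this machine's registry.
$blockExt = (Get-ItemProperty -Path $ChromePolicy -Name BlockExternalExtensions `
    -ErrorAction SilentlyContinue).BlockExternalExtensions -eq 1
Test-SepExtensionPolicy -ForceList (Get-PolicyList 'ExtensionInstallForcelist') `
    -BlockList (Get-PolicyList 'ExtensionInstallBlocklist') `
    -AllowList (Get-PolicyList 'ExtensionInstallAllowlist') -BlockExternal $blockExt
```

To include the LiveUpdate channel in the allow-list check, pass the LiveUpdate extension ID for the installed webextbridge.exe version in -RequiredIds alongside the Web Store ID.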

[Figure: GPO snapshot for reference]

 

Additional Information

  • Using the Google Admin Console to manage the Chrome extension is not supported at this time.  This feature is being considered for inclusion in a future client version.

  • If an Active Directory Group Policy Object policy is used to configure Chrome extensions in an environment, this policy will take precedence over any browser extension added by the SEP agent in the local Group Policy Objects, which would result in the browser extension not being installed.

    In this case, the SEP Chrome browser extension must be configured using the steps above. This could be done locally for non-domain computers or via GPO for domain members.

  • Starting with the 14.3 RU5 Windows Endpoint Agent, you can disable IPS "Browser Intrusion Prevention" in the ICDm or SEPM policy settings, which will unload the Chrome browser extension. When re-enabling Browser Intrusion Prevention, it can take some time for the extension to reload.