Installing the Endpoint Protection Browser Extension for Chrome or Edge using an Active Directory Group Policy Object

Article ID: 214750

Products

Endpoint Protection

Issue/Introduction

The Symantec Endpoint Security (SES) or Symantec Endpoint Protection (SEP) agent delivers browser protection through an extension for Google Chrome and Microsoft Edge. This article lists which agent and browser versions support the extension. It also provides guidance for installing the extension using an Active Directory (AD) Group Policy Object (GPO).

Environment

  • Google Chrome browser extension supported on 14.3 RU2 and later.
  • Microsoft Edge v112 and later supported on 14.3 RU8 and later.

Resolution

To install the SEP browser extension using an Active Directory Group Policy Object:

  1. Download and unzip the latest Chrome Browser ADM and/or Microsoft Edge ADM policy templates.
    NOTE: Using an older ADM template can result in the extension failing to load due to deprecated settings.

  2. Open Group Policy Management and expand Forest> Domains> your domain> Group Policy Objects.

  3. Right-click the desired group policy object and click Edit.

  4. Expand Computer Configuration> Policies> Administrative Templates

  5. Right-click on Administrative Templates and choose Add/Remove Templates... and click Add.
    NOTE: Configuration via Computer Configuration GPO policy is required. The SEP Chrome browser extension install logic does not support User Configuration policy settings; if they are configured, SEP will fall back to local settings.

  6. In the unzipped ADM templates, navigate to windows\adm\ and then to the language folder ("en-US", for example), and select the appropriate *.adm files (chrome.adm and/or msedge.adm). Click Close.

  7. Under Administrative Templates, navigate to the new item and appropriate property. Classic Administrative Templates (ADM)> ...

    Chrome:  Google> Chrome> Extensions> Configure the list of force-installed extensions

    Edge: Microsoft Edge> Extensions> Control which extensions are installed silently

  8. Right-click the property and click Enabled.

  9. Under Options, click Show, then enter the following information in Value.

    • Chrome: pamolibmfebkknkdmfabpjebifbffbec;https://clients2.google.com/service/update2/crx
      This value is the Google-assigned GUID for the Chrome extension and the URL from which the extension will be downloaded. NOTE: This ID does not change and is still used for the Chrome App Store listing https://chrome.google.com/webstore/detail/symantec-endpoint-protect/pamolibmfebkknkdmfabpjebifbffbec. Customers can use this ID when configuring extensions via AD GPO.

    • Edge: mafpfdefhckoofnjleedgkpohekieocm;https://edge.microsoft.com/extensionwebstorebase/v1/crx

  10. Save the changes.

NOTE: SEP will honor the Active Directory GPO first. If the SEP extension ID is not found there, SEP will fall back to installing the extension from the LiveUpdate package via local GPO, provided the following Chrome GPO policy extension settings are not configured:

    • Configure extension installation blocklist
    • Blocks external extensions from being installed

If the above settings are configured, you will need to add the following extension IDs to the Chrome GPO policy setting Configure extension installation allow list.

Distribution Channel              Extension ID
Google Chrome Web Store           pamolibmfebkknkdmfabpjebifbffbec
Microsoft Edge Add-ons website    mafpfdefhckoofnjleedgkpohekieocm

LiveUpdate

14.3 RU2 and later:

  • gnhglcnkcmhnocgkcnlliammpmagaghd - 1.1.0.18 of webextbridge.exe
  • amnfbgkhpdmeeobndndgebhdklioljbc - 1.2.0.39 of webextbridge.exe, released April 13, 2022
  • hjhklbomhmbfockimpldchgpbnccmbgp - 1.2.0.39, released August 30, 2022
  • hlgkjeecidokoilkiocgkakgnengkppc - 
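
One way to confirm on an endpoint that the policy from the steps above landed under Computer Configuration, and whether the blocklist settings named in the NOTE would stop the LiveUpdate fallback. This is an added example, not Broadcom's code; the registry paths and value names are the standard Chrome and Edge policy locations (an assumption, not taken from this article), and Edge is checked the same way as Chrome even though the NOTE names only Chrome.

```powershell
# Added example, not vendor code. Extension IDs are the ones listed in this article;
# the registry paths are the standard Chrome/Edge policy locations (assumption).
$targets = @(
    @{ Browser = 'Chrome'; Key = 'SOFTWARE\Policies\Google\Chrome';  StoreId = 'pamolibmfebkknkdmfabpjebifbffbec' },
    @{ Browser = 'Edge';   Key = 'SOFTWARE\Policies\Microsoft\Edge'; StoreId = 'mafpfdefhckoofnjleedgkpohekieocm' }
)
# LiveUpdate-delivered IDs from the article (used by the local-GPO fallback).
$liveUpdateIds = @(
    'gnhglcnkcmhnocgkcnlliammpmagaghd', 'amnfbgkhpdmeeobndndgebhdklioljbc',
    'hjhklbomhmbfockimpldchgpbnccmbgp', 'hlgkjeecidokoilkiocgkakgnengkppc'
)

# List policies are stored as string values named 1, 2, 3, ... under a subkey.
function Get-PolicyList([string]$Path) {
    if (-not (Test-Path -Path $Path)) { return }
    $key = Get-Item -Path $Path
    $key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) }
}

$report = foreach ($t in $targets) {
    $machine = @(Get-PolicyList "HKLM:\$($t.Key)\ExtensionInstallForcelist")
    $user    = @(Get-PolicyList "HKCU:\$($t.Key)\ExtensionInstallForcelist")
    $block   = @(Get-PolicyList "HKLM:\$($t.Key)\ExtensionInstallBlocklist")
    $allow   = @(Get-PolicyList "HKLM:\$($t.Key)\ExtensionInstallAllowlist")
    $props   = Get-ItemProperty -Path "HKLM:\$($t.Key)" -ErrorAction SilentlyContinue

    # Force-list entries have the form "<extension id>;<update URL>".
    $inMachine  = @($machine -like "$($t.StoreId);*").Count -gt 0
    $inUser     = @($user    -like "$($t.StoreId);*").Count -gt 0
    # "Configured" means present at all, matching the wording of the NOTE.
    $restricted = ($block.Count -gt 0) -or ($null -ne $props.BlockExternalExtensions)
    $notAllowed = @(@($t.StoreId) + $liveUpdateIds | Where-Object { $allow -notcontains $_ })

    $finding = if ($inMachine) {
        'Store ID is force-installed by Computer Configuration policy'
    } elseif ($inUser) {
        'Store ID found only under User Configuration, which SEP does not support'
    } elseif ($restricted) {
        'No force-install entry and blocklist settings are configured; allow-list the IDs'
    } else {
        'No force-install entry; LiveUpdate fallback via local GPO is not restricted'
    }
    [pscustomobject]@{
        Browser = $t.Browser; Finding = $finding
        MissingFromAllowList = if ($restricted) { $notAllowed -join ', ' } else { '' }
    }
}
$report | Format-List
```

Run it as the logged-on user so that the HKCU check reads that user's policy hive rather than an administrator's.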

GPO snapshot for reference - Chrome settings highlighted in yellow, Edge in blue: 

Additional Information

  • Using the Google Admin Console to manage the Chrome extension is not supported at this time.  This feature is being considered for inclusion in a future client version.

  • If an Active Directory Group Policy Object policy is used to configure Chrome extensions in an environment, this policy will take precedence over any browser extension added by the SEP agent in the local Group Policy Objects, which would result in the browser extension not being installed.

In this case, the SEP Chrome browser extension must be configured using the steps above. This could be done locally for non-domain computers or via GPO for domain members.

  • Starting with the 14.3 RU5 Windows Endpoint Agent, you can disable IPS "Browser Intrusion Prevention" in the ICDm or SEPM policy settings, which will unload the Chrome browser extension. When re-enabling Browser Intrusion Prevention, it can take some time for the extension to reload.