Installing the Endpoint Protection Chrome Browser Extension using an Active Directory Group Policy Object

Products

Endpoint Protection

Issue/Introduction

Starting with Symantec Endpoint Protection (SEP) 14.3 RU2, a Chrome Browser Extension is installed to provide further protection to the system. One method for installing the extension is through an Active Directory (AD) Group Policy Object (GPO).

Environment

SEP 14.3 RU2 and later

Chrome

Resolution

To install the SEP Chrome browser extension using an Active Directory Group Policy Object:

Ensure you have the latest Chrome Browser ADM policy. See Set Chrome Browser policies on managed PCs for more information.
- NOTE: Using an older Chrome Browser ADM template can result in the extension failing to load due to deprecated settings.
Unzip policy_templates.zip
Open Group Policy Management and expand Forest -- Domains -- your domain -- Group Policy Objects
Right click on the group policy object that you want to edit
Expand Computer Configuration -- Policies -- Administrative Templates
Right-click on Administrative Templates and choose Add/Remove Templates... and click Add.
NOTE: Configuration via Computer GPO policy is required . The SEP Chrome browser extension install logic does not support User Policy settings and if they are configured will fall back to writing to local GPO.
Navigate to the expanded Google Chrome Bundle "adm" folder and "en-US" (for example) and select "chrome.adm". Click Close.
Under Administrative Templates, navigate to the new item: Classic Administrative Templates (ADM) -- Google -- Chrome -- Extensions.
Locate the property: Configure the list of force-installed extensions.
Right click on the property, click Enabled.
Under Options, click Show, then enter the following information in Value.
- pamolibmfebkknkdmfabpjebifbffbec;https://clients2.google.com/service/update2/crx
  This value is the Google-assigned GUID for the Chrome extension and the URL from which the extension will be downloaded.
- NOTE: This ID does not change and is still used for the Chrome App Store listing https://chrome.google.com/webstore/detail/symantec-endpoint-protect/pamolibmfebkknkdmfabpjebifbffbec. Customers can use this ID when configuring extensions via AD GPO.
Save the changes.

NOTE: SEP will honor the active directory GPO first, and if our extension ID is not found SEP will fall back to installing the extension from the Liveupdate package via local GPO, provided the following Chrome GPO policy extensions settings are not configured.

- configure extension installation blocklist
- blocks external extensions from being installed

If the above settings are configured, you will need to add the following extension ID's to the Chrome GPO policy setting Configure Extension installation allow list.

Distribution Channel

Extension ID

Google Chrome Web Store

pamolibmfebkknkdmfabpjebifbffbec

LiveUpdate

14.3 RU2 and later:

gnhglcnkcmhnocgkcnlliammpmagaghd -1.1.0.18 of webextbridge.exe.
amnfbgkhpdmeeobndndgebhdklioljbc - 1.2.0.39 of webextbridge.exe, released April 13, 2022
hjhklbomhmbfockimpldchgpbnccmbgp - 1.2.0.39 released August 30, 2022.

GPO snapshot for reference :

Additional Information

If an Active Directory Group Policy Object policy is used to configure Chrome extensions in an environment, this policy will take precedence over any Browser Extension added by the SEP agent in the local Group Policy Objects which would result in the browser extension not being installed.

In this case, the SEP Chrome Browser Extension must be configured using the steps above. This could be done locally for non-domain computers or via GPO for domain members

Starting with the 14.3 RU5 Windows Endpoint Agent, you can disable IPS "Browser Intrusion Prevention" in the ICDm or SEPM policy settings which will unload the Chrome Browser extension. When re-enabling Browser Intrusion prevention, it can take some time for the extension to reload.