Installing the Endpoint Protection Browser Extension for Chrome or Edge using an Active Directory Group Policy Object
Article ID: 214750
Products
Endpoint Protection
Issue/Introduction
The Symantec Endpoint Security (SES) or Symantec Endpoint Protection (SEP) agent delivers browser protection through an extension for Google Chrome and Microsoft Edge. This article provides information about which versions of the extension are supported on which browser versions. It also provides guidance for installing the Chrome extension using an Active Directory (AD) Group Policy Object (GPO).
Environment
Google Chrome browser extension supported on 14.3 RU2 and later.
Microsoft Edge v112 and later supported on 14.3 RU8 and later.
Resolution
To install the SEP browser extension using an Active Directory Group Policy Object:
Download and unzip the latest Chrome Browser ADM and/or Microsoft Edge ADM policy templates. NOTE: Using an older ADM template can result in the extension failing to load due to deprecated settings.
Open Group Policy Management and expand Forest > Domains > your domain > Group Policy Objects.
Right-click the desired Group Policy Object and choose Edit.
Right-click Administrative Templates, choose Add/Remove Templates..., and click Add. NOTE: Configuration via Computer Configuration GPO policy is required. The SEP Chrome browser extension install logic does not support User Configuration policy settings; if they are configured, SEP will fall back to local settings.
Navigate to the unzipped ADM templates, open windows\adm\ and then the language folder ("en-US", for example), and select the appropriate *.adm files (chrome.adm and/or msedge.adm). Click Close.
Under Administrative Templates, navigate to the new item and the appropriate property. Classic Administrative Templates (ADM) > ...
Chrome: Google > Chrome > Extensions > Configure the list of force-installed extensions
Edge: Microsoft Edge > Extensions > Control which extensions are installed silently
Right-click the property, then click Enabled.
Under Options, click Show, then enter the following information in Value.
Chrome: pamolibmfebkknkdmfabpjebifbffbec;https://clients2.google.com/service/update2/crx
This value is the Google-assigned GUID for the Chrome extension and the URL from which the extension will be downloaded.
NOTE: This ID does not change and is still used for the Chrome App Store listing https://chrome.google.com/webstore/detail/symantec-endpoint-protect/pamolibmfebkknkdmfabpjebifbffbec. Customers can use this ID when configuring extensions via AD GPO.
NOTE: SEP will honor the Active Directory GPO first. If our extension ID is not found there, SEP will fall back to installing the extension from the LiveUpdate package via local GPO, provided the following Chrome GPO extension policy settings are not configured:
Configure extension installation blocklist
Blocks external extensions from being installed
If the above settings are configured, you will need to add the following extension IDs to the Chrome GPO policy setting Configure extension installation allow list.
Distribution Channel | Extension ID
Google Chrome Web Store | pamolibmfebkknkdmfabpjebifbffbec
Microsoft Edge Add-ons website | mafpfdefhckoofnjleedgkpohekieocm
LiveUpdate (14.3 RU2 and later) | gnhglcnkcmhnocgkcnlliammpmagaghd - 1.1.0.18 of webextbridge.exe
LiveUpdate (14.3 RU2 and later) | amnfbgkhpdmeeobndndgebhdklioljbc - 1.2.0.39 of webextbridge.exe, released April 13, 2022
LiveUpdate (14.3 RU2 and later) | hjhklbomhmbfockimpldchgpbnccmbgp - 1.2.0.39, released August 30, 2022
LiveUpdate (14.3 RU2 and later) | hlgkjeecidokoilkiocgkakgnengkppc -
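A read-only check of what the steps and notes above should produce on a client, as an added example that is not part of the original article or any Symantec tooling. It assumes Chrome's standard policy registry keys under HKLM\SOFTWARE\Policies\Google\Chrome and the policy value names ExtensionInstallForcelist, ExtensionInstallBlocklist, ExtensionInstallAllowlist and BlockExternalExtensions, none of which the article names; the variable and function names are illustrative.

```powershell
# Added example: audit the machine-level Chrome extension policy for the SEP extension.
# Assumption: Chrome's standard policy registry keys, read from a 64-bit PowerShell session.
$ChromeKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$UserKey   = 'HKCU:\SOFTWARE\Policies\Google\Chrome'
$StoreId   = 'pamolibmfebkknkdmfabpjebifbffbec'
$Expected  = "$StoreId;https://clients2.google.com/service/update2/crx"
# Chrome Web Store and LiveUpdate IDs from the table above (the Edge ID is left out here).
$SepIds = @(
    $StoreId
    'gnhglcnkcmhnocgkcnlliammpmagaghd'
    'amnfbgkhpdmeeobndndgebhdklioljbc'
    'hjhklbomhmbfockimpldchgpbnccmbgp'
    'hlgkjeecidokoilkiocgkakgnengkppc'
)

function Get-PolicyList {
    # List policies are stored as numbered string values (1, 2, ...) under a subkey.
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return }
    $key = Get-Item -Path $Path
    $key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) }
}

$force = @(Get-PolicyList "$ChromeKey\ExtensionInstallForcelist")
$block = @(Get-PolicyList "$ChromeKey\ExtensionInstallBlocklist")
$allow = @(Get-PolicyList "$ChromeKey\ExtensionInstallAllowlist")
$blockExternal = (Get-ItemProperty -Path $ChromeKey -Name 'BlockExternalExtensions' `
    -ErrorAction SilentlyContinue).BlockExternalExtensions

# Either restriction means the LiveUpdate fallback needs explicit allow-list entries.
$restricted = ($block.Count -gt 0) -or ($blockExternal -eq 1)
$missing = @()
if ($restricted) { $missing = @($SepIds | Where-Object { $allow -notcontains $_ }) }

[pscustomobject]@{
    ForceListConfigured    = $force.Count -gt 0
    ForceListHasSepEntry   = $force -contains $Expected
    UserScopeForceListSet  = Test-Path -Path "$UserKey\ExtensionInstallForcelist"
    BlocklistOrExternalSet = $restricted
    MissingFromAllowlist   = $missing -join ', '
}
```

ForceListConfigured true with ForceListHasSepEntry false is the state in which a domain policy manages the force-install list without the SEP entry. The HKLM key shows the effective machine policy and does not tell you whether a value came from the domain GPO or the local GPO.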
GPO snapshot for reference - Chrome settings highlighted in yellow, Edge in blue:
Additional Information
Using the Google Admin Console to manage the Chrome extension is not supported at this time. This feature is being considered for inclusion in a future client version.
If an Active Directory Group Policy Object policy is used to configure Chrome extensions in an environment, this policy will take precedence over any browser extension added by the SEP agent in the local Group Policy Objects, which would result in the browser extension not being installed.
In this case, the SEP Chrome Browser Extension must be configured using the steps above. This could be done locally for non-domain computers or via GPO for domain members.
Starting with the 14.3 RU5 Windows Endpoint Agent, you can disable IPS "Browser Intrusion Prevention" in the ICDm or SEPM policy settings, which will unload the Chrome browser extension. When re-enabling Browser Intrusion Prevention, it can take some time for the extension to reload.