Google Chrome and Microsoft Edge Chromium utilize a browser extension to report the current tab's URL to the DLP Agent (via the Native Messaging Host - brkrprcs64.exe to edpa.exe). The URL is needed when processing policies to understand the destination and to report the URL on incidents.

For Chrome extension on Mac see Creating an MDM configuration profile to support monitoring in Google Chrome on macOS endpoints.

The extension is not installed until after the respective browser has been launched with the extension reference in place.

The Symantec Extension registry value/data information is as follows:

Chrome

Registry Type/Data/Value (the value could change, depending on whether there are already any other local extension policies in place):

These are added into the Registry at the following keys for the respective browsers:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist

These extension policies are also added to the Local Group Policy - %windir%\System32\GroupPolicy\Machine\registry.pol. Placing the extension policies in the LGPO prevents users from permanently disabling the extension by removing the Registry entries since during Group Policy processing it will be reloaded into the registry from the registry.pol file.

With DLP 15.5 and 15.7, the Chrome policy entry is created during the agent installation. The agent installer uses a Local Group Policy Windows API call to install/uninstall our Chrome browser extension into the LGPO at HKLM/Software/Policies/Google/Chrome/ExtensionInstallForceList.

To determine the position, the LGPO API enumerates those entries defined within LGPO only (i.e. Registry.pol) and increments our entry by the last string value + 1. Directly created Registry entries within this same key (non-GPO / ExtensionInstallForceList) that have a colliding position value will be overwritten once the Group Policies processing occurs. In other words, a direct registry entry at position 1, with no other LGPO entries defined, would be overwritten by our extension at position 1.

With DLP 15.8 and higher, the Chrome and Edge policy entry is managed on-demand when the respective (HTTPS) channel is enabled/disabled, and also at agent service startup.

For agent versions 15.5 - 15.7, you can skip installing the Chrome extension during the agent installation by adding the INSTALLCHROMEPLUGIN=0 parameter to the installation command in the install_agent.bat file.

The advanced agent setting ExtensionEnablement.INSTALL_BROWSER_EXTENSION.int determines whether the agent creates the ExtensionInstallForceList LGPO policies for Chrome and Edge (1) or not (0).

We recommend that customers who are enforcing Chrome or Edge ExtensionInstallForcelist policies at the Domain GPO level also add the Extension for each browser to the Domain policy and that they be managed at the "Computer (Machine Hive)" level (not at the User level).
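
To check an endpoint for the position collision described above, the following added example (not vendor code, and not part of the original article) parses Registry.pol bytes in the PReg format, works out which position the next LGPO force-install entry would take, and lists directly written positions that Group Policy processing would overwrite. The function names, the placeholder extension data and the reading of "last string value" as the highest existing position are assumptions.

```python
import struct

FORCELIST = r"Software\Policies\Google\Chrome\ExtensionInstallForcelist"  # as stored in the Machine Registry.pol

def _wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, next_pos)."""
    end = pos
    while end < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def _expect(buf, pos, ch):
    if buf[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def parse_pol(buf):
    """Yield (key, value_name, reg_type, data) from PReg (Registry.pol) bytes."""
    if buf[:4] != b"PReg" or len(buf) < 8:
        raise ValueError("not a Registry.pol file")
    pos = 8  # skip the signature and the version DWORD
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        name, pos = _wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        reg_type, size = struct.unpack_from("<I2xI", buf, pos)  # type, ';', size
        pos = _expect(buf, pos + 10, ";")
        data = buf[pos:pos + size]
        pos = _expect(buf, pos + size, "]")
        yield key, name, reg_type, data

def audit(pol_bytes, direct_positions, key=FORCELIST):
    """Return (position the next LGPO entry gets, direct positions overwritten)."""
    lgpo = [int(n) for k, n, _, _ in parse_pol(pol_bytes)
            if k.lower() == key.lower() and n.isdecimal()]
    nxt = max(lgpo, default=0) + 1  # assumption: "last string value" = highest
    return nxt, sorted(p for p in direct_positions if p in (set(lgpo) | {nxt}))

def make_entry(key, name, text):  # builds one REG_SZ entry for the sample only
    u = lambda s: s.encode("utf-16-le")
    data = u(text + "\0")
    return (u("[" + key + "\0;" + name + "\0;") + struct.pack("<I", 1) + u(";")
            + struct.pack("<I", len(data)) + u(";") + data + u("]"))

HEADER = b"PReg" + struct.pack("<I", 1)
# Constructed sample: two existing LGPO force-install entries (placeholder data).
SAMPLE = (HEADER + make_entry(FORCELIST, "1", "<extension-id-a>;<update-url>")
          + make_entry(FORCELIST, "2", "<extension-id-b>;<update-url>"))
```

On an endpoint, pass the bytes of %windir%\System32\GroupPolicy\Machine\registry.pol and the numeric value names that were written to the key directly rather than through Group Policy.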