Conceal partners with ThreatLocker, and as a result ThreatLocker has set some global rules in place regarding deploying the ConcealBrowse extension through the MSI. Depending on your organization's ThreatLocker policies, you may need to make changes if you run into issues. This article outlines how to identify and resolve the issue.
All browser extension native messaging hosts (like the Conceal helper) are launched via the command prompt by Chrome and Edge. The default ThreatLocker ringfencing policies for Chrome and Edge prevent them from calling out to the Command Prompt. As a result, the default ThreatLocker ringfencing policy blocks key ConcealBrowse functionality such as device authentication and device labels in the dashboard (e.g., hostname).
Q: How do I know if ThreatLocker is interfering with my Conceal deployment?
A: If you deploy Conceal and the extension is grayed out and asking for a login (Image below), or device labels are not updating in the dashboard, ThreatLocker ringfencing could be interfering.
You can verify this in the Unified Audit log by finding an entry like the one below:
Q: How do I resolve ThreatLocker interfering with the extension?
A1: ThreatLocker's support team suggests editing the standard policy they have set in place to allow communication to the command prompt. How to implement that policy can be found in this ThreatLocker article.
A2: As of 1/2024, Chrome and Edge on Windows have a new policy that may be enabled to force browsers to call helpers directly instead of using cmd.exe. With it enabled, ThreatLocker ringfencing may remain in place and ConcealBrowse will operate normally. Use your company's MDM to enable these settings in your browsers:
- Chrome: https://chromeenterprise.google/policies/#NativeHostsExecutablesLaunchDirectly
- Edge: https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#nativehostsexecutableslaunchdirectly
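One way to check and set this policy on a single Windows test machine before rolling it out through MDM (an added example, not Conceal's or ThreatLocker's own tooling). It assumes the standard registry locations Chrome and Edge use for machine policies and native messaging host registrations, which are not given in this article.

```powershell
# Added example. Run elevated; without -Apply the script only reports.
param([switch]$Apply)

$valueName = 'NativeHostsExecutablesLaunchDirectly'
# Assumed standard registry locations for browser policies and host registrations.
$browsers = @(
    @{ Name = 'Chrome'; Policy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
       Hosts = 'HKLM:\SOFTWARE\Google\Chrome\NativeMessagingHosts' },
    @{ Name = 'Edge'; Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
       Hosts = 'HKLM:\SOFTWARE\Microsoft\Edge\NativeMessagingHosts' }
)

foreach ($b in $browsers) {
    # An absent value means the policy is not set and the browser default applies.
    $current = (Get-ItemProperty -Path $b.Policy -Name $valueName -ErrorAction SilentlyContinue).$valueName
    $state = if ($null -eq $current) { 'not set' } else { $current }
    Write-Output ("{0}: {1} = {2}" -f $b.Name, $valueName, $state)

    # List machine-wide native messaging hosts (HKCU and WOW6432Node registrations
    # are not covered here). The policy only affects hosts whose manifest "path"
    # points at an executable.
    if (Test-Path $b.Hosts) {
        foreach ($key in Get-ChildItem -Path $b.Hosts) {
            $manifest = $key.GetValue('')   # default value holds the manifest JSON path
            if (-not $manifest -or -not (Test-Path -LiteralPath $manifest)) {
                Write-Output ("  {0}: manifest missing ({1})" -f $key.PSChildName, $manifest)
                continue
            }
            $hostPath = (Get-Content -LiteralPath $manifest -Raw | ConvertFrom-Json).path
            $isExe = [IO.Path]::GetExtension([string]$hostPath) -eq '.exe'
            Write-Output ("  {0}: {1} (executable host: {2})" -f $key.PSChildName, $hostPath, $isExe)
        }
    }

    if ($Apply -and $current -ne 1) {
        # Create the policy key only if absent so existing policy values are untouched.
        if (-not (Test-Path $b.Policy)) { New-Item -Path $b.Policy -Force | Out-Null }
        New-ItemProperty -Path $b.Policy -Name $valueName -Value 1 -PropertyType DWord -Force | Out-Null
        Write-Output ("  set {0} = 1; confirm on the browser's policy page" -f $valueName)
    }
}
```

After applying, confirm the value on `chrome://policy` or `edge://policy`, then re-check the Unified Audit log for the blocked command prompt entries.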
*Never hesitate to contact your Customer Success Manager for any questions or concerns. You may also open a support ticket at support.conceal.io by scrolling to the bottom and clicking Submit a request.