Deploy ConcealBrowse on macOS using Intune Deploy ConcealBrowse on macOS using Intune

Deploy ConcealBrowse on macOS using Intune

Description

Deploy ConcealBrowse to multiple browsers on macOS endpoints with Microsoft Intune. This is a two stage process as required by macOS architecture.

Stage 1 deploys the ConcealBrowse helper application which authenticates the browser extension(s) and provides you with telemetry such as the hostname and logged in username.

Stage 2 configures your browsers to install and require ConcealBrowse from each browser's web store.

Applies to

  • Microsoft Intune
  • Apple macOS
  • Google Chrome
  • Microsoft Edge
  • Mozilla Firefox
  • Brave browser

Before You Begin

  1. Request your customized ConcealBrowse.pkg from support@conceal.io. The customized file will includes your tenant's information.
  2. Download the customized macOS PKG

Stage 1: Install ConcealBrowse Helper application

  1. In the Intune console, click Apps > macOS > +Add
  2. App Type: macOS app (PKG)
    1. We have not been able to make other types work in our testing
  3. Click Select app package file
  4. Select TenantName-ConcealBrowse.pkg downloaded earlier
  5. Click OK

  6. Name: ConcealBrowse

  7. Description: ConcealBrowse is a lightweight browser extension that converts any browser to a secure, zero-trust browser, catching malware and credential theft attacks that bypass other security controls.
  8. Publisher: Conceal

  9. Other fields are optional

  10. Next

  11. Pre and Post Install scripts are not used, Next
  12. Minimum operating system, oldest is OK, Next
  13. Ignore app version: No
  14. Next
  15. Start by assigning the app to a test group and expand after initial testing, use the same group in the following Stages.

  16. The installation may not complete until the target device is restarted.

Stage 2: Deploy ConcealBrowse Extension to each browser

We highly recommend verifying that the ConcealBrowse helper application has installed on endpoints before configuring your browsers to install the ConcealBrowse Extension. If the extension is installed prior to the helper, the user will be prompted to log in which may cause confusion and disruption for your support team.

These steps may vary depending on how you manage each browser. As this article is targeted to Intune, we will assume you manage your browsers with Intune.

Steps for Chrome, Brave, and Edge

Follow these steps all the way through for each browser you are configuring

  1. In the Intune console, click Devices > macOS > Configuration Profiles
  2. Check to see if you have an existing profile for your browser. From our testing you can only have one profile per application.
    1. If you do NOT have a profile for your browser, refer to the next section named: If you need to create a profile
    2. If you already have a profile, scroll down to the section: If you already have a profile

If you need to create a profile

  1. Download the pre-configured plist file for your browser, they are attached to this article and may be found near the bottom
    - Chrome or Brave: Select Intune_ConcealBrowse_Chrome.plist (the content is identical for both browsers)
    - Edge: Select Intune_ConcealBrowse_Edge.plist
    - Firefox: Select Intune_ConcealBrowse_Firefox.plist

  2. In the Intune console, Click +Create > +New Policy
    - Profile type: Templates
    - Template name: Preference file
    - Click Create
  3. Basics:
    - Name: <Browser> Preferences (example: Chrome Preferences)
    - Description: We recommend adding your name, date, and a link to this article
    - Click Next

  4. Configuration settings:
    - Preference domain name:
    - - Chrome: com.google.chrome
    - - Brave: com.brave.browser
    - - Edge: com.microsoft.edge
    - - Firefox: org.mozilla.firefox
    - Click Select a file
    - Browse to and select the plist file you downloaded in step 1
    - Click Next

  5. Assignments:
    - Choose a group to test the preferences with before expanding deployment
    - Click Next, then Create

If you already have a profile

  1. Click on the existing profile
  2. Click Edit next to Configuration settings
  3. Verify the Preference domain name is correct for your browser
    - Chrome: com.google.Chrome
    - Brave: com.brave.Browser
    - Edge: com.microsoft.edge
    - Firefox: org.mozilla.firefox

  4. Copy the contents of the existing Property list file (plist) into your favorite text editor

  5. Search the plist for "ExtensionSettings", it’s unlikely to be present.

    1. If ExtensionSettings is present you will need to merge the following into the existing ExtensionSettings section. Specifically lines 3-11 will be inserted.

  6. For Chrome or Brave, add the following to the bottom of the existing plist file:

    <key>ExtensionSettings</key>
    <dict>
    <key>jmdpihfpelphmllgmamebdbelmobjfpg</key>
    <dict>
    <key>installation_mode</key>
    <string>force_installed</string>
    <key>toolbar_pin</key>
    <string>force_pinned</string>
    <key>update_url</key>
    <string>https://clients2.google.com/service/update2/crx</string>
    </dict>
    </dict>
  7. For Edge, add the following to the bottom of the existing plist file
    <key>ExtensionSettings</key>
    <dict>
    <key>ojjdicpccncniljgdmjcepenkkpmnnmk</key>
    <dict>
    <key>installation_mode</key>
    <string>force_installed</string>
    <key>toolbar_state</key>
    <string>force_shown</string>
    <key>update_url</key>
    <string>https://edge.microsoft.com/extensionwebstorebase/v1/crx</string>
    </dict>
    </dict>
  8. For Firefox, add the following to the bottom of the existing plist file.
    <key>ExtensionSettings</key>
    <dict>
    <key>concealbrowse@conceal.io</key>
    <dict>
    <key>installation_mode</key>
    <string>force_installed</string>
    <key>install_url</key>
    <string>https://conceal-browse.conceal.io/firefox/latest/concealbrowse.xpi</string>
    </dict>
    </dict>
  9. Save the updated filed to you computer

  10. In the Preference file editing screen from step 3, click Select a file

  11. Select the updated file on your computer and click Open

  12. Click Review + save, then Save the updated profile

  13. It will take some time before Intune applies the profile to a targeted device

Verify the Configuration Profile has applied to your testing Mac(s)

  1. Open System Settings on a targeted Mac
  2. Navigate to Privacy & Security > Profiles
  3. When applied you see a profile named Custom Preferences Profile - tld.domain.browser (ex com.google.chrome)
  4. Open, or reopen, the targeted browser and the ConcealBrowse extension will be automatically installed. The extension will also automatically register to your dashboard thanks to the helper installed in Stage 1.

Recommended Step: Disable incognito and guest mode

It’s not possible to enforce extension usage in Incognito or Guest mode. Therefore it is recommended to disable them by adding the following to your browser's plist configuration.

Chrome and Brave:

<key>IncognitoModeAvailability</key>
<integer>1</integer>
<key>BrowserGuestModeEnabled</key>
<false/>

Edge:

<key>InPrivateModeAvailability</key>
<integer>1</integer>
<key>BrowserGuestModeEnabled</key>
<false/>

Firefox:

<key>DisablePrivateBrowsing</key>
<true/>

References