Description

Deploy ConcealBrowse to multiple browsers on macOS endpoints with JumpCloud MDM. This is a two stage process as required by macOS architecture.

Stage 1 deploys the ConcealBrowse helper application which authenticates the browser extension(s) and provides you with telemetry such as the hostname and logged in username.

Stage 2 configures your browsers to install and require ConcealBrowse from each browser's web store.

Applies to

• JumpCloud MDM
• Apple macOS
• Google Chrome
• Microsoft Edge
• Mozilla Firefox
• Brave browser

Before You Begin

1. Request a Distribution-Type PKG from support@conceal.io.
   • JumpCloud requires a Distribution-Type PKG which differs from the standard Component-Type PKG used by most MDMs, at this time Conceal provides these by request. The customized file will includes your tenant's information for easy deployment.
2. Download the customized Distribution-Type macOS PKG

Stage 1: Install ConcealBrowse Helper application

Upload the customized Distribution-Type PKG which installs the ConcealBrowse helper

1. In the JumpCloud console, in the lefthand menu, click Software Management
2. Click the Apple tab, then click the large ⊕ icon (plus in circle)
3. Choose JumpCloud Private Repo
   1. Self-hosted should also work, this guide will focus on JumpCloud Private Repo
4. Name: ConcealBrowse Helper
5. Choose A File: Choose the Distribution-Type PKG
6. Click Upload
7. Monitor the upload progress, move on to the next step after success
   1. If you encounter this error, you will need to ensure you are using the special Distribution-Type PKG which was requested in the Before You Begin section above. Error: "The Package Validation Failed. Please delete this instance and try again."
      
8. With the ConcealBrowse helper application selected, click either the Device Groups or Devices tab
9. In either tab, select the device group or devices to which you will deploy the application
10. Click Save
11. Click the Status tab to monitor the deployment status

Stage 2: Deploy the ConcealBrowse Extension to each browser

We highly recommend verifying that the ConcealBrowse helper application has installed on endpoints before configuring your browsers to install the ConcealBrowse Extension. If the extension is installed prior to the helper, the user will be prompted to log in which may cause confusion and disruption for your support team.

These steps may vary depending on how you manage each browser. As this article is targeted to JumpCloud, we will assume you manage your browsers with JumpCloud.

Check to see if you have an existing profile for your browser. From our testing you can only have one profile per application.

• If you do NOT have a profile for your browsers, refer to the next section named: If you need to create a profile
• If you already have a profile, scroll down to the section: If you already have a profile

If you need to create a policy

We recommend this Unified mobileconfig file for Chrome, Edge, Brave, and Firefox for customers who do not currently manage their browser settings, this allows for rapid deployment in one step. If you do manage your browser settings already, you will need to merge in the settings which install the ConcealBrowse extension.

1. In the JumpCloud console, in the lefthand menu, click Policy Management
2. Click the large ⊕ icon (plus in circle)
3. Click the Mac tab
4. Search for, or scroll down to, MDM Custom Configuration, then click configure
5. Policy Name: Multi-Browser ConcealBrowse Extension
6. Policy Notes: we recommend including a link to this article
7. At the bottom of this article, click the download attachment link for Multi-Browser ConcealBrowse Extension.mobileconfig
8. Back in JumpCloud, under Settings: Mobile Configuration File, click upload file
9. Upload the Multi-Browser ConcealBrowse Extension.mobileconfig
10. Click either the Device Groups or Devices tab
11. In either tab, select the same device group or devices to which you deployed the ConcealBrowse helper application
12. Click Save
13. Click the Status tab to monitor the deployment status

If you already have a policy

We will assume your existing policy utilizes Policy Management MDM Custom Configuration

1. Click on the existing policy
2. Scroll down to Settings: Profile Contents
3. Verify the PayloadType matches the browser you intend to configure
   - Chrome: com.google.chrome
   - Brave: com.brave.browser
   - Edge: com.microsoft.edge
   - Firefox: org.mozilla.firefox
4. Search the Property List for "ExtensionSettings", it’s unlikely to be present.
   • If ExtensionSettings is present you will need to merge the following into the existing ExtensionSettings section. Specifically lines ~3-11 will be inserted.
5. Click Copy to copy the Profile Contents to your preferred text editor
6. For Chrome or Brave, within the PayloadContent, add the following:

   <key>ExtensionSettings</key>
   <dict>
     <key>jmdpihfpelphmllgmamebdbelmobjfpg</key>
     <dict>
       <key>installation_mode</key>
       <string>force_installed</string>
       <key>toolbar_pin</key>
       <string>force_pinned</string>
       <key>update_url</key>
       <string>https://clients2.google.com/service/update2/crx</string>
     </dict>
   </dict>

7. For Edge, within the PayloadContent, add the following:

   <key>ExtensionSettings</key>
   <dict>
     <key>ojjdicpccncniljgdmjcepenkkpmnnmk</key>
     <dict>
       <key>installation_mode</key>
       <string>force_installed</string>
       <key>toolbar_state</key>
       <string>force_shown</string>
       <key>update_url</key>
       <string>https://edge.microsoft.com/extensionwebstorebase/v1/crx</string>
     </dict>
   </dict>

8. For Firefox, within the PayloadContent, add the following:

   <key>ExtensionSettings</key>
   <dict>
     <key>concealbrowse@conceal.io</key>
     <dict>
       <key>installation_mode</key>
       <string>force_installed</string>
       <key>install_url</key>
       <string>https://conceal-browse.conceal.io/firefox/latest/concealbrowse.xpi</string>
     </dict>
   </dict>

9. Save your modified mobileconfig
10. Upload the modified mobileconfig to the existing or new policy and test that it works as expected

Verify the Configuration Profile has applied to your testing Mac(s)

1. Open System Settings on a targeted Mac
2. Navigate to
   1. macOS version 15+: General > Device Management
   2. macOS version <15: Privacy & Security > Profiles
3. When applied, you will see a profile named Multi-Browser ConcealBrowse Extension as named in an earlier step
4. Open, or reopen, the targeted browser and the ConcealBrowse extension will be automatically installed. The extension will also automatically register to your Conceal dashboard thanks to the helper installed in Stage 1.
5. You may check the browser configuration by looking at its policy page, restarting the browser causes it to check for new policies:
   - Chrome: chrome://policy
   - Brave: brave://policy
   - Edge: edge://policy
   - Firefox: about:policies

Recommended Step: Disable incognito and guest mode

It’s not possible to enforce extension usage in Incognito/InPrivate or Guest mode. Therefore it is recommended to disable them by adding the following to your browser's mobileconfig configuration.

Chrome and Brave:

<key>IncognitoModeAvailability</key>
<integer>1</integer>
<key>BrowserGuestModeEnabled</key>
<false/>

Edge:

<key>InPrivateModeAvailability</key>
<integer>1</integer>
<key>BrowserGuestModeEnabled</key>
<false/>

Firefox:

<key>DisablePrivateBrowsing</key>
<true/>

References