Description
Deploy the ConcealBrowse extension and helper to multiple browsers on macOS endpoints seamlessly with N-able N-central's Mac Scripting and Device Management for Apple (DMA).
This is a two stage process as required by macOS architecture.
Stage 1 deploys the ConcealBrowse helper application which authenticates the browser extension(s) and provides you with telemetry such as the hostname and logged in username.
Stage 2 configures your browsers to install and require ConcealBrowse from each browser's web store.
Applies to
- N-able N-central
- macOS 13+
- Google Chrome
- Microsoft Edge
- Brave browser
- Mozilla Firefox
Requirements
- N-central version ~2023
- N-central Device Management for Apple (DMA) must be configured with a valid Apple push certificate
- macOS devices must have the N-central Agent installed
- macOS devices must be enrolled in N-central Device Management for Apple (DMA)
Gather your IDs
- Log in to https://dashboard.conceal.io
- (Optional for multi-tenants) Choose the specific tenant
- At the top right, click DOWNLOAD EXTENSION
- Scroll down to find your CompanyID and SiteID, note these for use in later steps
Stage 1: Install ConcealBrowse Helper application
Upload the installation script
- In the N-central dashboard, navigate to Configuration > Scheduled Tasks > Script/Software Repository
- Click Add > Mac Scripting
- Name: Install ConcealBrowse Helper macOS
- Description: We recommend including a link to this article
- File Name: Download and browse to the file attached to this article, it can be found at the bottom of the page "Install-ConcealBrowse-PKG-N-central.sh"
- Command Line Parameters: After the script name, we recommend adding placeholders to help later when you run the script. Append --companyid="InsertYourCompanyIdHere" --siteid="InsertYourSiteIdHere"
- Example with placeholders: Install-ConcealBrowse-PKG-N-central.sh --companyid="InsertYourCompanyIdHere" --siteid="InsertYourSiteIdHere"
- Click OK to finish the upload
Run the script on test device(s)
- In the N-central dashboard, navigate to Actions > Run a Mac Script
- (Optional) Task Name: name your script run as desired
- Credentials: select Use root credentials
- Location: From N-able N-central's Script Repository
- Repository Item: Install ConcealBrowse Helper macOS (uploaded earlier)
- Command Line Parameters: Using the CompanyID and SiteID gathered earlier, replace the InsertYourCompany/SiteIdHere text with the IDs
- Example with values: Install-ConcealBrowse-PKG-N-central.sh --companyid="12345678-9012-3456-7890-123456789012" --siteid="abcdefgh-ijkl-mnop-qrst-uvwxyzabcdef"
- Click the Targets tab
- Select device(s) to run the script on
- (Optional) Modify the settings in the Schedule and Notifications tabs
- Click Save to execute the script according to the chosen schedule
Monitor the script run
- In the N-central dashboard, navigate to Views > Job Status
- Click on the job name of the mac script run
- If needed, click the Status tab
- Review the per device script output for any errors
Stage 2: Deploy the ConcealBrowse Extension to each browser
We highly recommend verifying that the ConcealBrowse helper application has installed on endpoints before configuring your browsers to install the ConcealBrowse Extension. If the extension is installed prior to the helper, the user will be prompted to log in which may cause confusion and disruption for your support team. |
These steps may vary depending on how you manage each browser. As this article is targeted to N-central, we will assume you manage your browsers with N-central.
Preparation
- In the N-central dashboard, navigate to Configuration > Device Management for Apple
- Click the Profiles tab
- Review the existing profiles to see if you have a profile for your browser(s). From our testing you can only have one profile per application.
-
- If you do NOT have a profile for your browsers, refer to the next section named: If you need to create a profile
- If you already have a profile, scroll down to the section: If you already have a profile
If you need to create a profile
We recommend the attached Multi-Browser mobileconfig file for Chrome, Edge, Brave, and Firefox to customers who do not currently manage their browser settings, this allows for rapid deployment in one step.
- In the N-central dashboard, navigate to Configuration > Device Management for Apple
- Click the Profiles tab
- Click Upload Profile
- Choose either Account or Customer for profile scope
- Profile name: Multi-Browser ConcealBrowse Extension
- Profile description: we recommend including a link to this article
- At the bottom of this article, click the download attachment link for Multi-Browser ConcealBrowse Extension.mobileconfig
- Drag the Multi-Browser ConcealBrowse Extension.mobileconfig to Upload profile, or browse to it
- Click Upload
Install the Multi-Browser ConcealBrowse Extension configuration profile on devices
- In Device Management for Apple, click the Devices tab
- Select the device(s) to which you want to install the ConcealBrowse extension
- Click the Install profiles button that appears
- Select the Multi-Browser ConcealBrowse Extension profile
- Click Install
- This change takes effect almost immediately
- See the section: Verify the configuration profile has applied to your test device(s)
If you already have a profile
- Find the existing profile
- Click the three dots in the Actions column
- Choose Download profile
- Open the downloaded profile in your favorite editor
-
Verify the PayloadType matches the browser you intend to configure
- Chrome: com.google.chrome
- Brave: com.brave.browser
- Edge: com.microsoft.edge
- Firefox: org.mozilla.firefox -
Search the Property List for "ExtensionSettings", it’s unlikely to be present.
- If ExtensionSettings is present you will need to merge the following into the existing ExtensionSettings section.
- For Chrome or Brave, within the PayloadContent, add the following:
<key>ExtensionSettings</key>
<dict>
<key>jmdpihfpelphmllgmamebdbelmobjfpg</key>
<dict>
<key>installation_mode</key>
<string>force_installed</string>
<key>toolbar_pin</key>
<string>force_pinned</string>
<key>update_url</key>
<string>https://clients2.google.com/service/update2/crx</string>
</dict>
</dict> - For Edge, within the PayloadContent, add the following:
<key>ExtensionSettings</key>
<dict>
<key>ojjdicpccncniljgdmjcepenkkpmnnmk</key>
<dict>
<key>installation_mode</key>
<string>force_installed</string>
<key>toolbar_state</key>
<string>force_shown</string>
<key>update_url</key>
<string>https://edge.microsoft.com/extensionwebstorebase/v1/crx</string>
</dict>
</dict> - For Firefox, within the PayloadContent, add the following:
<key>ExtensionSettings</key>
<dict>
<key>concealbrowse@conceal.io</key>
<dict>
<key>installation_mode</key>
<string>force_installed</string>
<key>install_url</key>
<string>https://conceal-browse.conceal.io/firefox/latest/concealbrowse.xpi</string>
</dict>
</dict> - Save your modified mobileconfig
- Upload the modified mobileconfig to the existing or a new profile and test that it works as expected
- See the section: Verify the configuration crofile has applied to your test device(s)
Verify the configuration profile has applied to your testing device(s)
- Open System Settings on a targeted Mac
- Navigate to
- macOS version 15+: General > Device Management
- macOS version <15: Privacy & Security > Profiles
- When applied, you will see a profile named Multi-Browser ConcealBrowse Extension as named in an earlier step
- Open, or reopen, the targeted browser and the ConcealBrowse extension will be automatically installed. The extension will also automatically register to your Conceal dashboard thanks to the helper installed in Stage 1.
- You may check the browser configuration by looking at its policy page, restarting the browser causes it to check for new policies:
- Chrome: chrome://policy
- Brave: brave://policy
- Edge: edge://policy
- Firefox: about:policies
Recommended Step: Disable incognito and guest mode
It’s not possible to enforce extension usage in Incognito/InPrivate or Guest mode. Therefore it is recommended to disable them by adding the following to your browser's mobileconfig configuration.
Chrome and Brave:
<key>IncognitoModeAvailability</key>
<integer>1</integer>
<key>BrowserGuestModeEnabled</key>
<false/>
Edge:
<key>InPrivateModeAvailability</key>
<integer>1</integer>
<key>BrowserGuestModeEnabled</key>
<false/>
Firefox:
<key>DisablePrivateBrowsing</key>
<true/>