ENS WebControl uses an extension on supported browsers to manage sites. Often its required to prevent users from Disabling/Uninstalling WebControl Extensions.

KB87568 outlines key configuration to be used in GPO policies.

We will see how to use GPO configuration to enforce WebControl Extensions on Supported Browsers.

Note:- GPO configuration are beyond the scope of technical support.  Configurations for browsers has to be manually downloaded in the form of ADMX. We do Not take responsibility for any issues caused by Misconfiguration.

Computer Based GPO policies are used for the purpose of this demonstration. The same should also apply to User Based GPO policies.

Before proceeding, please ensure ENS WebControl module is installed successfully on the target systems.

Internet Explorer

It can be managed via Web Control Policy. No GPO configuration required

1. On ePO, navigate to Menu > Policy Catalog
2. Under Products. Select Endpoint Security Web Control
3. Expand Options. Click Edit next to the Policy in use
4. Select the Configuration as shown below and Save

5. Systems will take in the policy changes as per Agent-Server communication (Default time 60mins). Alternatively, send a wake-up Agent task to the desired system.

Microsoft Edge

1. Follow the URL below for Edge ADMX files

_https_://_www.microsoft.com/en-us/edge/business/download

* Remove _ from the URL

2. Download latest Policy File available for Edge. Click on Windows 64-bit Policy

3. It downloads MicrosoftEdgePolicyTemplates.cab
4. Double click the file and choose a location to extract
5. Then extract MicrosoftEdgePolicyTemplates.zip file to access the path - \EdgePolicyFiles\MicrosoftEdgePolicyTemplates\windows\ADMX

6. Create PolicyDefinitions folder under C:\Windows\SYSVOL\domain\Policies on AD Server if it doesn’t exist.
7. Copy the following files from ADMX folder (Step 5) to PolicyDefinitions

8. Open Group Policy Management and access the policy files

9. Double Click Control which extensions are installed silently
10. Choose Enabled and click on Show. Enter the following Text in Show Contents

bnloapiedmegfapoomlbhpnkipeekgfo;_https_://_edge.microsoft.com/extensionwebstorebase/v1/crx

* Remove _ from the text above. Use as shown in screenshot below.

11. Click Ok & then Apply & OK to save the changes
12. Run gpupdate /force on the client to enforce the policies

GoogleChrome

1. Follow the URL below for Chrome ADMX files.

_https_://_support.google.com/chrome/a/answer/187202?hl=en

* Remove _ from the URL

2. Click on Zip file of Google Chrome templates as shown below. It downloads policy_templates.zip

3. Extract it to a folder. Access the path \policy_templates\windows\admx
4. Copy following files to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions on AD Server



5. Open Group Policy Management and configure policies

6. Double Click Configure the list of force-installed apps and extensions

7. Choose Enabled and click on Show. Enter the following Text in Show Content

jjkchpdmjjdmalgembblgafllbpcjlei;_https_://_clients2.google.com/service/update2/crx

* Remove _ from the text above. Use as shown in screenshot below.

8. Click Ok & then Apply & OK to save the changes
9. Run gpupdate /force on the client to enforce the policies

Mozilla Firefox

1. Follow the link below to download configuration files for Firefox

_https_://_github.com/mozilla/policy-templates/releases

* Remove _ from the URL

2. Download Policy_templates_<VersionNo.>.zip



3. Extract Policy_templates_<VersionNo.>.zip and access path \windows



4. Copy the following to C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions on AD Server
5. Open Group Policy Management to configure policies
6. Double Click Extensions to Install 

7. Choose Enabled. Then click Show. Enter the following values under Show Contents

C:\Program Files\McAfee\Endpoint Security\Web Control\e10swcffplg.xpi
C:\Program Files (x86)\McAfee\Endpoint Security\Web Control\e10swcffplg.xpi

8. Click Ok , then Apply and Ok.
9. In the same Policy Page. Double Click Prevent Extensions from being disabled or removed

10. Choose Enabled. Then click Show. Enter the following values under Show Contents

{cb40da56-497a-4add-955d-3377cae4c33b}

11. Click Ok & then Apply & OK to save the changes


12. Run gpupdate /force on the client to enforce the policies

The above configuration should help restrict users from disabling/uninstalling extensions from browsers.

Extensions may not be enforced in Private/Incognito Mode. Its a browser design and only option is to disable Private Mode altogether.

To disable Private/Incognito Mode. Refer the Screenshots below.

1. Microsoft Edge

2. Google Chrome

3. Mozilla Firefox

Please update GPO policies on the system (gpupdate /force) for the changes to take effect.

These configurations can also be used on a Workgroup system. The policy files (ADMX) needs to copied to C:\Windows\PolicyDefinitions. Then follow the instructions as explained above.

If there are any suggestions, please send a private message on community.

Thanks