Browser Extension - Enterprise Deployment

Documentation Index

Fetch the complete documentation index at: https://docs.velatir.com/llms.txt

Use this file to discover all available pages before exploring further.

​

Overview

Deploy the Velatir browser extension to managed devices with pre-configured settings. Pick a deployment method below; the browser support and configuration reference follow underneath.

​

Deployment methods

Choose the path that matches your platform and tooling. The MSI is the recommended route for Windows fleets.

​

Extension Details

​

Supported Browsers

Velatir’s deployment methods cover every browser that publishes an enterprise policy surface. Where a browser does not yet expose one, the relevant limitation is called out inline. Vivaldi, Brave, and Atlas install the Chrome Web Store build of the extension (same extension ID, same managed-storage schema), so no separate listing is required.

​

Managed Configuration

The extension accepts configuration via managed storage:

​

Directory Context (optional)

The Windows MSI ships with an optional native messaging host that attaches each signed-in user’s department, office, OU hierarchy, and group memberships from Active Directory or Microsoft Entra ID to every trace. Add ENABLE_LDAP_HOST=1 to the MSI command line to install it alongside the extension. See Directory Context for the admin consent step in Entra, the single-machine verification, and what does (and does not) get sent.

---

​

Vendor-managed browsers (Island, Prisma Access, Surf)

Enterprise browsers ship their own management plane and do not honour host-OS Chromium policy registry keys or managed-preference plists for extension force-install. The Velatir extension can still be force-installed and pre-configured, but the configuration lives in each vendor’s admin console rather than in the MSI or .mobileconfig. For all three browsers, paste these values into the vendor’s extension policy field:

​

Island Browser

1. Sign in to the Island admin console
2. Go to Device Management > Extensions > Extension Policy
3. Add a new policy, paste the extension ID above, and set installation mode to Force-installed
4. In the extension configuration field, paste the managed-storage JSON
5. Scope the policy to your user / device groups

See Island’s documentation on managing browser extensions in the enterprise for the latest console layout.

​

Prisma Access Browser (formerly Talon)

Talon Cyber Security was acquired by Palo Alto Networks in December 2023 and the browser is now sold as Prisma Access Browser. Extension management is administered from Strata Cloud Manager.

1. Sign in to Strata Cloud Manager
2. Open the Prisma Access Browser policy profile you want to scope this to
3. Under Manage Extensions / Configure Extensions, allow bbiokppljpbjgiogcoggjnfffbeiihja and set it to force-install from the Chrome Web Store update URL
4. Paste the managed-storage JSON into the extension’s configuration field

See the Palo Alto Networks documentation on managing Prisma Access Browser extensions for the current console UI.

​

Surf Security

1. Sign in to the Surf admin console
2. Open the extension management section
3. Add bbiokppljpbjgiogcoggjnfffbeiihja as a force-installed extension
4. Provide the managed-storage JSON in the extension configuration field

Surf has not published a registry path or preference domain for direct GPO/MDM deployment; configuration runs through the console.

---

​

Browsers without an enterprise policy surface

These browsers do not publish a policy framework that can force-install an extension. The extension still works — users install it manually from the Chrome Web Store and enter the API token from the extension popup the first time it opens.

• Arc (The Browser Company) — Arc documents only a small set of Arc-specific feature toggles via a user-local plist. There is no Chromium-style ExtensionInstallForcelist surface. With Arc in maintenance mode, this is unlikely to change.
• Dia (The Browser Company) — Dia’s for-work page advertises support for “standard Chromium enterprise policies” but the company has not yet published the registry path, preference domain, or any policy key list. When they publish a policy reference, we will add Dia to the MSI / mobileconfig.
• Perplexity Comet — Perplexity advertises 500+ Chromium policies via MDM but has not published the registry root. Admins who need centralised configuration can request the enterprise admin guide directly from Perplexity.
• Opera / Opera GX — Opera does not honour Chromium policy registry keys or managed-preference plists. Users on Opera install via Opera’s “Install Chrome Extensions” add-on and complete the API token from the extension popup.

For any of these browsers, the manual install path is:

1. Open the Chrome Web Store listing for Velatir
2. Click Add to browser
3. Open the Velatir popup and enter the API token + organisation name

---

​

Verification

​

Windows

1. Trigger an Intune sync on the device or wait for the scheduled check-in
2. Verify policies are applied:
   • Chrome: Navigate to chrome://policy and click Reload policies
   • Edge: Navigate to edge://policy and click Reload policies
   • Firefox: Navigate to about:policies
   • Vivaldi: Navigate to vivaldi://policy and click Reload policies
   • Brave: Navigate to brave://policy and click Reload policies
3. Verify you see:
   • Chrome / Edge / Vivaldi / Brave: ExtensionInstallForcelist with the Velatir extension ID, and your configured apiToken and organizationName
   • Firefox: ExtensionSettings containing velatir@velatir.com with force_installed mode
4. Confirm the extension is installed:
   • Chrome: chrome://extensions
   • Edge: edge://extensions
   • Firefox: about:addons (should show “Installed by enterprise policy”)
   • Vivaldi: vivaldi://extensions
   • Brave: brave://extensions

​

macOS

1. After the Jamf profile deploys, verify the plist files exist:
   # Chrome
   ls /Library/Managed\ Preferences/com.google.Chrome.plist
   
   # Edge
   ls /Library/Managed\ Preferences/com.microsoft.Edge.plist
   
   # Firefox
   ls /Library/Managed\ Preferences/org.mozilla.firefox.plist
   
   # Vivaldi
   ls /Library/Managed\ Preferences/com.vivaldi.Vivaldi.plist
   
   # Brave
   ls /Library/Managed\ Preferences/com.brave.Browser.plist
   
   # ChatGPT Atlas
   ls /Library/Managed\ Preferences/com.openai.atlas.web.plist
   
2. Check the applied settings:
   # Chrome
   defaults read /Library/Managed\ Preferences/com.google.Chrome
   
   # Firefox
   defaults read /Library/Managed\ Preferences/org.mozilla.firefox
   
   # Brave
   defaults read /Library/Managed\ Preferences/com.brave.Browser
   
3. Verify policies in the browser:
   • Chrome: chrome://policy
   • Edge: edge://policy
   • Firefox: about:policies
   • Vivaldi: vivaldi://policy
   • Brave: brave://policy
   • ChatGPT Atlas: open the extensions page from the Atlas menu and confirm Velatir is present
4. Confirm the extension is installed:
   • Chrome: chrome://extensions
   • Edge: edge://extensions
   • Firefox: about:addons
   • Vivaldi: vivaldi://extensions
   • Brave: brave://extensions
   • ChatGPT Atlas: extensions panel in the Atlas menu

---

​

Troubleshooting

​

Extension not installing

• Windows: Verify the device has synced with Intune. Check Devices > Monitor > Device configuration status
• macOS: Verify the configuration profile is installed under System Settings > Privacy & Security > Profiles
• Firefox (macOS): Ensure EnterprisePoliciesEnabled is set to true in the plist. Firefox ignores all policies without it.
• Ensure the browser is installed before the policy applies
• Check the browser’s policy page for errors (chrome://policy, edge://policy, or about:policies for Firefox)

​

Configuration not appearing

• Windows: Verify the script is running in 64-bit PowerShell with administrator / SYSTEM privileges
• macOS: Check that the preference domain matches exactly (com.google.Chrome, com.microsoft.Edge, or org.mozilla.firefox)
• Firefox (Windows): If using policies.json, check that the file exists at C:\Program Files\Mozilla Firefox\distribution\policies.json. Firefox updates can remove this directory.
• Restart the browser after policy changes

​

Policy conflicts (Windows)

If multiple Intune profiles configure ExtensionInstallForcelist, they may conflict. Use the MSI or the PowerShell script instead of the Settings Catalog to avoid this issue, as both write to a high-numbered value name (1000) that does not collide with MDM-managed entries.

​

32-bit vs 64-bit context (Windows)

Registry changes may be written to WOW6432Node if the script runs in 32-bit context. Always run the configuration and uninstall scripts in 64-bit PowerShell.

---