Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.velatir.com/llms.txt

Use this file to discover all available pages before exploring further.

Overview

Deploy the Velatir browser extension to managed devices with pre-configured settings. This guide covers deployment via Microsoft Intune (Windows), SCCM / Configuration Manager (Windows), and Jamf Pro (macOS).

Extension Details

BrowserExtension IDStore Link
ChromebbiokppljpbjgiogcoggjnfffbeiihjaChrome Web Store
EdgephgnjcoglpdamjjmidheehacjbkgkoocEdge Add-ons
Firefoxvelatir@velatir.comFirefox Add-ons

Managed Configuration

The extension accepts configuration via managed storage:
PropertyTypeDescription
apiTokenstringYour Velatir API key
organizationNamestringDisplay name shown in the extension
Additional properties (endpoint, organizationId, enabledServices) are available for advanced configurations. Contact support if you need these.

Microsoft Intune (Windows)

This is the simplest and most reliable method. It works on all Windows editions (Pro, Enterprise, Education), deploys to all browsers in one step, and configures the API token and organisation name automatically. Download the MSI installer: 
https://cdn.velatir.com/VelatirExtension-x64.msi
For ARM64 Windows fleets, use VelatirExtension-arm64.msi instead. The examples below show the x64 filename; substitute the arm64 name throughout for ARM64 deployments.

MSI Properties

PropertyRequiredDescription
API_TOKENYesYour Velatir API token (e.g., vltr_...)
ORGANIZATION_NAMEYesYour organisation’s display name shown in the extension
ADDLOCALNoComma-separated list of browsers. Defaults to all. Options: Chrome, Edge, Firefox
ENABLE_PRIVATE_BROWSINGNoSet to 1 to enable the extension in private browsing. Applies to Edge (InPrivate) and Firefox only. Chrome does not support this on Windows.

Steps

  1. Sign in to the Microsoft Intune admin center
  2. Navigate to Apps > All apps, then click + Add
  3. Select Line-of-Business app as the App Type
  4. Upload VelatirExtension-x64.msi (or VelatirExtension-arm64.msi for ARM64 fleets) in the App package file field and click OK
  5. In App information, fill in the following:
    • Name: Velatir Browser Extension
    • Description: Velatir AI compliance browser extension
    • Publisher: Velatir
    • Set Ignore app version to No
    • In the Command-line arguments field, enter: 
      /qn API_TOKEN="vltr_yourApiTokenHere" ORGANIZATION_NAME="Your Organization"
  6. Click OK, then click Next
  7. In the Assignments tab, click Add group and select the device groups to deploy to
  8. Click Next, review your configuration, and click Create
To deploy to specific browsers only, add ADDLOCAL to the command-line arguments: 
/qn API_TOKEN="vltr_yourApiTokenHere" ORGANIZATION_NAME="Your Organization" ADDLOCAL=Chrome,Edge
To enable private browsing support (Edge InPrivate + Firefox), add ENABLE_PRIVATE_BROWSING: 
/qn API_TOKEN="vltr_yourApiTokenHere" ORGANIZATION_NAME="Your Organization" ENABLE_PRIVATE_BROWSING=1
In Firefox, the extension is automatically enabled in private browsing mode. In Edge, the policy requires the extension to be allowed in InPrivate, but each user must still manually enable the extension for InPrivate mode in their browser settings.

Updating the API Token

To rotate the API token, update the command-line arguments with the new token value and redeploy. Reinstalling overwrites the existing registry keys: 
/qn API_TOKEN="vltr_newTokenHere" ORGANIZATION_NAME="Your Organization"
The MSI writes registry keys to force-install the extension from each browser’s official store and configure managed storage with your API token. When ENABLE_PRIVATE_BROWSING=1 is set, it also configures Edge MandatoryExtensionsForInPrivateNavigation (blocks InPrivate until the user enables the extension) and Firefox private_browsing in ExtensionSettings (enables directly). Chrome does not support an Incognito policy on Windows. No files are copied beyond a marker in Program Files\Velatir. Uninstalling removes all registry keys cleanly.

Method B: PowerShell Script

A single PowerShell script covers Chrome, Edge, and Firefox. It uses the Windows computer name ($env:COMPUTERNAME) as the machineId shared across all three browsers, matching the MSI’s behaviour so both deployment paths produce the same value. Edit $ApiToken and $OrganizationName at the top of the script, then run it as Administrator or SYSTEM in 64-bit PowerShell. Set $EnablePrivateBrowsing = $true to enable the extension in Edge InPrivate and Firefox private browsing. Configuration script (Configure-Velatir.ps1): 
# Configuration - UPDATE THESE VALUES
$ApiToken = "your-api-token-here"
$OrganizationName = "Your Organization"
$EnablePrivateBrowsing = $false  # Set to $true to enable in Edge InPrivate and Firefox private browsing

# Extension IDs
$ChromeId = "bbiokppljpbjgiogcoggjnfffbeiihja"
$EdgeId = "phgnjcoglpdamjjmidheehacjbkgkooc"
$FirefoxId = "velatir@velatir.com"

# Machine ID: Windows computer name. Matches the MSI's [ComputerName] behaviour.
$MachineId = $env:COMPUTERNAME

function Set-ManagedPolicy($Path, $Token, $OrgName, $Id) {
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    Set-ItemProperty -Path $Path -Name "apiToken" -Value $Token -Type String
    Set-ItemProperty -Path $Path -Name "organizationName" -Value $OrgName -Type String
    Set-ItemProperty -Path $Path -Name "machineId" -Value $Id -Type String
}

# Chrome
$ChromeForcelist = "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
if (-not (Test-Path $ChromeForcelist)) {
    New-Item -Path $ChromeForcelist -Force | Out-Null
}
# Use name "1000" to avoid colliding with MDM-managed entries (which start at 1)
Set-ItemProperty -Path $ChromeForcelist -Name "1000" -Value "$ChromeId;https://clients2.google.com/service/update2/crx" -Type String
Set-ManagedPolicy "HKLM:\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\$ChromeId\policy" $ApiToken $OrganizationName $MachineId

# Edge
$EdgeForcelist = "HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist"
if (-not (Test-Path $EdgeForcelist)) {
    New-Item -Path $EdgeForcelist -Force | Out-Null
}
Set-ItemProperty -Path $EdgeForcelist -Name "1000" -Value "$EdgeId;https://edge.microsoft.com/extensionwebstorebase/v1/crx" -Type String
Set-ManagedPolicy "HKLM:\SOFTWARE\Policies\Microsoft\Edge\3rdparty\extensions\$EdgeId\policy" $ApiToken $OrganizationName $MachineId

# Edge InPrivate (opt-in)
$EdgeInPrivate = "HKLM:\SOFTWARE\Policies\Microsoft\Edge\MandatoryExtensionsForInPrivateNavigation"
if ($EnablePrivateBrowsing) {
    if (-not (Test-Path $EdgeInPrivate)) {
        New-Item -Path $EdgeInPrivate -Force | Out-Null
    }
    Set-ItemProperty -Path $EdgeInPrivate -Name "1000" -Value $EdgeId -Type String
} elseif (Test-Path $EdgeInPrivate) {
    Remove-ItemProperty -Path $EdgeInPrivate -Name "1000" -ErrorAction SilentlyContinue
}

# Firefox
# Force-install via Extensions\Install to avoid overwriting ExtensionSettings (a single JSON value that may conflict with MDM)
$FirefoxInstall = "HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Extensions\Install"
if (-not (Test-Path $FirefoxInstall)) {
    New-Item -Path $FirefoxInstall -Force | Out-Null
}
Set-ItemProperty -Path $FirefoxInstall -Name "1000" -Value "https://addons.mozilla.org/firefox/downloads/latest/velatir/latest.xpi" -Type String
Set-ManagedPolicy "HKLM:\SOFTWARE\Policies\Mozilla\Firefox\3rdparty\Extensions\$FirefoxId" $ApiToken $OrganizationName $MachineId

# Firefox private browsing (opt-in)
$FirefoxPolicyKey = "HKLM:\SOFTWARE\Policies\Mozilla\Firefox"
if ($EnablePrivateBrowsing) {
    $ExtensionSettings = '{"velatir@velatir.com":{"private_browsing":true}}'
    Set-ItemProperty -Path $FirefoxPolicyKey -Name "ExtensionSettings" -Value $ExtensionSettings -Type String
} elseif (Get-ItemProperty -Path $FirefoxPolicyKey -Name "ExtensionSettings" -ErrorAction SilentlyContinue) {
    Remove-ItemProperty -Path $FirefoxPolicyKey -Name "ExtensionSettings" -ErrorAction SilentlyContinue
}

Write-Output "Velatir browser extensions configured (machineId: $MachineId)"
The script uses the Windows computer name ($env:COMPUTERNAME) as the machineId and writes it into each browser’s managed policy. The value is stable across reruns and consistent between Chrome, Edge, and Firefox, matching the MSI deployment behaviour.
To deploy to a subset of browsers, comment out the corresponding Chrome, Edge, or Firefox section in both the configuration and uninstall scripts.
In Firefox, setting $EnablePrivateBrowsing = $true enables the extension in private browsing automatically. In Edge, the policy requires the extension to be allowed in InPrivate, but each user must still manually enable the extension for InPrivate mode in their browser settings. Chrome does not support an Incognito policy on Windows.

Uninstall

To reverse everything the configuration script writes, run the script below. It’s safe to run whether or not the configuration script has been applied, and it leaves any MDM-managed policies (at forcelist indexes other than 1000) untouched. Uninstall script (Remove-Velatir.ps1): 
$ChromeId = "bbiokppljpbjgiogcoggjnfffbeiihja"
$EdgeId = "phgnjcoglpdamjjmidheehacjbkgkooc"
$FirefoxId = "velatir@velatir.com"

function Remove-ForcelistEntry($Path, $Name) {
    if (Test-Path $Path) {
        Remove-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    }
}

# Chrome
Remove-ForcelistEntry "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist" "1000"
Remove-Item -Path "HKLM:\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\$ChromeId" -Recurse -Force -ErrorAction SilentlyContinue

# Edge
Remove-ForcelistEntry "HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist" "1000"
Remove-ForcelistEntry "HKLM:\SOFTWARE\Policies\Microsoft\Edge\MandatoryExtensionsForInPrivateNavigation" "1000"
Remove-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Edge\3rdparty\extensions\$EdgeId" -Recurse -Force -ErrorAction SilentlyContinue

# Firefox (registry)
Remove-ForcelistEntry "HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Extensions\Install" "1000"
# Only clear ExtensionSettings if it matches the private-browsing-only blob written by the configuration script
$FxKey = "HKLM:\SOFTWARE\Policies\Mozilla\Firefox"
$ExtSettings = (Get-ItemProperty -Path $FxKey -Name "ExtensionSettings" -ErrorAction SilentlyContinue).ExtensionSettings
if ($ExtSettings -eq '{"velatir@velatir.com":{"private_browsing":true}}') {
    Remove-ItemProperty -Path $FxKey -Name "ExtensionSettings" -ErrorAction SilentlyContinue
}
Remove-Item -Path "HKLM:\SOFTWARE\Policies\Mozilla\Firefox\3rdparty\Extensions\$FirefoxId" -Recurse -Force -ErrorAction SilentlyContinue

# Firefox policies.json alternative: remove only Velatir entries, leave other policies intact
$PolicyFile = "C:\Program Files\Mozilla Firefox\distribution\policies.json"
if (Test-Path $PolicyFile) {
    try {
        $Policy = Get-Content $PolicyFile -Raw | ConvertFrom-Json -AsHashtable
        if ($Policy.policies.ExtensionSettings) {
            $Policy.policies.ExtensionSettings.Remove($FirefoxId)
            if ($Policy.policies.ExtensionSettings.Count -eq 0) { $Policy.policies.Remove("ExtensionSettings") }
        }
        if ($Policy.policies."3rdparty".Extensions) {
            $Policy.policies."3rdparty".Extensions.Remove($FirefoxId)
            if ($Policy.policies."3rdparty".Extensions.Count -eq 0) { $Policy.policies.Remove("3rdparty") }
        }
        if ($Policy.policies.Count -eq 0) {
            Remove-Item -Path $PolicyFile -Force
        } else {
            $Policy | ConvertTo-Json -Depth 10 | Set-Content -Path $PolicyFile -Encoding UTF8
        }
    } catch {}
}

# Legacy cleanup: earlier versions of the configuration script persisted a
# generated GUID here. Remove it if present so upgrades leave no stale data.
Remove-Item -Path "HKLM:\SOFTWARE\Velatir\BrowserExtension" -Recurse -Force -ErrorAction SilentlyContinue
$VelatirRoot = "HKLM:\SOFTWARE\Velatir"
if ((Test-Path $VelatirRoot) -and -not (Get-ChildItem $VelatirRoot -ErrorAction SilentlyContinue)) {
    Remove-Item -Path $VelatirRoot -Force -ErrorAction SilentlyContinue
}

Write-Output "Velatir browser policies removed"
Removing the force-install policy does not uninstall the extension from existing browser profiles. Users will simply be able to disable or remove it themselves. To force removal, block the extension first (Chrome/Edge ExtensionInstallBlocklist, or Firefox ExtensionSettings with installation_mode: blocked) before running the uninstall script.
If you deployed via the MSI rather than this script, use msiexec /x VelatirExtension-x64.msi /qn (or VelatirExtension-arm64.msi for ARM64 fleets) — the MSI’s uninstall removes its own registry writes cleanly.

Alternative: Firefox via policies.json

If you prefer a policies.json file over registry keys for Firefox, use the following script instead of (or alongside) the Firefox section above. Configuration script (Configure-VelatirFirefoxJson.ps1): 
# Configuration - UPDATE THESE VALUES
$ApiToken = "your-api-token-here"
$OrganizationName = "Your Organization"

# Machine ID: Windows computer name. Matches the MSI's [ComputerName] behaviour.
$MachineId = $env:COMPUTERNAME

$PolicyDir = "C:\Program Files\Mozilla Firefox\distribution"
$PolicyFile = "$PolicyDir\policies.json"

if (-not (Test-Path $PolicyDir)) {
    New-Item -Path $PolicyDir -ItemType Directory -Force | Out-Null
}

# Merge with existing policies.json if present
$Policy = @{ policies = @{} }
if (Test-Path $PolicyFile) {
    try {
        $Policy = Get-Content $PolicyFile -Raw | ConvertFrom-Json -AsHashtable
    } catch {
        $Policy = @{ policies = @{} }
    }
}

$Policy.policies.ExtensionSettings = @{
    "velatir@velatir.com" = @{
        installation_mode = "force_installed"
        install_url = "https://addons.mozilla.org/firefox/downloads/latest/velatir/latest.xpi"
        private_browsing = $true
    }
}

$Policy.policies."3rdparty" = @{
    Extensions = @{
        "velatir@velatir.com" = @{
            apiToken = $ApiToken
            organizationName = $OrganizationName
            machineId = $MachineId
        }
    }
}

$Policy | ConvertTo-Json -Depth 10 | Set-Content -Path $PolicyFile -Encoding UTF8

Write-Output "Velatir Firefox policies.json configured (machineId: $MachineId)"
Firefox updates may remove the distribution folder. If using this method, schedule the script to run regularly (e.g., once per day) to ensure the file is recreated after updates.

Method C: Settings Catalog (Force Install Only)

Use this method if you only need to force-install the extension without pre-configured settings. Users will need to enter their API token manually after installation.
The Intune Settings Catalog does not support Firefox extension deployment. For Firefox, use Method A or Method B.
  1. Sign in to the Microsoft Intune admin center
  2. Go to Devices > Configuration > Create > New policy
  3. Select:
    • Platform: Windows 10 and later
    • Profile type: Settings catalog
  4. Name your profile (e.g., “Velatir Chrome Extension”)
  5. Click Add settings and search for Google Chrome
  6. Select Google Chrome > Extensions
  7. Enable Configure the list of force-installed apps and extensions
  8. Add the following value: 
    bbiokppljpbjgiogcoggjnfffbeiihja;https://clients2.google.com/service/update2/crx
  9. Assign to your device groups and create the profile

SCCM / Configuration Manager (Windows)

If your organisation uses Microsoft SCCM (ConfigMgr) instead of Intune, you can deploy the Velatir browser extension using the pre-built MSI installer that Velatir provides. No need to build anything. Just pass your API token and organisation name as properties at install time. Download the MSI installer: 
https://cdn.velatir.com/VelatirExtension-x64.msi
For ARM64 Windows fleets, use VelatirExtension-arm64.msi instead. The examples below show the x64 filename; substitute the arm64 name throughout for ARM64 deployments.

MSI Properties

PropertyRequiredDescription
API_TOKENYesYour Velatir API token (e.g., vltr_...)
ORGANIZATION_NAMEYesYour organisation’s display name shown in the extension
ADDLOCALNoComma-separated list of browsers. Defaults to all. Options: Chrome, Edge, Firefox
ENABLE_PRIVATE_BROWSINGNoSet to 1 to enable the extension in private browsing. Applies to Edge (InPrivate) and Firefox only.

Step 1: Create an Application

  1. Open the Configuration Manager Console
  2. Navigate to Software Library > Application Management > Applications
  3. Click Create Application > Manually specify the application information
  4. Add a Deployment Type and select Script Installer
  5. Set the content location to the network share containing VelatirExtension-x64.msi (and VelatirExtension-arm64.msi if you support ARM64 endpoints)

Step 2: Configure Install Command

All browsers (Chrome, Edge, and Firefox): 
msiexec /i VelatirExtension-x64.msi API_TOKEN=vltr_yourApiTokenHere ORGANIZATION_NAME="Your Organization" /qn
Specific browsers only (e.g., Chrome and Edge): 
msiexec /i VelatirExtension-x64.msi API_TOKEN=vltr_yourApiTokenHere ORGANIZATION_NAME="Your Organization" ADDLOCAL=Chrome,Edge /qn
With private browsing support (Edge + Firefox): 
msiexec /i VelatirExtension-x64.msi API_TOKEN=vltr_yourApiTokenHere ORGANIZATION_NAME="Your Organization" ENABLE_PRIVATE_BROWSING=1 /qn
In Firefox, the extension is automatically enabled in private browsing mode. In Edge, the policy requires the extension to be allowed in InPrivate, but each user must still manually enable the extension for InPrivate mode in their browser settings.
Uninstall command: 
msiexec /x VelatirExtension-x64.msi /qn

Step 3: Configure Detection Method

Use a registry-based detection rule to check if the extension is already configured:
SettingValue
HiveHKEY_LOCAL_MACHINE
KeySOFTWARE\Policies\Google\Chrome\3rdparty\extensions\bbiokppljpbjgiogcoggjnfffbeiihja\policy
ValueapiToken
Data TypeString
RuleThe registry setting must exist

Step 4: Deploy

  1. Right-click the application > Deploy
  2. Select the target Device Collection
  3. Set purpose to Required (auto-install) or Available (self-service via Software Center)
  4. Set a deployment schedule and complete the wizard

Updating the API Token

To rotate the API token, re-deploy the MSI with the new value. Reinstalling overwrites the existing registry keys: 
msiexec /i VelatirExtension-x64.msi API_TOKEN=vltr_newTokenHere ORGANIZATION_NAME="Your Organization" /qn
The MSI writes registry keys to force-install the extension from the browser’s official store and configure managed storage with your API token. When ENABLE_PRIVATE_BROWSING=1 is set, it also configures private browsing for Edge (InPrivate) and Firefox. Chrome does not support an Incognito policy on Windows. No files are copied beyond a marker in Program Files\Velatir. Uninstalling removes all registry keys cleanly.

Manual Registry Configuration (Windows)

If you’re not using Intune or SCCM, you can apply the same policies directly to the Windows registry. Use regedit, Group Policy Preferences, or any other tool that writes registry values. The tables below list every key, value name, and data needed. All values are written under HKEY_LOCAL_MACHINE (HKLM) as REG_SZ (String). Run any tool you use in 64-bit context so writes don’t land under WOW6432Node.
Use the value name 1000 for the force-install entries. This avoids colliding with MDM-managed entries, which typically start at 1.
Required
KeyValue nameData
SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist1000bbiokppljpbjgiogcoggjnfffbeiihja;https://clients2.google.com/service/update2/crx
SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\bbiokppljpbjgiogcoggjnfffbeiihja\policyapiTokenYour Velatir API token (e.g. vltr_...)
SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\bbiokppljpbjgiogcoggjnfffbeiihja\policyorganizationNameYour organisation’s display name
Optional
KeyValue nameData
SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\bbiokppljpbjgiogcoggjnfffbeiihja\policymachineIdStable per-device identifier (e.g. computer name)
Chrome does not support an Incognito policy on Windows, so there’s no equivalent to the Edge InPrivate or Firefox private-browsing entry.
To remove the configuration, delete the values you added. Removing the force-install entry doesn’t uninstall the extension from existing browser profiles. Users will simply be able to disable or remove it themselves.

Jamf Pro (macOS)

Configuration Profile

A single .mobileconfig profile handles force-install and managed storage for Chrome, Edge, and Firefox. Upload it to Jamf Pro as a Configuration Profile (or any MDM that supports .mobileconfig files).
Replace vltr_yourApiTokenHere with your Velatir API token and Your Organization with your organisation’s display name before deploying.
The Firefox payload sets EnterprisePoliciesEnabled to true. Without it, Firefox ignores all enterprise policy configuration on macOS.
velatir-browser-extension.mobileconfig
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <!-- Chrome: Force install -->
        <dict>
            <key>PayloadType</key>
            <string>com.google.Chrome</string>
            <key>PayloadIdentifier</key>
            <string>com.velatir.chrome.forcelist</string>
            <key>PayloadUUID</key>
            <string>5ECD8344-941A-45C0-BE37-7E13BCBBBBBE</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>ExtensionInstallForcelist</key>
            <array>
                <string>bbiokppljpbjgiogcoggjnfffbeiihja;https://clients2.google.com/service/update2/crx</string>
            </array>
        </dict>
        <!-- Chrome: Extension managed storage -->
        <dict>
            <key>PayloadType</key>
            <string>com.google.Chrome.extensions.bbiokppljpbjgiogcoggjnfffbeiihja</string>
            <key>PayloadIdentifier</key>
            <string>com.velatir.chrome.extension.config</string>
            <key>PayloadUUID</key>
            <string>5102578B-1554-4556-B895-591A7621A7F8</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>apiToken</key>
            <string>vltr_yourApiTokenHere</string>
            <key>organizationName</key>
            <string>Your Organization</string>
        </dict>
        <!-- Edge: Force install + require for InPrivate -->
        <dict>
            <key>PayloadType</key>
            <string>com.microsoft.Edge</string>
            <key>PayloadIdentifier</key>
            <string>com.velatir.edge.forcelist</string>
            <key>PayloadUUID</key>
            <string>590735BD-010D-4C3E-BB5B-0FF9DE7577B8</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>ExtensionInstallForcelist</key>
            <array>
                <string>phgnjcoglpdamjjmidheehacjbkgkooc;https://edge.microsoft.com/extensionwebstorebase/v1/crx</string>
            </array>
            <key>MandatoryExtensionsForInPrivateNavigation</key>
            <array>
                <string>phgnjcoglpdamjjmidheehacjbkgkooc</string>
            </array>
        </dict>
        <!-- Edge: Extension managed storage -->
        <dict>
            <key>PayloadType</key>
            <string>com.microsoft.Edge.extensions.phgnjcoglpdamjjmidheehacjbkgkooc</string>
            <key>PayloadIdentifier</key>
            <string>com.velatir.edge.extension.config</string>
            <key>PayloadUUID</key>
            <string>963ED0A7-556F-45A6-8F17-A0DBDF3DA264</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>apiToken</key>
            <string>vltr_yourApiTokenHere</string>
            <key>organizationName</key>
            <string>Your Organization</string>
        </dict>
        <!-- Firefox: Force install + managed storage + enterprise policies -->
        <dict>
            <key>PayloadType</key>
            <string>org.mozilla.firefox</string>
            <key>PayloadIdentifier</key>
            <string>com.velatir.firefox.config</string>
            <key>PayloadUUID</key>
            <string>8B2A4F6E-3D5C-4A1B-9E7F-2C6D8A0B4E1C</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>EnterprisePoliciesEnabled</key>
            <true/>
            <key>ExtensionSettings</key>
            <dict>
                <key>velatir@velatir.com</key>
                <dict>
                    <key>installation_mode</key>
                    <string>force_installed</string>
                    <key>install_url</key>
                    <string>https://addons.mozilla.org/firefox/downloads/latest/velatir/latest.xpi</string>
                    <key>private_browsing</key>
                    <true/>
                </dict>
            </dict>
            <key>3rdparty</key>
            <dict>
                <key>Extensions</key>
                <dict>
                    <key>velatir@velatir.com</key>
                    <dict>
                        <key>apiToken</key>
                        <string>vltr_yourApiTokenHere</string>
                        <key>organizationName</key>
                        <string>Your Organization</string>
                    </dict>
                </dict>
            </dict>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Velatir Browser Extension</string>
    <key>PayloadIdentifier</key>
    <string>com.velatir.browser.profile</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>D582F777-FEBE-4B67-A3DC-35FD07F37E03</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
  1. In Jamf Pro, go to Computers > Configuration Profiles > Upload
  2. Upload the .mobileconfig file above
  3. Scope the profile to your target computers
  4. Save the configuration profile

Verification

Windows

  1. Trigger an Intune sync on the device or wait for the scheduled check-in
  2. Verify policies are applied:
    • Chrome: Navigate to chrome://policy and click Reload policies
    • Edge: Navigate to edge://policy and click Reload policies
    • Firefox: Navigate to about:policies
  3. Verify you see:
    • Chrome/Edge: ExtensionInstallForcelist with the Velatir extension ID, and your configured apiToken and organizationName
    • Firefox: ExtensionSettings containing velatir@velatir.com with force_installed mode
  4. Confirm the extension is installed:
    • Chrome: chrome://extensions
    • Edge: edge://extensions
    • Firefox: about:addons (should show “Installed by enterprise policy”)

macOS

  1. After the Jamf profile deploys, verify the plist files exist: 
    # Chrome
ls /Library/Managed\ Preferences/com.google.Chrome.plist

# Edge
ls /Library/Managed\ Preferences/com.microsoft.Edge.plist

# Firefox
ls /Library/Managed\ Preferences/org.mozilla.firefox.plist
  2. Check the applied settings: 
    # Chrome
defaults read /Library/Managed\ Preferences/com.google.Chrome

# Firefox
defaults read /Library/Managed\ Preferences/org.mozilla.firefox
  3. Verify policies in the browser:
    • Chrome: chrome://policy
    • Edge: edge://policy
    • Firefox: about:policies
  4. Confirm the extension is installed:
    • Chrome: chrome://extensions
    • Edge: edge://extensions
    • Firefox: about:addons

Troubleshooting

Extension not installing

  • Windows: Verify the device has synced with Intune. Check Devices > Monitor > Device configuration status
  • macOS: Verify the configuration profile is installed under System Settings > Privacy & Security > Profiles
  • Firefox (macOS): Ensure EnterprisePoliciesEnabled is set to true in the plist. Firefox ignores all policies without it.
  • Ensure the browser is installed before the policy applies
  • Check the browser’s policy page for errors (chrome://policy, edge://policy, or about:policies for Firefox)

Configuration not appearing

  • Windows: Verify the script is running in 64-bit PowerShell with administrator / SYSTEM privileges
  • macOS: Check that the preference domain matches exactly (com.google.Chrome, com.microsoft.Edge, or org.mozilla.firefox)
  • Firefox (Windows): If using policies.json, check that the file exists at C:\Program Files\Mozilla Firefox\distribution\policies.json. Firefox updates can remove this directory.
  • Restart the browser after policy changes

Policy conflicts (Windows)

If multiple Intune profiles configure ExtensionInstallForcelist, they may conflict. Use the PowerShell script (Method B) instead of Settings Catalog to avoid this issue, as the script writes to a high-numbered value name (1000) that does not collide with MDM-managed entries.

32-bit vs 64-bit context (Windows)

Registry changes may be written to WOW6432Node if the script runs in 32-bit context. Always run the configuration and uninstall scripts in 64-bit PowerShell.

Browser Extension Overview

General extension features and manual installation

Get API Token

Set up your Velatir account and get an API token