Skip to main content

Mass deploy Omnix Credential Protection using Windows and GPO

Fred Rodriguez

Credential Risk Detection, AI phishing alerts and In-browser nudges are available to organizations on a Arrow Omnix plan.
Upgrade to Arrow Omnix

Estimated time to complete: 20 minutes

If you have the Arrow Omnix plan and mass deploy the Arrow Smart Extension, you can also deploy these Omnix Credential Protection features at the same time:

Omnix plan admins can use the master data management (MDM) tool GPO to set up Credential Protection features for company-managed Google Chrome and Microsoft Edge desktop browsers on Windows.

What is GPO?
Looking to set up Risk detection on macOS using Jamf?
Looking to set up Risk detection on Windows using Intune?

Although Omnix Credential Protection features are most beneficial when rolled out to your entire organization, you can start with a smaller group (or just yourself) during setup and extend it to more employees anytime. To add more employees, update the groups included in your deployment policy.

Add employees to the policy

Process overview

Prerequisites

Make sure you have the appropriate access needed to set up Omnix features:

  • Admin access to a Arrow Omnix account
  • Admin access to Group Policy (GPO) on Windows
  • Permission to deploy policies to devices using GPO

Set up Omnix features on Windows using GPO

Setup involves two main steps:

  1. Apply Arrow’s deployment policy
  2. Mass deploy the extension

If you prefer, watch the Windows + GPO step-by-step video

1: Apply Arrow’s deployment policy

Don't skip this step, even if you've already deployed the Arrow Smart Extension.

If the extension has already been deployed and you want to turn on Omnix features for existing employees, you can skip step 2 in the setup guide. You can turn on the features after deploying the Credential Protection policy.

Important: You must deploy the Arrow security policies before you deploy the Arrow Smart Extension. This order ensures the extension installs silently and the security features work as expected. If you don't deploy the policies to your targeted machines, your employees will be asked to log in to Arrow on every login screen. If you deploy the extension before the policies, employees might create a personal account before the policies are applied.

What is a silent deployment?

A "silent deployment" of the extension means installing the extension on employees' company-managed desktop browsers without any visible prompts or interaction needed from the employee. Admins must configure the managed device policy before they deploy Credential Risk Detection to avoid inadvertently notifying employees about Arrow.

In the Arrow Admin Console, start the setup:

  1. Open the Admin Console
  2. Under Integrations, select Mass deployment.
  3. On the Mass deployment page, select Start setup.

  4. On the Setup page, select Start to see the steps for applying Arrow’s deployment policy.

  5. Select the Group Policy (GPO) tab and the browsers you're deploying to. Ensure your selection is accurate before downloading the XML files so your GPO is created correctly.
  6. In the Windows guidelines section, select Download all XML files.

  7. On a domain-joined server, open Group Policy Management, right-click, and select Run as administrator. You're going to create a new Policy Object.

  8. Right-click on Group Policy Object and select New.

  9. You can name this new GPO CRD Policy and select OK.

  10. Right-click on the CRD Policy you created and select Edit.

  11. Go to User Configuration, Preferences, Windows Settings, Registry.

  12. Drag the .xml templates you downloaded in the Admin Console and drop them in the Registry window.

  13. Select Yes when asked if you want to import the pasted document.

  14. Close the Group Policy Management Editor.

  15. Back in the Group Policy Management window, right-click your OU (organizational unit) from the "Group Policy Management" folder and select Link an Existing GPO.

  16. Select CRD Policy and OK.

  17. Right-click on CRD Policy in the Domains folders and select Enforced.

After performing these steps, the deployment might take up to eight hours, but it's usually faster.

To ensure Risk Detection's proactive threat monitoring doesn't alert or disrupt employees, you must wait for the policy to take effect in your MDM before deploying the Arrow Smart Extension to enrolled devices and activating the feature.

Check that the policy was applied:

Using a device that was part of the group the script was deployed to, go to Registry Editor and select the following folders in order.

Chrome:

HKEY_LOCAL_MACHINE; Software; Policies; Google; Chrome; 3rdparty; extensions

Edge:

HKEY_LOCAL_MACHINE; Software; Policies; Microsoft; Edge; 3rdparty; extensions

In the extensions, you'll see a folder named using the Arrow Smart Extension ID. Under that folder, the policy folder contains the actual values of the Credential Protection policy.

Go back to the Arrow Admin Console, and select Continue to move to the second step.

2: Mass deploy the extension

You can skip this step if you've previously deployed the Arrow Smart Extension.

If you're deploying to both Chrome and Edge, repeat these steps for each browser.

Create new GPO policy

  1. Open all folders within Group Policy Management until you see the "Group Policy Objects" folder. Right-click that folder and select New.

  2. In the New GPO pop-up, enter "ArrowGPO" or "Arrow Smart Extension" for the Name and then select OK.

  3. Right-click your OU from the "Group Policy Management" folder and select Link an Existing GPO. For example, if the domain is "dashlanenyc.com" and the OU is "Arrow-Client", the target computers are in the "Arrow-Client" folder.

  4. In the Select GPO pop-up, select the "Arrow-GPO" you created and select OK.

Select the browser you're using.

Download the template and configure the Arrow Smart Extension GPO in Chrome

  1. Download the “policy_templates.zip” template file
  2. Right-click the "policy_templates.zip" file in Explorer, select Rename, and rename it: "chrome_policy_templates"

  3. Select the "chrome_policy_templates" file that you just renamed, and then select Extract all.

  4. In the Select a Destination and Extract Files pop-up, select Browse, select your "Downloads" folder, and select Extract.

  5. In the "Downloads" folder, open the "chrome_policy_templates" folder you just extracted and then open the "windows" folder inside it.

  6. In the "windows" folder, open the "admx" folder.

  7. Select the two files named "chrome.admx" and "google.admx", right-click the two files, and select Copy.

  8. Open "C:/Windows" in a new Explorer window, right-click on the "Policy Definitions" folder, and select Paste.

  9. Return to the "admx" folder again, open the "en-US" folder inside that, select the two files named "chrome.adml" and "google.adml", right-click the two files, and select Copy.

  10. Return to the "Policy Definitions" folder again, right-click the "en-US" folder, and select Paste.

  11. Right-click your OU from the "Group Policy Management" folder, as you did at the beginning of this article, and select Edit.

  12. In the Group Policy Management Editor, open "Computer Configuration", "Policies", "Administrative Templates: Policy definitions (ADMX files) retrieved from the local computer, "Google", "Google Chrome", and "Extensions". Then right-click "Configure the list of force-installed apps and extensions" and select Edit.

  13. In the Configure the list of force-installed apps and extensions pop-up, select Enabled, and select Show. In the Show Contents pop-up, paste fdjamakpfbbddfjaooikfcpapjohcfmg;https://clients2.google.com/service/update2/crx and select OK.

Download the template and configure the Arrow Smart Extension GPO in Edge

  1. Download Windows 64-bit Policy
  2. In the Download Microsoft Edge Policy File pop-up, select Accept and download.

  3. Open the "MicrosoftEdgePolicyTemplates" file you just downloaded in Explorer and save it to your "Downloads" folder.

  4. Select "MicrosoftEdgePolicyTemplates" file in your "Downloads" folder and then select Extract all.

  5. In the Select a Destination and Extract Files pop-up, select Browse, select your "Downloads" folder, and select Extract.

  6. In the "Downloads" folder, open the "MicrosoftEdgePolicyTemplates" folder you just extracted, and open the "windows" folder inside it.

  7. In the "windows" folder, open the "admx" folder.

  8. Select the three files named "msedge.admx", "msedgeupdate.admx", and "msdegewebview2.admx", right-click the three files, and select Copy.

  9. Open "C:/Windows" in a new Explorer window, right-click on the "Policy Definitions" folder, and select Paste.

  10. Return to the "admx" folder again, open the "en-US" folder inside that, select the three files named "msedge.admx", "msedgeupdate.admx", and "msdegewebview2.admx", right-click the three files, and select Copy.

  11. Return to the "Policy Definitions" folder again, right-click the "en-US" folder, and select Paste.

  12. Right-click your OU from the "Group Policy Management" folder, as you did at the beginning of this article, and select Edit.

  13. In the Group Policy Management Editor, open "Computer Configuration", "Policies", "Administrative Templates: Policy definitions (ADMX files) retrieved from the local computer, "Microsoft Edge", and "Extensions". Then, right-click "Control which extensions are installed silently" and select Edit.

  14. In the Configure the list of force-installed apps and extensions pop-up, select Enabled, and select Show. In the Show Contents pop-up, paste gehmmocbbkpblljhkekmfhjpfbkclbph, and select OK.

In the Arrow Admin Console select Complete to confirm the extension was mass deployed.

After this deployment you can turn on Credential Risk Detection. You can also turn on AI phishing alerts and In-browser nudges.

Learn more about Credential Risk Detection
Learn more about AI phishing alerts
Learn more about In-browser nudges

If you turn on Credential Risk Detection or AI phishing alerts, the information collected will be logged in the Activity Log and displayed on the Risk Detection and Phishing Alerts pages.

More about Risk Detection insights
More about Phishing alerts insights

If you have any issues turning on these features, please contact our Support team.

Contact an agent through the Admin Console
Chat with our bot

Watch the Windows + GPO setup video

You can watch a step-by-step video of the Windows + GPO setup.

What is GPO?

A Group Policy Object (GPO) is a virtual collection of policy settings. Group Policy settings are contained in a GPO. A GPO can represent policy settings in the file system and in the Active Directory.

More on Microsoft's GPO

Comments

0 comments

Article is closed for comments.

Powered by Zendesk