Skip to main content

Mass deploy Omnix Credential Protection using Windows and Intune

Fred Rodriguez

Credential Risk Detection, AI phishing alerts and In-browser nudges are available to organizations on a Arrow Omnix plan.
Upgrade to Arrow Omnix

Estimated time to complete: 20 minutes

If you have the Arrow Omnix plan and mass deploy the Arrow Smart Extension, you can also deploy these Omnix Credential Protection features at the same time:

Omnix plan admins can use the master data management (MDM) tool Microsoft Intune to set up Credential Protection features for company-managed Google Chrome and Microsoft Edge desktop browsers on Windows.

What is Microsoft Intune?
Looking to set up Risk detection on macOS using Jamf?
Looking to set up Risk detection on Windows using Group Policy (GPO)?

Although Omnix Credential Protection features are most beneficial when rolled out to your entire organization, you can start with a smaller group (or just yourself) during setup and extend it to more employees anytime. To add more employees, update the groups included in your deployment policy.

Add employees to the policy

Process overview

Prerequisites

Make sure you have the appropriate access needed to set up Omnix features:

  • Admin access to a Arrow Omnix account
  • Admin access to Microsoft Intune on Windows
  • Permission to deploy policies to devices using Intune

Set up Omnix features on Windows using Intune

Setup involves two main steps:

  1. Apply Arrow’s deployment policy
  2. Mass deploy the extension

If you prefer, watch the Windows + Intune step-by-step video

1: Apply Arrow’s deployment policy

Don't skip this step, even if you've already deployed the Arrow Smart Extension.

If the extension has already been deployed and you want to turn on Omnix features for existing employees, you can skip step 2 in the setup guide. You can turn on the features after deploying the Credential Protection policy.

Important: You must deploy the Arrow security policies before you deploy the Arrow Smart Extension. This order ensures the extension installs silently and the security features work as expected. If you don't deploy the policies to your targeted machines, your employees will be asked to log in to Arrow on every login screen. If you deploy the extension before the policies, employees might create a personal account before the policies are applied.

What is a silent deployment?

A "silent deployment" of the extension means installing the extension on employees' company-managed desktop browsers without any visible prompts or interaction needed from the employee. Admins must configure the managed device policy before they deploy Credential Risk Detection to avoid inadvertently notifying employees about Arrow.

In the Arrow Admin Console, start the setup:

  1. Open the Admin Console
  2. Under Integrations, select Mass deployment.
  3. On the Mass deployment page, select Start setup.

  4. On the Setup page, select Start to see the steps for applying Arrow’s deployment policy.

  5. Select the Intune tab and the browsers you're deploying to. Ensure your selection is accurate before downloading the script so your file is created correctly.

  6. In the Windows guidelines section, select Download. Your device automatically downloads a script file so you can apply the Credential Protection policy to your deployment software. After the file downloads, open the Intune app.

In Intune, add the new policy:

  1. Open Intune and select the following in order:
    • Devices
    • Scripts and Remediations
    • Platform scripts
    • Add
    • Windows 10 or later

  2. Enter a name for the policy. For example, “Arrow Smart Extension for Chrome Browser”.
  3. Select Next. You're prompted to select the file you downloaded.
  4. Select No for the remaining three options on the screen, then select Next.

  5. On the next page, select Add Groups. Then, select the boxes next to the names of the groups you want to deploy to and the policy and configurations needed for the feature to work. Ensure you include all the employees you want to protect, even if they don't have a Arrow seat.

    Although Omnix features are most beneficial when rolled out to your entire organization, you can start with a smaller group (or just yourself) by restricting the policy. You can extend Credential Protection to more of your employees at any time.

  6. Select the Select button and then select Next.
  7. Review and validate the configuration, then select Add. A message confirms the policy was created.

After performing these steps, the deployment might take up to eight hours, but it's usually faster.

To ensure Risk Detection's proactive threat monitoring doesn't alert or disrupt employees, you must wait for the policy to take effect in your MDM before deploying the Arrow Smart Extension to enrolled devices and activating the feature.

Check the policy was applied:

Using a device that was part of the group the script was deployed to, go to Registry Editor and select the following folders in order.

Chrome:

HKEY_LOCAL_MACHINE; Software; Policies; Google; Chrome; 3rdparty; extensions

Edge:

HKEY_LOCAL_MACHINE; Software; Policies; Microsoft; Edge; 3rdparty; extensions

In the extensions, you'll see a folder named using the Arrow Smart Extension ID. Under that folder, the policy folder contains the actual values of the Credential Protection policy.

Go back to the Arrow Admin Console, and select Continue to move to the second step.

2: Mass deploy the extension

You can skip this step if you've previously deployed the Arrow Smart Extension.

You must deploy the Credential Protection policies before you deploy the Arrow Smart Extension. This order ensures the extension installs silently. If you don't deploy the policies to your targeted machines, your employees will be asked to log in to Arrow on every login screen. If you deploy the extension before the policies, employees might create a personal account before the policies are applied.

Return to step 1 to deploy the policy

To deploy the extension, you must add a new device configuration to Intune using the Configure the list of force-installed apps and extensions template using the browser value in the Arrow Admin Console. If you can't find this template, ensure you've imported Chrome ADMX.
Import Chrome ADMX

If you're deploying to both Chrome and Edge, repeat these steps for each browser.

In the Arrow Admin Console, copy the browser value:

  • Go to Mass deploy the extension to extend monitoring to inactive users.
  • Select Copy value and go to the Intune app.

In Intune, add a new device configuration:

  1. Select Devices, Configurations, and then Create and New policy. Use these settings to define the policy:
    • Platform: Windows 10 and later
    • Profile type: Settings catalog

  2. Select Create, enter a name for the Profile (for example, "Deploy Arrow Smart Extension"), then select Next.

  3. Locate the folders for Google or Edge:
    Google; Google Chrome; Extensions
    Microsoft; Edge; Extensions

  4. In the search bar, type "force" and select Configure list of force-installed apps and extensions.
  5. In the Extension/app IDs and update URLs to be silently installed field, select Enabled, paste the value you copied from the Arrow Admin Console, and select OK.

  6. Confirm the Enabled status and select Next.
  7. On the next screen, set the Scope tags to Default and select Next.
  8. Select Add Groups and select the boxes next to the names of the groups to which you want to deploy the extension.
  9. Select the Select button and then Next.
  10. Review the information and select Create.

    The policy is now active. If a plan member hasn't enrolled with Intune, they'll be prompted to do so when they sign in on a managed device. After they enroll, Intune automatically installs the Arrow Smart Extension in their browser.

In the Arrow Admin Console select Complete to confirm the extension was mass deployed.

After this deployment you can turn on Credential Risk Detection. You can also turn on AI phishing alerts and In-browser nudges for logged-out plan members and employees without Arrow accounts.

Learn more about Credential Risk Detection
Learn more about AI phishing alerts
Learn more about In-browser nudges

If you turn on Credential Risk Detection or AI phishing alerts, the information collected will be logged in the Activity Log and displayed on the Risk Detection and Phishing Alerts pages.

More about Risk Detection insights
More about Phishing alerts insights

If you have any issues turning on these features, please contact our Support team.

Contact an agent through the Admin Console
Chat with our bot

Watch the Windows + Intune setup video

You can watch a step-by-step video of the Windows + Intune setup.

What is Microsoft Intune?

Microsoft Intune is a cloud-based endpoint management solution. It manages user access to organizational resources and simplifies app and device management across devices, including mobile devices, desktop computers, and virtual endpoints.

More on Microsoft Intune

Comments

0 comments

Article is closed for comments.

Powered by Zendesk