Introduction
This guide outlines how to deploy a browser extension (e.g., for Chrome or Edge) across your organization using Microsoft Intune, or other MDM systems.
✅ General Deployment
✅ General Deployment
This is a general guide to what registry keys needs to be set for everything to work
Windows
Download the ADM or ADMX files for the browsers you want to manage
Import the downloaded files into your MDM system of choice
Set a policy for Client key to the key that you find in Substly > Extension > Settings
Set the policy for the browsers to force install the extension by setting the following registry keys
Your MDM system might have a different way to set these keys where you won't need to import the ADMX templates for each browser.
Chrome
Registry path:
HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallForcelist
Value:
1 = fkjmkdagklhjcebfnejjkjmfclgnplgd;https://clients2.google.com/service/update2/crx
Edge
Registry path:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge\ExtensionInstallForcelist
Value:
1 = ghjglhcgjblhpnfcpkgpjbekjmmhjamn;https://edge.microsoft.com/extensionwebstorebase/v1/crx
macOS
Download the plist files for the browsers you want to push the extension to
Edit the files with the names that have
.extensions.{id}
and add your Client Key that you find in Substly > Extension > SettingsYou may also change what it should use as a UserKey. Default is
%Email%
Upload the files with the same names as they have originally have to your MDM.
👉 Download file: macOS plist files
✅ Deploying with Microsoft Intune
✅ Deploying with Microsoft Intune
Step 1: Import ADMX Templates (if not already present)
Go to Intune Admin Center → Devices → Configuration → Import ADMX.
Import the following:
Windows.admx
substly_chrome.admx
substly_edge.admx
Step 2: Create Policy for Substly Client Key
Go to Configuration → Policies
Create a Configuration Profile → Templates → Administrative Templates.
Search for the Client key setting under
\Substly\Chrome Extension
or\Substly\Edge Extension
policies.Enable the setting and set the value to the Client key found in your Substly extension settings page.
Assign the policy to your target device group and save.
Step 3: Force Install the Substly Extension
Create a new Configuration Profile → Settings catalog.
Add the following force-install settings:
Assign the profile to your target device group.
Step 4: Deploy PowerShell Script for User Identification
This step is only needed if your organization requires user identification in Substly. If anonymous authentication is sufficient, you can skip this step.
Go to Devices → Scripts and remediations → Platform scripts in Intune.
Add a new Windows 10 and later.
Upload PowerShell script (chromium-based.ps1 is recommended)
Configure the following options:
Assign to target device group and deploy.
👉 Download PowerShell script: Substly User Identification Script
📦 File Descriptions
File download directory: Google Drive
File Name | Purpose |
{edge,chrome}/adm/substly_chrome.adm | ADM file for windows configuration of ClientKey. Useful for GPO |
{edge,chrome}/admx/substly_chrome.admx | Main ADMX file for configuration of ClientKey for windows. |
{edge,chrome}/admx/en-US/substly_chrome.adml | Language file needed for importing and using the substly_chrome.admx file. |
Plist/* | Collection of .plist files that can be used for macOS configuration of the extension. These need to be edited after download to include your ClientKey in the |
PowerShell scripts/* | Collection of PowerShell scripts that can be used to set the UserKey on devices |
💬 FAQs
Q: Can users remove the extension?
No, forced installations are locked by policy.
Q: Can the user logout after authenticating?
No, if the ClientKey is set the user is unable to logout from the extension
Q: My devices page in Substly isn't being populated
On the settings page of the extension page you have 2 options.
Allow login with device id
Allows authentication with UserKey otherwise the user needs to be signed into a browser profile
Allow anonymous authentication
Allows anyone to authenticate as long as they have the ClientKey
If you have the first one enabled and it's still not populated you might want to try to enable the anonymous authentication to see if the extension is being installed and ClientKey is being set.
If that works there is likely a problem with running the PowerShell script or the UserKey in .plist is invalid
Q: Does this require internet access?
Yes, the browser fetches the extension from the update URL.