Skip to main content

Authentication with UserKey policy

Ola Stål avatar
Written by Ola Stål
Updated over 3 weeks ago

Introduction

This guide outlines how to deploy a browser extension (e.g., for Chrome or Edge) across your organization using Microsoft Intune, or other MDM systems.

✅ General Deployment

This is a general guide to what registry keys needs to be set for everything to work

Windows

  1. Download the ADM or ADMX files for the browsers you want to manage

  2. Import the downloaded files into your MDM system of choice

  3. Set a policy for Client key to the key that you find in Substly > Extension > Settings

  4. Set the policy for the browsers to force install the extension by setting the following registry keys

    1. Your MDM system might have a different way to set these keys where you won't need to import the ADMX templates for each browser.

    2. Chrome

      1. Registry path:
        HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallForcelist

      2. Value: 1 = fkjmkdagklhjcebfnejjkjmfclgnplgd;https://clients2.google.com/service/update2/crx

    3. Edge

      1. Registry path:
        HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge\ExtensionInstallForcelist

      2. Value:
        1 = ghjglhcgjblhpnfcpkgpjbekjmmhjamn;https://edge.microsoft.com/extensionwebstorebase/v1/crx

macOS

  1. Download the plist files for the browsers you want to push the extension to

  2. Edit the files with the names that have .extensions.{id} and add your Client Key that you find in Substly > Extension > Settings

    1. You may also change what it should use as a UserKey. Default is %Email%

  3. Upload the files with the same names as they have originally have to your MDM.

👉 Download file: macOS plist files

✅ Deploying with Microsoft Intune

Step 1: Import ADMX Templates (if not already present)

  1. Go to Intune Admin Center → Devices → Configuration → Import ADMX.

  2. Import the following:

    • Windows.admx

    • substly_chrome.admx

    • substly_edge.admx

Step 2: Create Policy for Substly Client Key

  1. Go to Configuration → Policies

  2. Create a Configuration Profile → Templates → Administrative Templates.

  3. Search for the Client key setting under \Substly\Chrome Extension or \Substly\Edge Extension policies.

  4. Enable the setting and set the value to the Client key found in your Substly extension settings page.

  5. Assign the policy to your target device group and save.

Step 3: Force Install the Substly Extension

  1. Create a new Configuration Profile → Settings catalog.

  2. Add the following force-install settings:

    • Chrome:
      fkjmkdagklhjcebfnejjkjmfclgnplgd;https://clients2.google.com/service/update2/crx

    • Edge:
      ghjglhcgjblhpnfcpkgpjbekjmmhjamn;https://edge.microsoft.com/extensionwebstorebase/v1/crx

  3. Assign the profile to your target device group.

Step 4: Deploy PowerShell Script for User Identification

This step is only needed if your organization requires user identification in Substly. If anonymous authentication is sufficient, you can skip this step.

  1. Go to Devices → Scripts and remediations → Platform scripts in Intune.

  2. Add a new Windows 10 and later.

  3. Upload PowerShell script (chromium-based.ps1 is recommended)

  4. Configure the following options:

    • Run script using logged on credentials: No

    • Enforce script signature check: No

    • Run script in 64-bit PowerShell: No

  5. Assign to target device group and deploy.

👉 Download PowerShell script: Substly User Identification Script

📦 File Descriptions

File download directory: Google Drive

File Name

Purpose

{edge,chrome}/adm/substly_chrome.adm

ADM file for windows configuration of ClientKey. Useful for GPO

{edge,chrome}/admx/substly_chrome.admx

Main ADMX file for configuration of ClientKey for windows.

{edge,chrome}/admx/en-US/substly_chrome.adml

Language file needed for importing and using the substly_chrome.admx file.

Plist/*

Collection of .plist files that can be used for macOS configuration of the extension. These need to be edited after download to include your ClientKey in the com.{google.Chrome;microsoft.Edge;}.extensions.fkjmkdagklhjcebfnejjkjmfclgnplgd.plist files

PowerShell scripts/*

Collection of PowerShell scripts that can be used to set the UserKey on devices

💬 FAQs

Q: Can users remove the extension?
No, forced installations are locked by policy.

Q: Can the user logout after authenticating?

No, if the ClientKey is set the user is unable to logout from the extension

Q: My devices page in Substly isn't being populated

On the settings page of the extension page you have 2 options.

  • Allow login with device id

    • Allows authentication with UserKey otherwise the user needs to be signed into a browser profile

  • Allow anonymous authentication

    • Allows anyone to authenticate as long as they have the ClientKey

If you have the first one enabled and it's still not populated you might want to try to enable the anonymous authentication to see if the extension is being installed and ClientKey is being set.

If that works there is likely a problem with running the PowerShell script or the UserKey in .plist is invalid

Q: Does this require internet access?
Yes, the browser fetches the extension from the update URL.

Did this answer your question?