Web Control browser extension must be enabled by the user or through group policy
Technical Articles ID:
KB87568
Last Modified: 12/2/2021
Environment
Endpoint Security (ENS) Web Control 10.x
Google Chrome
Microsoft Edge
Microsoft Edge Chromium
Microsoft Internet Explorer
Mozilla Firefox
Summary
ENS Web Control works with Chrome, Edge, Edge Chromium, Firefox, and Internet Explorer as a browser extension or add-on. These browsers require you to manually activate the ENS Web Control extension before you can use Web Control.
Each browser has different behaviors and steps associated with activating the ENS Web Control extension after ENS Web Control is installed on the local system.
IMPORTANT:If enabled, the ENS option to Prevent users from uninstalling or disabling browser plugins prevents users from disabling the ENS Web Control extension only in Internet Explorer. The hardening policy doesn’t prevent users from disabling ENS Web Control in Chrome, Edge, Edge Chromium, or Firefox.
Contents
Click to expand the section you want to view:
In Edge Chromium, the menu icon is highlighted and a pop-up window opens with a message. The message states that a new extension is installed and ready for use. ENS Web Control doesn’t function in Edge Chromium until the extension is enabled.
NOTE: The version of ENS Web Control reported in the browser is 10.7.0.x when ENS Web Control 10.6.1 is installed.
Edge Chromium also allows for the ENS Web Control extension to be force-enabled through Active Directory. For details, see this Edge Chromium article on group policies.
The ExtensionInstallForcelist policy makes sure that users are unable to uninstall or disable the extension. For details, see this Edge Chromium article on extension policies.
The extensionID for ENS Web Control is jjkchpdmjjdmalgembblgafllbpcjlei, and the updateURL for the Chrome Web Store where the extension is hosted is https://clients2.google.com/service/update2/crx.
In Edge, a prompt displays asking the user to enable the ENS Web Control extension when opening Edge after the ENS Web Control installation. ENS Web Control doesn’t function in Edge until the extension is enabled.
NOTE: The version of ENS Web Control reported in the browser is 10.7.1 when ENS Web Control 10.6.1 is installed.
If a user disables the ENS Web Control extension in Edge, you can't re-enable the extension through ePolicy Orchestrator (ePO) and the McAfee Agent. The user must re-enable the extension locally.
Windows provides a group policy, Prevent turning off required extensions, to harden the Edge extension. To make sure that users can't disable the ENS Web Control extension, add the ENS Web Control extension PFN to the group policy Prevent turning off required extensions. The ENS Web Control extension PFN is the following and can be fetched from the Dev Center portal: 5A894077.McAfeeEndpointSecurityWebControl_wafk5atnkzcwy.
Currently, Microsoft doesn’t provide a way to manage Edge through Active Directory to force-enable the ENS Web Control extension.
In Internet Explorer, a prompt displays at the bottom of the browser screen asking the user to enable the ENS Web Control Browser Helper Object (BHO) and ENS Web Control toolbar. ENS Web Control doesn’t function in Internet Explorer if the ENS Web Control BHO and toolbar aren’t enabled.
If a user disables the ENS Web Control add-ons in Internet Explorer, the add-ons can't be re-enabled with ePO and the McAfee Agent. The user must re-enable them locally. If enabled, the ENS self-protection policy keeps users from disabling the add-ons.
Internet Explorer also allows for the ENS Web Control extension to be force-enabled through Active Directory. For details, see this Internet Explorer article on group policies and Internet Explorer article on templates and group policies. The CLSID for the ENS Web Control BHO is{B164E929-A1B6-4A06-B104-2CD0E90A88FF}, and the CLSID for the ENS Web Control toolbar is {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}.
In Chrome, the menu icon is highlighted and a pop-up window opens with a message. The message states that a new extension is installed and ready for use. ENS Web Control doesn’t function in Chrome until the extension is enabled.
If a user deletes the ENS Web Control extension in Chrome, you can't restore the extension through ePO. An uninstall and reinstall of ENS Web Control doesn’t add the ENS Web Control extension back in Chrome. To make the ENS Web Control extension available in Chrome again, you must do either of two things. Either delete the Chrome user profile that deleted the ENS Web Control extension, or reinstall Chrome on the system.
Chrome also allows for the ENS Web Control extension to be force-enabled through Active Directory. For details, see this Chrome article on group policies. The APPID for ENS Web Control is jjkchpdmjjdmalgembblgafllbpcjlei, and the location at which the extension is hosted is:https://clients2.google.com/service/update2/crx. APPIDs are case sensitive.
When you add the ENS Web Control extension to force install in group policy, you must remove the SiteAdvisor Enterprise extension from being force installed. Otherwise, there will be two icons in Chrome. The SiteAdvisor Enterprise icon doesn’t function because the SiteAdvisor Enterprise service isn’t running. The SiteAdvisor Enterprise extension interferes with the ENS Web Control extension, and it causes navigation issues from ENS Web Control enforcement messages.
In Firefox, a prompt displays asking the user to enable the ENS Web Control extension when opening Firefox after the ENS Web Control installation.
Firefox also allows for the ENS Web Control extension to be force-enabled through Active Directory. Firefox provides ADMX templates to configure policies using Active Directory. The templates are available from this Firefox article on policy templates. The policies work with Firefox 60 and later, and Firefox ESR 60 and later. Use the policy template Extensions to Install to apply a policy to install the ENS Web Control extension. The policy requires the file path of the ENS Web Control extension file on the system. To install the extension on both x86 and x64 systems, add two entries to the policy with the respective paths:
NOTE: These paths are the default installation paths for the extension. For custom installation paths, specify the custom installation directory.
After you apply the policy, on the next restart of the browser, the ENS Web Control extension is installed.
There’s also a policy to prevent users from removing the ENS Web Control extension. Use the policy template Prevent extensions from being disabled or removed. The extension ID for the ENS Web Control extension is {cb40da56-497a-4add-955d-3377cae4c33b}.
If you installed the ENS Web Control extension using group policy, it must be uninstalled using group policy. ENS product uninstallation doesn’t remove the extension. To uninstall the ENS Web Control extension, edit the Extensions to Uninstall policy and add an entry for the ENS Web Control extension ID.
When you upgrade ENS, the ENS Web Control extension doesn’t upgrade. The upgrade doesn’t occur because the Extensions to Install policy doesn’t watch for file changes. Extensions can be updated via policy by uninstalling and reinstalling them. For more details and workarounds, see Firefox bug 1510993.
There are known issues when sometimes the Extensions to Uninstall policy fails to remove the extension. In these cases, Mozilla recommends using the ExtensionSettings with the blocked configuration. The blocked configuration prevents installation of the extension and removes it if the extension is installed. Using the ENS Web Control extension ID, you can enable the blocked configuration to remove the extension from the endpoint in the case that the Extensions to Uninstall policy fails. For detailed documentation on the ExtensionSettings policy, see this Firefox article on ExtensionSettings.
