Josys provides a Browser Extension for organizations to detect Shadow IT and manage SaaS application usage. IT Admins need a way to remotely deploy and activate applications like the Josys Browser Extension across various endpoints, devices, and applications.
SOTI MobiControl is an Enterprise Mobility Management (EMM) solution that integrates with Microsoft 365 to facilitate enterprise-level device management through a centralized system. Josys remotely installs and activates the browser extension on Microsoft 365 devices by using MobiControl's app policies and ESSO (Extensible Single Sign-On) payloads.
Prerequisites
Before you begin with the activation, make sure that you have:
- A SOTI MobiControl admin account
- The Josys Browser Extension installation link for Google Chrome and Microsoft Edge browsers
- A working PowerShell script for activating the Josys Browser Extension for SOTI MobiControl
To deploy the browser extension, first, you need to modify the following SOTI MobiControl console settings:
1. Assigning App Policy
To integrate SOTI MobiControl with Microsoft 365 for Conditional Access (CA), you need to configure MobiControl as a third-party compliance partner in Microsoft Endpoint Manager. After registering the device, its compliance status is reported to Microsoft, allowing you to set CA policies for app access in Azure AD. The process includes configuring device-based access policies, assigning app policies, deploying Extensible Single Sign-On (ESSO) payloads, and ensuring device compliance for access to Microsoft 365 apps. Supported platforms include Android, iOS, and macOS (with specific requirements).
Learn more from SOTI Documentation.
2. Creating and Deploying ESSO Payload
To enable Conditional Access on macOS devices with the Josys Browser Extension, SOTI MobiControl requires the deployment of an Extensible Single Sign-On (ESSO) payload. This is done by creating a Custom Profile configuration in MobiControl's macOS Device section. The ESSO payload enables the launch of the SSO extension in the Company Portal app for Azure authentication, ensuring smooth integration of Microsoft 365 services and Josys. Once the custom profile is created, it is assigned to the macOS devices to complete the setup.
Learn more from SOTI Documentation.
To deploy, do the following:
Step 1: Create a macOS device profile, following the "Creating a Profile" instructions.
Step 2: Navigate to the "Configurations" tab and click "Add New Profile."
Step 3: Under the "Other" section, select "Custom Profiles."
Step 4: In the Plist text box, paste the Plist code provided below. This configuration will be deployed to devices that require Azure device registration.
Case 1: If the plist is not supported, use the following script as an alternative solution.
#!/bin/bash
# Define extension IDs for Chrome and Edge
CHROME_EXTENSION_ID="moaklgcgokbgplldonjkoochhlefkbjf"
EDGE_EXTENSION_ID="hjifncajikcdkhlofdjjlhcjoennmdfc"
# Define the Chrome and Edge extension installation URLs
CHROME_EXTENSION_URL="https://clients2.google.com/service/update2/crx"
EDGE_EXTENSION_URL="https://edge.microsoft.com/extensionwebstorebase/v1/crx"
# Flags (variables inside the code)
REMOVE=false
DEVTOOLS=false
BROWSER="chrome" # Default to Chrome if no browser is specified
FORCE_REMOVE_EMPTY_BRACKETS=true
ORG_KEY="ORGANIZATION_KEY"
DOMAIN="@josys.com" # Add organization domain
USERNAME="$(id -F)"
# Set flags based on your requirements
# Example:
# REMOVE=true # To remove extension
# DEVTOOLS=true # To enable developer tools
# BROWSER="edge" # To install in Edge (set this to "chrome" for Chrome)
# Function to silently install the extension for Chrome
install_chrome_extension() {
    echo "Silently installing extension for Chrome..."
    # Check if the extension is already in the allowlist or forcelist
    # (2>/dev/null: defaults read prints an error when the key does not exist yet)
    ALLOWLIST=$(defaults read com.google.Chrome ExtensionInstallAllowlist 2>/dev/null)
    FORCELIST=$(defaults read com.google.Chrome ExtensionInstallForcelist 2>/dev/null)
    if [[ "$ALLOWLIST" != *"$CHROME_EXTENSION_ID"* && "$FORCELIST" != *"$CHROME_EXTENSION_ID"* ]]; then
        # Add Chrome extension to the allowlist and forcelist
        defaults write com.google.Chrome ExtensionInstallAllowlist -array-add "$CHROME_EXTENSION_ID"
        defaults write com.google.Chrome ExtensionInstallForcelist -array-add "$CHROME_EXTENSION_ID;$CHROME_EXTENSION_URL"
        echo "Chrome extension installed silently."
    else
        echo "Chrome extension is already installed. Skipping installation."
    fi
    # Add OrganizationKey policy
    echo "Adding OrganizationKey policy to Chrome..."
    defaults write "com.google.Chrome.extensions.$CHROME_EXTENSION_ID" OrganizationKey -string "$ORG_KEY"
    echo "OrganizationKey policy added."
    echo "Adding User email to Chrome policy..."
    # Convert username to lowercase and replace spaces with dots
    formatted_username=$(echo "$USERNAME" | tr '[:upper:]' '[:lower:]' | sed 's/ /./g')
    email="${formatted_username}${DOMAIN}"
    echo "fu $formatted_username"
    echo "email $email"
    defaults write "com.google.Chrome.extensions.$CHROME_EXTENSION_ID" UserEmail -string "$email"
    echo "UserEmail policy added."
}
# Function to silently install the extension for Edge
install_edge_extension() {
    echo "Silently installing extension for Microsoft Edge..."
    # Check if the extension is already in the allowlist or forcelist
    # (2>/dev/null: defaults read prints an error when the key does not exist yet)
    ALLOWLIST=$(defaults read com.microsoft.Edge ExtensionInstallAllowlist 2>/dev/null)
    FORCELIST=$(defaults read com.microsoft.Edge ExtensionInstallForcelist 2>/dev/null)
    if [[ "$ALLOWLIST" != *"$EDGE_EXTENSION_ID"* && "$FORCELIST" != *"$EDGE_EXTENSION_ID"* ]]; then
        # Add Edge extension to the allowlist and forcelist
        defaults write com.microsoft.Edge ExtensionInstallAllowlist -array-add "$EDGE_EXTENSION_ID"
        defaults write com.microsoft.Edge ExtensionInstallForcelist -array-add "$EDGE_EXTENSION_ID;$EDGE_EXTENSION_URL"
        echo "Edge extension installed silently."
    else
        echo "Edge extension is already installed. Skipping installation."
    fi
    # Add OrganizationKey policy (stored under the Edge extension ID, the same
    # domain that remove_extension deletes from)
    echo "Adding OrganizationKey policy to Edge..."
    defaults write "com.microsoft.Edge.extensions.$EDGE_EXTENSION_ID" OrganizationKey -string "$ORG_KEY"
    echo "OrganizationKey policy added."
    echo "Adding User email to Edge policy..."
    # Convert username to lowercase and replace spaces with dots
    formatted_username=$(echo "$USERNAME" | tr '[:upper:]' '[:lower:]' | sed 's/ /./g')
    email="${formatted_username}${DOMAIN}"
    echo "$email"
    defaults write "com.microsoft.Edge.extensions.$EDGE_EXTENSION_ID" UserEmail -string "$email"
    echo "UserEmail policy added."
}
# Helper: remove every entry containing ID from the array KEY in DOMAIN,
# keeping the entries that belong to other extensions
remove_id_from_list() {
    local domain="$1" key="$2" id="$3" current line
    local -a kept
    kept=()
    # Nothing to do if the key does not exist
    current=$(defaults read "$domain" "$key" 2>/dev/null) || return 0
    while IFS= read -r line; do
        # defaults read prints an array as "(", one entry per line, ")".
        # Strip indentation, the trailing comma and surrounding quotes.
        line=$(echo "$line" | sed -e 's/^[[:space:]]*//' -e 's/,$//' -e 's/^"//' -e 's/"$//')
        [[ -z "$line" || "$line" == "(" || "$line" == ")" ]] && continue
        [[ "$line" == *"$id"* ]] && continue
        kept+=("$line")
    done <<< "$current"
    # If there are still items left, update the list, else clear the key
    if [[ ${#kept[@]} -gt 0 ]]; then
        defaults write "$domain" "$key" -array "${kept[@]}"
    else
        defaults delete "$domain" "$key"
    fi
}
# Function to remove the extension
remove_extension() {
    local domain id
    if [[ "$BROWSER" == "chrome" ]]; then
        echo "Removing extension for Chrome..."
        domain="com.google.Chrome"
        id="$CHROME_EXTENSION_ID"
    elif [[ "$BROWSER" == "edge" ]]; then
        echo "Removing extension for Edge..."
        domain="com.microsoft.Edge"
        id="$EDGE_EXTENSION_ID"
    else
        return 0
    fi
    # Remove the extension ID from the allowlist and forcelist.
    # A list is deleted only once it is empty, so a list that still holds
    # other extensions is never wiped (FORCE_REMOVE_EMPTY_BRACKETS needs no extra pass).
    remove_id_from_list "$domain" ExtensionInstallAllowlist "$id"
    remove_id_from_list "$domain" ExtensionInstallForcelist "$id"
    # Remove policy OrganizationKey and UserEmail
    defaults delete "$domain.extensions.$id" OrganizationKey 2>/dev/null
    defaults delete "$domain.extensions.$id" UserEmail 2>/dev/null
}
# Function to enable developer tools
# (DeveloperToolsAvailability 1 allows DevTools everywhere, including on
# extensions installed by policy)
enable_devtools() {
    if [[ "$BROWSER" == "chrome" ]]; then
        defaults write com.google.Chrome DeveloperToolsAvailability -int "1"
        echo "Developer tools enabled for Chrome."
    elif [[ "$BROWSER" == "edge" ]]; then
        defaults write com.microsoft.Edge DeveloperToolsAvailability -int "1"
        echo "Developer tools enabled for Edge."
    fi
}
# Function to delete both lists outright, including entries for other extensions
# (not called by the main logic below)
force_remove_empty_brackets_cleanup() {
    if [[ "$BROWSER" == "chrome" ]]; then
        defaults delete com.google.Chrome ExtensionInstallAllowlist
        defaults delete com.google.Chrome ExtensionInstallForcelist
        echo "Removed empty brackets"
    elif [[ "$BROWSER" == "edge" ]]; then
        defaults delete com.microsoft.Edge ExtensionInstallAllowlist
        defaults delete com.microsoft.Edge ExtensionInstallForcelist
        echo "Removed empty brackets"
    fi
}
# Main logic based on the flags
if [[ "$REMOVE" == true ]]; then
    remove_extension
elif [[ "$BROWSER" == "chrome" ]]; then
    install_chrome_extension
elif [[ "$BROWSER" == "edge" ]]; then
    install_edge_extension
fi
if [[ "$DEVTOOLS" == true ]]; then
    enable_devtools
fi
# Open the respective browser's extension page for verification
# if [[ "$BROWSER" == "chrome" ]]; then
# open -a "Google Chrome" "chrome://extensions/"
# elif [[ "$BROWSER" == "edge" ]]; then
# open -a "Microsoft Edge" "edge://extensions/"
# fi
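The commented-out lines above check the result by hand in the browser. As an added example (not part of the Josys or SOTI material), the script below does the check from the command line: it parses the text that defaults read prints for ExtensionInstallForcelist, confirms the extension ID is present with the expected update URL, and lists any other force-installed entries for review. The function names, the sample input and the second extension ID are constructed for illustration.

```bash
#!/bin/bash
# Added example, not Josys or SOTI code. Audits the text printed by:
#   defaults read com.google.Chrome ExtensionInstallForcelist

# Turn the array that `defaults read` prints into one entry per line.
parse_defaults_array() {
  awk '{ gsub(/^[ \t]+|,$/, ""); gsub(/^"|"$/, "")
         if ($0 != "" && $0 != "(" && $0 != ")") print }'
}

# audit_forcelist ID URL   (reads `defaults read` output on stdin)
# Prints one finding per entry; returns 0 only if ID is present with URL.
audit_forcelist() {
  want_id=$1; want_url=$2; found=1
  entries=$(parse_defaults_array)
  while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    id=${entry%%;*}
    case $entry in *";"*) url=${entry#*;} ;; *) url="" ;; esac
    if [ "$id" != "$want_id" ]; then
      echo "OTHER $id"      # force-installed by another policy: review it
    elif [ "$url" = "$want_url" ]; then
      echo "OK $id"; found=0
    else
      echo "BAD_URL $id"    # right ID, unexpected update source
    fi
  done <<EOF
$entries
EOF
  [ "$found" -eq 0 ] || echo "MISSING $want_id"
  return "$found"
}

# Constructed sample: the page's Chrome ID and URL plus a made-up second entry.
sample_forcelist() {
  cat <<'EOF'
(
    "moaklgcgokbgplldonjkoochhlefkbjf;https://clients2.google.com/service/update2/crx",
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx"
)
EOF
}

# On a managed Mac, pipe the real `defaults read` output in instead of the sample.
sample_forcelist | audit_forcelist "moaklgcgokbgplldonjkoochhlefkbjf" \
  "https://clients2.google.com/service/update2/crx"
```

For Edge, pass the Edge extension ID and update URL from the script and read the com.microsoft.Edge domain instead.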
Case 2: If the plist is supported, follow these steps:
a. For Google Chrome:
i. To force-push the extension, use the following plist configuration:
Plist Name: com.google.Chrome
Plist Content: As shown below
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>DeveloperToolsAvailability</key>
<integer>1</integer>
<key>ExtensionInstallForcelist</key>
<array>
<string>PASS_EXTENSION_ID</string>
</array>
</dict>
</plist>
ii. To add managed data, use the following plist configuration:
Plist Name: com.google.Chrome.extensions.PASS_EXTENSION_ID
Plist Content: As shown below
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>OrganizationKey</key>
<string>E2ETestStandardPlan</string>
<key>CurrentEnv</key>
<string>qabesa</string>
</dict>
</plist>
b. For Microsoft Edge:
i. To force-push the extension, use the following plist configuration:
Plist Name: com.microsoft.Edge
Plist Content: As shown below
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>DeveloperToolsAvailability</key>
<integer>1</integer>
<key>ExtensionInstallForcelist</key>
<array>
<string>PASS_EXTENSION_ID</string>
</array>
</dict>
</plist>
ii. To add managed data, use the following plist configuration:
Plist Name: com.microsoft.Edge.extensions.PASS_EXTENSION_ID
Plist Content: As shown below
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>OrganizationKey</key>
<string>E2ETestStandardPlan</string>
<key>CurrentEnv</key>
<string>qabesa</string>
</dict>
</plist>