Enterprise Deployment
Deploy the Governance Shield to managed devices via Microsoft Intune, SCCM, Jamf Pro, or Google Workspace.
Deploy the Governance Shield browser extension across your organization with pre-configured settings. End users receive a fully configured extension — no manual API key entry required.
Extension Details
| Browser | Extension ID | Store |
|---|---|---|
| Chrome | Published after Chrome Web Store review | Chrome Web Store |
| Edge | Same extension ID as Chrome | Edge Add-ons |
| Firefox | [email protected] | Firefox Add-ons |
Chrome and Edge share the same extension ID. A single deployment configuration covers both Chromium-based browsers.
Managed Configuration
The extension reads configuration from chrome.storage.managed (Chromium) or managed preferences (Firefox). When managed values are present, the extension connects automatically — no manual setup by end users.
| Property | Type | Required | Default | Description |
|---|---|---|---|---|
| gateway_url | string | Yes | — | Your gateway URL (e.g., https://gateway.example.com) |
| api_key | string | Yes | — | Project API key (format: pv_live_...) |
| enabled | boolean | No | true | Enable or disable the extension globally |
| show_badges | boolean | No | true | Show toast notifications for enforcement actions |
The managed-storage-schema.json file in the extension package defines these properties for MDM systems that require a schema reference.
Microsoft Intune (Windows)
Intune offers three deployment methods. Choose based on your environment:
| Method | Windows Editions | Complexity | Recommended |
|---|---|---|---|
| Registry via Remediations | Enterprise, Education | Medium | Yes |
| Settings Catalog (Force Install Only) | All | Low | For force-install without config |
| Custom OMA-URI | All | High | For managed storage only |
Intune Remediations require Windows Enterprise or Education editions. They fail silently on Windows Pro — no error is logged. If your fleet includes Windows Pro devices, use Settings Catalog for force-install and Custom OMA-URI for configuration.
Method A: Registry via Remediations (Recommended)
This method writes registry keys to force-install the extension and configure managed storage in a single script.
Step 1. Sign in to the Microsoft Intune admin center.
Step 2. Navigate to Devices → Remediations → Create script package.
Step 3. Name the package (e.g., "Governance Shield — Chrome + Edge").
Step 4. Add the Detection Script (PowerShell):
```powershell
# Detection Script — checks if extension is configured
# Replace EXTENSION_ID with your actual Chrome Web Store extension ID
$extId = "EXTENSION_ID"
$regPath = "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
if (Test-Path $regPath) {
    $values = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    $found = $false
    # Any numbered value whose data starts with the extension ID counts as configured
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Value -like "$extId*") {
            $found = $true
            break
        }
    }
    if ($found) {
        Write-Output "Extension is configured"
        exit 0
    }
}
Write-Output "Extension not configured"
exit 1
```
Step 5. Add the Remediation Script (PowerShell):
```powershell
# Remediation Script — installs and configures the extension
# Replace these values with your actual configuration
$extId = "EXTENSION_ID"
$gatewayUrl = "https://gateway.yourcompany.com"
$apiKey = "pv_live_your_api_key_here"
$updateUrl = "https://clients2.google.com/service/update2/crx"

# --- Chrome: Force Install ---
$chromeForcelist = "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
if (-not (Test-Path $chromeForcelist)) {
    New-Item -Path $chromeForcelist -Force | Out-Null
}
# Existing numbered entries (other forced extensions) are kept and the new one is appended
# at the next free index; skip if this extension is already listed so re-runs add no duplicates
$chromeEntries = (Get-ItemProperty -Path $chromeForcelist -ErrorAction SilentlyContinue).PSObject.Properties |
    Where-Object { $_.Name -match '^\d+$' }
if (-not ($chromeEntries | Where-Object { $_.Value -like "$extId*" })) {
    $existing = $chromeEntries | ForEach-Object { [int]$_.Name }
    $nextIndex = if ($existing) { ($existing | Measure-Object -Maximum).Maximum + 1 } else { 1 }
    Set-ItemProperty -Path $chromeForcelist -Name "$nextIndex" -Value "$extId;$updateUrl"
}

# --- Chrome: Managed Storage ---
$chromePolicy = "HKLM:\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\$extId\policy"
if (-not (Test-Path $chromePolicy)) {
    New-Item -Path $chromePolicy -Force | Out-Null
}
Set-ItemProperty -Path $chromePolicy -Name "gateway_url" -Value $gatewayUrl
Set-ItemProperty -Path $chromePolicy -Name "api_key" -Value $apiKey
Set-ItemProperty -Path $chromePolicy -Name "enabled" -Value 1 -Type DWord
Set-ItemProperty -Path $chromePolicy -Name "show_badges" -Value 1 -Type DWord

# --- Edge: Force Install ---
$edgeForcelist = "HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist"
if (-not (Test-Path $edgeForcelist)) {
    New-Item -Path $edgeForcelist -Force | Out-Null
}
$edgeEntries = (Get-ItemProperty -Path $edgeForcelist -ErrorAction SilentlyContinue).PSObject.Properties |
    Where-Object { $_.Name -match '^\d+$' }
if (-not ($edgeEntries | Where-Object { $_.Value -like "$extId*" })) {
    $existingEdge = $edgeEntries | ForEach-Object { [int]$_.Name }
    $nextIndexEdge = if ($existingEdge) { ($existingEdge | Measure-Object -Maximum).Maximum + 1 } else { 1 }
    Set-ItemProperty -Path $edgeForcelist -Name "$nextIndexEdge" -Value "$extId;$updateUrl"
}

# --- Edge: Managed Storage ---
$edgePolicy = "HKLM:\SOFTWARE\Policies\Microsoft\Edge\3rdparty\extensions\$extId\policy"
if (-not (Test-Path $edgePolicy)) {
    New-Item -Path $edgePolicy -Force | Out-Null
}
Set-ItemProperty -Path $edgePolicy -Name "gateway_url" -Value $gatewayUrl
Set-ItemProperty -Path $edgePolicy -Name "api_key" -Value $apiKey
Set-ItemProperty -Path $edgePolicy -Name "enabled" -Value 1 -Type DWord
Set-ItemProperty -Path $edgePolicy -Name "show_badges" -Value 1 -Type DWord

Write-Output "Extension configured for Chrome and Edge"
exit 0
```
Step 6. In Settings, enable Run script in 64-bit PowerShell. This is critical — 32-bit context writes to WOW6432Node and Chrome will not read the values.
Step 7. Assign the script package to your target device group.
Method B: Settings Catalog (Force Install Only)
Use this method to force-install the extension without managed storage configuration. Suitable for environments where users enter the API key manually, or as a complement to Method C.
Step 1. In the Intune admin center, go to Devices → Configuration → Create → New policy.
Step 2. Select Windows 10 and later → Settings catalog.
Step 3. Search for ExtensionInstallForcelist and add it.
Step 4. Add the value:
```
EXTENSION_ID;https://clients2.google.com/service/update2/crx
```
Step 5. Repeat for Edge by searching for the Edge-specific ExtensionInstallForcelist.
Method C: Custom OMA-URI (Managed Storage)
Use this method to push managed storage configuration alongside Method B.
Step 1. Create a Custom configuration profile.
Step 2. Add an OMA-URI setting:
| Field | Value |
|---|---|
| Name | Governance Shield — Chrome Policy |
| OMA-URI | ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~3rdparty~extensions~EXTENSION_ID~policy/gateway_url |
| Data type | String |
| Value | https://gateway.yourcompany.com |
Step 3. Add additional OMA-URI settings for api_key, enabled, and show_badges.
For Edge, replace Chrome~Policy~googlechrome with Edge~Policy~microsoft_edge in the OMA-URI path.
SCCM / Configuration Manager (Windows)
Step 1: Create an Application
In the Configuration Manager console, go to Software Library → Application Management → Applications → Create Application.
Select Manually specify the application information.
Step 2: Create a Deployment Type
Add a Script Installer deployment type.
Install command:
```
powershell.exe -ExecutionPolicy Bypass -File "Install-GovernanceShield.ps1"
```
Use the same remediation script from the Intune section as Install-GovernanceShield.ps1.
Step 3: Configure Detection Method
Add a Registry detection rule:
| Field | Value |
|---|---|
| Hive | HKEY_LOCAL_MACHINE |
| Key | SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\EXTENSION_ID\policy |
| Value | gateway_url |
| Data Type | String |
| Operator | Equals |
| Value | Your gateway URL |
Step 4: Deploy
Deploy the application to a device collection. Use Required install purpose for automatic deployment.
Updating the API Key
To rotate the API key, update the $apiKey variable in the install script and redeploy. The script overwrites existing registry values.
Jamf Pro (macOS)
Jamf deploys browser extension configuration via Configuration Profiles. You need separate profiles for each browser.
Chrome Extension (Configuration Profile)
Step 1. In Jamf Pro, go to Computers → Configuration Profiles → New.
Step 2. Add a Google Chrome payload → Extensions.
Step 3. Under Extension Install Force List, add:
```
EXTENSION_ID;https://clients2.google.com/service/update2/crx
```
Step 4. For managed storage, add a Google Chrome → 3rd Party Preferences payload with this JSON:
```json
{
  "EXTENSION_ID": {
    "gateway_url": "https://gateway.yourcompany.com",
    "api_key": "pv_live_your_api_key_here",
    "enabled": true,
    "show_badges": true
  }
}
```
Edge Extension (Configuration Profile)
Step 1. Add a Microsoft Edge payload → Extensions.
Step 2. Under Extension Install Force List, add:
```
EXTENSION_ID;https://clients2.google.com/service/update2/crx
```
Step 3. For managed storage, use a Custom Settings payload with this .plist content:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>3rdparty</key>
  <dict>
    <key>extensions</key>
    <dict>
      <key>EXTENSION_ID</key>
      <dict>
        <key>gateway_url</key>
        <string>https://gateway.yourcompany.com</string>
        <key>api_key</key>
        <string>pv_live_your_api_key_here</string>
        <key>enabled</key>
        <true/>
        <key>show_badges</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
```
Preference domain: com.microsoft.Edge
Firefox Extension (Configuration Profile)
Firefox on macOS uses a different mechanism — managed preferences via org.mozilla.firefox.
Step 1. Create a Custom Settings payload with preference domain org.mozilla.firefox.
Step 2. Use this .plist content:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>EnterprisePoliciesEnabled</key>
  <true/>
  <key>ExtensionSettings</key>
  <dict>
    <key>[email protected]</key>
    <dict>
      <key>installation_mode</key>
      <string>force_installed</string>
      <key>install_url</key>
      <string>https://addons.mozilla.org/firefox/downloads/latest/palveron-governance-shield/latest.xpi</string>
    </dict>
  </dict>
  <key>3rdparty</key>
  <dict>
    <key>Extensions</key>
    <dict>
      <key>[email protected]</key>
      <dict>
        <key>gateway_url</key>
        <string>https://gateway.yourcompany.com</string>
        <key>api_key</key>
        <string>pv_live_your_api_key_here</string>
        <key>enabled</key>
        <true/>
        <key>show_badges</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
```
Firefox requires EnterprisePoliciesEnabled to be true. Without this key, all enterprise policies are ignored silently.
Combined Profile (Chrome + Edge)
If you deploy both Chrome and Edge, you can create a single .mobileconfig profile. Upload it to Jamf Pro as a Configuration Profile:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <!-- Chrome -->
    <dict>
      <key>PayloadType</key>
      <string>com.google.Chrome</string>
      <key>PayloadIdentifier</key>
      <string>com.yourcompany.governance-shield.chrome</string>
      <key>PayloadUUID</key>
      <string>A1B2C3D4-E5F6-7890-ABCD-EF1234567890</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>ExtensionInstallForcelist</key>
      <array>
        <string>EXTENSION_ID;https://clients2.google.com/service/update2/crx</string>
      </array>
      <key>3rdparty</key>
      <dict>
        <key>extensions</key>
        <dict>
          <key>EXTENSION_ID</key>
          <dict>
            <key>gateway_url</key>
            <string>https://gateway.yourcompany.com</string>
            <key>api_key</key>
            <string>pv_live_your_api_key_here</string>
            <key>enabled</key>
            <true/>
            <key>show_badges</key>
            <true/>
          </dict>
        </dict>
      </dict>
    </dict>
    <!-- Edge -->
    <dict>
      <key>PayloadType</key>
      <string>com.microsoft.Edge</string>
      <key>PayloadIdentifier</key>
      <string>com.yourcompany.governance-shield.edge</string>
      <key>PayloadUUID</key>
      <string>B2C3D4E5-F6A7-8901-BCDE-F12345678901</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>ExtensionInstallForcelist</key>
      <array>
        <string>EXTENSION_ID;https://clients2.google.com/service/update2/crx</string>
      </array>
      <key>3rdparty</key>
      <dict>
        <key>extensions</key>
        <dict>
          <key>EXTENSION_ID</key>
          <dict>
            <key>gateway_url</key>
            <string>https://gateway.yourcompany.com</string>
            <key>api_key</key>
            <string>pv_live_your_api_key_here</string>
            <key>enabled</key>
            <true/>
            <key>show_badges</key>
            <true/>
          </dict>
        </dict>
      </dict>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>Governance Shield — Browser Extensions</string>
  <key>PayloadIdentifier</key>
  <string>com.yourcompany.governance-shield</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>C3D4E5F6-A7B8-9012-CDEF-123456789012</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
```
Replace the PayloadUUID values with unique UUIDs for your organization. You can generate them with uuidgen on macOS.
Google Workspace (Chrome Browser Cloud Management)
Google Workspace provides cloud-based extension management for Chrome. This method works across Windows, macOS, and Linux without local policy configuration.
Prerequisites
- Chrome Browser Cloud Management enrollment token deployed to target devices
- Chrome browsers enrolled in your Google Workspace domain
Step 1: Force Install the Extension
1. Sign in to the Google Admin console.
2. Navigate to Devices → Chrome → Apps & extensions → Users & browsers.
3. Select the organizational unit to target.
4. Click + (Add) → Add from Chrome Web Store.
5. Search for the extension by name or ID.
6. Under Installation policy, select Force install.
Step 2: Configure Managed Storage
1. Click the extension in your list.
2. Under Policy for extensions, enter:
```json
{
  "gateway_url": {
    "Value": "https://gateway.yourcompany.com"
  },
  "api_key": {
    "Value": "pv_live_your_api_key_here"
  },
  "enabled": {
    "Value": true
  },
  "show_badges": {
    "Value": true
  }
}
```
3. Click Save.
Policy changes propagate to enrolled browsers within minutes. Users can verify by navigating to chrome://policy and clicking Reload policies.
Verification
After deployment, verify that the extension is installed and configured correctly.
Windows
1. Open Chrome or Edge.
2. Navigate to chrome://extensions (Chrome) or edge://extensions (Edge).
3. Confirm the extension is listed and enabled. Force-installed extensions show "Installed by your administrator".
4. Navigate to chrome://policy or edge://policy.
5. Look for the extension ID in the policy list. The managed storage values (gateway_url, api_key, enabled, show_badges) should appear with Status: OK.
6. Click the extension icon in the browser toolbar. The popup should show the gateway URL and connection status without requiring manual configuration.
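As an added example (not part of the extension package or the original page), the following PowerShell script automates the Windows checks above: it reads the native 64-bit policy paths for Chrome and Edge, confirms the force-install entry and the managed storage values, and warns when a 32-bit run has left the keys under WOW6432Node, where the browsers never look. EXTENSION_ID is a placeholder for your actual extension ID.

```powershell
# Verify-GovernanceShield.ps1 (added example, not the vendor's script)
# Replace EXTENSION_ID with your actual extension ID (placeholder)
$extId = "EXTENSION_ID"
$browsers = [ordered]@{
    Chrome = "SOFTWARE\Policies\Google\Chrome"
    Edge   = "SOFTWARE\Policies\Microsoft\Edge"
}
$problems = 0
foreach ($name in $browsers.Keys) {
    $native = "HKLM:\" + $browsers[$name]
    # Same relative path under the 32-bit redirected hive
    $wow = "HKLM:\SOFTWARE\WOW6432Node" + $browsers[$name].Substring("SOFTWARE".Length)

    # 1. Force-install entry: a numbered value whose data starts with "<id>;"
    $forcelist = Join-Path $native "ExtensionInstallForcelist"
    $forced = $false
    if (Test-Path $forcelist) {
        $entries = (Get-ItemProperty -Path $forcelist).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' -and $_.Value -like "$extId;*" }
        $forced = [bool]$entries
    }

    # 2. Managed storage values under 3rdparty\extensions\<id>\policy
    $policyPath = Join-Path $native "3rdparty\extensions\$extId\policy"
    $policy = if (Test-Path $policyPath) { Get-ItemProperty -Path $policyPath } else { $null }
    $gateway = $policy.gateway_url
    $apiKey = $policy.api_key
    $gatewayOk = $gateway -match '^https://'
    $apiKeyOk = $apiKey -like 'pv_live_*'

    # 3. Keys written by a 32-bit process land here and are silently ignored
    $misplaced = Test-Path (Join-Path $wow "3rdparty\extensions\$extId\policy")

    Write-Output "== $name =="
    Write-Output ("  force-install entry : {0}" -f $(if ($forced) { "OK" } else { "MISSING" }))
    Write-Output ("  gateway_url         : {0}" -f $(if ($gatewayOk) { $gateway } else { "MISSING or not https" }))
    # Never echo the key itself; report only presence and the expected prefix
    Write-Output ("  api_key             : {0}" -f $(if ($apiKeyOk) { "present (pv_live_ prefix)" } else { "MISSING or wrong prefix" }))
    if ($misplaced) {
        Write-Output "  WARNING: policy keys found under WOW6432Node; re-run the deployment in 64-bit PowerShell"
    }
    if (-not ($forced -and $gatewayOk -and $apiKeyOk) -or $misplaced) { $problems++ }
}
# Non-zero exit code = number of browsers with a problem, usable as an Intune detection result
exit $problems
```

Run it in an elevated 64-bit PowerShell session so the native hive, not WOW6432Node, is what it reads.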
macOS
1. Open the browser and check for the extension in the toolbar.
2. In Chrome, navigate to chrome://policy and verify policies are applied.
3. To verify the configuration profile was applied:
```shell
profiles list -verbose | grep -A 5 "governance-shield"
```
Firefox
1. Navigate to about:policies to verify enterprise policies are active.
2. Confirm the extension appears in about:addons with "Installed by your organization".
Updating the API Key
To rotate the API key after deployment:
| Method | Process |
|---|---|
| Intune (Remediations) | Update $apiKey in the remediation script. Intune re-runs on next cycle. |
| Intune (OMA-URI) | Edit the custom policy value and sync. |
| SCCM | Update the install script and redeploy. Existing keys are overwritten. |
| Jamf | Edit the configuration profile payload and redistribute. |
| Google Workspace | Edit the "Policy for extensions" JSON in Admin Console. |
Private Browsing
| Browser | Behavior |
|---|---|
| Chrome (Incognito) | Chrome does not support policy-based Incognito extension enablement on Windows. Users must manually enable "Allow in Incognito" in chrome://extensions. |
| Edge (InPrivate) | Supported via ExtensionAllowedForUrls policy or MandatoryExtensionsForInPrivateNavigation. |
| Firefox (Private Browsing) | Supported via managed preferences. Set allowed_in_private_browsing to true in ExtensionSettings. |
Troubleshooting
Extension not installing
- Chrome/Edge: Check chrome://policy or edge://policy. The ExtensionInstallForcelist policy should appear with Status: OK and the extension ID in the value.
- Firefox: Verify that EnterprisePoliciesEnabled is set to true. Without this, all policies are silently ignored. Check about:policies.
- Intune delay: Policy sync can take up to 8 hours. Force a sync via Settings → Accounts → Access work or school → Info → Sync.
Configuration not appearing
- Windows: Open regedit and navigate to HKLM\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\EXTENSION_ID\policy. Verify the keys exist with correct values.
- macOS: Run defaults read com.google.Chrome 3rdparty to check managed preferences.
- chrome://policy shows "Not set": The policy may need a browser restart. Close all browser windows (including background processes) and reopen.
Policy conflicts (Windows)
If multiple Intune profiles configure ExtensionInstallForcelist, they may conflict. The Remediations approach (Method A) avoids this by reading existing entries and appending, rather than overwriting.
32-bit vs 64-bit context (Windows)
PowerShell scripts in Intune Remediations may run in 32-bit context, writing registry keys to WOW6432Node. Always enable Run script in 64-bit PowerShell in the Remediation settings. Chrome only reads from the native 64-bit registry path.
Windows Pro limitations
Intune Remediations (proactive remediation scripts) require Windows Enterprise or Education. They fail silently on Windows Pro — the scripts never execute and no error is logged. For Windows Pro devices, use Settings Catalog (Method B) for force-install and Custom OMA-URI (Method C) for configuration.
Firefox policies not working on macOS
Firefox requires EnterprisePoliciesEnabled in the managed preferences. Additionally, ensure the .plist is deployed with the correct preference domain (org.mozilla.firefox). A common mistake is using org.mozilla.Firefox (capital F) — the domain is case-sensitive and must be lowercase.
Data Handling
The extension processes prompts locally in the browser and sends them to your gateway for policy evaluation. No data is sent to any third party. In on-premise deployments, all data stays within your network.
| Data | Where Processed | Storage |
|---|---|---|
| Prompt text | Browser → Your gateway | Gateway trace log (your database) |
| Policy decisions | Your gateway | Gateway trace log |
| Shadow AI events (Tier 1) | Browser → Your gateway | Shadow AI analytics (your database) |
| Extension configuration | MDM → Browser managed storage | Local browser storage |
| API key | MDM → Browser managed storage | Encrypted in browser profile |