Install Cloud Filter Extension on Windows using Domain Group Policy Object (GPO)

This article applies to organisations with a 'Hybrid' setup (both On-Premise Appliance and Cloud), as well as On-Premise only and Cloud only setups.

 

To use Cloud Filter on BYOD Windows devices that use Domain Group Policy Object (GPO), you must deploy an MSI (Microsoft Software Installer) along with a browser extension.

Before you begin

Check device browsers

Force-install Chrome and/or Edge browsers on all relevant devices.

Add exceptions to antivirus software on devices

To prevent your antivirus software from quarantining the Smoothwall client, add these exception paths to the antivirus software on student devices:

  • C:\Program Files\Smoothwall
  • C:\ProgramData\Smoothwall

In some cases, the antivirus might require the full path of each program:

  • C:\Program Files\Smoothwall\Unified Client\bin\sw-uc-desktop-client.exe
  • C:\Program Files\Smoothwall\Unified Client\bin\sw-uc-browser-bridge.exe

Step 1: Download the installer

  1. Go to software.smoothwall.com
  2. In the Unified Client section, select Windows x64.
  3. This downloads the Windows 64-bit zip file (smoothwall-unified-client-x-windows.zip) to your computer, containing:
    • An MSI installer
    • A smoothwall.admx file
    • A smoothwall.adml file
    • Other files.

Step 2: Create a GPO

In Group Policy Management, create a new GPO called ‘Smoothwall GPO’ for the AD Domain Controller for where you want to deploy the Cloud Filter Extension.

Step 3: Install Cloud Filter

  1. Copy the Smoothwall MSI file into a network shared folder, for example, \\MACHINE_NAME\Shared_Folder so the devices can access this file on the network.
  2. Attach the Smoothwall MSI file to the Smoothwall GPO.
  3. Assign the MSI application to the GPO.
  4. Set permissions for the Group Policy Software Installation for Authenticated users to give both Read and Special permissions.

Step 4: Provision using the ADMX template

In the Smoothwall GPO, add the Smoothwall ADMX template. Configure the Smoothwall ADMX template in the Smoothwall/Unified Client path as below and leave any other settings as Not Configured.

Serial number

Tenant ID

  • Enable = multi-tenanted, Disabled = not multi-tenanted
  • If enabled, the Tenant ID

Alternative method to provision

If you can't use the ADMX template, you must create a registry key at this path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Smoothwall\UnifiedClient\

  • SerialId = String (REG_SZ) containing your UNCL.
  • TenantId= String (REG_SZ) containing your Tenant ID, if you have a multi-tenant environment. If you don’t, leave this blank.

Step 5: Configure your browsers

Chrome and Edge require some configuration to force install the Smoothwall extension and lock them down to ensure safe usage.

Edge

  1. Download the Microsoft Edge ADMX template.
  2. In the Smoothwall GPO, configure the Edge ADMX template with these settings.

Force Windows executable Native Messaging hosts to launch directly:

  • State=Enabled
  • Value=N/A

Control which extensions are installed silently:

  • State= Enabled
  • Value=dlcaglefdlidioooijnigjhfcndlncfp;https://edge.microsoft.com/extensionwebstorebase/v1/crx

Control where developer tools can be used:

  • State=Enabled
  • Value=Don’t allow using the developer tools

Configure InPrivate mode availability:

  • State=Enabled
  • Value=InPrivate mode disabled

Enable guest mode:

  • State=Disabled
  • Value=N/A

Enable profile creation from the Identity flyout menu or the Settings page:

  • State=Disabled
  • Value=N/A

Enable ending processes in the Browser task manager:

  • State=Disabled
  • Value=N/A

Browser sign-in settings:

  • State=Enabled
  • Value=Disable Browser sign-in

If sign-in is needed (for instance to allow bookmark sync), instead restrict to the managed domain using the Restrict which accounts can be used as Microsoft Edge primary accounts setting to prevent conflicting filtering policies.

Chrome

  1. Download the Google Chrome ADMX template.
  2. In the Smoothwall GPO, configure the Google ADMX template with these settings.

Force Windows executable Native Messaging hosts to launch directly:

  • State=true
  • Value=N/A

Configure the list of force-installed apps and extensions:

  • State= Enabled
  • Value=jbldkhfglmgeihlcaeliadhipokhocnm;https://clients2.google.com/service/update2/crx

Control where Developer Tools can be used:

  • State=Enabled
  • Value=Disallow usage of the Development Tools

Incognito mode availability:

  • State=Enabled
  • Value=Incognito mode disabled

Enable guest mode in browser:

  • State=Disabled
  • Value=N/A

Enable add person in user manager:

  • State=Disabled
  • Value=N/A

Enable ending processes in Task Manager:

  • State=Disabled
  • Value=N/A

Browser sign in settings:

  • State=Enabled
  • Value=Disable Browser sign-in

If sign-in is needed (for instance to allow bookmark sync), instead restrict to the managed domain using the Restrict which Google accounts are allowed to be set as browser primary accounts in Google Chrome setting to prevent conflicting filtering policies.

Next steps

If you are part of a multi-tenant organization, repeat steps 3-5 for each tenant.

Check your deployment is working as expected:

You can also prevent users from using their own extensions. If you are already familiar with Intune, you can use Microsoft’s Use group policies to manage Microsoft Edge extensions article.