In order to protect domain-joined Windows 10 devices, Cloud Filter requires the deployment of a MSI along with a browser extension.
A number of steps need to be taken to ensure the Cloud Filter client is deployed and licensed correctly. The short-hand deployment path is:
- Software Installation
- Browsers Configuration
- Post Deployment Checks
NOTE: Cloud Filter MSI only supports Windows 10 64-bits version.
- Download the Windows 64bits Unified Client zip from https://software.smoothwall.com
- Extract it
- On the AD Domain Controller, create a new GPO where you want to deploy Smoothwall Cloud Filter. This document will refer to this GPO as "the Smoothwall GPO". For a multitenant organization, you can repeat these steps for each tenant/domain.
NOTE: The zip package (smoothwall-unified-client-<version>-windows.zip) contains a msi installer and some provisioning tools (ADMX templates).
- C:\Program Files\Smoothwall
- C:\Program Files\Smoothwall\Unified Client\bin\sw-uc-desktop-client.exe
- C:\Program Files\Smoothwall\Unified Client\bin\sw-uc-browser-bridge.exe
Note: this document assumes that Chrome and/or Edge browsers are already force installed on all relevant machines
- Copy the Smoothwall MSI file in a network shared folder, for example, \\MACHINE_NAME\Shared_Folder. This is so that the targeted device can access the file.
- Attach the Smoothwall MSI file to the Smoothwall GPO, see the Microsoft help topic, Open Group Policy Software Installation.
- Assign the MSI application.
- Set permissions for the Group Policy Software Installation:
- Authenticated users:
- Special permissions
- Authenticated users:
NOTE 1: An ADMX template is available as part of the zip package, it consists of the smoothwall.admx and smoothwall.adml files. When adding the ADMX template to a Domain Controller, the default configuration location for the adml file is C:\Windows\PolicyDefinitions\en-US and the default location for the admx file are C:\Windows\PolicyDefinitions.
NOTE 2: If you are a multitenant organization, tenant IDs can be found in the on-premise appliance admin UI. For more details: What's a Tenant ID?
In the Smoothwall GPO, configure the Smoothwall ADMX template as below and leave any other settings as ‘Not Configured’:
|Smoothwall/Unified Client||Serial Number||Enabled||Your UNCL serial|
|Smoothwall/Unified Client||Tenant ID||Enable = multi-tenanted
Disabled = not multi-tenanted
|If enabled, the tenant GUID|
Alternative Provisioning Method
If the ADMX template is not an option, the follow Registry values should be deployed using the preferred method. Note that all registry values must be created under the following registry path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Smoothwall\UnifiedClient\
|REG_SZ||Must be a 16 character string containing only ASCII letters and numbers.||UNCL serial|
|REG_SZ||Must be a standard UUID as displayed in the Filtering admin UI.||Tenant ID
For untenanted organizations, this key can be missing or empty.
Chrome and Edge require some configuration to force install the Smoothwall extension along with locking them down to ensure safe usage.
Microsoft Edge ADMX template: https://www.microsoft.com/en-us/edge/business/download
In the Smoothwall GPO, configure the Edge ADMX template as below:
|Control which extensions are installed silently||Enabled||dlcaglefdlidioooijnigjhfcndlncfp;https://edge.microsoft.com/extensionwebstorebase/v1/crx|
|Control where developer tools can be used||Enabled||Don’t allow using the developer tools|
|Configure InPrivate mode availability||Enabled||InPrivate mode disabled|
|Enable guest mode||Disabled||N/A|
|Enable profile creation from the Identity flyout menu or the Settings page||Disabled||N/A|
|Enable ending processes in the Browser task manager||Disabled||N/A|
|Browser sign-in settings*||Enabled||Disable browser sign-in|
*We recommend that Browser Sign-ins are completely disabled. However if sign-in is needed (for instance to allow bookmark sync), we recommend restricting it to the managed domain. Restricting it to the customer’s domain prevents conflicting policies from being pushed which potentially compromise the filtering protection. The Intune setting for configuring Browser Sign-in allowed domains is called "Restrict which accounts can be used as Microsoft Edge primary accounts"
Google Chrome ADMX template: https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip
For more detailed instructions, visit: https://support.google.com/chrome/a/answer/3115278?hl=en
In the Smoothwall GPO, configure the Google ADMX template as below:
|Configure the list of force-installed apps and extensions||Enabled||jbldkhfglmgeihlcaeliadhipokhocnm;http://clients2.google.com/service/update2/crx|
|Control where Developer Tools can be used||Enabled||Disallow usage of the Development Tools|
|Incognito mode availability||Enabled||Incognito mode disabled|
|Enable guest mode in browser||Disabled||N/A|
|Enable add person in user manager||Disabled||N/A|
|Enable ending processes in Task Manager||Disabled||N/A|
|Browser sign in settings*||Enabled||Disable browser sign-in|
*We recommend that Browser Sign-ins are completely disabled. However if sign-in is needed (for instance to allow bookmark sync), we recommend restricting it to the managed domain. Restricting it to the customer’s domain prevents conflicting policies from being pushed which potentially compromise the filtering protection. The Chrome setting for configuring Browser Sign-in allowed domains is called "Restrict which Google accounts are allowed to be set as browser primary accounts in Google Chrome"
Post Deployment Checks
- Check the deployment using the Client Diagnostics Page, see Running Cloud Filter Diagnostics
- Check that your custom policies are being applied, see Checking that Cloud Filter Policies Work (Real-time log viewer)