This article applies to organisations with a 'Hybrid' setup (both On-Premise Appliance and Cloud), as well as On-Premise only and Cloud only setups.
To use Cloud Filter on BYOD Windows devices that use Domain Group Policy Object (GPO), you must deploy an MSI (Microsoft Software Installer) along with a browser extension.
Before you begin
Check device browsers
Make sure Chrome and/or Edge browsers are force-installed on all relevant devices.
Add exceptions to antivirus software on devices
To prevent your antivirus software from quarantining the Smoothwall client, you need to add these exception paths to the antivirus software on student devices:
- C:\Program Files\Smoothwall
- C:\ProgramData\Smoothwall
In some cases, the antivirus might require the full path of each program:
- C:\Program Files\Smoothwall\Unified Client\bin\sw-uc-desktop-client.exe
- C:\Program Files\Smoothwall\Unified Client\bin\sw-uc-browser-bridge.exe
Step 1: Download the installer
- Go to software.smoothwall.com.
- In the Unified Client section, select Windows x64.
- This downloads the Windows 64-bit zip file (smoothwall-unified-client-x-windows.zip) to your computer, containing an MSI installer, one smoothwall.admx file and one smoothwall.adml file among other files.
Step 2: Create a GPO
In Group Policy Management, create a new GPO called ‘Smoothwall GPO’ for the AD Domain Controller where you want to deploy Smoothwall Cloud Filter.
If you are part of a multi-tenant organization, repeat each of the following steps for each tenant.
Step 3: Install Cloud Filter
- Copy the Smoothwall MSI file into a network shared folder (for example, \\MACHINE_NAME\Shared_Folder) so that the devices can access this file on the network.
- Attach the Smoothwall MSI file to the Smoothwall GPO.
- Assign the MSI application to the GPO.
- In the permissions for the Group Policy Software Installation, give Authenticated Users both Read and Special permissions.
Step 4: Provision using the ADMX template
In the Smoothwall GPO, configure the Smoothwall ADMX template in the Smoothwall/Unified Client path as below and leave any other settings as Not Configured.
Serial number
- Enabled
- Value = Your UNCL serial
Tenant ID
- Enabled = multi-tenanted, Disabled = not multi-tenanted
- Value = the tenant GUID, if enabled
Alternative method to provision
If you are unable to use the ADMX template, you must create a registry key at this path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Smoothwall\UnifiedClient\
- SerialId = String (REG_SZ) containing your UNCL serial.
- TenantId = String (REG_SZ) containing your tenant ID, if you have a multi-tenant environment. If you don’t, leave this blank.
Step 5: Configure your browsers
Chrome and Edge require some configuration to force-install the Smoothwall extension and to lock the browsers down to ensure safe usage.
Edge
- Download the Microsoft Edge ADMX template.
- In the Smoothwall GPO, configure the Edge ADMX template with these settings.
Control which extensions are installed silently:
- State=Enabled
- Value=dlcaglefdlidioooijnigjhfcndlncfp;https://edge.microsoft.com/extensionwebstorebase/v1/crx
Control where developer tools can be used:
- State=Enabled
- Value=Don’t allow using the developer tools
Configure InPrivate mode availability:
- State=Enabled
- Value=InPrivate mode disabled
Enable guest mode:
- State=Disabled
- Value=N/A
Enable profile creation from the Identity flyout menu or the Settings page:
- State=Disabled
- Value=N/A
Enable ending processes in the Browser task manager:
- State=Disabled
- Value=N/A
Browser sign-in settings:
- State=Enabled
- Value=Disable Browser sign-in
If sign-in is needed (for instance, to allow bookmark sync), restrict sign-in to the managed domain instead, using the ‘Restrict which accounts can be used as Microsoft Edge primary accounts’ setting, to prevent conflicting filtering policies.
Chrome
- Download the Google Chrome ADMX template.
- In the Smoothwall GPO, configure the Google ADMX template with these settings.
Configure the list of force-installed apps and extensions:
- State=Enabled
- Value=jbldkhfglmgeihlcaeliadhipokhocnm;http://clients2.google.com/service/update2/crx
Control where Developer Tools can be used:
- State=Enabled
- Value=Disallow usage of the Development Tools
Incognito mode availability:
- State=Enabled
- Value=Incognito mode disabled
Enable guest mode in browser:
- State=Disabled
- Value=N/A
Enable add person in user manager:
- State=Disabled
- Value=N/A
Enable ending processes in Task Manager:
- State=Disabled
- Value=N/A
Browser sign in settings:
- State=Enabled
- Value=Disable Browser sign-in
If sign-in is needed (for instance, to allow bookmark sync), restrict sign-in to the managed domain instead, using the ‘Restrict which Google accounts are allowed to be set as browser primary accounts in Google Chrome’ setting, to prevent conflicting filtering policies.
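To confirm on a client device that the settings from Steps 4 and 5 actually applied, you can audit the resulting policy registry values. This script is an added example, not Smoothwall's own code. It assumes the GPO settings were applied under Computer Configuration (HKLM), that the ADMX template writes to the same key as the alternative provisioning method, and it uses the standard Chrome and Edge policy value names that correspond to the settings listed above.

```powershell
# Added audit example, not Smoothwall code. Run on a client after 'gpupdate /force'.
# Assumption: the GPO settings are applied under Computer Configuration (HKLM).
$browsers = @(
    @{ Name = 'Edge'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
       ExtensionId = 'dlcaglefdlidioooijnigjhfcndlncfp'
       Expected = @{ DeveloperToolsAvailability = 2; InPrivateModeAvailability = 1
                     BrowserGuestModeEnabled = 0; BrowserAddProfileEnabled = 0
                     TaskManagerEndProcessEnabled = 0; BrowserSignin = 0 } },
    @{ Name = 'Chrome'; Key = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
       ExtensionId = 'jbldkhfglmgeihlcaeliadhipokhocnm'
       Expected = @{ DeveloperToolsAvailability = 2; IncognitoModeAvailability = 1
                     BrowserGuestModeEnabled = 0; BrowserAddPersonEnabled = 0
                     TaskManagerEndProcessEnabled = 0; BrowserSignin = 0 } }
)

function Get-PolicyValue([string]$Key, [string]$Name) {
    # $null means the key or value is absent, i.e. the policy did not apply.
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}
function New-Row($Scope, $Setting, $Expected, $Actual, [bool]$Ok) {
    [pscustomobject]@{ Scope = $Scope; Setting = $Setting; Expected = $Expected
                       Actual = $Actual; Ok = $Ok }
}

$results = @(foreach ($b in $browsers) {
    foreach ($name in $b.Expected.Keys) {
        $want   = $b.Expected[$name]
        $actual = Get-PolicyValue $b.Key $name
        New-Row $b.Name $name $want $actual ($null -ne $actual -and $actual -eq $want)
    }
    # Force-install list: values named 1, 2, ... each holding "<id>;<update URL>".
    $listKey = Join-Path $b.Key 'ExtensionInstallForcelist'
    $entries = @()
    if (Test-Path $listKey) {
        $item = Get-Item $listKey
        $entries = @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
    }
    $hit = @($entries | Where-Object { $_ -like "$($b.ExtensionId);*" })
    New-Row $b.Name 'ExtensionInstallForcelist' "$($b.ExtensionId);*" ($hit -join ', ') ($hit.Count -gt 0)
})

# Provisioning value from Step 4. The serial itself is not printed.
$serial = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Smoothwall\UnifiedClient' 'SerialId'
$state  = if ($serial) { '(set)' } else { '(missing)' }
$results += New-Row 'Smoothwall' 'SerialId' '(non-empty)' $state ([bool]$serial)

$results | Format-Table -AutoSize
if ($results.Ok -contains $false) { exit 1 }   # non-zero exit for compliance tooling
```

Any row with Ok = False points to a setting that is missing or has a different value on that device; `gpresult /h report.html` shows which GPO, if any, supplied it.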
Next steps
Check your deployment is working as expected:
You can also prevent users from using their own extensions with Intune using Microsoft’s guidance.