Summary
This article explains how to deploy Smoothwall Cloud Filter in the following environment:
- Windows 10 & 11 machines (not Windows 11 SE)
- Managed with Intune
- Users log into their PCs with their email address (authenticated by AzureAD)
- Edge as the only allowed browser
- Machine users are automatically force-signed in to Edge
NOTE: This deployment is also called a "WinBook". Read more about it: What is a WinBook, and why do we like it?
In order to protect Windows 10 devices in this environment, Cloud Filter simply requires the deployment of a browser extension.
A number of steps need to be taken to ensure the Cloud Filter client is deployed and licensed correctly. The short-hand deployment path is:
- Provisioning
- Edge Configuration
- Post Deployment Checks
Prerequisites
- Download the Windows 64-bit Unified Client zip from https://software.smoothwall.com
- Extract it
NOTE: The zip package (smoothwall-unified-client-x-windows.zip) contains some provisioning tools. For WinBook deployment, only one PowerShell script is required.
Provisioning
NOTE: If you are a multitenant organization, tenant IDs can be found in the on-premise appliance admin UI. Leave the tenant variable empty if you are not a multitenant organization. For more details: What's a Tenant ID?
- Edit the file named smoothwall-provisioning-winbook.ps1 and add your provisioning information.
For example, if your serial number is UNCL123456789 and you want to provision tenant d77b701d-d1ca-4c8d-b4b9-a9b576167d92:
######################################
# CONFIGURE CUSTOMER PROVIONING HERE #
# LEAVE TENANT EMPTY IF NOT RELEVANT #
######################################
$serial = "UNCL123456789"
$tenant = "d77b701d-d1ca-4c8d-b4b9-a9b576167d92"
######################################
- In Intune, create a new script and upload your edited smoothwall-provisioning-winbook.ps1 file
- Target the script to users and/or machines which require Cloud Filter
Alternative Method
If executing a PowerShell script is not possible or convenient, deploy the following Registry values using your preferred method. Note that all registry values must be created under the following registry path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\3rdparty\extensions\dlcaglefdlidioooijnigjhfcndlncfp\policy\Smoothwall\
Type | Key | Value |
REG_SZ | ForceOS | chromeos |
REG_SZ | Serial | <Your UNCL serial> |
REG_SZ | TenantId | <Tenant ID> For untenanted organizations, this key can be missing or empty. |
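To confirm on an endpoint that these values were applied, a read-only check such as the following can be run in PowerShell. This is an added example, not part of the Smoothwall package; the function name and the rule that a non-empty TenantId must be a GUID are assumptions based on the example values in this article.

```powershell
# Added example, not part of the Smoothwall package. Read-only: nothing is written.
# Key path and value names are taken from the table above.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\3rdparty\extensions\' +
              'dlcaglefdlidioooijnigjhfcndlncfp\policy\Smoothwall'

# Hypothetical helper: returns a list of problems, empty when everything matches.
function Test-CloudFilterProvisioning {
    param([string]$Path = $policyPath)

    if (-not (Test-Path -LiteralPath $Path)) {
        return "Policy key not found: $Path"
    }
    $key    = Get-Item -LiteralPath $Path
    $names  = $key.GetValueNames()
    $issues = @()

    # ForceOS and Serial are required and must be REG_SZ.
    foreach ($name in 'ForceOS', 'Serial') {
        if ($names -notcontains $name) {
            $issues += "$name is missing"
        } elseif ($key.GetValueKind($name) -ne 'String') {
            $issues += "$name is $($key.GetValueKind($name)), expected REG_SZ"
        } elseif ([string]::IsNullOrWhiteSpace($key.GetValue($name))) {
            $issues += "$name is empty"
        } elseif ($name -eq 'ForceOS' -and $key.GetValue($name) -cne 'chromeos') {
            # Case-sensitive comparison against the exact value in the table.
            $issues += "ForceOS is '$($key.GetValue($name))', expected 'chromeos'"
        }
    }

    # TenantId may be missing or empty for untenanted organizations.
    # Assumption: when set, it is a GUID, as in the article's example.
    $tenant = if ($names -contains 'TenantId') { [string]$key.GetValue('TenantId') } else { '' }
    $parsed = [guid]::Empty
    if ($tenant -and -not [guid]::TryParse($tenant, [ref]$parsed)) {
        $issues += "TenantId '$tenant' is not a GUID"
    }
    return $issues
}

$result = @(Test-CloudFilterProvisioning)
if ($result.Count -eq 0) {
    'Cloud Filter policy values look correct.'
} else {
    $result | ForEach-Object { "ISSUE: $_" }
}
```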
Edge Configuration
In Intune, using an Administrative Template Profile, configure Edge with the following properties and target the Cloud Filter devices. These properties must apply at the Computer level, not the User level.
Settings Name | State | Value |
Control which extensions are installed silently | Enabled | dlcaglefdlidioooijnigjhfcndlncfp;https://edge.microsoft.com/extensionwebstorebase/v1/crx |
Control where developer tools can be used | Enabled | Don’t allow using the developer tools |
Configure InPrivate mode availability | Enabled | InPrivate mode disabled |
Enable guest mode | Disabled | N/A |
Enable profile creation from the Identity flyout menu or the Settings page | Disabled | N/A |
Enable ending processes in the Browser task manager | Disabled | N/A |
Configure whether a user always has a default profile automatically signed in with their work or school account | Enabled | N/A |
Enable implicit sign-in | Enabled | N/A |
Browser sign-in settings | Enabled | Force users to sign-in to the browser |
Restrict which accounts can be used to sign in to Microsoft Edge | Enabled | Set this to a regular expression which matches the Azure AD email addresses used by your organisation. This prevents users from signing into the browser using other accounts which the filter will not recognise. For example: .*@example.com |
Note: The recommended policies were updated in July 2023. A change in Edge means the "implicit sign in" feature no longer creates a user profile in the browser automatically, which prevents Cloud Filter from identifying the user. As a workaround, it is necessary to force the user to sign-in instead.
For more information about Edge browser policies, see this link:
https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies
Post Deployment Checks
- Check the deployment using the Client Diagnostics Page, see Running Cloud Filter Diagnostics
- Check that your custom policies are being applied, see Checking that Cloud Filter Policies Work (Real-time log viewer)