This article applies to organisations with a 'Hybrid' setup (both On-Premise Appliance and Cloud), as well as On-Premise only and Cloud only setups.
To use Cloud Filter on managed Windows devices enrolled in Microsoft Intune, you must deploy a system service and a browser extension.
- Use this article if your devices use Google Chrome or a mixture of Google Chrome and Microsoft Edge.
- If your devices use Microsoft Edge only, follow the instructions to install Cloud Filter on Windows 10 using Intune (Edge Only).
Before you begin
Check device browsers
Ensure Chrome, or both Chrome and Edge, are force-installed on all relevant devices.
Add exceptions to antivirus software on devices
To stop your antivirus software from flagging Smoothwall as malware and quarantining the Smoothwall client, add these exception paths to the antivirus software on student devices:
- C:\Program Files\Smoothwall
- C:\ProgramData\Smoothwall
If the full path is required, use:
- C:\Program Files\Smoothwall\Unified Client\bin\sw-uc-desktop-client.exe
- C:\Program Files\Smoothwall\Unified Client\bin\sw-uc-browser-bridge.exe
Step 1: Download the Intune installer
- Go to https://software.smoothwall.com
- In the Unified Client section, select Windows x64
- This downloads the Windows 64-bit zip file (smoothwall-unified-client-x-windows.zip) to your computer, containing an .intunewin installer file and provisioning tools among other files.
Step 2: Install Cloud Filter
- In Intune, go to Apps > Windows.
- Add Windows app (Win 32).
- Select the app package file and select the Smoothwall Intune installer (sw-uc-desktop-client-<version>.intunewin).
- On the App information tab, the Name and Description fields should autofill along with the App Version. Ensure “Smoothwall” is entered in the Publisher field, then select Next.
- Review the Program settings, including Allow available uninstall and Device restart behaviour, then select Next.
- On the Requirements tab, set the Operating system architecture to 64-bit and the Minimum operating system to Windows 10 1607, then select Next.
- On the Detection rules tab, set Rules format to Manually configure detection rules, then select + Add.
- Change the Rule type to MSI and select OK.
- Back on the Add app tab, select Next until you reach the Assignments tab.
- Select the Device Group where the software needs to be installed, or select +Add all devices.
- On the Review + Create tab, select Create.
Step 3: Provision Intune
Edit the ps1 script file
- Edit the file named smoothwall-provisioning-intune.ps1
- Add your serial number (16 characters, starting with UNCL) to the serial variable.
- If you are multi-tenanted, add the tenant ID to the tenant variable; if you are not, leave the tenant variable empty.
- Save the file as a new version.
For example, if your serial number is UNCL123456789 and you want to provision tenant d77b701d-d1ca-4c8d-b4b9-a9b576167d92, the file will read:
######################################
$serial = "UNCL123456789"
$tenant = "d77b701d-d1ca-4c8d-b4b9-a9b576167d92"
######################################
Upload the script
- In Intune, go to Devices > Scripts and remediations.
- Add a new script for Windows 10 or later.
- In Script settings, select the edited script file.
- Set Run script in 64 bit PowerShell Host to Yes.
- Set all the other fields to No.
- Target the script to users, machines, or both that require Cloud Filter.
Alternative method to provision Intune
If you are unable to run PowerShell scripts, you must instead create a registry key at this path: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Smoothwall\UnifiedClient
Within it, create the following values:
- SerialId = String (REG_SZ) containing your UNCL serial.
- TenantId = String (REG_SZ) containing your tenant ID, if you have a multi-tenant environment. If you don’t, leave this blank.
- EnableAzureAd = Number (REG_DWORD). Set this to 1 to use Azure AD usernames.
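A read-only check of the registry values listed above, run locally on a device to confirm that the key exists and each value has the type and format this article describes. This is an added example, not Smoothwall's provisioning script; the function name Test-CloudFilterProvisioning is hypothetical.

```powershell
# Added example (not Smoothwall's script): read-only check of the provisioning values.
$path = 'HKLM:\SOFTWARE\Policies\Smoothwall\UnifiedClient'

function Test-CloudFilterProvisioning {
    param([string]$Path = $path)
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if (-not $key) { return @("Registry key not found: $Path") }
    $problems = @()
    $names = $key.GetValueNames()

    # Each value must exist with the registry type the article specifies.
    $expectedKinds = @{ SerialId = 'String'; TenantId = 'String'; EnableAzureAd = 'DWord' }
    foreach ($name in $expectedKinds.Keys) {
        if ($names -notcontains $name) {
            $problems += "$name is missing"
        } elseif ("$($key.GetValueKind($name))" -ne $expectedKinds[$name]) {
            $problems += "$name has type $($key.GetValueKind($name)), expected $($expectedKinds[$name])"
        }
    }

    # Serial format as stated in Step 3: 16 characters, starting with UNCL.
    $serial = [string]$key.GetValue('SerialId')
    if ($serial -and $serial -notlike 'UNCL*') { $problems += 'SerialId does not start with UNCL' }
    if ($serial -and $serial.Length -ne 16)    { $problems += "SerialId is $($serial.Length) characters, expected 16" }

    # A value other than 1 means Azure AD usernames are not used.
    if ($names -contains 'EnableAzureAd' -and $key.GetValue('EnableAzureAd') -ne 1) {
        $problems += 'EnableAzureAd is not 1'
    }
    return $problems
}

$result = Test-CloudFilterProvisioning
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'Provisioning values look correct.' }
```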
Step 4: Configure your browsers
Chrome and Edge require some configuration to force install the Smoothwall extension and lock them down to ensure safe usage.
In Intune, using an Administrative Template Profile, configure Edge or Chrome with the following properties and target the Cloud Filter devices. These properties must apply at the Computer level, not the User level.
Edge
Force Windows executable Native Messaging hosts to launch directly:
- State=Enabled
- Value=N/A
Control which extensions are installed silently:
- State=Enabled
- Value=dlcaglefdlidioooijnigjhfcndlncfp;https://edge.microsoft.com/extensionwebstorebase/v1/crx
Control where developer tools can be used:
- State=Enabled
- Value=Don’t allow using the developer tools
Configure InPrivate mode availability:
- State=Enabled
- Value=InPrivate mode disabled
Enable guest mode:
- State=Disabled
- Value=N/A
Enable profile creation from the Identity flyout menu or the Settings page:
- State=Disabled
- Value=N/A
Enable ending processes in the Browser task manager:
- State=Disabled
- Value=N/A
Browser sign-in settings:
- State=Enabled
- Value=Disable Browser sign-in
If sign-in is needed (for instance, to allow bookmark sync), restrict it to the managed domain using the Restrict which accounts can be used as Microsoft Edge primary accounts setting to prevent conflicting filtering policies.
Chrome
Force Windows executable Native Messaging hosts to launch directly:
- State=true
- Value=N/A
Configure the list of force-installed apps and extensions:
- State=Enabled
- Value=jbldkhfglmgeihlcaeliadhipokhocnm;http://clients2.google.com/service/update2/crx
Control where Developer Tools can be used:
- State=Enabled
- Value=Disallow usage of the Development Tools
Incognito mode availability:
- State=Enabled
- Value=Incognito mode disabled
Enable guest mode in browser:
- State=Disabled
- Value=N/A
Enable add person in user manager:
- State=Disabled
- Value=N/A
Enable ending processes in Task Manager:
- State=Disabled
- Value=N/A
Browser sign in settings:
- State=Enabled
- Value=Disable Browser sign-in
If sign-in is needed (for instance, to allow bookmark sync), restrict it to the managed domain using the Restrict which Google accounts are allowed to be set as browser primary accounts in Google Chrome setting to prevent conflicting filtering policies.
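A read-only audit of the Edge and Chrome settings above, run on a managed device to confirm that each policy arrived at the Computer level (HKLM) with the expected value. This is an added example, not part of the Smoothwall tooling; the registry value names are the browsers' policy names mapped from the display names above and should be confirmed against the administrative templates you deployed, and the function name is hypothetical.

```powershell
# Added example: read-only audit of the Step 4 browser policies on one device.
# Value names are the browsers' registry policy names (assumption: confirm them
# against the ADMX templates you deployed). HKLM = Computer-level policy.
$common = @{
    NativeHostsExecutablesLaunchDirectly = 1   # native messaging hosts launch directly
    DeveloperToolsAvailability           = 2   # developer tools disallowed
    BrowserGuestModeEnabled              = 0   # guest mode off
    TaskManagerEndProcessEnabled         = 0   # ending processes blocked
    BrowserSignin                        = 0   # browser sign-in disabled
}
$browsers = @(
    @{ Name = 'Edge'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
       Extension = 'dlcaglefdlidioooijnigjhfcndlncfp'
       Extra = @{ InPrivateModeAvailability = 1; BrowserAddProfileEnabled = 0 } },
    @{ Name = 'Chrome'; Key = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
       Extension = 'jbldkhfglmgeihlcaeliadhipokhocnm'
       Extra = @{ IncognitoModeAvailability = 1; BrowserAddPersonEnabled = 0 } }
)

function Get-BrowserLockdownReport {
    foreach ($b in $browsers) {
        $key = Get-Item -Path $b.Key -ErrorAction SilentlyContinue
        if (-not $key) {
            [pscustomobject]@{ Browser = $b.Name; Setting = '(policy key)'; Expected = 'present'
                               Actual = 'missing'; Ok = $false }
            continue
        }
        foreach ($s in ($common + $b.Extra).GetEnumerator()) {
            $actual = $key.GetValue($s.Key)   # $null when the policy is not set
            [pscustomobject]@{ Browser = $b.Name; Setting = $s.Key; Expected = $s.Value
                               Actual = $actual; Ok = ($null -ne $actual -and $actual -eq $s.Value) }
        }
        # The force-install list is a subkey whose values are "<extension id>;<update URL>".
        $list = Get-Item -Path (Join-Path $b.Key 'ExtensionInstallForcelist') -ErrorAction SilentlyContinue
        $entries = @(if ($list) { $list.GetValueNames() | ForEach-Object { $list.GetValue($_) } })
        [pscustomobject]@{ Browser = $b.Name; Setting = 'ExtensionInstallForcelist'
                           Expected = "$($b.Extension);*"; Actual = ($entries -join ', ')
                           Ok = [bool]($entries -like "$($b.Extension);*") }
    }
}

Get-BrowserLockdownReport | Sort-Object Browser, Setting | Format-Table -AutoSize
```

Any row with Ok = False is a setting that is missing or differs from the value listed above, for example because the profile was applied at the User level instead of the Computer level.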
Next steps
Check your deployment is working as expected:
You can also prevent users from using their own extensions. If you are already familiar with Intune, you can follow Microsoft’s article Use group policies to manage Microsoft Edge extensions.