
Deploy Chrome Collector v0.6.x

Deploying a browser collector requires two steps:

  • Install the browser extension.
  • Save AIDR collector configuration in the extension's Managed storage.

Managed storage

All deployment methods populate the browser extension's Managed storage with values required to connect to AIDR.

Configuration fields

  • Required fields:

    • registrationIdentity - Encoded credentials the extension uses to authenticate with the AIDR service and obtain an authorization token
    • urlTemplate - AIDR API base URL

    You can find collector-specific values for registrationIdentity and urlTemplate on the Install tab in the AIDR console. Configuration files and templates on the Install tab include these values.

  • Optional user identity fields that appear in AIDR event logs:

    • userId - User identifier, such as an email address. Appears in AIDR logs and findings as a top-level field. If not provided, defaults to user_<device-id>.
    • userFullName - User's display name. Appears in AIDR logs and findings under Extra Info. If not provided, defaults to name_<device-id>.
    • hostname - Device hostname. Appears in AIDR logs and findings under Extra Info. If not configured, the value is empty.

System settings

Jamf, Intune, Group Policy, and Self-Service apply extension configuration through OS-level settings: managed preference profiles on macOS or registry entries on Windows.

Chrome Enterprise pushes configuration via cloud policy to the extension's managed storage in enrolled browsers, bypassing OS-level settings.

Select extension version

Choose the extension edition to deploy:

  • Prompt Inspection Extension (0.6.x) - Applies prompt inspection rules to supported AI sites. Does not support Site Access rules.

Select distribution method

On the collector details page in the AIDR console, switch to the Install tab. This tab provides instructions, links, and templates for common deployment methods. The following sections include step-by-step guides for specific methods.

  • Jamf - Enforce extension deployment and system-level settings on macOS with Apple-native Configuration Profiles.
  • Microsoft Intune - Deploy extensions and configuration profiles across Windows and macOS managed endpoints.
  • Chrome Enterprise (Google Chrome only) - Enroll browsers into the Google Admin console for centralized cloud-based policy management.
  • Group Policy (Windows only) - Force-install the extension and configure managed storage via registry settings across domain-joined Windows endpoints.
  • Self-Service - Install the extension and apply a configuration profile on a single machine to quickly test the collector.

Chrome Enterprise

With Chrome Enterprise Cloud Management, you can centrally install and configure extensions across managed Chrome browsers.

Requirements
Install and configure extension
  1. With user browsers and profiles enrolled, log in to your Google Admin console.
  2. Click the main menu icon and go to Chrome browser > Apps & extensions.
  3. Add the AIDR Chrome browser extension:
    1. Select or create an Organizational Unit (OU).
    2. Click the Users & browsers tab.
    3. Hover over the + icon and select Add Chrome app or extension by ID.
    4. In the Add Chrome app or extension by ID dialog:
      1. Extension ID:

        folndgmoekgkipoolphnkclopeopkecc
      2. Keep the default From the Chrome Web Store source.
      3. Click SAVE.
  4. Select the added extension in the app list.
  5. Under Policy for extensions, paste the Extension Policy JSON from the collector's Install tab in the AIDR console, for example:

    {
      "urlTemplate": {
        "Value": "https://api.crowdstrike.com/aidr/aiguard"
      },
      "registrationIdentity": {
        "Value": "eyJzIj...iI6MX0"
      }
    }

    This policy authenticates the extension with the AIDR service. The copied JSON contains the correct credentials and AIDR base URL for your collector.
  6. Select an Installation policy. For example, select Force install + pin to browser toolbar to force-install the extension to all enrolled user devices in the OU. This option also pins the extension to the browser toolbar for visibility.
  7. Click SAVE in the top right corner of the screen.
note:

Chrome Enterprise policies can't dynamically populate these fields:

  • userId
  • userFullName
  • hostname

To populate these fields in AIDR event logs, configure them on each endpoint. You can use an endpoint management tool, such as Jamf or Intune, to deploy a managed preference profile or registry entry. Apply the configuration at these system paths:

  • macOS preference domain:
    • com.google.Chrome.extensions.folndgmoekgkipoolphnkclopeopkecc
  • Windows registry path:
    • HKLM:\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\folndgmoekgkipoolphnkclopeopkecc\policy
tip:

If you force-install the extension, DevTools might not be accessible by default.

If you plan to debug the extension on target machines, in the Google Admin console:

  1. Go to Devices > Chrome > Settings > Developer tools availability.
  2. Set Developer tools availability to Always allow use of built-in developer tools.
  3. Click Save.

Group Policy (Windows)

Active Directory Group Policy lets you force-install the browser extension on domain-joined Windows endpoints and configure its managed storage through registry entries.

Requirements
  • Active Directory domain environment with Group Policy Management console (GPMC) installed.
  • Permission to create, edit, and link Group Policy Objects (GPOs). For example, membership in Domain Admins or Group Policy Creator Owners.
  • Target computer and user accounts in Organizational Units (OUs) linked to the GPO. Verify OU membership in Active Directory Users and Computers (dsa.msc).
  • If you plan to force-install the extension through GPO, you need write access to the domain's SYSVOL share (\\<domain>\SYSVOL\) to install administrative templates.
Create or edit Group Policy Object
  1. Open Group Policy Management console (gpmc.msc).
  2. Right-click your target OU and select Create a GPO in this domain, and Link it here..., or right-click an existing GPO and select Edit... to open Group Policy Management Editor.
Force-install extension

If the extension is already deployed through another method, such as Microsoft Intune, skip to Configure computer-level registry settings.

Install administrative templates

The Google Chrome administrative templates (ADMX/ADML files) aren't included with Windows. Check whether they're installed, and install them if needed.

  1. In Group Policy Management Editor, go to Computer Configuration > Policies > Administrative Templates. If Google > Google Chrome policy settings are already listed, skip to Enable force-install policy.
  2. Download the Chrome Enterprise Bundle from chromeenterprise.google by following the Quick start guide for Windows.
  3. Extract the downloaded archive.
  4. Inside the extracted folder, locate the Configuration/admx/ subfolder containing .admx files and language-specific subfolders, such as en-US, with .adml files.
  5. Create the Central Store in SYSVOL. The Central Store is a PolicyDefinitions folder inside the domain's Policies folder. When this folder exists, GPMC reads administrative templates from the Central Store instead of the local machine. DFS Replication automatically copies the folder to all domain controllers. This folder doesn't exist by default - you must create it manually. Create PolicyDefinitions\ and a subfolder for each language you need, such as en-US\:
    • \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions\
    • \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions\en-US\
  6. Copy all .admx files to PolicyDefinitions\ and the .adml files from each language subfolder to the matching subfolder under PolicyDefinitions\.
  7. Close and reopen Group Policy Management Editor to load the new templates.
note:

If no Central Store exists in SYSVOL, GPMC reads templates from the local C:\Windows\PolicyDefinitions\ folder on the machine running the console. Every Windows installation includes this folder with built-in OS templates, but the contents aren't replicated to other domain controllers. This approach works for single-admin environments and testing but isn't recommended for production.

Enable force-install policy
  1. In Group Policy Management Editor, go to: Computer Configuration > Policies > Administrative Templates > Google > Google Chrome > Extensions.
  2. Double-click Configure the list of force-installed apps and extensions.
  3. In the Configure the list of force-installed apps and extensions dialog:
    1. Click Enabled.
    2. Click Show... under Extension/App IDs and update URLs to be silently installed.
    3. In the Show Contents dialog, add the extension update URL:

      folndgmoekgkipoolphnkclopeopkecc;https://clients2.google.com/service/update2/crx
    4. Click OK in the Show Contents dialog.
  4. Click OK in the Configure the list of force-installed apps and extensions dialog.
Configure computer-level registry settings

Add extension settings that apply to all users under Computer Configuration:

  1. Go to Computer Configuration > Preferences > Windows Settings > Registry.
  2. Add AIDR base URL:
    1. Right-click and select New > Registry Item. Use these values in the New Registry Properties dialog:
      • Action: Update
      • Hive: HKEY_LOCAL_MACHINE
      • Key Path:

        SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\folndgmoekgkipoolphnkclopeopkecc\policy
      • Value name:

        urlTemplate
      • Value type: REG_SZ
      • Value data: Copy the cloud-specific value from the collector's Install tab in the AIDR console. The AIDR base URL depends on your CrowdStrike cloud:

        • US-1
          https://api.crowdstrike.com/aidr/aiguard
        • US-2
          https://api.us-2.crowdstrike.com/aidr/aiguard
        • EU-1
          https://api.eu-1.crowdstrike.com/aidr/aiguard
    2. Click OK.
  3. Add collector credentials:
    1. Right-click and select New > Registry Item. Use these values in the New Registry Properties dialog:

      • Action: Update
      • Hive: HKEY_LOCAL_MACHINE
      • Key Path:

        SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\folndgmoekgkipoolphnkclopeopkecc\policy
      • Value name:

        registrationIdentity
      • Value type: REG_SZ
      • Value data: Copy the value from the collector's Install tab in the AIDR console. The value is a base64-encoded string that looks like eyJzIj...oxfQ==.
    2. Click OK.

  4. Add device hostname:
    1. Right-click and select New > Registry Item. Use these values in the New Registry Properties dialog:

      • Action: Update
      • Hive: HKEY_LOCAL_MACHINE
      • Key Path:

        SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\folndgmoekgkipoolphnkclopeopkecc\policy
      • Value name:

        hostname
      • Value type: REG_SZ
      • Value data:
        %COMPUTERNAME%
    2. Click OK.

To edit a registry setting, right-click it and select Properties.

note:
  • Group Policy Preferences expand variables, such as %COMPUTERNAME%, at processing time and write the target machine name to the registry as a static string. This differs from REG_EXPAND_SZ, where the OS expands variables each time the value is read.
Cleanup behavior:

GPO Registry Preferences don't remove registry entries when you delete the preference item from the GPO. To enable automatic cleanup, click the Common tab of each registry item and select Remove this item when it is no longer applied. Enable this setting before you apply the GPO to target machines. If you didn't select this option before initial application, you must remove the registry entries manually or with a script.

Configure user-level registry settings

Because user-specific variables must resolve per user, add user identity settings under User Configuration.

note:

Windows processes Computer Configuration preferences during computer startup in the SYSTEM context, before any user logs in. In that context, %USERNAME% resolves to the computer account name - for example, WORKSTATION1$ - not the logged-in user.

  1. Go to User Configuration > Preferences > Windows Settings > Registry.
  2. Add user ID:
    1. Right-click and select New > Registry Item. Use these values in the New Registry Properties dialog:
      • Action: Update
      • Hive: HKEY_CURRENT_USER
      • Key Path:

        SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\folndgmoekgkipoolphnkclopeopkecc\policy
      • Value name:

        userId
      • Value type: REG_SZ
      • Value data:

        %USERNAME%
    2. Click OK.
  3. Add user full name:
    1. Right-click and select New > Registry Item. Use these values in the New Registry Properties dialog:
      • Action: Update
      • Hive: HKEY_CURRENT_USER
      • Key Path:

        SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\folndgmoekgkipoolphnkclopeopkecc\policy
      • Value name:

        userFullName
      • Value type: REG_SZ
      • Value data:

        %USERNAME%
    2. Click OK.

To edit a registry setting, right-click it and select Properties.

note:
  • Group Policy Preferences expand variables, such as %USERNAME%, at processing time and write the result to the registry as a static string. This differs from REG_EXPAND_SZ, where the OS expands variables each time the value is read.

  • %USERNAME% resolves to the Windows SAM account name, such as jhammond, not an email address or display name.

  • Multi-domain environments

    By default, userId is set to %USERNAME%. In multi-domain environments, you can use %USERDOMAIN%\%USERNAME%, such as INGENHQ\jhammond, to distinguish users who share a SAM name across domains.

Cleanup behavior:

GPO Registry Preferences don't remove registry entries when you delete the preference item from the GPO. To enable automatic cleanup, click the Common tab of each registry item and select Remove this item when it is no longer applied. Enable this setting before you apply the GPO to target machines. If you didn't select this option before initial application, you must remove the registry entries manually or with a script.

  1. Link the GPO to target OUs.

    This GPO includes both Computer Configuration and User Configuration settings. Both computer accounts and user accounts must be in OUs linked to the GPO. If your computers and users are in different OUs, link the GPO to both, or to a parent OU that contains both.

    note:

    User accounts in the default CN=Users container don't receive User Configuration policies. GPOs can't be linked to the default Users container. Move user accounts to a proper OU.

  2. On the Scope tab of the GPO, check the Security Filtering section. By default, this section includes Authenticated Users, which covers all domain-joined accounts. If your organization has narrowed filtering to a specific security group, confirm that target computer and user accounts are members. Otherwise, no endpoints receive the policy.

  3. Run gpupdate /force on a target machine and restart Google Chrome:

    gpupdate /force
  4. Verify the computer-level registry values:

    reg query "HKLM\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\folndgmoekgkipoolphnkclopeopkecc\policy"

    Confirm that urlTemplate, registrationIdentity, and hostname are present.

  5. Verify the user-level registry values:

    reg query "HKCU\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\folndgmoekgkipoolphnkclopeopkecc\policy"

    Confirm that userId and userFullName are present with the logged-in user's name.

  6. In Google Chrome on the target machine:

    • Go to chrome://extensions and verify that the extension is installed. If you force-installed the extension through GPO, verify that users can't disable it.
    • Go to chrome://policy. Confirm that the AIDR extension policy shows all five values with the correct per-user expansion.

Open the AIDR extension from the browser toolbar and verify its status.

After successful registration, the extension status progresses through Configured and Ready to Active.

To confirm that the extension connects to AIDR, see Verify Deployment.
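
The registry checks in steps 4 and 5 can be scripted for use across endpoints. The following PowerShell is an added example, not CrowdStrike's script or part of the original page; the function name Test-AidrPolicyValue and the status labels are hypothetical, and the URL list contains only the three clouds named on this page.

```powershell
# Added example: read-only audit of the AIDR extension's managed-storage registry values.
$extensionId = "folndgmoekgkipoolphnkclopeopkecc"
$subKey = "SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\$extensionId\policy"

# AIDR base URLs this page lists for the US-1, US-2 and EU-1 clouds.
$knownUrls = @(
    "https://api.crowdstrike.com/aidr/aiguard",
    "https://api.us-2.crowdstrike.com/aidr/aiguard",
    "https://api.eu-1.crowdstrike.com/aidr/aiguard"
)

# Hive where the GPO steps on this page write each value.
$expected = [ordered]@{
    urlTemplate          = "HKLM"
    registrationIdentity = "HKLM"
    hostname             = "HKLM"
    userId               = "HKCU"
    userFullName         = "HKCU"
}

# Hypothetical helper (not part of any product): inspects one value and returns a result row.
function Test-AidrPolicyValue {
    param([string]$Name, [string]$Hive)

    $row = [ordered]@{ Name = $Name; Hive = $Hive; Status = "OK"; Detail = "" }
    $key = Get-Item -Path "${Hive}:\$subKey" -ErrorAction SilentlyContinue
    if (-not $key -or ($key.GetValueNames() -notcontains $Name)) {
        $row.Status = "MISSING"
        return [pscustomobject]$row
    }

    # Read the stored string without letting the registry API expand %VAR% references.
    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    $raw  = [string]$key.GetValue($Name, $null, $noExpand)
    $kind = $key.GetValueKind($Name)

    # Never echo the credential; report only that it is set.
    $row.Detail = if ($Name -eq "registrationIdentity") { "set, $($raw.Length) chars" } else { $raw }

    if ([string]::IsNullOrWhiteSpace($raw)) {
        $row.Status = "EMPTY"
    } elseif ($kind -eq "String" -and $raw -match "%[^%]+%") {
        # REG_SZ is never expanded on read, so a literal %VAR% means GPP did not resolve it.
        $row.Status = "UNEXPANDED"
    } elseif ($Name -eq "userId" -and $raw.EndsWith('$')) {
        # Computer account name: the value was written in the SYSTEM context.
        $row.Status = "COMPUTER-ACCOUNT"
    } elseif ($Name -eq "urlTemplate" -and $knownUrls -notcontains $raw) {
        # Not one of the URLs listed on this page; compare with the Install tab value.
        $row.Status = "UNKNOWN-URL"
    } elseif ($kind -ne "String") {
        # The GPO steps write REG_SZ; another type points to a different deployment source.
        $row.Status = "TYPE:$kind"
    }
    return [pscustomobject]$row
}

$results = foreach ($name in $expected.Keys) { Test-AidrPolicyValue -Name $name -Hive $expected[$name] }
$results | Format-Table -AutoSize

# A non-zero exit code lets a management tool flag the endpoint.
if ($results | Where-Object { $_.Status -ne "OK" }) { exit 1 } else { exit 0 }
```

Run it in the logged-in user's session so that HKCU resolves to that user's hive. The script only reads the registry and never prints the registrationIdentity value.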

Self-Service (testing)

The Self-Service option lets you quickly evaluate the collector on your own machine before deploying it at scale:

  • Introduces the key browser collector deployment steps.
  • Requires no management tools. Lets you perform both installation and configuration steps manually on your machine.
  • Describes extension deployment parameters that also apply to production deployments.
Self-service limitations:

Self-service deployment is intended for testing and evaluation purposes. It isn't a supported option for production deployments.

The first time you select this option, you must acknowledge these limitations in a confirmation dialog before proceeding.

Install and configure extension
  1. Install the extension from the Chrome Web Store.

  2. Download and apply the configuration.

    • macOS

      Download the configuration profile from the collector's Install tab in the AIDR console.

      Example configuration profile (User scope)

      This profile populates the extension's managed storage with AIDR credentials. Apply at the User level (User Channel).

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
      <plist version="1.0">
      <dict>
          <key>PayloadContent</key>
          <array>
              <dict>
                  <key>PayloadType</key>
                  <string>com.google.Chrome.extensions.folndgmoekgkipoolphnkclopeopkecc</string>
                  <key>PayloadIdentifier</key>
                  <string>com.crowdstrike.aidr.chrome.config</string>
                  <key>PayloadUUID</key>
                  <string>9dd7538f-f46c-482a-91d6-11f87b8f9e6d</string>
                  <key>PayloadVersion</key>
                  <integer>1</integer>
                  <key>PayloadEnabled</key>
                  <true/>
                  <key>PayloadDisplayName</key>
                  <string>AIDR Chrome Extension Configuration</string>
                  <key>urlTemplate</key>
                  <string>https://api.crowdstrike.com/aidr/aiguard</string>
                  <key>registrationIdentity</key>
                  <string>eyJzIj...YiOjF9</string>
                  <key>userId</key>
                  <string>{{user-id}}</string>
                  <key>userFullName</key>
                  <string>{{user-full-name}}</string>
                  <key>hostname</key>
                  <string>replace-with-hostname</string>
              </dict>
          </array>
          <key>PayloadType</key>
          <string>Configuration</string>
          <key>PayloadIdentifier</key>
          <string>com.crowdstrike.aidr.chrome.config.profile</string>
          <key>PayloadUUID</key>
          <string>c4d2e6f8-1a3b-5c7d-9e0f-4b6a8c2d0e1f</string>
          <key>PayloadVersion</key>
          <integer>1</integer>
          <key>PayloadScope</key>
          <string>User</string>
          <key>PayloadDisplayName</key>
          <string>AIDR Chrome Extension Configuration Profile</string>
      </dict>
      </plist>

      Install the profile:

      1. Double-click the .mobileconfig file.
      2. Install in System Settings > General > Device Management.

      note:
      • The exact path may vary depending on your macOS version.
      • If a previous profile for this extension exists, remove it first.
    • Windows

      Download the PowerShell script from the collector's Install tab in the AIDR console.

      Example PowerShell script

      This script creates the managed storage configuration in the Windows Registry. Run as Administrator.

      # Chrome AIDR Extension - Configuration
      $ErrorActionPreference = "Stop"

      $extensionId = "folndgmoekgkipoolphnkclopeopkecc"

      try {
          # --- Managed storage configuration ---
          $policyPath = "HKLM:\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\$extensionId\policy"
          if (-not (Test-Path $policyPath)) {
              New-Item -Path $policyPath -Force | Out-Null
          }

          Set-ItemProperty -Path $policyPath -Name "registrationIdentity" `
              -Value "eyJzIj...YiOjF9" `
              -Type String -Force

          Set-ItemProperty -Path $policyPath -Name "urlTemplate" `
              -Value "https://api.crowdstrike.com/aidr/aiguard" `
              -Type String -Force

          # Use REG_EXPAND_SZ to expand %...% variables at read time
          # In multidomain environments, you can use %USERDOMAIN%\%USERNAME%
          New-ItemProperty -Path $policyPath -Name "userId" `
              -Value "%USERNAME%" -PropertyType ExpandString -Force | Out-Null

          New-ItemProperty -Path $policyPath -Name "userFullName" `
              -Value "%USERNAME%" -PropertyType ExpandString -Force | Out-Null

          New-ItemProperty -Path $policyPath -Name "hostname" `
              -Value "%COMPUTERNAME%" -PropertyType ExpandString -Force | Out-Null

          # Verify
          $config = Get-ItemProperty -Path $policyPath
          Write-Output "`nConfiguration applied successfully:"
          Write-Output " - registrationIdentity: Set"
          Write-Output " - urlTemplate: $($config.urlTemplate)"
          Write-Output " - userId: $($config.userId)"
          Write-Output " - userFullName: $($config.userFullName)"
          Write-Output " - hostname: $($config.hostname)"

          Exit 0

      } catch {
          Write-Error "Failed: $($_.Exception.Message)"
          Exit 1
      }

      Run the script as Administrator to add the configuration to the Registry.

      warning:

      The script modifies only extension-specific key paths in the Windows Registry. As a precaution, back up the registry before running the script.

  3. Restart the browser.

    Fully close and restart your browser. The extension connects to AIDR after the restart.

You can manage the extension on the chrome://extensions page.

note:

The AIDR console pre-populates downloaded configuration files with values from the current session:

  • urlTemplate - The AIDR API URL for your CrowdStrike cloud.

  • registrationIdentity - Collector-specific credentials.

  • userId and userFullName - For macOS, the current AIDR console user's information.

    If you distribute the configuration file to other users, update the userId and userFullName fields to match the target user's identity.

    For Windows, the script uses environment variable expansion (%USERNAME%) to populate these fields automatically with the logged-in user's identity.

  • hostname - For macOS, populated with a placeholder value. Replace it with the target machine's hostname.

    For Windows, the script uses environment variable expansion (%COMPUTERNAME%) to populate this field automatically.

In production deployments, set these values dynamically per user with variables in your endpoint management tool or script.

Uninstall collector

When you're done testing, remove the browser extension and its configuration.

  1. Remove the browser extension in your browser's extension manager.

  2. Remove the system configuration:

    • macOS - Remove the configuration profile in System Settings > General > Device Management > Profiles.

      The exact path may vary depending on your macOS version.

    • Windows - Remove the managed storage registry keys.

      warning:

      This modifies the Windows Registry. You can make a registry backup before proceeding. If you're unsure how to back up the Registry, contact your IT or system administrator.

      Run this command in a PowerShell session as Administrator:

      # Remove extension configuration
      Remove-Item -Path "HKLM:\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\folndgmoekgkipoolphnkclopeopkecc" -Recurse -ErrorAction SilentlyContinue

      Verify that no references to the extension remain:

      # Verify extension removal
      reg query "HKLM\SOFTWARE\Policies\Google\Chrome" /s /f "folndgmoekgkipoolphnkclopeopkecc"

      Expected output: End of search: 0 match(es) found.

©2026 CrowdStrike. All rights reserved.
