Skip to main content

Browser Extension - Installation with Intune

This guide covers deploying the Viio Browser Extension with Microsoft Intune on both Windows and macOS.

M
Written by Marta Droneva

Every Intune deployment has two steps:

  1. Install the extension – force-install it into managed Chrome and Edge browsers.

  2. Configure employee recognition – make sure usage is attributed to the right employee.

New to the extension? Read Browser Extension first to choose an edition and understand how employee recognition works.


Before you start

  • Intune administrator access (Devices → Configuration and, for the remediation method, Devices → Scripts and remediations).

  • Your Viio customer key — from Viio under Integrations → Browser Extension.

  • Decide which edition you're deploying and use its extension ID everywhere:

Edition

Extension ID

Silent (recommended)

nffjckgmpigfpkmamacllkakieaphfnm

Interactive

fjambfppaeandondpbbjkggkabeccjmh

The examples below use the Silent extension ID. Swap it for the Interactive ID if that's the edition you chose.


Windows

Step 1: Install the extension

Force-install the extension into Chrome and Edge using a Settings Catalog profile.

  1. In Intune, go to Devices → Configuration → Create → New Policy.

  2. Set:

    • Platform: Windows 10 and later

    • Profile type: Settings Catalog

  3. Give the profile a name (e.g. Viio Browser Extension — Install).

  4. Click Add settings and add the force-install setting for each browser:

    • Chrome: Google → Google Chrome → Extensions → Configure the list of force-installed apps and extensions

    • Edge: Microsoft Edge → Extensions → Control which extensions are installed silently

  5. Enable each setting and add the extension with its update URL:

    nffjckgmpigfpkmamacllkakieaphfnm;https://clients2.google.com/service/update2/crx

  6. Assign the profile to your target device/user groups and create it.


Step 2: Configure employee recognition

Two values drive recognition, written under the extension's policy registry key:

  • Chrome - SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\<EXTENSION_ID>\policy

  • Edge: SOFTWARE\Policies\Microsoft\Edge\3rdparty\extensions\<EXTENSION_ID>\policy

  • customerKey – your Viio customer key (same for everyone). Always required.

  • employeeEmail – the individual employee's work email.

Which path applies to you? It depends on whether you need to set employeeEmail:

Your situation

What you need to set

Use

Employees sign into managed Chrome/Edge profiles with their work email

customerKey only (email is automatic)

Browsers are not (or only partially) managed

customerKey and employeeEmail


Path A – customerKey only (ADMX template)

When employees are on managed browser profiles, the extension picks up their email automatically, so you only need to deploy the customer key. The easiest way is the Viio ADMX template, which exposes a Customer Key setting for Chrome and Edge (for both the Silent and Interactive editions).

Get the templates: download viio.admx and its en-US\viio.adml language file from the viio-io/agent-installer-scripts repository (policies). If you can't access them, contact [email protected].

Then import them into Intune:

  1. Import the ADMX. In the Intune admin center, go to Devices → Configuration → Import ADMX → Import, upload viio.admx together with its en-US\viio.adml language file, and wait until the status shows Available (ingestion takes a few minutes).

  2. Create a profile that uses it. Go to Devices → Configuration → Create → New Policy and set:

    • Platform: Windows 10 and later

    • Profile type: TemplatesImported Administrative templates (this is the only profile type that shows your imported ADMX – Settings Catalog won't).

    Give it a name (e.g. Viio Browser Extension – Customer Key) and continue.

  3. Find the Customer Key setting. On the Configuration settings tab, the imported ADMX appears as a browsable, searchable tree. Expand Viio → Extensions → Chrome / Edge → Silent (or Interactive, matching the edition you deployed) – or just search for Customer Key. There's a separate setting per browser, so configure it for each browser you're rolling out.

  4. Open Customer Key, set it to Enabled, and enter the customer key from Viio (Settings).

  5. On the Assignments tab, assign the profile to your target device/user groups, then create it.

No ADMX? As an alternative, add a Settings Catalog / custom OMA-URI setting that writes the customerKey string value directly under each browser's policy key above (value name customerKey, type String).


Path B – customerKey + employeeEmail (Remediation script)

When browsers aren't managed, employeeEmail differs per user, so hard-coding it doesn't scale. Use an Intune Remediation (a detection + remediation script pair) that writes customerKey and, per user, employeeEmail into the extension policy for Chrome and Edge – covering both editions. It re-checks on a schedule, so new users are configured automatically.

Get the scripts. detect.ps1 and remediate.ps1 are maintained in the viio-io/agent-installer-scripts repository under browser-extension/. Download both from there – always use the maintained version rather than a copy.

Configure them. Both scripts share an identical CONFIGURATION block at the top. Edit it, and keep it the same in both files – Intune's detect/remediate model requires the pair to agree:

Setting

What to set

$CustomerKey

Your Viio customer key (from Settings). Required – always written to HKLM for every browser/edition.

$EmployeeEmail

"AUTO" to derive each user's email from their Entra (Azure AD) UPN, a literal email address, or "" to skip email (customer-key only).

$EmployeeEmailScope

"HKCU" (per logged-on user) or "HKLM" (machine-wide).

For this path (customer key and per-user email), set $EmployeeEmail = "AUTO" and $EmployeeEmailScope = "HKCU".

How it works: detect.ps1 reports non-compliant when the configured values are missing or wrong; Intune then runs remediate.ps1 to write them. With AUTO, the email is resolved from the logged-on user's UPN (Entra registration, with an Office identity fallback). When the remediation runs as SYSTEM, HKCU-scoped values are written into the logged-on user's hive (HKEY_USERS\<SID>) rather than SYSTEM's own.

Deploy it:

  1. Edit the CONFIGURATION block in both detect.ps1 and remediate.ps1 (identical values in each).

  2. In Intune, go to Devices → Scripts and remediations → Create and upload:

    • Detection script file: detect.ps1

    • Remediation script file: remediate.ps1

    • Set Run this script using the logged-on credentials to No

    • Set Run script in 64-bit PowerShell to Yes.

  3. Choose a schedule (e.g. daily) and assign to your target groups.

Only need the customer key here? Set $EmployeeEmail = "" and the same scripts configure customerKey alone – a scripted alternative to the Path A ADMX method.


Did this answer your question?