Warning: The instructions in this document will update the registry on your endpoints. Please check your work by deploying on a test endpoint before deploying broadly.

Deploying in Google Chrome on MacOS using Workspace ONE

If you are using Workspace ONE to manage your Mac OS devices, you can follow the guide posted here.

Deploying in Google Chrome on Windows 10 using Workspace ONE

1. In your Workspace ONE UEM console, go to Resources > Profiles and Baselines – Profiles
2. Select Add > Add Profile
3. Select Windows > Windows Desktop > Device Profile
4. Provide a Name and assign a smart group for your windows devices
5. Click on Custom Settings on the left (Scroll to the bottom)
6. For Target, select “Workspace ONE Intelligent Hub”
7. Un-check “Make Commands Atomic”
8. Under Initial Settings, paste the following custom profile.
   

   This profile contains an encoded command that will add the Torii Browser Extension via a PowerShell command. We strongly recommend reading the section on building the profile manually to customize the PowerShell for your environment.

<wap-provisioningdoc id="47cdf1f4-7c99-44e5-bf5e-d3fecca68a74" name="customprofile">
  <characteristic type="com.airwatch.winrt.powershellcommand" uuid="b6d3bb2d-7c2b-46d9-8d50-71a8a87ee820">
    <parm name="PowershellCommand" value="&amp;$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand JAByAGUAZwBpAHMAdAByAHkAUABhAHQAaAAgAD0AIAAnAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXABFAHgAdABlAG4AcwBpAG8AbgBJAG4AcwB0AGEAbABsAEYAbwByAGMAZQBsAGkAcwB0ACcADQAKACQAVABvAHIAaQBpAFIAZQBnAGkAcwB0AHIAeQBQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACAAPQAgACIAawBoAGYAaABrAGUAZABoAGgAZABiAGUAagBjAGIAYQBwAGQAaQBjAGcAYQBnAGIAbABqAGkAbQBhAGsAYQBpADsAaAB0AHQAcABzADoALwAvAGMAbABpAGUAbgB0AHMAMgAuAGcAbwBvAGcAbABlAC4AYwBvAG0ALwBzAGUAcgB2AGkAYwBlAC8AdQBwAGQAYQB0AGUAMgAvAGMAcgB4ACIADQAKAFsAaQBuAHQAXQAgACQAcAByAG8AcABlAHIAdAB5AEMAbwB1AG4AdAAgAD0AIAAwAA0ACgBJAGYAIAAoACEAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAcgBlAGcAaQBzAHQAcgB5AFAAYQB0AGgAKQApACAAewANAAoAIAAgACAAIABOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAHIAZQBnAGkAcwB0AHIAeQBQAGEAdABoACAALQBGAG8AcgBjAGUAIAAgACAAIAAgACAAIAANAAoAfQAgAGUAbABzAGUAIAB7AA0ACgAJACQAaQB0AGUAbQAgAD0AIABHAGUAdAAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAHIAZQBnAGkAcwB0AHIAeQBQAGEAdABoAA0ACgAJAGYAbwByAGUAYQBjAGgAIAAoACQAcAByAG8AcAAgAGkAbgAgACQAaQB0AGUAbQAuAFAAcgBvAHAAZQByAHQAeQApACAAewANAAoACQAJACQAcAByAG8AcABlAHIAdAB5AEMAbwB1AG4AdAArACsADQAKAAkAfQANAAoAfQANAAoAJAByAGUAZwBpAHMAdAByAHkASwBlAHkAIAA9ACAAJABwAHIAbwBwAGUAcgB0AHkAQwBvAHUAbgB0ACAAKwAgADEADQAKAE4AZQB3AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAkAHIAZQBnAGkAcwB0AHIAeQBQAGEAdABoACAALQBOAGEAbQBlACAAJAByAGUAZwBpAHMAdAByAHkASwBlAHkAIAAtAFYAYQBsAHUAZQAgACQAVABvAHIAaQBpAFIAZQBnAGkAcwB0AHIAeQBQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACAAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAIgBTAHQAcgBpAG4AZwAiAA==" />
  </characteristic>
</wap-provisioningdoc>

9. Under Remove Settings paste the following custom profile.

This profile contains an encoded command that will remove the Torii Browser Extension via a PowerShell command. We strongly recommend reading the section on building the profile manually to customize the PowerShell for your environment.

<wap-provisioningdoc id="3443f782-0a33-4474-b519-d2bfe207493c" name="customprofile">
  <characteristic type="com.airwatch.winrt.powershellcommand" uuid="8ac8d044-b35e-4534-8a3d-f7502c9fcb35">
    <parm name="PowershellCommand" value="&amp;$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand JAByAGUAZwBpAHMAdAByAHkAUABhAHQAaAAgAD0AIAAnAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAFAAbwBsAGkAYwBpAGUAcwBcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXABFAHgAdABlAG4AcwBpAG8AbgBJAG4AcwB0AGEAbABsAEYAbwByAGMAZQBsAGkAcwB0ACcADQAKACQAVABvAHIAaQBpAFIAZQBnAGkAcwB0AHIAeQBQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACAAPQAgACIAawBoAGYAaABrAGUAZABoAGgAZABiAGUAagBjAGIAYQBwAGQAaQBjAGcAYQBnAGIAbABqAGkAbQBhAGsAYQBpADsAaAB0AHQAcABzADoALwAvAGMAbABpAGUAbgB0AHMAMgAuAGcAbwBvAGcAbABlAC4AYwBvAG0ALwBzAGUAcgB2AGkAYwBlAC8AdQBwAGQAYQB0AGUAMgAvAGMAcgB4ACIADQAKACQAVABvAHIAaQBpAFIAZQBnAGkAcwB0AHIAeQBQAHIAbwBwAGUAcgB5AE4AYQBtAGUAIAA9ACAAJwBmAGEAbABzAGUAJwANAAoADQAKAEkAZgAgACgAVABlAHMAdAAtAFAAYQB0AGgAIAAiACQAcgBlAGcAaQBzAHQAcgB5AFAAYQB0AGgAIgApACAAewANAAoACQAkAGkAdABlAG0AIAA9ACAARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAJAByAGUAZwBpAHMAdAByAHkAUABhAHQAaAANAAoACQBmAG8AcgBlAGEAYwBoACAAKAAkAHAAcgBvAHAAIABpAG4AIAAkAGkAdABlAG0ALgBQAHIAbwBwAGUAcgB0AHkAKQAgAHsADQAKAAkAaQBmACgAJABpAHQAZQBtAC4ARwBlAHQAVgBhAGwAdQBlACgAJABwAHIAbwBwACkAIAAtAG0AYQB0AGMAaAAgACQAVABvAHIAaQBpAFIAZQBnAGkAcwB0AHIAeQBQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACkAIAB7ACAACQAkAFQAbwByAGkAaQBSAGUAZwBpAHMAdAByAHkAUAByAG8AcABlAHIAeQBOAGEAbQBlACAAPQAgACQAcAByAG8AcAAgAH0ADQAKAAkAfQANAAoAfQANAAoAaQBmACAAKAAkAFQAbwByAGkAaQBSAGUAZwBpAHMAdAByAHkAUAByAG8AcABlAHIAeQBOAGEAbQBlACAALQBuAGUAIAAiAGYAYQBsAHMAZQAiACkAewANAAoAUgBlAG0AbwB2AGUALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACQAcgBlAGcAaQBzAHQAcgB5AFAAYQB0AGgAIAAtAE4AYQBtAGUAIAAkAFQAbwByAGkAaQBSAGUAZwBpAHMAdAByAHkAUAByAG8AcABlAHIAeQBOAGEAbQBlAA0ACgB9AA==" />
  </characteristic>
</wap-provisioningdoc>

10. Click Save and Publish

Deploying in Microsoft Edge on Windows 10

1. In your Workspace ONE UEM console, go to Resources > Profiles and Baselines – Profiles
2. Select Add > Add Profile
3. Select Windows > Windows Desktop > Device Profile
4. Provide a Name and assign a smart group for your Windows devices
5. Click on Custom Settings on the left (Scroll to the bottom)
6. For Target, select “Workspace ONE Intelligent Hub”
7. Un-check “Make Commands Atomic”
8. Under Initial Settings, paste the following custom profile.

This profile contains an encoded command that will add the Torii Browser Extension via a PowerShell command. We strongly recommend reading the section on building the profile manually to customize the PowerShell to your environment.

<wap-provisioningdoc id="403c7682-0160-4ba8-9cdf-ffb8395d5b4f" name="customprofile">
  <characteristic type="com.airwatch.winrt.powershellcommand" uuid="35cd527c-c1c1-4930-9e66-75b3d5d4c5f1">
    <parm name="PowershellCommand" value="&amp;$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand JAByAGUAZwBpAHMAdAByAHkAUABhAHQAaAAgAD0AIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwARQBkAGcAZQBcAEUAeAB0AGUAbgBzAGkAbwBuAEkAbgBzAHQAYQBsAGwARgBvAHIAYwBlAGwAaQBzAHQAJwANAAoAJABUAG8AcgBpAGkAUgBlAGcAaQBzAHQAcgB5AFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAA9ACAAIgBnAG0AagBmAHAAbgBnAHAAawBrAGIAZQBpAGMAZgBsAG0AYwBrAGIAaABkAGIAbgBhAG4AZgBmAGsAaQBoAGkAOwBoAHQAdABwAHMAOgAvAC8AZQBkAGcAZQAuAG0AaQBjAHIAbwBzAG8AZgB0AC4AYwBvAG0ALwBlAHgAdABlAG4AcwBpAG8AbgB3AGUAYgBzAHQAbwByAGUAYgBhAHMAZQAvAHYAMQAvAGMAcgB4ACIADQAKAFsAaQBuAHQAXQAgACQAcAByAG8AcABlAHIAdAB5AEMAbwB1AG4AdAAgAD0AIAAwAA0ACgANAAoASQBmACAAKAAhACgAVABlAHMAdAAtAFAAYQB0AGgAIAAkAHIAZQBnAGkAcwB0AHIAeQBQAGEAdABoACkAKQAgAHsADQAKACAAIAAgACAATgBlAHcALQBJAHQAZQBtACAALQBQAGEAdABoACAAJAByAGUAZwBpAHMAdAByAHkAUABhAHQAaAAgAC0ARgBvAHIAYwBlACAAIAAgACAAIAAgACAADQAKAH0AIABlAGwAcwBlACAAewANAAoACQAkAGkAdABlAG0AIAA9ACAARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAJAByAGUAZwBpAHMAdAByAHkAUABhAHQAaAANAAoACQBmAG8AcgBlAGEAYwBoACAAKAAkAHAAcgBvAHAAIABpAG4AIAAkAGkAdABlAG0ALgBQAHIAbwBwAGUAcgB0AHkAKQAgAHsADQAKAAkACQAkAHAAcgBvAHAAZQByAHQAeQBDAG8AdQBuAHQAKwArAA0ACgAJAH0ADQAKAH0ADQAKACQAcgBlAGcAaQBzAHQAcgB5AEsAZQB5ACAAPQAgACQAcAByAG8AcABlAHIAdAB5AEMAbwB1AG4AdAAgACsAIAAxAA0ACgBOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAJAByAGUAZwBpAHMAdAByAHkAUABhAHQAaAAgAC0ATgBhAG0AZQAgACQAcgBlAGcAaQBzAHQAcgB5AEsAZQB5ACAALQBWAGEAbAB1AGUAIAAkAFQAbwByAGkAaQBSAGUAZwBpAHMAdAByAHkAUAByAG8AcABlAHIAdAB5AFYAYQBsAHUAZQAgACAALQBQAHIAbwBwAGUAcgB0AHkAVAB5AHAAZQAgACIAUwB0AHIAaQBuAGcAIgANAAoADQAKAA0ACgANAAoA" />
  </characteristic>
</wap-provisioningdoc>

9. Under Remove Settings paste the following custom profile.

This profile contains an encoded command that will remove the Torii Browser Extension via a PowerShell command. We strongly recommend reading the section on building the profile manually to customize the PowerShell to your environment.

<wap-provisioningdoc id="2c41433a-053a-4a5f-9998-df1bc8240265" name="customprofile">
  <characteristic type="com.airwatch.winrt.powershellcommand" uuid="e2c6be54-abf6-4af9-8615-e9e868fdbdf1">
    <parm name="PowershellCommand" value="&amp;$env:SystemRoot\sysnative\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand JAByAGUAZwBpAHMAdAByAHkAUABhAHQAaAAgAD0AIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwARQBkAGcAZQBcAEUAeAB0AGUAbgBzAGkAbwBuAEkAbgBzAHQAYQBsAGwARgBvAHIAYwBlAGwAaQBzAHQAJwANAAoAJABUAG8AcgBpAGkAUgBlAGcAaQBzAHQAcgB5AFAAcgBvAHAAZQByAHQAeQBWAGEAbAB1AGUAIAA9ACAAIgBnAG0AagBmAHAAbgBnAHAAawBrAGIAZQBpAGMAZgBsAG0AYwBrAGIAaABkAGIAbgBhAG4AZgBmAGsAaQBoAGkAOwBoAHQAdABwAHMAOgAvAC8AZQBkAGcAZQAuAG0AaQBjAHIAbwBzAG8AZgB0AC4AYwBvAG0ALwBlAHgAdABlAG4AcwBpAG8AbgB3AGUAYgBzAHQAbwByAGUAYgBhAHMAZQAvAHYAMQAvAGMAcgB4ACIADQAKACQAVABvAHIAaQBpAFIAZQBnAGkAcwB0AHIAeQBQAHIAbwBwAGUAcgB5AE4AYQBtAGUAIAA9ACAAJwBmAGEAbABzAGUAJwANAAoADQAKAEkAZgAgACgAVABlAHMAdAAtAFAAYQB0AGgAIAAiACQAcgBlAGcAaQBzAHQAcgB5AFAAYQB0AGgAIgApACAAewANAAoACQAkAGkAdABlAG0AIAA9ACAARwBlAHQALQBJAHQAZQBtACAALQBQAGEAdABoACAAJAByAGUAZwBpAHMAdAByAHkAUABhAHQAaAANAAoACQBmAG8AcgBlAGEAYwBoACAAKAAkAHAAcgBvAHAAIABpAG4AIAAkAGkAdABlAG0ALgBQAHIAbwBwAGUAcgB0AHkAKQAgAHsADQAKAAkAaQBmACgAJABpAHQAZQBtAC4ARwBlAHQAVgBhAGwAdQBlACgAJABwAHIAbwBwACkAIAAtAG0AYQB0AGMAaAAgACQAVABvAHIAaQBpAFIAZQBnAGkAcwB0AHIAeQBQAHIAbwBwAGUAcgB0AHkAVgBhAGwAdQBlACkAIAB7ACAACQAkAFQAbwByAGkAaQBSAGUAZwBpAHMAdAByAHkAUAByAG8AcABlAHIAeQBOAGEAbQBlACAAPQAgACQAcAByAG8AcAAgAH0ADQAKAAkAfQANAAoAfQANAAoAaQBmACAAKAAkAFQAbwByAGkAaQBSAGUAZwBpAHMAdAByAHkAUAByAG8AcABlAHIAeQBOAGEAbQBlACAALQBuAGUAIAAiAGYAYQBsAHMAZQAiACkAewANAAoAUgBlAG0AbwB2AGUALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AUABhAHQAaAAgACQAcgBlAGcAaQBzAHQAcgB5AFAAYQB0AGgAIAAtAE4AYQBtAGUAIAAkAFQAbwByAGkAaQBSAGUAZwBpAHMAdAByAHkAUAByAG8AcABlAHIAeQBOAGEAbQBlAA0ACgB9AA==" />
  </characteristic>
</wap-provisioningdoc>

10. Click Save and Publish

Building the Application Profile Manually

In order to add the browser extension on Windows 10 the windows registry must be updated. Typically, registry entries can be updated directly via a CSP, however browser extensions are in a restricted portion of the registry, requiring the use of a PowerShell command.

What follows are the PowerShell commands used in the above steps to “Add” and “Remove” the profiles. The “Add” examples will search the registry and find the correct key to use for the extension. The registry key (1,2,3…etc) is determined by counting the number of existing entries and using the next available number as the key for the new entry. The “Remove” command will find the number associated with the browser extension and will remove that value.

The supplied PowerShell scripts will not check if the browser extension exists before adding it. However, the script can be easily modified to do so.

For additional information on the registry entry see: Browser extension

Please update the scripts to meet your business requirements.

Google Chrome – Add Profile

$registryPath = 'HKLM:\Software\Policies\Google\Chrome\ExtensionInstallForcelist'
$ToriiRegistryPropertyValue = "khfhkedhhdbejcbapdicgagbljimakai;https://clients2.google.com/service/update2/crx"
[int] $propertyCount = 0
If (!(Test-Path $registryPath)) {
    New-Item -Path $registryPath -Force       
} else {
    $item = Get-Item -Path $registryPath
    foreach ($prop in $item.Property) {
        $propertyCount++
    }
}
$registryKey = $propertyCount + 1
New-ItemProperty -Path $registryPath -Name $registryKey -Value 
$ToriiRegistryPropertyValue  -PropertyType "String"

Google Chrome – Remove Profile

$registryPath = 'HKLM:\Software\Policies\Google\Chrome\ExtensionInstallForcelist'
$ToriiRegistryPropertyValue = "khfhkedhhdbejcbapdicgagbljimakai;https://clients2.google.com/service/update2/crx"
[int] $propertyCount = 0
$registryPath = 'HKLM:\Software\Policies\Google\Chrome\ExtensionInstallForcelist'
$ToriiRegistryPropertyValue = "khfhkedhhdbejcbapdicgagbljimakai;https://clients2.google.com/service/update2/crx"
$ToriiRegistryProperyName = 'false'
If (Test-Path "$registryPath") {
$item = Get-Item -Path $registryPath
foreach ($prop in $item.Property) {
if($item.GetValue($prop) -match $ToriiRegistryPropertyValue) { $ToriiRegistryProperyName = $prop }
}
}
if ($ToriiRegistryProperyName -ne "false"){
Remove-ItemProperty -Path $registryPath -Name $ToriiRegistryProperyName
}

Microsoft Edge – Add Profile

$registryPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
$ToriiRegistryPropertyValue = "gmjfpngpkkbeicflmckbhdbnanffkihi;https://edge.microsoft.com/extensionwebstorebase/v1/crx"
[int] $propertyCount = 0

If (!(Test-Path $registryPath)) {
    New-Item -Path $registryPath -Force       
} else {
    $item = Get-Item -Path $registryPath
    foreach ($prop in $item.Property) {
        $propertyCount++
    }
}
$registryKey = $propertyCount + 1
New-ItemProperty -Path $registryPath -Name $registryKey -Value $ToriiRegistryPropertyValue  -PropertyType "String"
Microsoft Edge – Remove Profile
$registryPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
$ToriiRegistryPropertyValue = "gmjfpngpkkbeicflmckbhdbnanffkihi;https://edge.microsoft.com/extensionwebstorebase/v1/crx"
$ToriiRegistryProperyName = 'false'

If (Test-Path "$registryPath") {
    $item = Get-Item -Path $registryPath
    foreach ($prop in $item.Property) {
    if($item.GetValue($prop) -match $ToriiRegistryPropertyValue) {     $ToriiRegistryProperyName = $prop }
    }
}
if ($ToriiRegistryProperyName -ne "false"){
Remove-ItemProperty -Path $registryPath -Name $ToriiRegistryProperyName
}

Once you have finalized your PowerShell scripts, you will need to convert them to bytes and then Base64. This process is prone to error as outlined in the following blog post. In it, Camille Debay provides a script that will create the profile automatically. We strongly recommend using the script that the blog author has provided.

You can run the script as below:

.\create-ps-profile.ps1 -FilePath .\ToriiBrowser-Chrome.ps1 -Arch 64

This script will output a file that you can paste directly into the custom settings on the profile in Workspace ONE UEM.