Credential Manager Deployment and Configuration Guide
This guide helps system administrators deploy and configure the Credential Manager browser extension with Group Policy Objects (GPO) or Microsoft Intune. It describes the managed settings and highlights deployment differences across Windows, macOS, and Linux environments.
Credential Manager supports managed policies, which administrators can use to preconfigure login behavior and restrict users from modifying settings. A key is a specific configuration setting or option that you adjust within a software application or platform. Use these keys to control certain behaviors or features of the application. The following keys are available:
- TenantUrl (string): Defines your organization's Delinea Platform or Secret Server login Url. When set, it appears as the default login option.
  Example: https://company.secretservercloud.com
- LockTenantUrl (Boolean): Controls whether users can change the Tenant Url.
  - True: Locks the Url so users cannot change it. If the tenant is invalid, the login page defaults back to allowing the user to choose a tenant Url.
  - False: Keeps the Url editable so users can enter alternative tenants.
- EnableClickjackWarnings (Boolean): Displays a warning if the autofill field is behind hidden content, which might indicate malicious activity on the site. The setting is off by default because it can also flag valid pages. This setting only affects warning behavior, not security. Credential Manager still blocks known exploits.
- LockEnableClickjackWarnings (Boolean): Locks the setting to the admin's EnableClickjackWarnings value so users cannot change it in the Credential Manager settings page.
These keys are case sensitive.
Deploying on Windows
On Windows, administrators typically deploy Credential Manager through GPO. The process involves installing the extension, configuring force-install policies in Chrome or Edge, and setting registry values to define and secure the tenant Url.
To install the extension using GPO:
- Download the extension policy template files from https://www.chromium.org/administrators/policy-templates.
- Copy the files to your domain controller.
To install on Chrome:
- Open Group Policy Editor > User Configuration > Administrative Templates > Google > Google Chrome > Extensions.
- Select 'Configure the list of force-installed apps and extensions' and add:
  ebennojnciifnigfpjnagolafflmgilp;https://clients2.google.com/service/update2/crx
- Navigate to Software > Policies > Google > Chrome > 3rdparty > extensions > ebennojnciifnigfpjnagolafflmgilp > policy.
- Add registry string values:
  For Delinea Platform:
  - TenantUrl = https://{company}.platformcloud.com
  - LockTenantUrl = 0 (or 1 to lock the tenant Url field)
  For Secret Server:
  - TenantUrl = https://{company}.secretservercloud.com
  - LockTenantUrl = 0 (or 1 to lock the tenant Url field)
To install on Edge:
- Open Group Policy Editor > User Configuration > Administrative Templates > Microsoft Edge > Extensions.
- Select 'Control which extensions are installed silently' and add:
  mbgapjfdohjpllbeppiajkjilllilblf;https://edge.microsoft.com/extensionwebstorebase
- Navigate to Software > Policies > Microsoft > Edge > 3rdparty > extensions > mbgapjfdohjpllbeppiajkjilllilblf > policy.
- Add registry string values:
  For Delinea Platform:
  - TenantUrl = https://{company}.platformcloud.com
  - LockTenantUrl = true
  For Secret Server:
  - TenantUrl = https://{company}.secretservercloud.com
  - LockTenantUrl = true
Deploying on macOS
On macOS, administrators typically deploy Credential Manager by creating a configuration profile in a .plist file and distributing it through an MDM solution such as Jamf or Intune. The process is similar across supported browsers but requires a browser-specific .plist file.
To create a configuration profile on Chrome:
- Create a .plist file named com.google.Chrome.extensions.ebennojnciifnigfpjnagolafflmgilp.plist.
- Add the following:
  ```xml
  <dict>
      <key>TenantUrl</key>
      <string>https://company.secretservercloud.com</string>
      <key>LockTenantUrl</key>
      <true/>
  </dict>
  ```
- Deploy the profile through MDM (Jamf, Intune).
To create a configuration profile on Edge:
- Create a .plist file named com.microsoft.Edge.extensions.mbgapjfdohjpllbeppiajkjilllilblf.plist.
- Add the following:
  ```xml
  <dict>
      <key>TenantUrl</key>
      <string>https://company.secretservercloud.com</string>
      <key>LockTenantUrl</key>
      <true/>
  </dict>
  ```
- Deploy the profile through MDM.
Deploying on Linux
On Linux, administrators typically deploy Credential Manager by creating a JSON policy file in the appropriate managed policies directory for each browser. The configuration specifies the tenant Url and whether the tenant field is locked.
To configure a JSON file on Chrome:
- Create the following JSON file:
  /etc/opt/chrome/policies/managed/ebennojnciifnigfpjnagolafflmgilp.json
- Add the configuration.
  For example:
  For Delinea Platform:
  - TenantUrl = https://{company}.platformcloud.com
  - LockTenantUrl = true
  For Secret Server:
  - TenantUrl = https://{company}.secretservercloud.com
  - LockTenantUrl = true
To configure a JSON file on Edge:
- Create the following JSON file:
  /etc/opt/edge/policies/managed/mbgapjfdohjpllbeppiajkjilllilblf.json
- Add the configuration.
  For example:
  For Delinea Platform:
  - TenantUrl = https://{company}.platformcloud.com
  - LockTenantUrl = true
  For Secret Server:
  - TenantUrl = https://{company}.secretservercloud.com
  - LockTenantUrl = true
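A pre-rollout check for the Linux policy file described above, written as an added example (it is not Delinea's code). It assumes the file uses Chromium's 3rdparty > extensions > extension ID nesting for extension policy, which this guide does not show; `check_policy` and the sample documents are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Keys and value types as listed in this guide; key names are case sensitive.
KNOWN_KEYS = {"TenantUrl": str, "LockTenantUrl": bool,
              "EnableClickjackWarnings": bool, "LockEnableClickjackWarnings": bool}
CHROME_ID = "ebennojnciifnigfpjnagolafflmgilp"  # Chrome extension ID from this guide

# Constructed sample file content (the nesting is an assumption, see lead-in).
GOOD = """{
  "3rdparty": {"extensions": {"ebennojnciifnigfpjnagolafflmgilp": {
    "TenantUrl": "https://company.secretservercloud.com",
    "LockTenantUrl": true
  }}}
}"""
# Same file with two common mistakes: wrong key case and a quoted Boolean.
BAD = GOOD.replace('"TenantUrl"', '"tenantUrl"').replace("true", '"true"')

def check_policy(text, extension_id):
    """Return a list of problems found in one managed-policy JSON document."""
    try:
        node = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    for part in ("3rdparty", "extensions", extension_id):
        node = node.get(part) if isinstance(node, dict) else None
    if not isinstance(node, dict):
        return [f"no policy block for extension {extension_id}"]
    problems, by_lower = [], {k.lower(): k for k in KNOWN_KEYS}
    for key, value in node.items():
        if key not in KNOWN_KEYS:
            hint = by_lower.get(key.lower())
            problems.append(f"{key}: wrong case, expected {hint}" if hint
                            else f"{key}: unknown key")
        elif not isinstance(value, KNOWN_KEYS[key]):
            problems.append(f"{key}: expected {KNOWN_KEYS[key].__name__}")
    url = node.get("TenantUrl")
    if isinstance(url, str):
        parts = urlparse(url)
        # https-only is this example's own hygiene check, not a documented rule.
        if parts.scheme != "https" or not parts.hostname:
            problems.append("TenantUrl: expected an https URL with a host")
        if "{" in url:
            problems.append("TenantUrl: {company} placeholder not replaced")
    return problems

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_policy(text, CHROME_ID))
```

A mis-cased key or a quoted Boolean is reported as a problem here, so the mistake is caught before users see an unlocked or empty tenant field.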
Common Deployment Considerations
Regardless of the operating system or deployment method, administrators follow a similar process to ensure a consistent and reliable rollout of Credential Manager.
In most deployments, administrators perform the following tasks:
- Obtain the extension ID. The following example IDs assume Credential Manager was installed from the App Store. If it was installed in another way, check your actual extension ID and substitute it.
  - Chrome: ebennojnciifnigfpjnagolafflmgilp
  - Edge: mbgapjfdohjpllbeppiajkjilllilblf
- Configure force-install (optional but recommended).
- Define policies using JSON, registry keys, or configuration profiles.
- Test configurations before rolling out to their organization.
Optional: Pin Credential Manager so it always appears in the browser toolbar. Use the ExtensionSettings policy to define pinned extensions by adding the required JSON under Software\Policies\Google\Chrome\ExtensionSettings.
For Windows devices, add the following JSON to your Chrome policy using Intune, registry, or GPO:
```json
{
  "*extension_id*": {
    "toolbar_pin": "force_pinned"
  }
}
```
Add the following JSON to your Edge policy:
```json
{
  "*extension_id*": {
    "toolbar_state": "force_shown"
  }
}
```
For macOS devices, add the following XML to your Chrome managed preferences:
```xml
<key>ExtensionSettings</key>
<dict>
    <key>*extension_id*</key>
    <dict>
        <key>toolbar_pin</key>
        <string>force_pinned</string>
    </dict>
</dict>
```
Add the following XML to your managed preferences for Edge:
```xml
<key>ExtensionSettings</key>
<dict>
    <key>*extension_id*</key>
    <dict>
        <key>toolbar_state</key>
        <string>force_shown</string>
    </dict>
</dict>
```
Replace `*extension_id*` with your Credential Manager extension identifier for the corresponding browser.
Verifying and Testing
It is recommended that administrators perform the following tests to verify that Credential Manager is deployed successfully before making it available to an entire organization.
- Restart the browser after deployment.
- Confirm Credential Manager is installed and pinned (if you configured the extension to be pinned).
- Verify that the tenant Url is preconfigured and locked or unlocked according to your settings.