Skip to main content

Deploy Willow Guard Browser Extension

Deploy Willow Guard when you need to monitor and govern OAuth flows and web AI agent access in managed Chrome browsers.

Prerequisites

  • Admin access to Willow.
  • Access to the Scan Agent Setup flow in AI Discovery.
  • Admin access to the MDM, GPO, or browser-management tool you use for Chrome policy.
  • A pilot group of managed browsers or devices.
  • The Willow Guard Chrome policy profile from Willow.

Minimum requirements

ComponentMinimum requirement
BrowserManaged Google Chrome. Google Chrome Enterprise documents Chrome browser policy management for managed Chrome browsers on Windows, Mac, and Linux in Set Chrome browser policies on managed PCs.
macOS deploymentAn MDM provider that can deploy the Willow Guard Chrome policy .mobileconfig profile to managed Macs.
Windows deploymentGPO, Intune, or another Chrome policy management tool that can set extension force-install policy and managed storage values.
Linux deploymentChrome policy management is supported by Google on Linux, but Willow currently provides macOS and Windows-oriented policy artifacts. Use Linux only if your team converts the policy into Chrome's Linux JSON policy format.
Policy valuesserverUrl and authToken must be present in Chrome managed storage for Willow Guard.

Willow does not publish a separate minimum Chrome version. Use a currently supported Chrome Enterprise browser that supports extension force-install and managed storage policies.

Expected outcome

Target browsers install Willow Guard from the Chrome Web Store, receive your Willow connection details through managed policy, and report browser-based AI usage signals to AI Discovery.

Download the browser extension files

  1. In Willow, open AI Discovery.
  2. Click Setup Instructions or Setup Scan Agent.
  3. In Browser Extension - Willow Guard, use the Chrome Web Store option for manual testing.
  4. Download the Chrome Policy (.mobileconfig) file for managed deployment.

The downloaded policy is pre-filled for your organization.

Connection details

The Scan Agent Setup modal shows Server URL and Auth Token under Connection Details.

These values are pre-filled in the downloaded Chrome policy profile. Use them only when you need to convert the generated policy into another browser-management format, such as Windows registry policy, Intune settings, or Chrome's Linux JSON policy format.

Do not edit the generated values unless Willow Support asks you to. Treat the auth token as sensitive.

Deploy with MDM on macOS

Use this flow for Jamf, Kandji, Mosyle, Iru, JumpCloud, or another MDM that can deploy macOS configuration profiles.

  1. Upload the Willow Guard Chrome policy .mobileconfig file to your MDM as a custom configuration profile.
  2. Assign the profile to your pilot device group.
  3. Confirm the profile installs on a test Mac.
  4. Confirm Chrome installs Willow Guard from the Chrome Web Store.

The Chrome policy force-installs the extension and writes Willow connection details to Chrome managed storage. Users do not need to configure the extension manually.

Deploy with GPO on Windows

Use this flow when Chrome policy is managed through Group Policy.

The Willow-provided Chrome policy is a macOS .mobileconfig, so on Windows you deliver the same values through Chrome's Windows policy. Willow Guard's Chrome Web Store ID is ibekbbcohbodaihoahkeilfhjmadabkd.

  1. Force-install the extension: add ibekbbcohbodaihoahkeilfhjmadabkd;https://clients2.google.com/service/update2/crx to HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist.
  2. Push the connection details to Chrome managed storage. The standard Chrome administrative template does not expose per-extension managed storage, so set serverUrl and authToken as string values under HKLM\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\ibekbbcohbodaihoahkeilfhjmadabkd\policy (deliver them through a Group Policy Preferences registry item). Use the pre-filled values from Connection Details.
  3. Link the GPO to your pilot user or device OU.
  4. Run policy update on a test device or wait for the next policy refresh.

After policy refresh, Chrome should install Willow Guard automatically and expose the managed connection values to the extension.

Deploy with Intune on Windows

Use this flow when Chrome policy is managed through Microsoft Intune.

Willow Guard's Chrome Web Store ID is ibekbbcohbodaihoahkeilfhjmadabkd.

  1. Create or update a Chrome administrative template policy in Intune.
  2. Force-install the extension: add ibekbbcohbodaihoahkeilfhjmadabkd;https://clients2.google.com/service/update2/crx to the ExtensionInstallForcelist setting.
  3. Push the connection details to Chrome managed storage. The Chrome administrative template does not expose per-extension managed storage, so deliver serverUrl and authToken with a custom profile (OMA-URI or a registry-based configuration) that writes them under HKLM\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\ibekbbcohbodaihoahkeilfhjmadabkd\policy. Use the pre-filled values from Connection Details.
  4. Assign the policy to your pilot device group.
  5. Sync policy on a test device.

After the policy applies, Chrome should install Willow Guard automatically and the extension should read its Willow connection values from managed storage.

Verify deployment

On a managed browser:

  1. Open Chrome.
  2. Open chrome://extensions.
  3. Confirm Willow Guard is installed and enabled.
  4. Open chrome://policy.
  5. Reload policies and confirm the Willow Guard Chrome policy is present.

In Willow, open AI Discovery and confirm browser-based AI usage appears in AI Usage Signals after a test OAuth or web AI agent interaction.

Troubleshooting

SymptomCheck
Extension does not installConfirm the force-install Chrome policy applies to the test browser.
Extension installs but does not reportConfirm managed storage includes serverUrl and authToken.
Policy applies on macOS but Chrome ignores itConfirm Chrome is managed on the device and that the profile targets Chrome policy, not only the OS profile scope.
No AI Usage Signals appearConfirm the browser can reach your Willow Connect URL and test a browser-based AI flow after policy refresh.