Deploy Willow Guard Browser Extension
Deploy Willow Guard when you need to monitor and govern OAuth flows and web AI agent access in managed Chrome browsers.
Prerequisites
- Admin access to Willow.
- Access to the Scan Agent Setup flow in AI Discovery.
- Admin access to the MDM, GPO, or browser-management tool you use for Chrome policy.
- A pilot group of managed browsers or devices.
- The Willow Guard Chrome policy profile from Willow.
Minimum requirements
| Component | Minimum requirement |
|---|---|
| Browser | Managed Google Chrome. Google Chrome Enterprise documents Chrome browser policy management for managed Chrome browsers on Windows, Mac, and Linux in Set Chrome browser policies on managed PCs. |
| macOS deployment | An MDM provider that can deploy the Willow Guard Chrome policy .mobileconfig profile to managed Macs. |
| Windows deployment | GPO, Intune, or another Chrome policy management tool that can set extension force-install policy and managed storage values. |
| Linux deployment | Chrome policy management is supported by Google on Linux, but Willow currently provides macOS and Windows-oriented policy artifacts. Use Linux only if your team converts the policy into Chrome's Linux JSON policy format. |
| Policy values | serverUrl and authToken must be present in Chrome managed storage for Willow Guard. |
Willow does not publish a separate minimum Chrome version. Use a currently supported Chrome Enterprise browser that supports extension force-install and managed storage policies.
Expected outcome
Target browsers install Willow Guard from the Chrome Web Store, receive your Willow connection details through managed policy, and report browser-based AI usage signals to AI Discovery.
Download the browser extension files
- In Willow, open AI Discovery.
- Click Setup Instructions or Setup Scan Agent.
- In Browser Extension - Willow Guard, use the Chrome Web Store option for manual testing.
- Download the Chrome Policy (.mobileconfig) file for managed deployment.
The downloaded policy is pre-filled for your organization.
Connection details
The Scan Agent Setup modal shows Server URL and Auth Token under Connection Details.
These values are pre-filled in the downloaded Chrome policy profile. Use them only when you need to convert the generated policy into another browser-management format, such as Windows registry policy, Intune settings, or Chrome's Linux JSON policy format.
Do not edit the generated values unless Willow Support asks you to. Treat the auth token as sensitive.
Deploy with MDM on macOS
Use this flow for Jamf, Kandji, Mosyle, Iru, JumpCloud, or another MDM that can deploy macOS configuration profiles.
- Upload the Willow Guard Chrome policy
.mobileconfigfile to your MDM as a custom configuration profile. - Assign the profile to your pilot device group.
- Confirm the profile installs on a test Mac.
- Confirm Chrome installs Willow Guard from the Chrome Web Store.
The Chrome policy force-installs the extension and writes Willow connection details to Chrome managed storage. Users do not need to configure the extension manually.
Deploy with GPO on Windows
Use this flow when Chrome policy is managed through Group Policy.
The Willow-provided Chrome policy is a macOS .mobileconfig, so on Windows you deliver the same values through Chrome's Windows policy. Willow Guard's Chrome Web Store ID is ibekbbcohbodaihoahkeilfhjmadabkd.
- Force-install the extension: add
ibekbbcohbodaihoahkeilfhjmadabkd;https://clients2.google.com/service/update2/crxtoHKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist. - Push the connection details to Chrome managed storage. The standard Chrome administrative template does not expose per-extension managed storage, so set
serverUrlandauthTokenas string values underHKLM\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\ibekbbcohbodaihoahkeilfhjmadabkd\policy(deliver them through a Group Policy Preferences registry item). Use the pre-filled values from Connection Details. - Link the GPO to your pilot user or device OU.
- Run policy update on a test device or wait for the next policy refresh.
After policy refresh, Chrome should install Willow Guard automatically and expose the managed connection values to the extension.
Deploy with Intune on Windows
Use this flow when Chrome policy is managed through Microsoft Intune.
Willow Guard's Chrome Web Store ID is ibekbbcohbodaihoahkeilfhjmadabkd.
- Create or update a Chrome administrative template policy in Intune.
- Force-install the extension: add
ibekbbcohbodaihoahkeilfhjmadabkd;https://clients2.google.com/service/update2/crxto the ExtensionInstallForcelist setting. - Push the connection details to Chrome managed storage. The Chrome administrative template does not expose per-extension managed storage, so deliver
serverUrlandauthTokenwith a custom profile (OMA-URI or a registry-based configuration) that writes them underHKLM\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\ibekbbcohbodaihoahkeilfhjmadabkd\policy. Use the pre-filled values from Connection Details. - Assign the policy to your pilot device group.
- Sync policy on a test device.
After the policy applies, Chrome should install Willow Guard automatically and the extension should read its Willow connection values from managed storage.
Verify deployment
On a managed browser:
- Open Chrome.
- Open
chrome://extensions. - Confirm Willow Guard is installed and enabled.
- Open
chrome://policy. - Reload policies and confirm the Willow Guard Chrome policy is present.
In Willow, open AI Discovery and confirm browser-based AI usage appears in AI Usage Signals after a test OAuth or web AI agent interaction.
Troubleshooting
| Symptom | Check |
|---|---|
| Extension does not install | Confirm the force-install Chrome policy applies to the test browser. |
| Extension installs but does not report | Confirm managed storage includes serverUrl and authToken. |
| Policy applies on macOS but Chrome ignores it | Confirm Chrome is managed on the device and that the profile targets Chrome policy, not only the OS profile scope. |
| No AI Usage Signals appear | Confirm the browser can reach your Willow Connect URL and test a browser-based AI flow after policy refresh. |