The browser extension works in two modes:
1. Users must log in to Trelica
2. Users can be identified by other means
All possible methods of identifying users are enabled when you first turn on the browser extension. You can do this under Admin > Settings > Browser extension.
If you want to restrict access so that users must explicitly log in to Trelica (option 1, above), turn the Browser identity, authentication links and Windows identity switches off.
Forcing users to log in to Trelica can be impractical if you are deploying the extension at any scale, so Trelica offers a number of other ways to identify users:
Method | Advantages | Disadvantages |
---|---|---|
Direct login | Guarantees the activity data is from the user. | Each user must log in to Trelica on each browser they use, once the extension is installed. SAML2 SSO can help with this as Trelica can provision new user accounts the first time a user logs in. |
Authentication links | Simple to deploy - Trelica workflows can send users a link which will prompt them to install the extension if required, and then log them in automatically. This works especially well for Safari due to the way Safari extensions are installed. | Users might overlook the email. The link will open in their default browser. To install on other browsers the user would have to cut and paste the link to each one. |
Browser login | Chrome and Edge allow users to log in to their browsers using their work Google or Microsoft accounts respectively. You can enforce this when deploying Chrome and Edge. Edge also supports something called ImplicitSignin. The browser extension can detect the email address used and identify the user from this. | Enforcing this policy will work at best for one browser (Chrome or Edge, depending on whether your organization uses Google Workspace or Microsoft 365). Employees likely use a mixture of Edge, Chrome and Firefox so coverage will be reduced. |
Browser helper | Once deployed, the user will be identified automatically regardless of whether they use Chrome, Edge or Firefox. | Typically needs centralized deployment via a macOS or Windows endpoint management tool like Intune or JAMF. |
Recommendations
 | Mostly Windows | Mostly macOS |
---|---|---|
Google Workspace | Browser helper or Browser login | Browser helper or Browser login |
Microsoft 365 | Browser helper | Browser helper |
Other | Browser helper | Browser helper |
If you don't use an endpoint management tool capable of pushing software to users' machines then we recommend Authentication links instead of the Browser helper.
In what order does the browser extension identify users?
The browser extension tries several methods to identify a user, in the following priority order:
1. If you are already logged in to Trelica, the extension will recognise this.
2. If the Browser helper is installed, and if this returns a user name that matches a Trelica person, then this will be used.
3. Authentication links include an encoded identity for a user and if the extension sees one of these it will be used to recognise the user.
4. If you are logged in to Chrome or Edge, and if your email address matches a Trelica person, then this will be used.
5. If none of the above work, the user will be prompted to log in to Trelica.
Direct login
The extension detects when someone logs in to Trelica in their browser. You can also log in directly from the extension. We recommend using SAML2 SSO if users are logging in since it will automatically create Trelica accounts if needed.
Authentication link
You can add links to emails from Trelica workflows which, when clicked, will guide the user to install the extension (if not yet installed) and then automatically log the user in.
1. Configure a workflow:
2. The user receives the email:
3. The link prompts them to install the extension (only if it's not yet installed):
4. A confirmation message is shown:
5. The extension is now automatically linked to their identity:
Browser login
If users are logged in to their browser (e.g. Chrome for Google Workspace, or Edge for Microsoft 365) then Trelica can identify the user. They must be logged in with their work email address, using a domain linked to your Trelica organization.
Google and Microsoft let you define centralized policies for Chrome and Edge to require users to log in.
- Read about Chrome Policy management, specifically the BrowserSignin policy.
- Read about Managing browser sign-in for Microsoft Edge, specifically ImplicitSignin.
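An added example, not Trelica's or Google's code: a check that a Chrome policy set forces sign-in (`BrowserSignin` set to 2) and limits sign-in to work addresses. `RestrictSigninToPattern` is a Chrome policy not mentioned on this page; `example.com`, the sample policies and the function name are constructed for illustration.

```python
import json
import re

# Constructed sample policies in the flat JSON shape of a Chrome managed-policy
# file. "example.com" stands in for a domain linked to your organization.
WEAK_POLICY = r'{"BrowserSignin": 1, "RestrictSigninToPattern": ".*@example.com"}'
STRICT_POLICY = r'{"BrowserSignin": 2, "RestrictSigninToPattern": ".*@example\\.com"}'


def audit_signin_policy(policy_json, work_domain):
    """Return a list of findings; an empty list means both checks pass."""
    policy = json.loads(policy_json)
    findings = []

    # Chrome BrowserSignin values: 0 = disabled, 1 = enabled, 2 = forced.
    if policy.get("BrowserSignin") != 2:
        findings.append("BrowserSignin is not 2: sign-in is not forced")

    pattern = policy.get("RestrictSigninToPattern")
    if not pattern:
        findings.append("RestrictSigninToPattern is unset: any account may sign in")
        return findings
    try:
        regex = re.compile(pattern)
    except re.error:
        findings.append("RestrictSigninToPattern is not a valid regular expression")
        return findings

    # Assumption: Python's re stands in for Chrome's matcher, and the whole
    # address has to match the pattern.
    def allowed(address):
        return regex.fullmatch(address) is not None

    if not allowed("alice@" + work_domain):
        findings.append("pattern rejects work addresses")
    # Probes that must be refused: a look-alike with the dot replaced, the work
    # domain used as a prefix, and an unrelated personal domain.
    probes = ["alice@" + work_domain.replace(".", "x"),
              "alice@" + work_domain + ".invalid",
              "alice@personal.invalid"]
    for probe in probes:
        if allowed(probe):
            findings.append("pattern accepts non-work address " + probe)
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(name, audit_signin_policy(text, "example.com"))
```

On Windows and macOS the same policy names are set through the registry or a configuration profile rather than a JSON file, so export the values into this shape before running the check.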
Windows or macOS Browser helper
The Browser helper is deployed to an employee's computer. It reads the user name that they used to log in to Windows or macOS and then passes that through to the Trelica browser extension to identify the user.
This is similar to ImplicitSignin on Microsoft Edge, but it works for Chrome, Edge and Firefox.
The Safari browser extension automatically implements this, because Safari extensions are wrapped in a macOS executable.
Read more about deploying the browser helper on Windows or macOS.