Deploying on Windows

If you want to deploy at scale on Windows we recommend using the Windows browser helper.

The browser helper passes the user's Windows User ID to the 1Password SaaS Manager browser extension to transparently identify the user, regardless of web browser, avoiding any log in step.

This can be deployed with an endpoint management tool and can also help you force deploy the browser extensions too.

Why is the Windows browser helper useful?

The browser extension needs to know the identity of the user to tell SaaS Manager which business apps they are accessing.

SaaS Manager has various ways to identify this. At the simplest level, the user can login to SaaS Manager, although other approaches are available (e.g. if they're logged in to the web browser with a work account, or by sending the user a link to click to identify them).

Each of these approaches has downsides, particularly if multiple browsers are being used. 

What is the Windows browser helper?

The Windows browser helper is a light-weight (under 200k) executable which uses the Native Messaging browser protocol to communicate with Chrome, Edge and Firefox.

The browser extension tells the browser to load the agent and all communication is through the browser. 

Source code is available to customers upon request.

helper.png

Installing the Browser helper

Go to Settings > Browser extension. Click to download the Windows browser helper MSI, and you will be shown the msiexec command used to install it.

  • Deploying the browser helper automatically installs the browser extension too.
  • By default msiexec will install for the current user.

  • To deploy to all users on the device append ALLUSERS=1 or MSIINSTALLPERUSER="" to the command, e.g.

    msiexec /i TrelicaBrowserHelper.msi ORGID=af278...4242 DOMAIN=app.trelica.com MSIINSTALLPERUSER=""

If you need to find your Organization ID, you can go to your Profile in SaaS Manager. Scroll down the page and copy the Organization ID to the clipboard.

Deployment at scale

We recommend distributing the helper to all users using an end-point management solution like Microsoft Endpoint Manager (formerly known as Intune). 

We strongly recommend configuring an app as a Windows app (Win32) rather than a Line-of-business app. Win32 apps require a wrapped app. You can download a wrapped version of the Helper here:

Download: https://app-files.trelica.com/public/browserxtn/TrelicaBrowserHelper.intunewin

You should append the /qn switch to the Install command specified in Intune.

In Detection rules, add a rule with the Manually configure detection rules format, then click + Add. Select MSI as the rule type and set "MSI product version check" to No, then click OK.

Troubleshooting

The helper identifies the logged in user by the equivalent of the whoami /upn command. If the user isn't a domain user, then it falls back to the equivalent of whoami /user.

If the user isn't logged in using Microsoft Entra ID or Microsoft 365, then the user name may not match a person in SaaS Manager. In this case you may need to map user accounts to SaaS Manager identities. Please contact saasmanager@1password.com for help with this.

If you have assigned users to devices in your endpoint management tool and connected that to SaaS Manager then SaaS Manager will fall-back to this assignment to identify users.

The MSI won't deploy correctly

Please run msiexec using the following parameters to log verbose output to a file:

msiexec /l*v %TEMP%\install.log /i TrelicaBrowserHelper.msi DOMAIN=... ORGID=...

If you're deploying via Intune then please refer to the Microsoft Intune app troubleshooting help.

Where is the browser helper installed?

The helper is installed to a TrelicaBrowserHelper folder in the current user's %LocalAppData%/Programs folder.

If you used the ALLUSERS=1 switch then it will be installed to C:\Program Files\TrelicaBrowserHelper

Where is the Organization ID and domain stored?

The installer writes the Organization ID and domain to the registry under:

HKEY_CURRENT_USER\SOFTWARE\Trelica\TrelicaBrowserHelper

The helper checks this location when it runs, and if no value is found then the helper also checks the same path under HKEY_LOCAL_MACHINE.

How does a browser know to run the browser helper?

On Windows, browsers look for a key called com.trelica.browser_helper in the registry. The parent key depends on the browser:

HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\NativeMessagingHosts
HKEY_CURRENT_USER\SOFTWARE\Mozilla\NativeMessagingHosts
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\NativeMessagingHosts

The browser also checks the same paths under HKEY_LOCAL_MACHINE.

The key value contains a path to a JSON manifest file which contains a path attribute which tells the extension where to find the executable.

How do I deinstall the browser helper?

Using PowerShell:

Get-CimInstance Win32_Product `
 | Where-Object { $_.Name -like "*TrelicaBrowserHelper*" } `
 | ForEach-Object {
     Start-Process "msiexec.exe" `
         -ArgumentList "/x $($_.IdentifyingNumber) /qn" `
         -Wait
 }

Note that this uses /qn to deinstall silently.

Was this article helpful?

0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.