Deployment Guide

Microsoft Intune Deployment

Windows macOS Chrome Edge

Deploy Ghostery across your organization using Microsoft Intune (part of Microsoft Endpoint Manager). This guide covers cloud-based deployment for Windows, macOS, and managed browsers.

Prerequisites

  • Microsoft Intune license (included in Microsoft 365 E3/E5, EMS E3/E5)
  • Intune Administrator or Global Administrator role
  • Devices enrolled in Intune

Deploy to Microsoft Edge

Intune has built-in support for Edge extension management, making it the simplest browser to configure.

Using Settings Catalog (Recommended)

  1. Navigate to Microsoft Intune admin center → Devices → Configuration profiles
  2. Create profile:
    • Platform: Windows 10 and later
    • Profile type: Settings catalog
  3. Add settings: Search for "Extension" and select:
    Microsoft Edge → Extensions → Control which extensions are installed silently
  4. Add the extension entry:
    fclbdkbhjlgkbpfldjodgjncejkkjcme;https://edge.microsoft.com/extensionwebstorebase/v1/crx
  5. Assign the profile to your target device groups.

Deploy to Google Chrome

Using Settings Catalog

  1. Create a new configuration profile (Settings catalog, Windows 10 and later)
  2. Add settings: Search for "Chrome" and select:
    Google Chrome → Extensions → Configure the list of force-installed apps and extensions
  3. Add the extension entry:
    mlomiejdfkolichcflejclcbmpeaniij;https://clients2.google.com/service/update2/crx
  4. Assign the profile to your target device groups.

Configure Extension Settings

Intune does not provide a direct way to manage third-party extension configurations through its built-in policies. The Settings Catalog can force-install extensions, but managed storage settings that Ghostery reads must be written to a separate registry path:

  • Edge: HKLM\SOFTWARE\Policies\Microsoft\Edge\3rdparty\extensions\fclbdkbhjlgkbpfldjodgjncejkkjcme\policy
  • Chrome: HKLM\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\mlomiejdfkolichcflejclcbmpeaniij\policy

The recommended workaround is to deploy a PowerShell script via Intune that creates the required registry keys. See "Use PowerShell scripts on Windows devices in Intune" for guidance on deploying scripts (Devices → Scripts and remediations → Platform scripts).

Edge Configuration Script

Save as ghostery_edge_config.ps1 and deploy via Intune:

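# Make cmdlet errors terminating so a failed registry write reaches the
# catch block instead of falling through to "exit 0".
$ErrorActionPreference = 'Stop'

try {
    # Managed-storage policy key that Ghostery reads in Edge
    $registry_path = "HKLM:\SOFTWARE\Policies\Microsoft\Edge\3rdparty\extensions\fclbdkbhjlgkbpfldjodgjncejkkjcme\policy"

    # Create the key (and any missing parent keys) on first run
    if (!(Test-Path $registry_path)) {
        New-Item -Path $registry_path -Force | Out-Null
    }

    # DWORD settings: 1 = enabled, 0 = disabled
    New-ItemProperty -Path $registry_path -Name "disableOnboarding" -Value 1 -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path $registry_path -Name "disableUserControl" -Value 1 -PropertyType DWORD -Force | Out-Null
    # List settings are written as a JSON array inside a string value
    New-ItemProperty -Path $registry_path -Name "trustedDomains" -Value '["your-company.com"]' -PropertyType String -Force | Out-Null

    exit 0
} catch {
    # Report the failure to Intune; -ErrorAction Continue lets "exit 1" run
    Write-Error $_.Exception.Message -ErrorAction Continue
    exit 1
}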

Chrome Configuration Script

Save as ghostery_chrome_config.ps1:

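# Make cmdlet errors terminating so a failed registry write reaches the
# catch block instead of falling through to "exit 0".
$ErrorActionPreference = 'Stop'

try {
    # Managed-storage policy key that Ghostery reads in Chrome
    $registry_path = "HKLM:\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\mlomiejdfkolichcflejclcbmpeaniij\policy"

    # Create the key (and any missing parent keys) on first run
    if (!(Test-Path $registry_path)) {
        New-Item -Path $registry_path -Force | Out-Null
    }

    # DWORD settings: 1 = enabled, 0 = disabled
    New-ItemProperty -Path $registry_path -Name "disableOnboarding" -Value 1 -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path $registry_path -Name "disableUserControl" -Value 1 -PropertyType DWORD -Force | Out-Null
    # List settings are written as a JSON array inside a string value
    New-ItemProperty -Path $registry_path -Name "trustedDomains" -Value '["your-company.com"]' -PropertyType String -Force | Out-Null

    exit 0
} catch {
    # Report the failure to Intune; -ErrorAction Continue lets "exit 1" run
    Write-Error $_.Exception.Message -ErrorAction Continue
    exit 1
}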

Customize before deploying: Adjust the registry values to match your requirements. Set DWORD values to 1 to enable or 0 to disable. Replace your-company.com in trustedDomains with your actual domains. See the Policy Reference for all available keys.

Using OMA-URI (Alternative Method)

For scenarios where Settings Catalog doesn't provide the needed options, use custom OMA-URI settings.

Chrome Force Install via OMA-URI

  1. Create profile: Templates → Custom
  2. Add OMA-URI setting:
    Name: Chrome Force Install Ghostery
    OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Chrome~Policy~googlechrome~Extensions/ExtensionInstallForcelist
    Data type: String
    Value: <enabled/><data id="ExtensionInstallForcelistDesc" value="1&#xF000;mlomiejdfkolichcflejclcbmpeaniij;https://clients2.google.com/service/update2/crx"/>

Edge Force Install via OMA-URI

    Name: Edge Force Install Ghostery
    OMA-URI: ./Device/Vendor/MSFT/Policy/Config/microsoft_edge~Policy~microsoft_edge~Extensions/ExtensionInstallForcelist
    Data type: String
    Value: <enabled/><data id="ExtensionInstallForcelistDesc" value="1&#xF000;fclbdkbhjlgkbpfldjodgjncejkkjcme;https://edge.microsoft.com/extensionwebstorebase/v1/crx"/>

macOS Deployment via Intune

For Mac devices enrolled in Intune, use a custom configuration profile with a property list (plist).

  1. Create profile: macOS → Templates → Custom
  2. Upload a .mobileconfig file containing the browser extension policy. See the macOS Profiles guide for plist examples.

Verify Deployment

After the Intune policy syncs to devices:

Check Device Sync Status

In Intune admin center, navigate to Devices → All devices → [select device] → Device configuration to verify the profile was applied successfully.

Verify on Device

  • Edge: Navigate to edge://policy
  • Chrome: Navigate to chrome://policy

Look for the ExtensionInstallForcelist or ExtensionSettings policy containing the Ghostery extension ID.
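The same check can be run from the registry across many devices. The script below is an added example, not part of the Ghostery guide: it confirms that each browser's force-install list pairs the Ghostery ID with the store update URL given above and that the managed-storage values written by the configuration scripts are present. It assumes the force-install policy is stored as numbered values under the browser's ExtensionInstallForcelist policy key; the function name Test-GhosteryPolicy is hypothetical.

```powershell
# Added example (not from the Ghostery guide): audit the policies described above.
# Assumption: force-install lists are stored as numbered values under
# <Root>\ExtensionInstallForcelist, the policy key for each browser.
$targets = @(
    @{ Browser = 'Edge'; Root = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
       Id  = 'fclbdkbhjlgkbpfldjodgjncejkkjcme'
       Url = 'https://edge.microsoft.com/extensionwebstorebase/v1/crx' },
    @{ Browser = 'Chrome'; Root = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
       Id  = 'mlomiejdfkolichcflejclcbmpeaniij'
       Url = 'https://clients2.google.com/service/update2/crx' }
)
# Values written by the configuration scripts on this page; adjust if customized.
$expected = @{ disableOnboarding = 1; disableUserControl = 1 }

function Test-GhosteryPolicy {
    param([hashtable]$Target)
    $issues = @()

    # Each forcelist value has the form "<extension id>;<update URL>".
    $listKey = "$($Target.Root)\ExtensionInstallForcelist"
    $entries = @()
    if (Test-Path $listKey) {
        $entries = (Get-ItemProperty -Path $listKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { [string]$_.Value }
    }
    $mine = @($entries | Where-Object { $_ -like "$($Target.Id)*" })
    if ($mine.Count -eq 0) {
        $issues += 'extension ID missing from ExtensionInstallForcelist'
    } elseif ($mine -notcontains "$($Target.Id);$($Target.Url)") {
        # The ID is listed, but not with the update URL this guide specifies.
        $issues += "unexpected forcelist entry: $($mine -join ', ')"
    }

    # Managed-storage values that Ghostery reads.
    $policyKey = "$($Target.Root)\3rdparty\extensions\$($Target.Id)\policy"
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        if ($null -eq $policy -or $policy.$name -ne $expected[$name]) {
            $issues += "$name is not set to $($expected[$name])"
        }
    }
    [pscustomobject]@{ Browser = $Target.Browser; Compliant = ($issues.Count -eq 0); Issues = ($issues -join '; ') }
}

$results = $targets | ForEach-Object { Test-GhosteryPolicy -Target $_ }
$results | Format-List
# A non-zero exit code signals a problem when this runs as a detection script.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Trim $targets to the browsers you actually manage; a browser with no policy applied is reported as non-compliant.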

Sync Timing: Intune policies typically sync within 8 hours, but you can force a sync from the device or Intune admin center. Users may need to restart their browser after the policy applies.
