Skip to main content

Browser Extensions Troubleshooting

Use these shared tips to resolve common deployment issues across Chrome, Edge, and Firefox. For prerequisites (IDs, update URLs, allowlists), see: Browser Extensions Prerequisites.

Common issues

  • Managed conflicts: If extensions are also managed by another system (e.g., Google Admin, Intune/Jamf), settings can collide with Sensor‑managed policies. Consolidate to a single controller (Sensor‑managed or your MDM/Google Admin) to avoid overrides.
  • Wrong ID / URL (self‑hosted vs store‑hosted): Ensure the correct extension ID and update URL for your Sensor version and deployment method (25.04+ self‑hosted vs store‑hosted for earlier versions).
  • Store access blocked: Allowlist the browser store domains or use the self‑hosted flow as documented in prerequisites.
  • No updates detected: For self‑hosted flows, verify the local update URL is reachable (https://localhost:10584/api/update). Contact Support to configure an alternate port if 10584 is unavailable.
  • Network allowlists: For Firefox self‑hosted, allow https://content.cyberhaven.io/browser-extensions/ (and the versioned XPI path). For Chromium self‑hosted, allow your tenant update URL https://<your-domain>.cyberhaven.io/v1/extensions/chromium/update.
  • Incognito/Private windows: Browsers do not allow forcing extensions in Incognito/Private mode. Users must enable manually; copy‑paste can be traced, but uploads cannot be blocked.

Chrome

  • Refresh and verify: Visit chrome://policy and click Reload Policies; confirm at chrome://extensions.
  • Managed environment key: If HKEY_USERS\...\PolicyDictionaryMultipleSourceMergeList is present, the Sensor will not force‑load the extension—deploy via your managed solution instead.

Microsoft Edge

  • Refresh and verify: Visit edge://policy and click Reload Policies; confirm at edge://extensions.
  • Required keys together: Ensure all settings required by ExtensionInstallForcelist live in the same configuration profile; otherwise behavior can be non‑deterministic.

Firefox

  • Verify: Check about:addons and about:policies to confirm installation and enterprise policies.
  • Self‑hosted XPI: Confirm the configured XPI URL matches the current self‑hosted path in prerequisites.

Sensor‑managed vs MDM

  • Windows (Sensor‑managed): The Endpoint Sensor can auto‑install and maintain Chrome/Edge/Firefox extensions. If you need to manage via GPO/Intune instead, contact Support to disable Sensor‑managed updates for that browser to prevent policy overrides.
  • macOS (MDM): Use a single MDM profile per browser to set the required keys (including any override update URL for self‑hosted flows).

Safari (macOS) — DDM enforcement (optional)

On macOS Sequoia and later, MDMs that support Declarative Device Management (DDM) can enforce Safari App Extension state (e.g., keep CyberhavenSafariExtension enabled). See: Manage Cyberhaven Safari Extension via Declarative Device Management (DDM).