Enterprise browser push failed hard

Posted by LingonberryHour6055@reddit | sysadmin | View on Reddit | 25 comments

I floated the idea of rolling out an enterprise browser (like Island or similar) in my org for better controls on extensions, phishing bypasses, data exfiltration to AI tools.... and unmanaged personal devices accessing corporate stuff. Got shut down immediately lol. devs and execs are glued to Chrome/Edge with their custom extensions and profiles. No appetite for another browser to manage or train on. We've already got Chrome Enterprise policies in place (forced extensions, blocked installs via GPO, basic site isolation), plus Defender for Endpoint and some CASB visibility. But gaps remain obv as rogue extensions slipping through, copy-paste leaks to external AI sites, and phishing that evades standard filters. in hunt of layered additional controls successfully without a full browser replacement Things like: * Extension management tools or allowlists that actually stick * Real-time DLP/alerting on browser activity (e.g., sensitive data to unapproved domains) * User adoption metrics from similar setups – what worked to get buy-in without mandating a new browser? Tried a PoC with one of the extension-based solutions but hit compatibility issues with some legacy internal apps. Open to hearing what scaled for you.

25 Comments

[-]

gr8tobesquare@reddit

I work at DefensX. We can cover the majority of this without the friction. If you'd like to have a chat you can request information there. Keeping the "pitch" to a miminum but you here but your use cases can be covered on any browser without disruption to users. (except they can no longer upload/click/download across browsers unchecked. It does scale. If interested just check our our website: [www.defensx.com](http://www.defensx.com)

calculatetech@reddit

There's something wrong with your browser GPO if rogue extensions are a problem. You should be blocking all and whitelisting. Both Edge and Chrome can be tamed pretty easily. You might consider forcing work email logins to avoid data leakage to personal accounts.

cspotme2@reddit

Some dumb ai post. We use gpo only and it works fine .. so all this talk about it not working is bs. Notice everything is generic.

VoltageOnTheLow@reddit

Yip. Obvious AI post, and many of the commenters below are AI themselves. This sub is getting flooded lately.

mooneye14@reddit

I did this as a help desk tech in 2017. Chrome gpo pushed mandatory extension(okta), bookmarks and we had a short allow list of other extensions but you could request new ones.

jimicus@reddit

You're coming at it from completely the wrong angle. Your angle is "This would work for me". The business' angle is "What will work for us?". Will your proposal: 1. Make money. No, obviously not. 2. Save money. No, again, obviously not. 3. Reduce risk. Well, perhaps it will a little bit, but relative to the hassle involved, it's not really seen as worth it. We as IT professionals are in a remarkably privileged position. We understand the technology well enough that we can be very flexible, and jump (eg) from Chrome to Edge to Firefox to something else with very little pain. Most end-users are nowhere near as flexible. Your proposal boils down to "create a shedload of work for everyone else for little or no practical benefit to anyone". I'm not surprised you crashed and burned.

thenewguyonreddit@reddit

Agreed, and I think this is a major blind spot that many IT departments have. Are you making the decision to make YOUR life better, or are you making the decision to make your CUSTOMER’S life better? IT should serve the business and its users, not be an annoyance of hoops to jump through.

vCentered@reddit

I have a hard enough time getting vendors to settle on supporting Chrome or Edge. If I tried to propose a browser no one has ever heard of it would be like climbing up on the table and taking a shit in a full conference room.

pdp10@reddit

You'd think that in this modern era of standards-compliant browsers and no Flash, ActiveX, or Silverlight, that vendor support would almost never be a problem. Unless the functionality is all based in a browser extension and we're not just talking about webapps.

It's not so much that the browser is the issue as much as it is vendors insisting their webapp *only* works in Chrome or works *best* in Edge.

Adam_Kearn@reddit

Personally I don’t think you can get any better than edge in all business environments. I’ve gone as far as blocking Google chrome completely in our org and only allowing edge to be used. The edge policy is super customisable you just need to learn how edge handles and processes things. I would recommend using a combination of GPO controls and also edge policies within the 365 portal. I only use the GPO to set generic polices such as enforcing a work profile to use their UPN for automatic sign in and block other things like password exports etc… Anything that is user sided like enforced bookmarks goes within the 365 portal under edge policies. This then means if they sign into edge on BYOD computers they get the same settings and enforcements. AI tools should be blocked via your firewall and not browser configuration. Extensions whitelist/blocklists are super easy to setup. We only allow a few extensions such as ad blockers etc. Also doing the browser polices via the 365 portal means that your users get the changes within a few hours automatically rather than waiting for them to reboot their computers while they are on-site with GPO updates.

Ihaveasmallwang@reddit

Purview and Defender can prevent the copy paste into external AI sites. You might want to look into that instead of paying for an enterprise browser. I’d also tell you no for the enterprise browser. I’m not sure what problem you’re having with extension management in the current browsers, but I’ve never had that issue. The GPO policies work.

iamMRmiagi@reddit

Chrome and Edge policies as you say but maybe add something like LayerX? You need to open up policies enough for people to be independent without adding too much risk. Adding an unfamiliar browser is not the way, IMO.

raip@reddit

Check out SquareX - they're an extension based one that focus a lot of DLP controls and you can exclude those legacy internal apps so it doesn't touch those.

redbaum@reddit

Let’s say you do deploy enterprise browser, wouldn’t uses still be able to install a chrome based browser as a user? See some browsers out there that don’t need admin rights.

bjc1960@reddit

We don't use app locker - we are not set up for that, from staffing, remote users, etc. We use a detect/remediate to remove browsers that install to localappdata. It is a hard-coded list for now.

pvatokahu@reddit

Yeah we hit the same wall at BlueTalon when we tried pushing a managed browser. The politics around browser choice is insane - you'd think you were asking people to switch religions. We ended up going a different route with browser-agnostic monitoring that hooked into the network layer instead.. caught way more stuff that way anyway since people were using their phones to access things too. The extension management piece is such a pain. At Microsoft we had this whole system for vetting extensions but devs would just sideload whatever they wanted anyway. One thing that kinda worked was making the security team approve exceptions case by case - made it annoying enough that people only asked for stuff they really needed. But you need executive backing or it falls apart fast.

True that. Chrome, Outlook and Acrobat cause more fighting than everything else combined. No matter how much you explain that Edge and Chrome are both Chromium, 'an end user convinced against this will, is off the same opinion still." We block all extensions, whitelist those "I" approve, and force SquareX on all browsers, and disable incognito.

sakatan@reddit

I would lose my fucking mind if my company were to implement anything other than Edge or Chrome or maybe Firefox, and I'm not even a dev! You can claw my seamless Edge profile sync from my cold dead hands! Unless you're in a highly regulated industry, forcing another browser for the reasons you posted without exhausting all the available options and plugging gaps with the existing one will of course meet extreme resistance. It's like you were to mandate pencils because you couldn't figure out how to prevent users from smudging their table with ballpoint pens. Or only allowing automatic cars in your fleet while the most common and best cars for your industry only come with a manual. Are you insane!?

dieselxindustry@reddit

In terms of monitoring/preventing data ex filtration to Ai site etc, we’re using Incyder. For rogue extensions, it should be block all white list the approved ones.

disclosure5@reddit

Extension allowlists perfectly stick with GPOs in Chrome and Edge. If you had this covered I suspect you'd be a lot less worried. I really don't see why you should be up about this.

Jealous-Bit4872@reddit

Exactly, you can manage a lot on Edge, especially with the new cloud-based management.

Upset-Addendum6880@reddit

Visibility > Mandates... until you fix the blind spots, nothing you enforce at the perimeter actually guarantees compliance. Chrome Enterprise policies are great for blocking installs, but they don’t show what those extensions are doing at runtime, how sensitive data is actually moving, or whether sessions are leaking data to unapproved AI services. There is a reason some teams are shifting from enterprise browser replacement to a browser centric security overlay that works with Chrome and Edge. * Users keep their workflows. * You get real time policy enforcement on paste, upload, cookie, and session state. * Risky extensions can be scored or blocked without manual whitelisting hell. If you cannot measure risk inside that last mile context, you are guarding a fortress wall while everyone sneaks out of the back door. LayerX is one example of that browser layer control model. It is not a silver bullet, but it fills one of the most glaring blind spots in most stacks today.

A SWG with good DLP and browser gpo cover all this. If endpoints don't leave the building then you don't even need to push a client, can use network tunnels.

Soft_Attention3649@reddit

The core assumption here is that the gap is purely a browser issue. It is not. The gaps you are describing, rogue extensions, copy and paste to AI tools, and sophisticated phishing, are fundamentally about endpoint visibility and real time data controls, not which browser icon sits on the taskbar. You might get more traction by layering lightweight extension allowlists, real time DLP plugins that hook into existing browsers, or browser session monitoring. The trade off is complexity. You cannot just click install and forget. You will need ongoing tuning and user education. But at least you do not break dev workflows or hit compatibility hell with legacy apps.

Reply to Post

25 Comments