1.1 Use Just One Group Policy
For simplicity in administering group policies, we suggest that all My1Login-related settings are made in the same group policy (e.g. “My1Login SSO”). This is only a suggestion: we recognise that some products, particularly Firefox, tend to work better if all group settings are in the same group policy, and that you may already have some settings enabled.
This document assumes that all settings are in a policy called “My1Login SSO”.
1.2 Merging Settings
The instructions in this document assume that you are starting from a clean sheet and that the settings may be freely applied.
Some browser settings, e.g. setting startup pages, can influence what users can do, so it may be desirable to merge existing settings with the My1Login settings.
Contact My1Login if you have any questions on this.
1.3 Linking the Group Policy
The My1Login SSO policy should be deployed to those users who are synchronised to the My1Login system with the Active Directory Connector.
Deploying the policy to users that are not synchronised will not break anything, but users will see the browser plug-in icons and may see warnings that they do not have permission to use the My1Login system.
In a typical install the users permitted to use My1Login would be in one, or more, groups under a suitable OU. In the example below the users are in a group called “SSO Users” under an OU called “My1Login SSO”.
The My1Login SSO policy may be linked to the domain. To restrict deployment of the policy to those users permitted to use the system (using the above example), remove “Authenticated Users” from the Security Filtering section of the Scope tab of the policy and add the “SSO Users” group.
If you remove “Authenticated Users” from Security Filtering, it must be added back, with Read permission, under the Delegation tab.
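The scoping change described in 1.3 can also be made and checked from PowerShell. This is an added example, not part of My1Login's own documentation; it assumes the GroupPolicy module (installed with Group Policy Management) is available and reuses the policy and group names from the example above.

```powershell
# Added example: restrict the "My1Login SSO" GPO to the "SSO Users" group
# and confirm the resulting permissions. Run as a user who may edit the GPO.
Import-Module GroupPolicy -ErrorAction Stop

$GpoName = 'My1Login SSO'   # policy name assumed throughout this document
$ApplyTo = 'SSO Users'      # group name from the example in section 1.3
$common  = @{ Name = $GpoName; TargetType = 'Group' }

# 1. Reduce "Authenticated Users" from Read + Apply to Read only.
#    -Replace is needed because the existing level is higher than GpoRead.
Set-GPPermission @common -TargetName 'Authenticated Users' `
    -PermissionLevel GpoRead -Replace | Out-Null

# 2. Give the SSO group Read + Apply Group Policy (Security Filtering entry).
Set-GPPermission @common -TargetName $ApplyTo `
    -PermissionLevel GpoApply | Out-Null

# 3. Read the permissions back and check both conditions from section 1.3.
$perms    = Get-GPPermission -Name $GpoName -All
$appliers = @($perms |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name })
$authRead = $perms | Where-Object {
    $_.Trustee.Name -eq 'Authenticated Users' -and $_.Permission -eq 'GpoRead'
}

if ($appliers.Count -ne 1 -or $appliers[0] -ne $ApplyTo) {
    Write-Warning "GPO applies to: $($appliers -join ', ') (expected only '$ApplyTo')"
}
if (-not $authRead) {
    Write-Warning "'Authenticated Users' does not have Read on '$GpoName'"
}

# Summary of who can read, apply or edit the policy.
$perms |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Sort-Object Permission, Trustee |
    Format-Table -AutoSize
```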
1.4 Deploying My1Login Extension
1.4.1 Google Chrome
In Group Policy Management, navigate to the following either in Computer Configuration or User Configuration:
Policies\Administrative Templates\Google Chrome\Extensions
Double click the option "Configure the list of force-installed apps and extensions".
Click the checkbox "Enabled" and then click on the "Show..." button.
The next dialogue window shows a table in which to enter links. Enter the following for the My1Login Chrome extension:
Click OK and Apply, and then OK again on the previous window to apply the changes.
1.4.2 Microsoft Edge
In Group Policy Management, navigate to the following either in Computer Configuration or User Configuration:
Policies\Administrative Templates\Windows Components\Microsoft Edge
Double click on "Control which extensions are installed silently".
Click the checkbox "Enabled" and then click on the "Show..." button.
The next dialogue window shows a table in which to enter links. Enter the following for the My1Login Edge extension:
nlhejimbbfdpbedmabgbfbjknjgooppn;https://edge.microsoft.com/extensionwebstorebase/v1/crx
Click OK and Apply, and then OK again on the previous window to apply the changes.
1.5 Browser Password Managers
My1Login recommend disabling browser password managers (and other password vaulting tools) to improve security and eliminate any potential conflict.
To disable the password manager in your respective browser follow the instructions below:
1.5.1 Google Chrome
In Group Policy Management, navigate to the following either in Computer Configuration or User Configuration:
Policies\Administrative Templates\Google Chrome\Password Manager
On the right side pane, select the option "Enable saving passwords to the password manager".
On the dialogue window that appears, click the checkbox labelled "Disabled".
Click "Apply" and then "OK".
1.5.2 Microsoft Edge
In Group Policy Management, navigate to the following either in Computer Configuration or User Configuration:
Policies\Administrative Templates\Windows Components\Microsoft Edge
On the right side pane, look for an option called "Configure Password Manager" and double click.
On the dialogue window that appears, click the checkbox labelled "Disabled".
1.6 Zero Sign-On and Non-IE Browsers
This section is not applicable to Internet Explorer.
Zero Sign-on authentication can be achieved by:
My1Login subdomain
Setting one of your browser start-up pages to your company's My1Login subdomain [company.my1login.com] will automatically authenticate your users on browser start-up and present their User Vault to them.
Query String
This parameter identifies your My1Login account to the browser plug-in which, in turn, allows the plug-in to log in to My1Login with no user intervention.
The query parameter value for your account is available in the Administration Portal: Administration | Security | Key Management
The query string has the format “?m1l=ABC123” and is added to the end of your start-up URL across all non-IE browsers.
Example