Enterprise Deployment via Microsoft Intune

This guide covers deploying the Noxys browser extension at scale across your organization using Microsoft Intune.

Prerequisites

• Microsoft Intune admin access
• Microsoft Edge or Chrome on Windows/macOS managed by Intune
• Noxys tenant with admin access to generate API tokens
• Azure Entra ID (formerly Azure AD) configured with your organization

Overview

Intune deployment allows you to:

1. Automatically install the Noxys extension on all managed devices
2. Pre-configure API tokens so users don't need manual setup
3. Enforce settings like Tier 2 classification and webhook alerts
4. Track deployment status across your fleet
5. Manage updates automatically

Step 1: Prepare API Tokens for Bulk Deployment

Before deploying, create API tokens that will be distributed to devices.

Option A: Single Token (All Users Share)

Use one API token for all devices. Simple but less granular:

1. Go to Noxys Dashboard → Settings → API Keys
2. Click + Generate New Token
3. Label it: intune-deployment-prod
4. Click Generate
5. Copy the token (you'll use it in Intune configuration)
6. Store it securely in your password manager or secrets vault

Option B: Per-Team Tokens (Better Auditing)

Create separate tokens for each department or location:

1. Go to Noxys Dashboard → Settings → API Keys
2. Click + Generate New Token for each team:
   • intune-deployment-sales
   • intune-deployment-engineering
   • intune-deployment-finance
3. Copy each token and store securely
4. You'll reference the appropriate token per group in Intune

Step 2: Create Intune Configuration Profile

Deploy to Microsoft Edge

Microsoft Intune has native support for Edge extensions via policies.

Steps

1. Go to Microsoft Intune → Devices → Configuration profiles
2. Click Create profile
3. Select Platform: Windows 10 and later (or macOS for Apple devices)
4. Select Profile type: Settings catalog
5. Click Create
6. Name your profile: Noxys Extension Deployment
7. Click Next

Configure Settings

1. In the Settings catalog, search for "extension"

2. Add these policies:

   Policy: Control which extensions are installed silently

   • Set to Enabled
   • Add extension: [{"extension_id": "noxys-extension-id", "installation_mode": "force_installed"}]
   • (Contact Noxys support for the exact extension ID for your region)

   Policy: Extension managed settings

   • Set to Enabled
   • Configure the API token:

   {
     "noxys-extension-id": {
       "api_token": "YOUR_API_TOKEN_HERE",
       "backend_url": "https://api.noxys.cloud",
       "auto_enable_tier2": true
     }
   }

3. Click Next

Assign Profile

1. On the Assignments tab, click Add groups
2. Select your security groups:
   • For all users: Select "All Users"
   • For specific departments: Select appropriate groups
3. Set Assignment type: Required
4. Click Assign

Deploy to Google Chrome

For Chrome on Windows/macOS managed devices:

1. Go to Intune → Devices → Configuration profiles
2. Create a new profile with Platform: Windows 10 and later
3. Select Profile type: Administrative Templates → Google Chrome
4. Search for: "Control which extensions are installed silently"
5. Set to Enabled and add the Noxys extension ID
6. Assign to security groups

Note: Chrome extension deployment is less tightly integrated than Edge. Consider using Microsoft Edge for better management.

Step 3: Monitor Deployment Status

Track Installation Progress

1. Go to Intune → Devices → Configuration profiles
2. Click your Noxys profile
3. Go to Device status to see:
   • Number of devices: Succeeded / Failed / In progress / Not applicable
   • Per-device status (Success, Pending, Failed)
4. Review failed deployments and troubleshoot as needed

Common Deployment Issues

Status	Cause	Solution
Not Applicable	Device doesn't run Windows 10/Edge	Assign to compatible device groups
Failed	Extension not in Microsoft Store	Contact Noxys support for marketplace availability
Succeeded	Extension installed	Verify via device, check extension status
Pending	Device hasn't checked in yet	Wait 24 hours or force sync on device

Force Device Sync

If a device is stuck in "Pending":

1. Go to Intune → Devices → All devices
2. Click the device name
3. Click Sync (top menu)
4. Device checks in within 5 minutes

Step 4: Verify Extension Installation

After 1-24 hours, verify the extension is installed on managed devices.

On Windows/Edge

1. Open Microsoft Edge
2. Press Ctrl + Shift + O to open Extensions
3. Look for "Noxys" in the list
4. Verify the status is "On"
5. Click the extension to verify API token was pre-configured

On macOS/Edge

1. Open Microsoft Edge
2. Click the three-dot menu (top right) → Extensions
3. Look for "Noxys"
4. Verify it's enabled

Step 5: Configure Advanced Settings (Optional)

Enable Tier 2 PII Detection

For deeper classification across your organization:

1. Go to Intune → Devices → Configuration profiles
2. Create a new profile or edit your existing one
3. Add setting: "enable_tier2_classification": true
4. Assign and deploy

This enables Presidio and custom recognizers on the backend.

Enforce Webhook Alerts

Route all policy violations to your SIEM:

1. Add setting to your Intune profile:

   {
     "webhook_url": "https://your-siem.com/webhook/noxys",
     "webhook_events": ["policy_violation", "pii_detection"]
   }

2. Deploy to devices

Disable Offline Mode

If your organization requires always-connected security:

1. Add setting:

   {
     "allow_offline_mode": false
   }

2. Extension will not function without backend connectivity

Step 6: Manage Updates

Noxys extension updates are delivered automatically via the browser's extension marketplace (Chrome Web Store, Microsoft Edge Add-ons, etc.). Intune doesn't need separate update management.

Check for Updates Manually

To verify all devices are on the latest version:

1. Go to Intune → Devices → Configuration profiles
2. Click your Noxys profile
3. Check the "Last modified" date
4. Devices will check for extension updates within 24 hours

Troubleshooting

Extension Still Shows "Red Icon" After Deployment

Problem: Even though the API token was pre-configured, extension shows connection error.

Solution:

• Verify the API token in your Intune profile is correct (no extra spaces)
• Check that the token hasn't been rotated in the Noxys Dashboard
• Verify network connectivity to api.noxys.cloud (or your backend)
• Check device's corporate proxy settings
• Force device sync in Intune to push the latest configuration

Some Devices Failed Deployment

Problem: A percentage of managed devices show "Failed" status.

Solution:

• Check if those devices are running Windows 10 (version 1903 or later) or macOS
• Verify devices have checked into Intune recently
• Force sync those specific devices
• Check device event logs for Intune policy errors
• If issue persists, contact your Intune support team

Users Can Uninstall the Extension

Problem: The extension is forced-installed, but users can still uninstall it.

Solution:

• This is by design in Intune; administrators cannot prevent user uninstalls
• If uninstalled, Intune will reinstall it within 24 hours
• To reduce uninstalls, communicate the security benefits to your teams
• Monitor uninstall events in Intune device logs

Pre-Configured Token Not Applied

Problem: Extension is installed, but users still see "Configure API Token" prompt.

Solution:

• Check your Intune policy JSON is valid (use a JSON validator)
• Verify the api_token field matches the actual token in Noxys Dashboard
• Wait 24 hours for devices to receive the configuration
• Force device sync to apply immediately
• Check device event logs for policy application errors

Best Practices

1. Use per-team tokens for better auditing and token rotation
2. Test with a pilot group before rolling out to entire organization
3. Enable Tier 2 classification for enhanced PII detection (may add ~30ms latency)
4. Set up webhook alerts to integrate with your SOC
5. Monitor deployment status weekly and address failures promptly
6. Communicate the rollout to users explaining the security benefits
7. Rotate API tokens quarterly and deploy new versions via Intune
8. Review device compliance monthly to ensure all devices remain managed

Integration with Entra ID Groups

To deploy only to specific departments using dynamic Entra ID groups:

1. In Intune, when assigning the profile, use dynamic groups:
   • Security Engineering team: dept:security
   • Finance department: dept:finance
2. Intune automatically applies the profile to users in these groups
3. New employees added to the group automatically receive the extension

Next Steps

• Create Your First Policy
• Admin Console for policy management
• Extension Guide

Need Help?

• Email: support@noxys.eu
• Security Issues: security@noxys.eu
• Intune Support: Your organization's IT support team