Deployment methods
Recommended
Microsoft Intune
Force-install via Chrome extension policy. Works for Entra ID-joined devices. Zero user interaction.
Enterprise
Group Policy (GPO)
Windows Active Directory environments. Uses Chrome ADMX templates. Best for on-prem AD.
macOS
JAMF Pro
Deploy via mobileconfig profile. Works for macOS fleets managed with JAMF.
Small teams
Manual install
Install from Chrome Web Store, enter Account ID in popup. No admin tooling required.
Method 1 — Microsoft Intune
1
Create a Chrome extension configuration policy
In Intune Admin Center: Devices → Configuration → Create → New policy → Windows 10+ → Settings catalog
Search for ExtensionInstallForcelist and add this value:
pnpcomkpinmnhhlajjimcflfflnpbaej;https://clients2.google.com/service/update2/crx
What this does: Force-installs the extension. Users cannot disable or remove it.
2
Configure auto-enrollment (optional — skip for manual enrollment)
To pre-configure the Account ID so users don't need to enroll manually, add an ExtensionSettings policy:
{
"pnpcomkpinmnhhlajjimcflfflnpbaej": {
"installation_mode": "force_installed",
"update_url": "https://clients2.google.com/service/update2/crx",
"managed_storage": {
"mbr_account_id": "YOUR_ACCOUNT_ID",
"auto_enroll": true,
"mbr_org_name": "Your Company Name"
}
}
}
Replace
YOUR_ACCOUNT_ID with your membrAIn account ID from the portal (Settings → Account).3
Assign policy to device groups and sync
Assign the configuration policy to your target device group. Extension installs on next Intune sync (typically within 8 hours, or force sync via Company Portal).
Verify: After sync, open Chrome on an enrolled device. The membrAIn icon should appear in the toolbar. Check the portal → Active Devices to confirm enrollment.
Method 2 — Group Policy (Windows AD)
1
Install Chrome ADMX templates
Download Chrome ADMX templates from chromeenterprise.google. Copy to your domain's PolicyDefinitions folder:
# On your Domain Controller:
Copy-Item "chrome.admx" "C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\"
Copy-Item "chrome.adml" "C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions\en-US\"
2
Configure force-install policy
In Group Policy Management Editor:
Computer Configuration → Policies → Administrative Templates → Google → Google Chrome → Extensions → Configure the list of force-installed apps and extensions
Enable the policy and add:
pnpcomkpinmnhhlajjimcflfflnpbaej;https://clients2.google.com/service/update2/crx
3
Configure managed storage for auto-enrollment (optional)
To pre-configure Account ID via registry:
# Deploy via GPO Preferences → Registry Key: HKLM\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\pnpcomkpinmnhhlajjimcflfflnpbaej\policy Values: mbr_account_id REG_SZ YOUR_ACCOUNT_ID auto_enroll REG_SZ true mbr_org_name REG_SZ Your Company Name
Method 3 — JAMF Pro (macOS)
1
Create a Chrome management profile
In JAMF Pro: Computers → Configuration Profiles → New. Add a Custom Settings payload with this preference domain and JSON:
# Preference Domain: com.google.Chrome # JSON value: { "ExtensionInstallForcelist": [ "pnpcomkpinmnhhlajjimcflfflnpbaej;https://clients2.google.com/service/update2/crx" ], "ExtensionSettings": { "pnpcomkpinmnhhlajjimcflfflnpbaej": { "installation_mode": "force_installed", "update_url": "https://clients2.google.com/service/update2/crx" } } }
2
Deploy managed storage for auto-enrollment (optional)
Add a second Custom Settings payload for the extension's managed storage:
# Preference Domain: com.google.Chrome.extensions.pnpcomkpinmnhhlajjimcflfflnpbaej # JSON value: { "mbr_account_id": "YOUR_ACCOUNT_ID", "auto_enroll": true, "mbr_org_name": "Your Company Name" }
Verification
| Check | Expected result | Status |
|---|---|---|
| Extension icon in Chrome toolbar | membrAIn shield icon visible | Manual |
| Portal → Active Devices | Device appears within 2 minutes of enrollment | Automated |
| DLP test — type SSN in ChatGPT | Extension blocks/warns before submission | Manual |
| Heartbeat check (30 min) | Device shows green dot in portal | Automated |
| Policy sync | Policy changes in portal apply within 1 hour | Automated |
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
| Extension not installing after policy push | Intune sync delay | Force sync via Company Portal or wait up to 8 hours |
| Device not appearing in portal | Account ID not set or auto-enroll false | Check managed storage config, or manually enroll via popup |
| Extension visible but not detecting | Content scripts blocked by security policy | Whitelist extension in EDR/endpoint policy |
| CrowdStrike/SentinelOne blocking extension | Browser extension injection policy | Add extension ID to allowed list in EDR console |
| Zscaler/Netskope breaking gateway calls | SSL inspection on gateway domain | Add gateway.getmembrain.ai to SSL bypass list |
| Firefox users unprotected | Extension is Chrome/Edge only (MV3) | Use the Lane 3 AI Gateway for server-side coverage |
Firewall / network requirements
| Domain | Port | Purpose |
|---|---|---|
gateway.getmembrain.ai | 443 | DLP scanning + audit log |
agents.getmembrain.ai | 443 | Support agents |
app.getmembrain.ai | 443 | Portal |
clients2.google.com | 443 | Chrome Web Store updates |