DocumentationRelease Notes
Documentation

Workforce Passwords deployable extension

Suggest Edits

Workforce Passwords offers a secure way to store and access business credentials through a browser extension. Administrators can deploy the Workforce Passwords extension across Chrome, Edge, and Firefox browsers on Windows systems efficiently by using Windows Group Policy Objects (GPOs) to centrally deploy the extension to all domain-joined Windows machines. This eliminates the need for users to manually install it. Administrators can also pre-configure the Workforce Passwords server URL to provide a seamless setup for end users. First, use the Group Policy administrative template to set the desired values for the configurable options. Then enforce the installation of Workforce Passwords.

Obtain Policy Definitions

In order to centrally deploy and pre-configure the Workforce Passwords extension, place the Group Policy administrative template (ADMX) and language resources (ADML) files into the Policy Definitions Central Store.

The .zip file is available in the customer portal, and should be downloaded and unzipped on the system where GPMC will be used.

Once unzipped, there are 5 files:

  • Administrative Templates (.admx)
    • BeyondTrust.admx
    • WorkforcePasswords.admx
  • Language resources
    • BeyondTrust.adml
    • WorkforcePasswords.adml
  • Firefox-specific requirement
    • policies.json

Place both of the .admx files into the GPMC Policy Definition folder (C:\Windows\PolicyDefinitions or similar).

Place both of the .adml files into the en-US language resources folder (C:\Windows\PolicyDefinitions\en-US or similar).

After completing this step, you can launch the Group Policy Management Console (GPMC).

Group Policy Management Console (GPMC)

Group Policy Management Console in Windows Explorer is tool used to administer GPOs and associated permissions across a network. Administrators have access to this tool.

There are several ways to start Group Policy Management:

  • Start menu: Enter Group Policy Management in the Start menu search bar and select the appropriate item.
  • Run Dialog: Press Windows + R, enter gpmc.msc, and hit Enter.
  • Server Manager: On a domain controller, launch Server Manager, go to Tools, and choose Group Policy Management.

Once the GPMC is open, you can manage GPOs across your domain or organization. This includes creating, linking, and modifying GPOs to define settings for users and computers.

Edit the Workforce Passwords specific GPO Settings

  1. Start the GPMC using one of the methods listed above.
  2. In GPMC, navigate to the policy you want to edit, and then select Computer Configuration > Policies > Administrative Templates > BeyondTrust > Workforce Passwords.

Within the Workforce Passwords folder, there are three folders:

  • Google Chrome folder
  • Microsoft Edge folder
  • Mozilla Firefox folder

Select the appropriate folder.

There are three settings within each folder that admins can configure:

  • Authenticate with Pathfinder (beyondtrust.io)
    • If State is set to Not configured or Disabled, and the user starts Workforce Passwords, the user has the option to choose between different login portals.
    • If State is set to Enabled, and the user starts Workforce Passwords, the option to choose between different login portals is no longer available. The user is instead taken to the Platform Cloud Solutions login screen.
  • Specify default locale
    • If State is set to Not configured or Disabled, the local defaults to what is specified in the user's web browser.
    • If State is set to Enabled, one of the locals listed in the Default Locale dropdown can be selected.
      • When a local is selected and the user launches Workforce Passwords, the start dialog will appear in that local language.

        ℹ️

        Users can change the local setting to a value different from the one set by the administrator. This is the only enterprise deployment setting that users are allowed to freely customize.

  • Authenticate with a Password Safe URL (cloud or self-hosted)
    • If State is set to Enabled , administrators can supply a Password Safe URL to authenticate with Pathfinder.
      • When the user starts Workforce Passwords, they are brought to the URL entered in the GPO screen.
      • The user is not able to modify the Password Safe URL from the pre-configured value, or switch to Pathfinder to login.
      • The URL should follow the format https://ps-instance.local/webconsole

To apply the updates, run the GPUPDATE command on the client machine. Once completed, the new settings take effect.

Enforce installation of Workforce Passwords on Chrome browsers

ℹ️

This applies to Windows systems only.

Go to https://chromeenterprise.google/download/ and download the Chrome ADM/ADMX templates. Install these into your Windows Policy folder (e.g., C:\Windows\PolicyDefinitions or similar).

Once the templates are installed, open the GPMC. Navigate to User Configuration -> Administrative Templates -> Google -> Google Chrome -> Extensions. Open Configure the list of force-installed apps and extensions. Select the Enabled radio button,, and then chose Show under Options. Add an entry for lchpepnpfkooehfcdnlaklepfiedhipi. Apply your changes. This entry forces the installation of BeyondTrust Workforce Passwords for Chrome once the policy is deployed.

Enforce installation of Workforce Passwords on Edge browsers

Go to Download and Deploy Microsoft Edge for Business and download the administrative templates for your Windows operating system. Install them in your Windows Policy folder (e.g., C:\windows\PolicyDefinitions). The ADMX files must reside in that folder while the ADML files reside in the language folder of your choice (e.g., en-US).

Once the templates are installed, open the GPMC. Under User Configuration, navigate to Administrative Templates -> Microsoft Edge -> Extensions. Open Configure extension management settings. Select the Enabled radio button, and then click in the empty text field on the left under Options. Add an entry for { "djojdgogandjnhpnmnpodfcgnbjmbich": { "installation_mode": "force_installed", "update_url": "https://edge.microsoft.com/extensionwebstorebase/v1/crx" } }. Apply your changes. This entry forces the installation of BeyondTrust Workforce Passwords for Edge once the policy is deployed.

Enforce installation of Workforce Passwords on Firefox browsers

Go to https://github.com/mozilla/policy-templates/releases and download the Firefox policy templates for your Windows operating system. Install them in your Windows Policy folder (e.g., C:\Windows\PolicyDefinitions). The ADMX files must reside in that folder while the ADML files reside in the language folder of your choice (e.g., en-US).

Once the templates are installed, open the Windows Group Policy Editor. Under User Configuration, navigate to Administrative Templates -> Mozilla -> Firefox -> Extensions. Open Extensions to install. Select the Enabled radio button, and then click Show on the left under Options. Add an entry for https://addons.mozilla.org/firefox/downloads/latest/beyondtrust-workforcepasswords/latest.xpi. Apply your changes.

Next, open Prevent extensions from being disabled or removed. Select the Enabled radio button, and then click Show on the left under Options. Add an entry for [email protected], then apply your changes.

This entry forces the installation of BeyondTrust Workforce Passwords for Firefox once the policy is deployed and prevents users from disabling or uninstalling it.

Updated 8 days ago

©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.