Agent-based browser extensions

The browser extensions for Flexera One SaaS Management discover and meter SaaS application usage in web browsers across your IT estate. The data is presented in Flexera One SaaS Management.

The information below applies to the SaaS Web Metering feature which uses agent-based browser extensions. Flexera One SaaS Management also offers an agentless browser extension. For more information, see Browser extension.

The SaaS Web Metering feature is a powerful tool to discover unknown SaaS application usage. The collected user activity also enriches subscription and user data from the SaaS connectors.

The feature requires local installations, as described in Prerequisites.

The browsers and platforms for which the feature is available are listed in Browser availability.

For instructions on how to enable and manage the feature, see Manage SaaS Web Metering. Note that you can select between three levels of automation depending on if you want the system to take care of all installation steps automatically or if you want complete or partial control of the installation. For more information, see Installation options.

For a description of the data flow and the ports that are used, see Technical description and Ports used.

Security considerations for the solution are discussed in Security considerations.

Overview

The browser extensions discover SaaS applications, users, and user activity in web browsers across your IT estate. The collected data is consolidated and presented as discovered applications and users, and user activity, in Flexera One SaaS Management. For more information, see SaaS discovery and Data consolidation.

User activity data collected by SaaS Web Metering varies by application. For some applications, the browser extensions can verify whether a user has signed in to the application; this is represented by the discovery type Browser verified. For other applications, the browser extensions can detect only whether a user has navigated to a URL associated with an application, but cannot verify whether the user has signed in to the application; this is represented by the discovery type Browser unverified.

Prerequisites

The SaaS Web Metering feature requires locally installed Inventory Agents to collect and process SaaS application usage data gathered by the browser extensions, and Inventory Beacons to import the data into Flexera One SaaS Management.

If your organization is an IT Visibility customer, the requirement is to use IT Visibility Inventory Beacons and Agents. For more information, see IT Visibility Inventory Beacons and Agents.

If your organization is an ITAM customer, the requirement is to use ITAM Inventory Beacons and Agents. For more information, see Inventory Beacon and Inventory Agent.

Browser availability

The browser extensions are available for the browsers and platforms listed in the table below. Flexera supports the deployment of extensions for browser versions that are supported by the respective vendor.

Browser Platform Location
Google Chrome Windows, macOS The extension is available in Chrome Web Store. Snow Software is the official publisher of the extension.
Microsoft Edge Windows, macOS The extension is available in Microsoft Edge Add-ons Store. Snow Software is the official publisher of the extension.
Mozilla Firefox Windows, macOS The extension is an add-on file that is hosted by Flexera and downloaded from a public GitHub repository. The extension is signed by Mozilla but not published on addons.mozilla.org (AMO).
Apple Safari macOS The installation package can be downloaded from this Flexera Community article: https://community.flexera.com/s/article/Cloud-Application-Metering-extension-for-Safari.

Installation options

When setting up the SaaS Web Metering feature on the Data Collection > Common Inventory Tasks > SaaS Web Metering Settings page, you can select between three installation options for each browser, depending on if you want the installation to be fully automated or if you want to manage the installation yourself, partly or completely. There is also a fourth option to be used when uninstalling the extension for a browser.

Fully Installed: Select this option if you want the installation procedure to be fully automated. The system will install the browser extension and all related files and configuration for the browser.

Prerequisites Only: Select this option if you want to use a management tool or policy to install the extension. The system will install the related files and configuration for the browser but will not instruct the browser to install the extension. For more information, see Install browser extensions using a management tool.

User Managed (default option): Select this option if you want to be fully in control of the installation procedure, for example, if your organization has strict security policies. With this option, the system will not install or configure anything. Instead, you must manually install the related files and configuration for the browser, as well as install the browser extension. For more information, see Install Web Metering manually.

Not Installed: Select this option if you want to uninstall a browser extension that has been installed previously by one of the above options. The system will uninstall the extension and all related files and configuration for the browser.

The installation options apply to the Edge, Chrome, and Firefox browsers. For Safari, due to restrictions enforced by Apple, you must download the extension installation package and install or uninstall it manually, regardless of the installation options selected for the other browsers. For more information, see Manage Apple Safari browser extension.

Technical description

The process for communication, data collection, filtering, and sending the data to Flexera One SaaS Management is outlined below:

  1. The SaaS Web Metering feature is enabled by the customer on the Data Collection > Common Inventory Tasks > SaaS Web Metering Settings page. The set-up process is described in Set up SaaS Web Metering.

  2. Browser extensions are installed on the devices in the customer environment as part of the set-up process.

  3. At regular intervals, the Inventory Beacon downloads the following items from Flexera One:

    • Webmetering settings based on the settings made by the customer on the Data Collection > Common Inventory Tasks > SaaS Web Metering Settings page.
    • An allowlist including predefined, business-relevant SaaS application domains.

  4. The Inventory Beacon transfers the webmetering settings and allowlist to the Inventory Agent on each device. The webmetering settings tell the Inventory Agent if webmetering data should be collected and sent or not, and if browser extensions and related files and configuration should be installed by the agent or not.

  5. The browser extensions monitor and collect user activity in the browsers.

  6. Once every hour, the data collected by the browser extensions is filtered by the Inventory Agent based on the allowlist, and only the usage captured on applications from listed domains is kept and saved in a json.gz file.

  7. Once every 12 hours, the Inventory Agent sends the json.gz file to the Inventory Beacon.

  8. The Inventory Beacon transfers the data to Flexera One, where it is consolidated and displayed in Flexera One SaaS Management.

Ports used

The figure illustrates what ports are used for the transfer of SaaS application usage data.

saas-agent-based-browser-extensions-ports.png

Security considerations

The SaaS Web Metering feature is designed with data protection and user privacy in mind.

Flexera has minimized the collected data to ensure that only necessary data points are stored. The collected data is filtered against an allowlist so that only data relevant for licensing purposes is sent to Flexera's systems.

Data collected and sent

The browser extensions collect the following data points:

  • Full URL of a website visited by a user.

  • The account that the user is logged on with, that is, either the local computer account or the Active Directory account. For example, computername\username or AD\username.

  • A timestamp associated with the URL visit.

The extension only collects the URL of web requests made by the browser. That means we do not look at security headers or the request body. The collected information is stored in an encrypted file.

The collected information is processed by the agent. The URLs are filtered against an allowlist, so that only domains of interest to the customer are included.

The data that leaves the device consists of:

  • The entire URL, including query parameters.

  • The computer or Active Directory account that the user is logged on with.

  • A timestamp associated with the URL visit.

Data encryption

All collected and processed data is stored encrypted.

This includes:

  • Temporary storage of URLs, logins, and timestamps (AES-256)

  • Storage of rules with corresponding hit numbers (AES-256)

  • Generic Snow Inventory files that are used to package the data for sending (AES-128)

Extension permissions

When the browser extension is installed, it will request permission to access browsing data, since it is a prerequisite for it to be able to perform its tasks. Different browsers have different permission models. For example, Chromium-based browsers, as well as Mozilla Firefox, by design implement an all-or-nothing permission model for an extension that requests access to all URLs visited by a user. For Snow Web Application Metering extension, this means that Chromium-based browsers and Mozilla Firefox will give it permission to read and change all data on websites visited by the user.

It is important to note that the browser extensions only require and collect information on the user-visited URLs, regardless of the permission model of the respective browser. The extensions do not change or read the content of the visited web pages.

The respective app store and browser will show a list of permissions that will be, or have been, given to the browser extension based on the browser's permission model, as shown in the table below.

The table shows permissions given by the browser, as stated by the browser. No matter what permissions are given, the browser extension will use them only to collect information on the user-visited URLs.

Browser Permissions as shown in the app store and browser
Chromium-based browsers Google Chrome and Microsoft Edge "Read and change all your data on the websites you visit"

"Communicate with cooperating native applications"
Apple Safari "Webpage Contents Can read sensitive information from webpages, including passwords, phone numbers, and credit cards. Can alter the appearance and behavior of webpages on: all webpages".

"Browsing History Can see when you visit: all webpages".
Mozilla Firefox "Access your data for all websites"

"Exchange messages with programs other than Firefox"

Security testing

Flexera recognizes the importance of keeping the browser extensions secure as they are deployed to end-user computers and have access to the websites that the users visit. Therefore, Flexera has started a bug bounty program, where security researchers are rewarded for finding and reporting security issues within the extensions. This facilitates continuous security assessment of the latest changes to the cloud application metering extensions.