How deployment works
Every browser needs two configuration profiles (or in the case of Firefox a configuration profile to install the extension and a bash script to configure it to your Nudge Security tenant) in Jamf:
Install profile — force-installs the extension.
Configure profile — applies your deployment policy so the extension connects to your Nudge Security tenant.
Two rules keep deployments clean:
One browser per configuration profile. Never combine multiple browsers in a single profile.
Same force-install list per browser. If you already manage extensions for a browser, add Nudge to that browser's existing list rather than creating a competing one. Conflicting lists cause policy errors.
Two browser groups are exceptions to the standard configure step:
Firefox installs with a profile but configures with a script. See the Firefox section below.
Dia, Atlas, and Comet install like other Chromium browsers but configure with a
nudge-security-browser-namekey instead of an.extensionspreference domain. See their section below.
Before you start: get your deployment key
You'll need your deployment key for the configure step of every browser. Grab it once and keep it handy.
In Nudge Security, go to Settings → Browser Extension → Enroll New Users.
Select Managed Deployment, then Device Management.
Choose Mac as the operating system, then select your browser.
Scroll to Step 2: Configure Deployment Policy and download or copy the PLIST file (
ConfigureNudgeBrowserExtension.plist).In that PLIST, find the value under
nudge-security-deployment-key. It looks likeNUDGE_EXTDK.xxxxxxxx-.... That's your deployment key.
Deploy to a Chromium browser
These steps cover Chrome, Edge, and Brave. The procedure is identical for all three—only the preference domains change. Find your browser's values in the table, then follow the steps.
Browser | Install preference domain | Configure preference domain |
Chrome |
|
|
Edge |
|
|
Brave |
|
|
Dia, Atlas, and Comet are also Chromium browsers, but they configure their deployment policy a bit differently. See the Dia, Atlas, and Comet section below.
Step 1: Create the install profile
Go to Configuration Profiles → New.
Name it something clear, like
Nudge Install Chrome macOS.In the left nav, scroll down and select Application & Custom Settings.
Select Upload, click + Add, and set the preference domain to your browser's install value from the table above.
Paste this PLIST to force-install the extension:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ExtensionInstallForcelist</key>
<array>
<string>diaecjfdpohehjhliaephjnpnlmeajfa</string>
</array>
</dict>
</plist>
Save the profile and continue to Step 2.
Step 2: Create the configure profile
Go to Configuration Profiles → New again.
Name it something clear, like
Nudge Configure Chrome macOS.In the left nav, scroll down and select Application & Custom Settings.
Select Upload, click + Add, and set the preference domain to your browser's configure value from the table above.
Paste the below PLIST, replacing
DEPLOYMENT_KEY_HEREwith the key you copied earlier. The$SERIALNUMBERvariable is filled in automatically by Jamf at deployment:
<dict>
<key>nudge-security-deployment-key</key>
<string>DEPLOYMENT_KEY_HERE</string>
<key>nudge-security-device-identifier</key>
<string>$SERIALNUMBER</string>
<key>nudge-security-device-type</key>
<string>laptop</string>
<key>nudge-security-device-os</key>
<string>macOS</string>
</dict>
Save the profile.
That's it for Chromium browsers. Skip to Verify the installation.
Deploy to Firefox
Firefox installs the same way as Chromium browsers but configures its deployment policy with a script instead of a second profile.
Step 1: Create the install profile
Go to Configuration Profiles → New.
Name it something clear, like
Nudge Install Firefox macOS.In the left nav, scroll down and select Application & Custom Settings.
Select Upload, click + Add, and set the preference domain to
org.mozilla.firefox.Paste this PLIST to force-install the extension:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>EnterprisePoliciesEnabled</key>
<true/>
<key>ExtensionSettings</key>
<dict>
<key>*</key>
<dict>
<key>installation_mode</key>
<string>allowed</string>
</dict>
<key>nudge-security-browser-helper@nudge.security</key>
<dict>
<key>install_url</key>
<string>https://addons.mozilla.org/firefox/downloads/latest/nudge-security-browser-ext/latest.xpi</string>
<key>installation_mode</key>
<string>force_installed</string>
</dict>
</dict>
<key>InstallAddonsPermission</key>
<dict>
<key>Allow</key>
<array>
<string>https://addons.mozilla.org</string>
<string>https://addons.mozilla.org/</string>
</array>
</dict>
</dict>
</plist>
Save the profile and continue to Step 2.
Step 2: Create the configure script
In Nudge Security, go to Settings → Browser Extension → Enroll New Users → Managed Deployment → Device Management. Choose Mac, select Firefox, then scroll to Step 2: Configure Firefox Deployment Policy and click Download Bash Script to get
ConfigureFirefoxNudgeBrowserExtension.sh. (you can also copy the script directly from Nudge Security)In Jamf, create a new Script named something like
Nudge Configure Firefox macOS.Upload or paste the script.
Save the script.
Deploy to Dia, Atlas, and Comet
Dia, Atlas, and Comet are Chromium browsers and deploy exactly like Chrome, Edge, and Brave—same two profiles, same install and configure preference-domain structure. The only difference is one extra key in the configure profile: nudge-security-browser-name.
These browsers don't identify themselves as anything other than base Chromium, so Nudge can't tell them apart on its own. The nudge-security-browser-name key tells Nudge which browser the deployment is for.
Use the install and configure preference domains below:
Browser | Install preference domain | Configure preference domain |
Dia |
|
|
Atlas |
|
|
Comet |
|
|
Step 1: Create the install profile
Follow Step 1: Create the install profile above, using the install preference domain for your browser from the table. The install PLIST is identical to the one used for Chrome, Edge, and Brave.
Step 2: Create the configure profile
Follow Step 2: Create the configure profile above, using the configure preference domain for your browser. The only change is to add the nudge-security-browser-name key. Replace DEPLOYMENT_KEY_HERE with your key, and set the browser name to dia, atlas, or comet:
Dia:
<key>nudge-security-browser-name</key>
<string>dia</string>
<key>nudge-security-deployment-key</key>
<string>DEPLOYMENT_KEY_HERE</string>
<key>nudge-security-device-identifier</key>
<string>$SERIALNUMBER</string>
<key>nudge-security-device-type</key>
<string>laptop</string>
<key>nudge-security-device-os</key>
<string>macOS</string>
Atlas:
<key>nudge-security-browser-name</key>
<string>atlas</string>
<key>nudge-security-deployment-key</key>
<string>DEPLOYMENT_KEY_HERE</string>
<key>nudge-security-device-identifier</key>
<string>$SERIALNUMBER</string>
<key>nudge-security-device-type</key>
<string>laptop</string>
<key>nudge-security-device-os</key>
<string>macOS</string>
Comet:
<key>nudge-security-browser-name</key>
<string>comet</string>
<key>nudge-security-deployment-key</key>
<string>DEPLOYMENT_KEY_HERE</string>
<key>nudge-security-device-identifier</key>
<string>$SERIALNUMBER</string>
<key>nudge-security-device-type</key>
<string>laptop</string>
<key>nudge-security-device-os</key>
<string>macOS</string>
Create one dedicated profile per browser, and use the matching browser name (dia, atlas, or comet) in each.
Already managing extensions for this browser?
If you already force-install extensions for a Chromium browser, don't create a competing install list. Add Nudge to your existing force-install list instead, then create only the configure profile.
In Jamf, open the existing Configuration Profile for that browser.
In Application & Custom Settings, add Nudge to the existing force-install list. In Nudge Security, the Managed Deployment screen gives you the exact value to copy for each browser type:
Chromium browsers (Chrome, Edge, Brave):
diaecjfdpohehjhliaephjnpnlmeajfa;https://clients2.google.com/service/update2/crxFirefox:
nudge-security-browser-helper@nudge.security;https://addons.mozilla.org/firefox/downloads/latest/nudge-security-browser-ext/latest.xpi
Save your changes.
Skip the install step—it's handled by your existing list you just added to—and create the configure profile (or configure bash script, for Firefox) using the steps in the sections above.
Verify the installation
Once the extension is installed and configured, users start showing as Connected on the Browser Extension settings page in Nudge Security. User discovery can take up to 72 hours. To verify a device manually, use the steps below.
Chrome, Edge, and Brave
Confirm the extension installed. Open chrome://extensions and check that the Nudge Security browser extension appears. If it's missing, recheck your install profile and ExtensionInstallForcelist.
Confirm the deployment policy applied. Open the extension's status page at chrome-extension://diaecjfdpohehjhliaephjnpnlmeajfa/options.html and check the status:
Configured — Fully installed and operational.
Waiting for User — Still in the user discovery process.
NO_DEPLOYMENT_KEY — Something's wrong with the deployment policy. Recheck your configure profile.
Firefox
Confirm the extension installed. Open about:addons and check that the Nudge Security browser extension appears. If it's missing, recheck your install profile.
Confirm the deployment policy applied. In about:addons, find Nudge Security Browser Extension and click Preferences:
Configured — Fully installed and operational.
Waiting for User — Still in the user discovery process.
NO_DEPLOYMENT_KEY — Something's wrong with the deployment policy. Recheck your script.
Troubleshooting
Confirm the Mac is MDM-enrolled
Run this in Terminal:
bash
sudo profiles status -type enrollment
You should see something like:
Enrolled via MDM: Yes MDM enrollment ID: <UUID>
If you see No, the Mac isn't enrolled with your MDM. Re-enroll it before continuing.
Confirm the profile reached the device
In Jamf Pro, go to Computers → [your test Mac] → Management → Configuration Profiles and check that your profile is listed with status = Installed.
If it isn't installed:
Click View to confirm it's scoped correctly.
Force a check-in by running this on the Mac:
sudo jamf recon sudo jamf policy
Validate your PLIST syntax
Before uploading a PLIST to Jamf, lint it locally:
bash
plutil -lint com.google.Chrome.plist
A valid file returns:
com.google.Chrome.plist: OK
A missing semicolon, bad array, or stray space can break a PLIST silently, so always lint before uploading.
Deploying to Safari?
This guide covers Chromium browsers (Chrome, Edge, Brave, Dia, Atlas, and Comet) and Firefox. Safari follows a different process. To deploy the extension to Safari, see Deploy the Nudge Security browser extension to Safari.