Product Architecture

In this section:

Architectural Diagram

Agent

Configuration

Content Delivery Network

Architectural Diagram

Agent

Browser Manager is installed and run on endpoints using an agent constructed as a Windows Installer package (MSI). It is installed locally onto each endpoint requiring Browser Manager features. The installer package can be installed manually or delivered using any suitable third-party deployment system. Both 32-bit and 64-bit Microsoft Installer packages are available.

Depending on the installation options selected in the installer, Browser Manager may install two Windows Services and a file system filter driver, along with other binaries.

When the Browser Manager installers (x64.msi or x86.msi) are imported into the Ivanti UWM Management Center and configured for deployment, all features are installed by default.

Agent Services

There are two services which may be installed by the Agent:

  • Ivanti Browser Manager Notification Service

  • Ivanti Browser Manager Network Service

The Ivanti Browser Manager Notification Service runs as SYSTEM on each endpoint.  The service is used for system level notifications for items such as user sessions, user logon and logoff events and browser process start and stop events.  When the Ivanti Browser Manager Notification Service is installed the file system filter driver is also installed.

Notification Service

The Ivanti Browser Manager Notification Service serves multiple purposes:

  • The service is used for system level notifications including user session, user logon/logoff events and process start and stop events for the various browsers. When the Ivanti Browser Manager Notification Service is installed the file system filter driver is also installed.

  • The notification service ensures that the WebData Management component is applied prior to any profile management solution and before the user profile is unloaded during the logoff of a user session.

  • Enables the Browser Redirector feature to receive notifications for new sessions and ensures that browser requests are intercepted and redirected as required.

  • Provides a session-based mechanism to allow the synchronization of Favorites/bookmarks.  The service handles all notifications for new sessions and ensures that the Favorites Synchronization is completed for any specified users.

  • The Notification Service is not required for the WebData Management feature but is required for Browser Redirector and Favorites Synchronization.  The behaviour of the notification service can be managed by the configuration as required.

  • When the Notification Service is selected for use with the WebData Management feature, additional options are available for executing the data clean-up for the Google Chrome, Mozilla Firefox and Microsoft Edge (Chromium) browsers in their current state.  WebData Management can be configured to perform the data management on the exit of the browser as well as during the logoff of a user session.  If required, the automatic execution of WebData Management at logoff can be disabled so that only processing on browser exit is enabled.

  • Enables the Resource Blocking feature to receive notifications for new sessions and loads the required browser extensions to enable Ad Blocking capabilities.

Network Services

The Ivanti Browser Manager Network Service runs as NETWORK SERVICE on each endpoint. The service is used for network communications for automatic update purposes.

The Ivanti Browser Manager Network Service is an option which can be selected as part of the installation. The Network Service will ensure that the latest definition files are downloaded automatically for both the WebData Management and Resource Blocking features.

File System Filter Driver

When the Ivanti Browser Manager Notification Service is installed, a mini filter driver is also installed. This driver is responsible for notifying the notification service about predefined process start and stop events.

Browser Extensions/Browser Helper Objects

Browser Add-ons are used for the Browser Redirector and Resource Blocking features. An Internet Explorer Browser Helper Object (BHO) is loaded when the Browser Redirector feature is enabled and, if selected, an Enhanced Protected Mode compliant BHO can be loaded.

The BHO is only used by Internet Explorer. Separate extensions are provided for Google Chrome, Microsoft Edge (Chromium) and Mozilla Firefox. These extensions are installed automatically when the Browser Redirector or Resource Blocking features are enabled.

Configuration

Browser Manager configuration files (ABMP files) are used to store configuration settings and can be generated by the Browser Manager Console.

Configurations are stored locally in the All Users profile and are protected by NTFS security. In standalone mode, configuration changes are written directly to the file system from the Application Control console. In Enterprise mode, configurations are stored in the Management Center database, and distributed in MSI format using the Management Center or Application Control console.

Configurations can also be exported and imported to and from MSI file format using the Browser Manager console. This is useful for creating templates or distributing configurations using third-party deployment systems.

After creating or modifying a configuration, you must save it (and deploy it if necessary) to ensure that the changes are actioned.
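The following added example (not Ivanti code) shows how an administrator could check on an endpoint that the two agent services run under the accounts described under Agent Services, and that no principal other than SYSTEM or Administrators can write to the ABMP configuration files described above. It assumes the documented service names match the installed DisplayName values; the configuration directory is a placeholder because this page does not give the path, and the trusted SID list is an assumption to adjust for your environment.

```powershell
# Added audit sketch, not part of the product. Display names come from the
# documentation above and are assumed to equal the installed DisplayName.
$expected = @{
    'Ivanti Browser Manager Notification Service' = 'LocalSystem'                  # SYSTEM
    'Ivanti Browser Manager Network Service'      = 'NT AUTHORITY\NetworkService'  # NETWORK SERVICE
}

function Test-BrowserManagerServices {
    $all = Get-CimInstance -ClassName Win32_Service
    foreach ($name in $expected.Keys) {
        $svc = $all | Where-Object DisplayName -eq $name
        if (-not $svc) {
            # Both services are optional install features: report absence, do not fail.
            [pscustomobject]@{ Service = $name; Account = $null; State = 'NotInstalled'; AsDocumented = $null }
            continue
        }
        [pscustomobject]@{
            Service      = $name
            Account      = $svc.StartName
            State        = $svc.State
            AsDocumented = ($svc.StartName -eq $expected[$name])   # -eq ignores case
        }
    }
}

function Find-WritableConfig {
    param([Parameter(Mandatory)][string]$ConfigDir)   # placeholder: path is not given on this page
    # SIDs avoid localized account names: SYSTEM and BUILTIN\Administrators (assumed trusted set).
    $trustedSids = 'S-1-5-18', 'S-1-5-32-544'
    # WriteData (0x2), AppendData (0x4), and the raw GENERIC_WRITE / GENERIC_ALL bits.
    $writeMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000
    Get-ChildItem -LiteralPath $ConfigDir -Filter *.abmp -File -Recurse -ErrorAction Stop | ForEach-Object {
        $file  = $_.FullName
        $rules = (Get-Acl -LiteralPath $file).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])   # explicit + inherited
        foreach ($ace in $rules) {
            $canWrite = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
                $ace.IdentityReference.Value -notin $trustedSids) {
                [pscustomobject]@{ File = $file; Sid = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
            }
        }
    }
}

Test-BrowserManagerServices | Format-Table -AutoSize
# Find-WritableConfig -ConfigDir '<Browser Manager configuration directory>'
```

Any row returned by Find-WritableConfig is an ABMP file that a non-administrative principal can modify, which would let that principal change Browser Manager policy on the endpoint.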

Content Delivery Network

A Content Delivery Network (CDN) hosted in Microsoft Azure is used to contain the latest Ad Blocking content and Cookie definitions files. The Ad Blocking content and Cookie definitions files are built into the agent but can be dynamically updated from the CDN if required.

The Network Service is not required for any of the other features and is only used to update the files which store the definitions of which tracking, advertising and analytics cookies are to be removed by WebData Management, and which ads are blocked.
