Roll-out playbook
A phased plan for deploying BeeSensible across your organization.
This is a phased plan for rolling out BeeSensible. Starting with a pilot, then a second team, and then a wider rollout helps you tune configuration and communication.
For the faster path to one pilot group, see Quick start for admins.
Phase 1: Pilot
Goal: confirm that BeeSensible works well in your environment and collect early feedback.
Choose a small group of users from a team that regularly handles sensitive data, such as HR, finance, legal, or support.
Before inviting them:
- Review the default detection profile.
- Create a stricter or quieter profile where needed.
- Assign relevant apps to the right profile.
After the first usage period, review the analytics dashboard:
- Detections per app.
- Which data types are flagged most often.
- Apps with unusually high or low detection volume.
Phase 2: Second team
Goal: confirm that your settings also work for another team.
Apply what you learned during the pilot. Refine profiles, discuss app feedback, and check whether other teams need a different balance between visibility and noise.
Phase 3: Organization-wide
Goal: roll BeeSensible out to the rest of the organization in a controlled way.
Before rolling out further:
- Finish the most important detection profiles.
- Brief IT and support so they can answer questions.
- Tell employees why BeeSensible is being used and what they will see.
Communication to employees
Explain briefly:
- What BeeSensible does: highlights sensitive data before someone shares it.
- What users do themselves: choose whether to replace, mask, remove, or leave a value.
- Why you use it: to reduce privacy and security risks in daily tools.
- Where to get help: link to the user documentation.
Employees who understand the purpose and scope of the extension use it more constructively.
Managed rollout (Intune, Chrome Enterprise, Jamf)
On managed devices you can force-install the BeeSensible extension so employees do not have to add it themselves. The mechanism is the browser's force-install policy, pointed at the BeeSensible extension ID. Users still sign in with Google or Microsoft afterwards to link the extension to your organisation.
Before you start
BeeSensible has a separate extension ID per browser store. Use the one that matches the browser you are configuring:
- Chrome: cnlogmngeghlgbncagnoodfjkbaknnbo
- Edge: plnhmaecddjmliagaedlgagopdcahlgb
Decide which browsers you manage: Chrome, Edge, or both.
Chrome (Chrome Enterprise policy, Windows and macOS)
Add to the ExtensionInstallForcelist policy:
cnlogmngeghlgbncagnoodfjkbaknnbo;https://clients2.google.com/service/update2/crx
Force-installed extensions are pinned and cannot be removed by the user.
Microsoft Edge
Use ExtensionInstallForcelist the same way, with the Edge ID and the Edge update URL:
plnhmaecddjmliagaedlgagopdcahlgb;https://edge.microsoft.com/extensionwebstorebase/v1/crx
Microsoft Intune
- Go to Devices, then Configuration profiles, then Create profile.
- Platform: Windows 10 and later. Profile type: Settings catalog (or use the Google Chrome / Microsoft Edge ADMX templates).
- Add the setting "Configure the list of force-installed apps and extensions" (Chrome) or "Control which extensions are installed silently" (Edge).
- Add the value <extension-ID>;<update-url> from the matching browser section above (the Chrome ID for the Chrome policy, the Edge ID for the Edge policy).
- Assign the profile to your device group. Always test on a representative device before rolling out widely.
Jamf (macOS)
Deliver the same ExtensionInstallForcelist key through a Configuration Profile on the com.google.Chrome or com.microsoft.Edge preference domain, using the matching browser's ID.
Allowlisting
If you also restrict which extensions may run (for example ExtensionInstallBlocklist set to *), add the matching BeeSensible ID to ExtensionInstallAllowlist as well, or the force-install will be blocked.
After the policy applies, the extension installs on the next browser launch.
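A pre-flight check for the policy values described above, as an added example that is not BeeSensible's own tooling. It assumes the policy has already been loaded into a dict keyed by policy name; `check_policy` and the sample policies are hypothetical and constructed for illustration.

```python
import re

# Extension IDs and update URLs as given on this page, per browser.
EXPECTED = {
    "chrome": ("cnlogmngeghlgbncagnoodfjkbaknnbo",
               "https://clients2.google.com/service/update2/crx"),
    "edge": ("plnhmaecddjmliagaedlgagopdcahlgb",
             "https://edge.microsoft.com/extensionwebstorebase/v1/crx"),
}
ID_RE = re.compile(r"[a-p]{32}")  # extension IDs are 32 letters in the range a-p


def check_policy(browser, policy):
    """Return a list of problems found in a policy dict (hypothetical helper)."""
    want_id, want_url = EXPECTED[browser]
    known_ids = {ext_id for ext_id, _ in EXPECTED.values()}
    problems, found = [], False
    for entry in policy.get("ExtensionInstallForcelist", []):
        ext_id, _, url = entry.strip().partition(";")
        if not ID_RE.fullmatch(ext_id):
            problems.append(f"malformed extension ID: {ext_id!r}")
        elif ext_id == want_id:
            found = True
            if url != want_url:
                problems.append(f"update URL {url!r} does not match {browser}")
        elif ext_id in known_ids:
            problems.append(f"{ext_id} is the ID for another browser, not {browser}")
    if not found:
        problems.append(f"{want_id} missing from ExtensionInstallForcelist")
    # Page guidance: with a wildcard blocklist, the ID must also be allowlisted.
    if "*" in policy.get("ExtensionInstallBlocklist", []) and \
            want_id not in policy.get("ExtensionInstallAllowlist", []):
        problems.append(f"blocklist is *, but {want_id} is not in ExtensionInstallAllowlist")
    return problems


# Constructed sample policies, not exported from a real tenant.
GOOD_CHROME = {"ExtensionInstallForcelist": [";".join(EXPECTED["chrome"])]}
BAD_EDGE = {
    "ExtensionInstallForcelist": [";".join(EXPECTED["chrome"])],  # Chrome value pasted into Edge
    "ExtensionInstallBlocklist": ["*"],
}

if __name__ == "__main__":
    for name, browser, pol in [("good", "chrome", GOOD_CHROME), ("bad", "edge", BAD_EDGE)]:
        print(name, check_policy(browser, pol) or "OK")
```

Running a check like this against the values in a draft Intune or Jamf profile catches a swapped ID or a missing allowlist entry before the profile reaches the test device.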
Common blockers
| Blocker | Likely cause | What to do |
|---|---|---|
| Extension does not install on managed devices | Browser policy blocks extensions, or a blocklist is set to * | Add the extension ID to ExtensionInstallForcelist (and to ExtensionInstallAllowlist if a blocklist is active) |
| Invitation emails do not arrive | Email security blocks them | Ask IT to allow BeeSensible emails |
| Many false positives in one app | Profile is too broad or strict | Adjust the profile for that app |
For anything not listed here, email hello@beesensible.eu.