Browser Management: A Practical Guide

Ten years ago, browsers were applications you installed to view websites. Today, browsers are identity platforms, data sync engines, and runtime environments. They handle sign-in, store passwords and form data, sync bookmarks and history across devices, run extensions with broad permissions, and can encrypt DNS queries to bypass network controls.

This shift means browsers are no longer optional to manage. They are part of your security baseline. When browsers are unmanaged, you lose visibility into what users are accessing, create data leakage paths through sync, and introduce inconsistent security posture across devices.

Modern browsers encourage users to sign in to sync data across devices. This is convenient for users but creates risk for organizations. When users sign into browsers with personal accounts, corporate data can sync to personal devices and personal cloud storage.

The risk varies by what syncs:

The practical approach is to standardize on a managed browser configuration that either disables personal sync or routes it through corporate accounts. For BYOD scenarios, this may require user education and clear policy rather than technical enforcement.

Browser extensions are powerful. They can read and modify all website content, access browsing history, and sometimes access data on other sites. Uncontrolled extensions are a significant attack surface.

High-risk extension categories to govern:

• Password managers: extensions that store and autofill credentials. Prefer a corporate password manager over random extensions.
• Ad blockers and privacy tools: generally safe, but some have opaque ownership or data collection practices.
• VPN and proxy extensions: can route traffic outside your network controls and bypass filtering.
• Developer tools: powerful but necessary for some roles. Govern by role rather than blanket bans.
• Productivity and collaboration tools: evaluate for data handling practices before approval.

The governance model should match your device management approach. For fully managed devices, you can enforce extension policies through MDM. For BYOD, you may need to rely on user education, conditional access based on device posture, or browser-based policies that users can opt into.

DNS-over-HTTPS (DoH) encrypts DNS queries between the browser and a DNS resolver. This prevents network intermediaries from seeing what domains users are visiting. For privacy advocates, this is a feature. For security teams, it can be a problem.

When browsers enable DoH by default, your DNS-based filtering and logging may be bypassed. Security controls that rely on DNS visibility (content filtering, threat intelligence, logging) become less effective. This is particularly relevant for organizations that rely on DNS filtering as part of their security stack.

The practical approach depends on your security requirements. If DNS filtering is critical to your security posture, you should disable DoH or ensure it routes through your infrastructure. If DNS filtering is less critical, you may accept DoH as a privacy feature and rely on other controls.

Browsers, like all software, need regular updates to patch security vulnerabilities. The question is who owns that update process and how you ensure it happens consistently.

The answer depends on your device management model:

The key is to know which model you have and plan accordingly. For fully managed devices, browser patching is straightforward. For BYOD, you may need to rely on Conditional Access rules that block access from outdated browsers or user education.

Browsers have built-in password managers that are convenient and widely used. But for organizations, a corporate password manager is usually the better choice.

The recommendation is to prefer a corporate password manager over browser storage. This provides centralized control, auditability, and consistent policy enforcement. Browser password storage can be allowed as a fallback, but should not be the primary strategy.

Standardizing browser policy is not just about security. It also improves operational efficiency and user experience. When everyone uses the same browser with the same configuration, support becomes easier and users have a consistent experience.

Operational benefits:

• Reduced support friction: helpdesk spends less time troubleshooting browser-specific issues.
• Consistent security posture: all users have the same baseline protections.
• Easier auditing: you know what to expect and can verify compliance consistently.
• Simplified onboarding: new users get a pre-configured browser rather than starting from scratch.

User experience benefits:

• Familiarity: users become proficient in one browser rather than switching between multiple options.
• Consistent extensions: users have access to approved tools without hunting for them.
• Reduced friction: corporate resources work predictably without browser-specific workarounds.
• Better performance: you can optimize for one browser rather than supporting all options equally.

The practical approach is to standardize on one or two browsers (e.g., Chrome and Edge for compatibility) and deploy managed configurations. This gives you control while still accommodating user preferences and workflow needs.

A good browser management rollout follows a staged pattern. Start with the highest-risk areas and expand from there.

1. Assess your current state: inventory what browsers are in use, what extensions are installed, and what sync settings are enabled.
2. Define your policy: decide on standard browsers, extension governance approach, DoH stance, and password manager strategy.
3. Pilot with a user group: validate that your policies work in practice and don't break workflows.
4. Roll out broadly: deploy managed configurations through MDM or browser-based policies.
5. Monitor and adjust: audit compliance, gather user feedback, and refine policies based on real-world usage.

The goal is not to eliminate all browser-related risk (that is impossible). The goal is to reduce risk to an acceptable level while maintaining productivity and user experience.