|
| 1 | +#Island Browser Integration |
| 2 | + |
| 3 | +<div> |
| 4 | + <ahref="https://github.com/ericpaulsen"style="text-decoration:none;color:inherit;"> |
| 5 | +<span style="vertical-align:middle;">Eric Paulsen</span> |
| 6 | +<img src="https://github.com/ericpaulsen.png" width="24px" height="24px" style="vertical-align:middle; margin: 0px;"/> |
| 7 | + </a> |
| 8 | +</div> |
| 9 | +April 24, 2024 |
| 10 | + |
| 11 | +--- |
| 12 | + |
| 13 | +[Island](https://www.island.io/) is an enterprise-grade browser, offering a |
| 14 | +Chromium-based experience similar to popular web browsers like Chrome and Edge. |
| 15 | +It includes built-in security features for corporate applications and data, |
| 16 | +aiming to bridge the gap between consumer-focused browsers and the security |
| 17 | +needs of the enterprise. |
| 18 | + |
| 19 | +Coder natively integrates with Island's feature set, which include data loss |
| 20 | +protection (DLP), application awareness, browser session recording, and single |
| 21 | +sign-on (SSO). This guide intends to document these feature categories and how |
| 22 | +they apply to your Coder deployment. |
| 23 | + |
| 24 | +##General Configuration |
| 25 | + |
| 26 | +###Create an Application Group for Coder |
| 27 | + |
| 28 | +We recommend creating an Application Group specific to Coder in the Island |
| 29 | +Management console. This Application Group object will be referenced when |
| 30 | +creating browser policies. |
| 31 | + |
| 32 | +[See the Island documentation for creating an Application Group](https://documentation.island.io/docs/create-and-configure-an-application-group-object). |
| 33 | + |
| 34 | +##Advanced Data Loss Protection |
| 35 | + |
| 36 | +Integrate Island's advanced data loss prevention (DLP) capabilities with Coder's |
| 37 | +cloud development environment (CDE), enabling you to control the “last mile” |
| 38 | +between developers’ CDE and their local devices, ensuring that sensitive IP |
| 39 | +remains in your centralized environment. |
| 40 | + |
| 41 | +###Block cut, copy, paste, printing, screen share |
| 42 | + |
| 43 | +1.[Create a Data Sandbox Profile](https://documentation.island.io/docs/create-and-configure-a-data-sandbox-profile) |
| 44 | + |
| 45 | +1. Configure the following actions to allow/block (based on your security |
| 46 | + requirements): |
| 47 | + |
| 48 | +- Screenshot and Screen Share |
| 49 | +- Printing |
| 50 | +- Save Page |
| 51 | +- Clipboard Limitations |
| 52 | + |
| 53 | +1.[Create a Policy Rule](https://documentation.island.io/docs/create-and-configure-a-policy-rule-general) |
| 54 | + to apply the Data Sandbox Profile |
| 55 | + |
| 56 | +1. Define the Coder Application group as the Destination Object |
| 57 | + |
| 58 | +1. Define the Data Sandbox Profile as the Action in the Last Mile Protection |
| 59 | + section |
| 60 | + |
| 61 | +###Conditionally allow copy on Coder's CLI authentication page |
| 62 | + |
| 63 | +1.[Create a URL Object](https://documentation.island.io/docs/create-and-configure-a-policy-rule-general) |
| 64 | + with the following configuration: |
| 65 | + |
| 66 | +-**Include** |
| 67 | +-**URL type**: Wildcard |
| 68 | +-**URL address**:`coder.example.com/cli-auth` |
| 69 | +-**Casing**: Insensitive |
| 70 | + |
| 71 | +1.[Create a Data Sandbox Profile](https://documentation.island.io/docs/create-and-configure-a-data-sandbox-profile) |
| 72 | + |
| 73 | +1. Configure action to allow copy/paste |
| 74 | + |
| 75 | +1.[Create a Policy Rule](https://documentation.island.io/docs/create-and-configure-a-policy-rule-general) |
| 76 | + to apply the Data Sandbox Profile |
| 77 | + |
| 78 | +1. Define the URL Object you created as the Destination Object |
| 79 | + |
| 80 | +1. Define the Data Sandbox Profile as the Action in the Last Mile Protection |
| 81 | + section |
| 82 | + |
| 83 | +###Prevent file upload/download from the browser |
| 84 | + |
| 85 | +1. Create a Protection Profiles for both upload/download |
| 86 | + |
| 87 | +-[Upload documentation](https://documentation.island.io/docs/create-and-configure-an-upload-protection-profile) |
| 88 | +-[Download documentation](https://documentation.island.io/v1/docs/en/create-and-configure-a-download-protection-profile) |
| 89 | + |
| 90 | +1.[Create a Policy Rule](https://documentation.island.io/docs/create-and-configure-a-policy-rule-general) |
| 91 | + to apply the Protection Profiles |
| 92 | + |
| 93 | +1. Define the Coder Application group as the Destination Object |
| 94 | + |
| 95 | +1. Define the applicable Protection Profile as the Action in the Data Protection |
| 96 | + section |
| 97 | + |
| 98 | +###Scan files for sensitive data |
| 99 | + |
| 100 | +1.[Create a Data Loss Prevention scanner](https://documentation.island.io/docs/create-a-data-loss-prevention-scanner) |
| 101 | + |
| 102 | +1.[Create a Policy Rule](https://documentation.island.io/docs/create-and-configure-a-policy-rule-general) |
| 103 | + to apply the DLP Scanner |
| 104 | + |
| 105 | +1. Define the Coder Application group as the Destination Object |
| 106 | + |
| 107 | +1. Define the DLP Scanner as the Action in the Data Protection section |
| 108 | + |
| 109 | +##Application Awareness and Boundaries |
| 110 | + |
| 111 | +Ensure that Coder is only accessed through the Island browser, guaranteeing that |
| 112 | +your browser-level DLP policies are always enforced, and developers can’t |
| 113 | +sidestep such policies simply by using another browser. |
| 114 | + |
| 115 | +###Configure browser enforcement, conditional access policies |
| 116 | + |
| 117 | +1. Create a conditional access policy for your configured identity provider. |
| 118 | + |
| 119 | +>Note: the configured IdP must be the same for both Coder and Island |
| 120 | +
|
| 121 | +-[Azure Active Directory/Entra ID](https://documentation.island.io/docs/configure-browser-enforcement-for-island-with-azure-ad#create-and-apply-a-conditional-access-policy) |
| 122 | +-[Okta](https://documentation.island.io/docs/configure-browser-enforcement-for-island-with-okta) |
| 123 | +-[Google](https://documentation.island.io/docs/configure-browser-enforcement-for-island-with-google-enterprise) |
| 124 | + |
| 125 | +##Browser Activity Logging |
| 126 | + |
| 127 | +Govern and audit in-browser terminal and IDE sessions using Island, such as |
| 128 | +screenshots, mouse clicks, and keystrokes. |
| 129 | + |
| 130 | +###Activity Logging Module |
| 131 | + |
| 132 | +1.[Create an Activity Logging Profile](https://documentation.island.io/docs/create-and-configure-an-activity-logging-profile) |
| 133 | + |
| 134 | +Supported browser events include: |
| 135 | + |
| 136 | +- Web Navigation |
| 137 | +- File Download |
| 138 | +- File Upload |
| 139 | +- Clipboard/Drag & Drop |
| 140 | +- Print |
| 141 | +- Save As |
| 142 | +- Screenshots |
| 143 | +- Mouse Clicks |
| 144 | +- Keystrokes |
| 145 | + |
| 146 | +1.[Create a Policy Rule](https://documentation.island.io/docs/create-and-configure-a-policy-rule-general) |
| 147 | + to apply the Activity Logging Profile |
| 148 | + |
| 149 | +1. Define the Coder Application group as the Destination Object |
| 150 | + |
| 151 | +1. Define the Activity Logging Profile as the Action in the Security & |
| 152 | + Visibility section |
| 153 | + |
| 154 | +##Identity-aware logins (SSO) |
| 155 | + |
| 156 | +Integrate Island's identity management system with Coder's authentication |
| 157 | +mechanisms to enable identity-aware logins. |
| 158 | + |
| 159 | +###Configure single sign-on (SSO) seamless authentication between Coder and Island |
| 160 | + |
| 161 | +Configure the same identity provider (IdP) for both your Island and Coder |
| 162 | +deployment. Upon initial login to the Island browser, the user's session token |
| 163 | +will automatically be passed to Coder and authenticate their Coder session. |