AARI Extensions Enterprise IT Setup Guide
Information on setting up Automation Anywhere Automation Co-Pilot
Overview
This guide is intended for Enterprise IT Administrators provisioning AARI Extensions within their organization.
The Automation Anywhere Automation Co-Pilot documentation can be found at Automation Co-Pilot using Chrome extension
AARI Extensions have been renamed Automation Co-Pilot Extensions. This documentation page will be updated to reflect the name change
There are two scenarios for deploying AARI Extensions.
The "Lite" Integration approach is convenient if you're embedding the Co-Pilot Widget for a small number of users and do not need to make direct API calls (e.g., Bot Deploy API) from the Browser Extension to the Control Room.
| Scenario | Description | Benefits | Limitations |
|---|---|---|---|
"Full" Integration |
|
|
|
"Lite" Integration |
|
|
|
Data Flow / Architecture Diagram
System Components
Automation Anywhere Control Room: source of truth for user entitlements, Process Requests, Bot Tasks, and API Tasks
PixieBrix: source of truth for Automation Co-Pilot Extension definitions. Hosted on Salesforce Heroku (in the United States) and utilizes Cloudflare as a Content Delivery Network (CDN)
Automation Anywhere AuthConfig App/Auth0: OAuth2 client authentication between the browser and the Control Room
Datadog: browser extension application error telemetry. Datadog is out-of-band from PixieBrix to facilitate service disruption detection and response
Data Categories
Automation Co-Pilot Extension Definitions: define where and how the extension operates on a page. Similar to a Automation Anywhere Bot definition that instructs what steps for a bot to take when executed on a machine.
Automation Co-Pilot Extension Metadata: available Automation Co-Pilot extension metadata, e.g., name and version
User Entitlements: Automation Co-Pilot assignments for a user
OAuth2 Authentication: OAuth2 PKCE authentication to obtain JWT, the JWT is used for the browser extension to authenticate with the Automation Anywhere Control Room and the PixieBrix service
Browser Extension Application Error Telemetry: user information (browser version, IP address, team id, browser extension version) and error information (error message, error type, code version, code stack trace, timestamp). Does not include page content.
SAML Configuration: SAML registration token to set up OAuth2 services
Data Flows for "Full" Integration
Outgoing connections from the Browser to:
Automation Anywhere Control Room: Co-pilot Widget, Bot/API Task Deployment API, other Control Room API calls
PixieBrix: Browser requests Automation Co-Pilot Extension Definitions and sends business telemetry to surface in Admin Console (errors, usage of each extension), receives Co-Pilot Extension Definitions. Browsing data is not transferred to PixieBrix
Auth0: OAuth2 PKCE authentication flow to obtain JSON Web Token (JWT) for calls to PixieBrix and Automation Anywhere Control Room
Websites/SaaS: user accesses via browser as usual
Datadog: browser extension application error telemetry. Browsing data is not transferred to Datadog
Outgoing connections from PixieBrix to:
Automation Anywhere Control Room: PixieBrix pushes Automation Co-Pilot Extension metadata, and requests user entitlement information. The Control Room responds with user entitlements
Datadog: application error and security telemetry
For a full list of PixieBrix's service providers, see our Privacy Policy
Outgoing connections from the Control Room to:
Automation Anywhere Auth Config App: to set up OAuth2 services
PixieBrix: there are no outgoing connections from the Control Room to PixieBrix
3rd Party APIs: API Task calls
Networking/Firewall Rules
Outbound Hostnames from the Browser
Outbound hosts to allowlist from client devices:
Automation Anywhere Control Room host
app.pixiebrix.com: PixieBrix package registryhttps://*.browser-intake-datadoghq.com: error telemetryfonts.gstatic.com: font content delivery network
For more information, see Network/Email Firewall Configuration.
Inbound On-Premise Control Room Firewall Rules
Before configuring your Control Room in the Admin Console, contact PixieBrix support ([email protected]) to enable the static IP feature for your PixieBrix team.
Firewall, port, and protocol requirements for Automation Anywhere deployment: Automation 360 Ports, protocols, and firewall requirements
The PixieBrix Web Service makes API calls to the Control Room API for syncing permissions and AARI Extensions. If you’re running your Control Room behind a firewall (e.g. inside a Virtual Private Cloud or on-premise), the firewall may block inbound traffic from the PixieBrix Web Service, causing the Control Room connection to fail:
To enable the connection from PixieBrix to your Control Room, you’ll need to allowlist incoming traffic from the PixieBrix server in your firewall configuration.
PixieBrix static outbound IP addresses and ports for the Control Room link:
The PixieBrix platform provides a load-balanced pair of outgoing IP addresses for the server-server Control Room connection. If one IP fails, traffic will automatically route through the second IP with health checks and automated failover:
Chrome Browser Extension Distribution
For detailed information on provisioning the Chrome Browser Extension to your organization, see: Browser Extension Installation and Configuration
Browser Support
AARI Extensions officially supports the latest two versions of the Chrome Web Browser.
AARI Extensions is also known to work on Microsoft Edge for most use cases. To confirm support for your use case, email [email protected]
Browser Extension Installation
Force install browser extension via Google Workspace, Group Policy, or your Enterprise Device Management policy:
Display Name: PixieBrix
Chrome Web Store ID:
mpjjildhmpddojocokjkgmlkkkfjnepo
Browser Extension Managed Storage Configuration
Enterprise Browser Extensions are configured using Chrome’s managed storage feature. For end-users, set the following extension properties:
| Name | Type | Value | Purpose |
|---|---|---|---|
managedOrganizationId | REG_SZ (string) | The UUID of the PixieBrix tenant | Enforces association with a particular PixieBrix tenant |
partnerId | REG_SZ (string) | automation-anywhere | Applies Automation Anywhere branding and enforces Control Room authentication |
controlRoomUrl | REG_SZ (string) | URL (including scheme) of the Control Room to connect to | Pre-fills the controlRoomUrl for connecting the Automation Anywhere |
Locating the UUID of the PixieBrix tenant
The UUID of the PixieBrix tenant is in the URL path when the team is selected:
The team UUID in the URL
Windows
On Windows, use the registry to set the properties for the extension:
Authentication
The initial AARI Extensions setup requires the Admin to login via Google, Microsoft, or email. After the initial setup, AARI users will login with Automation Anywhere using Automation Anywhere OAuth2 services support.
Admin Login for Initial Setup:
Login with Google: see Enabling Login with Google
Login with Microsoft: see Enabling Login with Microsoft
Login with Email (aka Magic Link): see Network/Email Firewall Configuration
Login with Automation Anywhere Control Room
See Use AuthConfig App to enable OAuth2 services in the Automation Anywhere documentation portal for how to set up Login with Automation Anywhere
Security Resources
Our Security and Compliance Overview and Privacy and Security Policies are available publicly.
Additional security information on the Chrome Browser Extension is available here: Security and Compliance
For a copy of our SOC 2 Type 2 report audited by A-LIGN, please contact [email protected].
Frequently Asked Questions
Does PixieBrix work with on-premise Control Rooms?
Yes, PixieBrix works with cloud and on-premise Control Rooms. For the "Full" Integration, the only requirement is that incoming traffic from the PixieBrix service IPs can be allowlisted. See the Data Flow / Architecture DiagramandNetworking/Firewall Rules sections above.
My Control Room is on an intranet (e.g., accessed via IP address 192.168.XX.XXX). Do we need to allow incoming public traffic to use Automation Co-Pilot extensions?
For the "Full" Integration, you must allowlist incoming traffic from the PixieBrix service IPs. See the Data Flow / Architecture DiagramandNetworking/Firewall Rules sections above.
Is an outgoing internet connection from the browser required for using PixieBrix with Automation Anywhere Business Co-Pilot?
Yes, an outgoing internet connection is required for two reasons:
An external internet connection is required to use Automation Anywhere OAuth2 services
An external internet connection is required to request extension definitions from the PixieBrix service, which is hosted on Heroku Salesforce (in the United States) and uses Cloudflare's Content Delivery Network (CDN)
See the Data Flow / Architecture DiagramandNetworking/Firewall Rules sections above.
Does PixieBrix offer a fixed IP address for outgoing traffic from the browser to PixieBrix?
No, because PixieBrix uses Cloudflare as a Content Delivery Network (CDN), there is no fixed IP address for outgoing traffic from the browser to the PixieBrix web service.
Why is the whitelisting of PixieBrix URLs required (e.g., app.pixiebrix.com)?
In the Automation Co-Pilot solution, the PixieBrix server acts as the source of truth for the extension definitions. The browser must be able to access the PixieBrix service to fetch Automation Co-Pilot Extension definitions.
Do Automation Co-Pilot Extensions work on Microsoft Edge?
Automation Co-Pilot Extensions are also known to work on Microsoft Edge for most use cases. To confirm support for your use case, email [email protected].
Last updated
