AARI Extensions Enterprise IT Setup Guide
Information on setting up Automation Anywhere Automation Co-Pilot
This guide is intended for Enterprise IT Administrators provisioning AARI Extensions within their organization.
There are three scenarios for deploying AARI Extensions. Each is covered by your AARI license.
The "Lite" Integration is the fastest way to get started. We recommend starting with the "Lite" integration for building prototypes and demonstrating the business case.
"Full" Integration: The most comprehensive integration
The Control Room is used as the source of truth for users and extension entitlement
Server-server link between PixieBrix and Control Room
Manage users and entitlements in Control Room
Automatic authentication with SAML/SSO
Requires SAML/SSO to use AuthConfig App
More initial setup — AuthConfig App and server-server link
Requires allowlisting traffic from PixieBrix to your Control Room
"Lite" Integration: The best way to build initial prototypes fast
Users are managed both in PixieBrix and the Control Room — no server-server link
PixieBrix is used as the source of truth for extension entitlement
End-user configures password or API credential for browser extension API calls
Less IT infrastructure setup — no server-server link is created
Available without SAML/SSO
End-users must configure password or API credentials for extension API calls
Users cannot be logged into the Control Room Web Interface and make Control Room API calls at the same time
Co-Pilot Widget Sidebar Integration: The easiest way to embed Automation Co-Pilot on any site at scale (introduced July 2024)
Extension fetches the Automation Co-Pilot sidebar and data mapping definitions
No server-server link required
Central shared secret management
No additional end-user account management in PixieBrix
Can only embed the Co-Pilot widget and define data mappings
Mods cannot make direct API/Bot Task calls to the Control Room
Automation Anywhere Control Room: source of truth for user entitlements, Process Requests, Bot Tasks, and API Tasks
PixieBrix: source of truth for Automation Co-Pilot Extension definitions. Hosted on Salesforce Heroku (in the United States) and utilizes Cloudflare as a Content Delivery Network (CDN)
/: OAuth2 client authentication between the browser and the Control Room
Datadog: browser extension application error telemetry. Datadog is out-of-band from PixieBrix to facilitate service disruption detection and response
Automation Co-Pilot Extension Definitions: define where and how the extension operates on a page. Similar to an Automation Anywhere Bot definition, which instructs a bot what steps to take when executed on a machine.
Automation Co-Pilot Extension Metadata: available Automation Co-Pilot extension metadata, e.g., name and version
User Entitlements: Automation Co-Pilot assignments for a user
Browser Extension Application Error Telemetry: user information (browser version, IP address, team id, browser extension version) and error information (error message, error type, code version, code stack trace, timestamp). Does not include page content.
Outgoing connections from the Browser to:
Automation Anywhere Control Room: Co-pilot Widget, Bot/API Task Deployment API, other Control Room API calls
PixieBrix: Browser requests Automation Co-Pilot Extension Definitions and sends business telemetry to surface in Admin Console (errors, usage of each extension), receives Co-Pilot Extension Definitions. Browsing data is not transferred to PixieBrix
Auth0: OAuth2 PKCE authentication flow to obtain JSON Web Token (JWT) for calls to PixieBrix and Automation Anywhere Control Room
Websites/SaaS: user accesses via browser as usual
Datadog: browser extension application error telemetry. Browsing data is not transferred to Datadog
Outgoing connections from PixieBrix to:
Automation Anywhere Control Room: PixieBrix pushes Automation Co-Pilot Extension metadata, and requests user entitlement information. The Control Room responds with user entitlements
Datadog: application error and security telemetry
Outgoing connections from the Control Room to:
PixieBrix: there are no outgoing connections from the Control Room to PixieBrix
3rd Party APIs: API Task calls
Outgoing connections from the Browser to:
Automation Anywhere Control Room: Co-pilot Widget (served in iframe)
PixieBrix: Browser requests Automation Co-Pilot Extension Definitions and sends business telemetry to surface in Admin Console (errors, usage of each extension), receives Co-Pilot Extension Definitions. Browsing data is not transferred to PixieBrix
Websites/SaaS: user accesses via browser as usual
Datadog: browser extension application error telemetry. Browsing data is not transferred to Datadog
Outgoing connections from PixieBrix to:
Datadog: application error and security telemetry
Outbound hosts to allowlist from client devices:
Automation Anywhere Control Room host
app.pixiebrix.com: PixieBrix package registry
https://*.browser-intake-datadoghq.com: error telemetry
fonts.gstatic.com: font content delivery network
For more information, see Network/Email Firewall Configuration.
The PixieBrix Web Service makes API calls to the Control Room API for syncing permissions and AARI Extensions. If you’re running your Control Room behind a firewall (e.g. inside a Virtual Private Cloud or on-premise), the firewall may block inbound traffic from the PixieBrix Web Service, causing the Control Room connection to fail:
To enable the connection from PixieBrix to your Control Room, you’ll need to allowlist incoming traffic from the PixieBrix server in your firewall configuration.
PixieBrix static outbound IP addresses and ports for the Control Room link:
The PixieBrix platform provides a load-balanced pair of outgoing IP addresses for the server-server Control Room connection. If one IP fails, traffic will automatically route through the second IP using automated failover:
Troubleshooting Connection Issues
Ensure the DNS record you provide is for a publicly accessible destination. If the DNS record is for a private IP address on your network (e.g., starting 192.X.X.X or 172.X.X.X), the PixieBrix server will not be able to connect to your Control Room
Ensure your firewall policy is set to allow incoming HTTPS traffic from the above IP addresses
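A check for the first troubleshooting item, as an added example (not PixieBrix or Automation Anywhere code): it resolves the Control Room hostname through a public resolver and flags answers in non-routable IPv4 ranges. It goes beyond the two prefixes named above by testing the full RFC 1918, loopback and link-local ranges; the hostname and the resolver address are assumptions.

```powershell
# Added example: check that the Control Room hostname resolves, from a public
# resolver, to an address an external service can reach (IPv4 only).
param(
    [string]$ControlRoomHost = 'controlroom.example.com',  # constructed placeholder
    [string]$PublicResolver  = '1.1.1.1'                   # assumption: any public DNS resolver
)

function Test-NonRoutableIPv4 {
    # True for RFC 1918 private, loopback and link-local IPv4 addresses.
    param([System.Net.IPAddress]$Address)
    $b = $Address.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

# Ask the public resolver directly: internal DNS may answer differently for the
# same name than the resolver the PixieBrix server uses.
$answers = Resolve-DnsName -Name $ControlRoomHost -Type A -Server $PublicResolver `
        -DnsOnly -ErrorAction Stop |
    Where-Object { $_.Type -eq 'A' }

if (-not $answers) { throw "No A record for $ControlRoomHost at $PublicResolver" }

$answers | ForEach-Object {
    [pscustomobject]@{
        Host          = $ControlRoomHost
        Address       = $_.IPAddress
        PublicAddress = -not (Test-NonRoutableIPv4 -Address $_.IPAddress)
    }
}
```

Any row with PublicAddress set to False means the record points at an address the PixieBrix server cannot reach. If outbound DNS to external resolvers is blocked on your network, run the check from a host outside it.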
AARI Extensions officially supports the latest two versions of the Chrome Web Browser.
Force install browser extension via Google Workspace, Group Policy, or your Enterprise Device Management policy:
Display Name: PixieBrix
Chrome Web Store ID: mpjjildhmpddojocokjkgmlkkkfjnepo
Enterprise Browser Extensions are configured using Chrome’s managed storage feature. For end-users, set the following extension properties:
managedOrganizationId: REG_SZ (string). Value: the UUID of the PixieBrix tenant. Enforces association with a particular PixieBrix tenant
partnerId: REG_SZ (string). Value: automation-anywhere. Applies Automation Anywhere branding and enforces Control Room authentication
controlRoomUrl: REG_SZ (string). Value: URL (including scheme) of the Control Room to connect to. Pre-fills the controlRoomUrl for connecting the Automation Anywhere
Locating the UUID of the PixieBrix tenant
The UUID of the PixieBrix tenant is in the URL path when the team is selected:
The team UUID in the URL
Windows
On Windows, use the registry to set the properties for the extension:
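One way to write these properties with PowerShell, as an added example rather than the vendor's own registry listing. It assumes Chrome's standard machine-wide location for extension managed storage (the 3rdparty\extensions key); the tenant UUID and Control Room URL are constructed placeholders.

```powershell
# Added example: set the PixieBrix managed-storage properties for all users of
# this machine. Run from an elevated PowerShell prompt.
param(
    # Constructed placeholders: pass your tenant UUID and Control Room URL.
    [string]$ManagedOrganizationId = '00000000-0000-0000-0000-000000000000',
    [string]$ControlRoomUrl        = 'https://controlroom.example.com'
)
$ErrorActionPreference = 'Stop'

# Chrome Web Store ID as listed on this page.
$ExtensionId = 'mpjjildhmpddojocokjkgmlkkkfjnepo'
# Chrome's registry location for an extension's managed storage (machine-wide).
$PolicyKey = "HKLM:\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\$ExtensionId\policy"

# Validate input before it reaches the registry.
if ($ManagedOrganizationId -notmatch '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$') {
    throw "managedOrganizationId is not a UUID: $ManagedOrganizationId"
}
$uri = $null
$isUrl = [System.Uri]::TryCreate($ControlRoomUrl, [System.UriKind]::Absolute, [ref]$uri)
if (-not $isUrl -or $uri.Scheme -notin @('http', 'https')) {
    throw "controlRoomUrl must include a scheme, e.g. https://host: $ControlRoomUrl"
}
if ($uri.Scheme -eq 'http') { Write-Warning 'controlRoomUrl is not HTTPS.' }

$properties = [ordered]@{
    managedOrganizationId = $ManagedOrganizationId
    partnerId             = 'automation-anywhere'
    controlRoomUrl        = $ControlRoomUrl
}

# Create the key only if missing so existing values under it are left alone.
if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
foreach ($name in $properties.Keys) {
    # Each property is written as REG_SZ (string).
    New-ItemProperty -Path $PolicyKey -Name $name -Value $properties[$name] `
        -PropertyType String -Force | Out-Null
}

# Read back the stored values; chrome://policy shows what Chrome loaded.
Get-ItemProperty -Path $PolicyKey |
    Select-Object managedOrganizationId, partnerId, controlRoomUrl
```

After the script runs, reload policies on chrome://policy and confirm the three values appear for the extension.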
Login with Google: see Enabling Login with Google
Login with Microsoft: see Enabling Login with Microsoft
Login with Email (aka Magic Link): see Network/Email Firewall Configuration
Additional security information on the Chrome Browser Extension is available here: Security and Compliance
Yes, PixieBrix works with cloud and on-premise Control Rooms. For the "Full" Integration, the only requirement is that incoming traffic from the PixieBrix service IPs can be allowlisted. See the Data Flow / Architecture Diagram and Networking/Firewall Rules sections above.
For the "Full" Integration, you must allowlist incoming traffic from the PixieBrix service IPs. See the Data Flow / Architecture Diagram and Networking/Firewall Rules sections above.
If you are using a hostname for your Control Room, ensure the DNS records are accessible.
Yes, an outgoing internet connection is required for two reasons:
An external internet connection is required to request extension definitions from the PixieBrix service, which is hosted on Heroku Salesforce (in the United States) and uses Cloudflare's Content Delivery Network (CDN)
See the Data Flow / Architecture Diagram and Networking/Firewall Rules sections above.
No, because PixieBrix uses Cloudflare as a Content Delivery Network (CDN), there is no fixed IP address for outgoing traffic from the browser to the PixieBrix web service.
In the Automation Co-Pilot solution, the PixieBrix server acts as the source of truth for the extension definitions. The browser must be able to access the PixieBrix service to fetch Automation Co-Pilot Extension definitions.
The "Full" integration requires a server-server link integration initiated by the PixieBrix server (hosted on Amazon Web Services). Enabling the link requires allowlisting incoming traffic to the Control Room from PixieBrix's static IP addresses (see Networking/Firewall Rules).
Firewalls distinguish between incoming vs. outgoing traffic. IT security teams generally apply stricter policies to incoming traffic (i.e., traffic initiated from an external source). The "Lite" integration requires less setup/approvals because in the "Lite" integration, there is:
No server-server link
The only traffic with PixieBrix is initiated from the end-user’s browser (outgoing)
PixieBrix does not read/change data on websites unless you've activated a mod that performs those reads/changes.
You can prevent PixieBrix from having access to certain pages by setting the runtime_blocked_hosts and/or runtime_allowed_hosts policies in your extension configuration. See Browser Extension Security for more details.
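The host restrictions described above, as an added example that is not part of the vendor documentation. It assumes the two fields are set through Chrome's ExtensionSettings policy stored as a single JSON string value in the registry, and it merges into any existing value so rules for other extensions are kept; the host patterns are constructed.

```powershell
# Added example: limit which sites the extension can read or modify by merging
# runtime host rules into Chrome's ExtensionSettings policy (elevated prompt).
$ErrorActionPreference = 'Stop'

$ExtensionId = 'mpjjildhmpddojocokjkgmlkkkfjnepo'   # Chrome Web Store ID from this page
$ChromeKey   = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

# Constructed host patterns: replace with the sites in your environment.
$blocked = @('*://*.example.com')     # extension may not interact with these
$allowed = @('*://crm.example.com')   # exception carved out of the blocked set

# Load the existing policy JSON, if any, so other extensions' rules survive.
$settings = [pscustomobject]@{}
if (Test-Path $ChromeKey) {
    $current = (Get-ItemProperty -Path $ChromeKey -Name ExtensionSettings `
        -ErrorAction SilentlyContinue).ExtensionSettings
    if ($current) { $settings = $current | ConvertFrom-Json }
} else {
    New-Item -Path $ChromeKey -Force | Out-Null
}

# Keep fields already set for this extension (e.g. installation_mode) and
# replace only the two host lists.
$entry = $settings.$ExtensionId
if (-not $entry) { $entry = [pscustomobject]@{} }
$entry | Add-Member -NotePropertyName runtime_blocked_hosts -NotePropertyValue $blocked -Force
$entry | Add-Member -NotePropertyName runtime_allowed_hosts -NotePropertyValue $allowed -Force
$settings | Add-Member -NotePropertyName $ExtensionId -NotePropertyValue $entry -Force

# Write the merged policy back as one compact REG_SZ JSON string.
$json = $settings | ConvertTo-Json -Depth 5 -Compress
New-ItemProperty -Path $ChromeKey -Name ExtensionSettings -Value $json `
    -PropertyType String -Force | Out-Null
$json
```

If ExtensionSettings is delivered by Group Policy or device management in your environment, make the same change there instead, since a local registry edit will be overwritten at the next policy refresh.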
PixieBrix stores team mod and brick definitions in your team's Package Registry. The Package Registry is hosted in the United States on Salesforce Heroku (backed by Amazon Web Services) and encrypted with AES-256 block-level encryption.
Similar to programming languages, you should avoid hard-coding secrets/credentials in definitions. Instead use PixieBrix's Integrations feature (see Integration Scenarios).
By default, PixieBrix does not transmit or store browsing data from the device. PixieBrix only transmits data if you activate a mod that uses an Integration and/or our Team Database.
See the Data Categories section for the information transmitted by the PixieBrix browser extension and service.
See the Data Categories section for the information transmitted by the PixieBrix browser extension and service.
For teams, PixieBrix makes available Role-Based Access Control (RBAC) and Group-Based Access Control (GBAC). For more information, see Access Control. The PixieBrix support team can advise on configuring PixieBrix in a way that is consistent with your security goals.
Teams using the "Full" Integration between PixieBrix and Automation Anywhere control end-user mod entitlements via their Control Room.
Automation Anywhere does not have access to the PixieBrix service or infrastructure.
Browser authenticates API calls
A shared secret is set on the browser extension. See
OAuth2 Authentication:, the JWT is used for the browser extension to authenticate with the Automation Anywhere Control Room and the PixieBrix service
SAML Configuration:
For a full list of PixieBrix's service providers, see our
Automation Anywhere Auth Config App: to
https://*.cloudflare-ech.com: Cloudflare . Read more about
Firewall, port, and protocol requirements for Automation Anywhere deployment: .
AARI Extensions is also known to work on Microsoft Edge for most use cases. To confirm support for your use case, email
See in the Automation Anywhere documentation portal for how to set up Login with Automation Anywhere
Our and are available publicly.
For a copy of our SOC 2 Type 2 report audited by (or other reports, e.g., Independent Penetration Test), please contact .
An external internet connection is required to use
Chrome shows this permission prompt on installation from the Chrome Web Store because PixieBrix utilizes Chrome's tabs and webNavigation API to .
The PixieBrix extension is source-available. You can .
Automation Co-Pilot Extensions are also known to work on Microsoft Edge for most use cases. To confirm support for your use case, email .
PixieBrix's controls are audited for the SOC 2 Type 2 trust criteria of Security, Confidentiality, and Availability. For a complete list of audited technical controls, request a copy of our SOC 2 Type 2 report from .
For a public summary of our controls, see our .
PixieBrix follows the Principle of Least Privilege. Platform admin access is restricted to members of our platform team that require access for site reliability. For a copy of our System Access Control policy, contact .