AARI Extensions Enterprise IT Setup Guide

Overview

This guide is intended for Enterprise IT Administrators provisioning AARI Extensions within their organization.

There are three scenarios for deploying AARI Extensions. Each are covered by your AARI license.

The "Lite" Integration is the fastest way to get started. We recommend to starting with the "Lite" integration for building prototypes and demonstrating the business case.

Data Flow / Architecture Diagram

System Components

• Automation Anywhere Control Room: source of truth for user entitlements, Process Requests, Bot Tasks, and API Tasks

• PixieBrix: source of truth for Automation Co-Pilot Extension definitions. Hosted on Salesforce Heroku (in the United States) and utilizes Cloudflare as a Content Delivery Network (CDN)

• Automation Anywhere AuthConfig App/Auth0: OAuth2 client authentication between the browser and the Control Room

• Datadog: browser extension application error telemetry. Datadog is out-of-band from PixieBrix to facilitate service disruption detection and response

Data Categories

• Automation Co-Pilot Extension Definitions: define where and how the extension operates on a page. Similar to a Automation Anywhere Bot definition that instructs what steps for a bot to take when executed on a machine.

• Automation Co-Pilot Extension Metadata: available Automation Co-Pilot extension metadata, e.g., name and version

• User Entitlements: Automation Co-Pilot assignments for a user

• OAuth2 Authentication: OAuth2 PKCE authentication to obtain JWT, the JWT is used for the browser extension to authenticate with the Automation Anywhere Control Room and the PixieBrix service

• Browser Extension Application Error Telemetry: user information (browser version, IP address, team id, browser extension version) and error information (error message, error type, code version, code stack trace, timestamp). Does not include page content.

• SAML Configuration: SAML registration token to set up OAuth2 services

Data Flows for "Full" Integration

• Outgoing connections from the Browser to:

  • Automation Anywhere Control Room: Co-pilot Widget, Bot/API Task Deployment API, other Control Room API calls

  • PixieBrix: Browser requests Automation Co-Pilot Extension Definitions and sends business telemetry to surface in Admin Console (errors, usage of each extension), receives Co-Pilot Extension Definitions. Browsing data is not transferred to PixieBrix

  • Auth0: OAuth2 PKCE authentication flow to obtain JSON Web Token (JWT) for calls to PixieBrix and Automation Anywhere Control Room

  • Websites/SaaS: user accesses via browser as usual

  • Datadog: browser extension application error telemetry. Browsing data is not transferred to Datadog

• Outgoing connections from PixieBrix to:

  • Automation Anywhere Control Room: PixieBrix pushes Automation Co-Pilot Extension metadata, and requests user entitlement information. The Control Room responds with user entitlements

  • Datadog: application error and security telemetry

  • For a full list of PixieBrix's service providers, see our Privacy Policy

• Outgoing connections from the Control Room to:

  • Automation Anywhere Auth Config App: to set up OAuth2 services

  • PixieBrix: there are no outgoing connections from the Control Room to PixieBrix

  • 3rd Party APIs: API Task calls

Data Flows for Co-Pilot Widget Sidebar Integration

• Outgoing connections from the Browser to:

  • Automation Anywhere Control Room: Co-pilot Widget (served in iframe)

  • PixieBrix: Browser requests Automation Co-Pilot Extension Definitions and sends business telemetry to surface in Admin Console (errors, usage of each extension), receives Co-Pilot Extension Definitions. Browsing data is not transferred to PixieBrix

  • Websites/SaaS: user accesses via browser as usual

  • Datadog: browser extension application error telemetry. Browsing data is not transferred to Datadog

• Outgoing connections from PixieBrix to:

  • Datadog: application error and security telemetry

  • For a full list of PixieBrix's service providers, see our Privacy Policy

Networking/Firewall Rules

Outbound Hostnames from the Browser

Outbound hosts to allowlist from client devices:

• Automation Anywhere Control Room host

• app.pixiebrix.com: PixieBrix package registry

• https://*.browser-intake-datadoghq.com: error telemetry

• https://*.cloudflare-ech.com : Cloudflare Encrypted Client Hello (ECH) endpoint. Read more about ECH for security here

• fonts.gstatic.com: font content delivery network

For more information, see Network/Email Firewall Configuration.

Inbound On-Premise Control Room Firewall Rules

Firewall, port, and protocol requirements for Automation Anywhere deployment: Automation 360 Ports, protocols, and firewall requirements.

The PixieBrix Web Service makes API calls to the Control Room API for syncing permissions and AARI Extensions. If you’re running your Control Room behind a firewall (e.g. inside a Virtual Private Cloud or on-premise), the firewall may block inbound traffic from the PixieBrix Web Service, causing the Control Room connection to fail:

To enable the connection from PixieBrix to your Control Room, you’ll need to allowlist incoming traffic from the PixieBrix server in your firewall configuration.

PixieBrix static outbound IP addresses and ports for the Control Room link:

The PixieBrix platform provides a load-balanced pair of outgoing IP addresses for the server-server Control Room connection. If one IP fails, traffic will automatically route through the second IP using automated failover:

• 3.222.129.4:9294

• 54.205.35.75:9294

Troubleshooting Connection Issues

• Ensure the DNS record you provide is for a publicly accessible destination. If the DNS record is for a private IP address on your network (e.g., starting 192.X.X.X or 172.X.X.X), the PixieBrix server will not be able to connect to your Control Room

• Ensure your firewall policy is set to allow incoming HTTPS traffic from the above IP addresses

Chrome Browser Extension Distribution

Browser Support

AARI Extensions officially supports the latest two versions of the Chrome Web Browser.

AARI Extensions is also known to work on Microsoft Edge for most use cases. To confirm support for your use case, email [email protected]

Browser Extension Installation

Force install browser extension via Google Workspace, Group Policy, or your Enterprise Device Management policy:

• Display Name: PixieBrix

• Chrome Web Store ID: mpjjildhmpddojocokjkgmlkkkfjnepo

Browser Extension Managed Storage Configuration

Enterprise Browser Extensions are configured using Chrome’s managed storage feature. For end-users, set the following extension properties:

Locating the UUID of the PixieBrix tenant

The UUID of the PixieBrix tenant is in the URL path when the team is selected:

The team UUID in the URL

Windows

On Windows, use the registry to set the properties for the extension:

HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Google\\Chrome\\3rdparty\\extensions\\mpjjildhmpddojocokjkgmlkkkfjnepo\\policy

Authentication

Admin Login for Initial Setup:

• Login with Google: see Enabling Login with Google

• Login with Microsoft: see Enabling Login with Microsoft

• Login with Email (aka Magic Link): see Network/Email Firewall Configuration

Login with Automation Anywhere Control Room

See Use AuthConfig App to enable OAuth2 services in the Automation Anywhere documentation portal for how to set up Login with Automation Anywhere

Security Resources

Our Security and Compliance Overview and Privacy and Security Policies are available publicly.

Additional security information on the Chrome Browser Extension is available here: Security and Compliance

For a copy of our SOC 2 Type 2 report audited by A-LIGN (or other reports, e.g., Independent Penetration Test), please contact [email protected].

Frequently Asked Questions

Does PixieBrix work with on-premise Control Rooms?

Yes, PixieBrix works with cloud and on-premise Control Rooms. For the "Full" Integration, the only requirement is that incoming traffic from the PixieBrix service IPs can be allowlisted. See the Data Flow / Architecture DiagramandNetworking/Firewall Rules sections above.

My Control Room is on an intranet (e.g., accessed via IP address 192.168.XX.XXX). Do we need to allow incoming public traffic to use Automation Co-Pilot extensions?

For the "Full" Integration, you must allowlist incoming traffic from the PixieBrix service IPs. See the Data Flow / Architecture Diagram andNetworking/Firewall Rules sections above.

If you are using a hostname for your Control Room, ensure the DNS records are accessible.

Is an outgoing internet connection from the browser required for using PixieBrix with Automation Anywhere Business Co-Pilot?

Yes, an outgoing internet connection is required for two reasons:

• An external internet connection is required to use Automation Anywhere OAuth2 services

• An external internet connection is required to request extension definitions from the PixieBrix service, which is hosted on Heroku Salesforce (in the United States) and uses Cloudflare's Content Delivery Network (CDN)

See the Data Flow / Architecture DiagramandNetworking/Firewall Rules sections above.

Does PixieBrix offer a fixed IP address for outgoing traffic from the browser to PixieBrix?

No, because PixieBrix uses Cloudflare as a Content Delivery Network (CDN), there is no fixed IP address for outgoing traffic from the browser to the PixieBrix web service.

Why is the whitelisting of PixieBrix URLs required (e.g., app.pixiebrix.com)?

In the Automation Co-Pilot solution, the PixieBrix server acts as the source of truth for the extension definitions. The browser must be able to access the PixieBrix service to fetch Automation Co-Pilot Extension definitions.

Why is the "Lite" Integration easier to allowlist than the "Full" Integration?

The "Full" integration requires a server-server link integration initiated by the PixieBrix server (hosted on Amazon Web Services). Enabling the link requires allowlisting incoming traffic to the Control Room from PixieBrix's static IP addresses (see Networking/Firewall Rules).

Firewalls distinguish between incoming vs. outgoing traffic. IT security teams generally apply stricter policies to incoming traffic (i.e., traffic initiated from an external source). The "Lite" integration requires less setup/approvals because in the "Lite" integration, there is:

• No server-server link

• The only traffic with PixieBrix is initiated from the end-user’s browser (outgoing)

Does PixieBrix need permissions to "Read and Change all your data on all websites"?

Chrome shows this permission prompt on installation from the Chrome Web Store because PixieBrix utilizes Chrome's tabs and webNavigation API to detect page navigation in Single Page Applications (SPAs).

PixieBrix does not read/change data on websites unless you've activated a mod that performs those reads/changes data on a website.

You can prevent PixieBrix from having access to certain pages by setting the runtime_blocked_hosts and/or runtime_allowed_hosts policies in your extension configuration. See Browser Extension Securityfor more details.

The PixieBrix extension is source-available. You can view/audit the code on GitHub.

Do Automation Co-Pilot Extensions work on Microsoft Edge?

Automation Co-Pilot Extensions are also known to work on Microsoft Edge for most use cases. To confirm support for your use case, email [email protected].

When a mod is created, where does PixieBrix store the code and data?

PixieBrix store team mod and brick definitions in your team's Package Registry. The Package Registry is hosted in the United State on Salesforce Heroku (backed by Amazon Web Services) and encrypted with AES-256 block-level encryption.

Similar to programming languages, you should avoid hard-coding secrets/credentials in definitions. Instead use PixieBrix's Integrations feature (see Integration Scenarios).

By default, PixieBrix does not transmit or store browsing data from the device. PixieBrix only transmits data if you activate a mod that uses an Integration and/or our Team Database.

What kind of information is going out to PixieBrix?

See the Data Categories section for the information transmitted by the PixieBrix browser extension and service.

What kind of information is coming in from PixieBrix?

See the Data Categoriessection for the information transmitted by the PixieBrix browser extension and service.

What kind of controls does PixieBrix have on transmitted and stored data?

PixieBrix's controls are audited for the SOC 2 Type 2 trust criteria of Security, Confidentiality, and Availability. For a complete list of audited technical controls, request a copy of our SOC 2 Type 2 report from [email protected].

For a public summary of our controls, see our Security and compliance overview.

Who has admin access to PixieBrix?

PixieBrix follows the Principle of Least Privilege. Platform admin access is restricted to members of our platform team that require access for site reliability. For a copy of our System Access Control policy, contact [email protected].

For teams, PixieBrix makes available Role-Based Access Control (RBAC) and Group-Based Access Control (GBAC). For more information, see Access Control. The PixieBrix support team can advise on configuring PixieBrix in a way that is consistent with your security goals.

What kind of controls does Automation Anywhere have on PixieBrix?

Teams using the "Full" Integration between PixieBrix and Automation Anywhere control end-user mod entitlements via their Control Room.

Automation Anywhere does not have access to the PixieBrix service or infrastructure.