AARI Extensions Enterprise IT Setup Guide

Information on setting up Automation Anywhere Automation Co-Pilot


This guide is intended for Enterprise IT Administrators provisioning AARI Extensions within their organization.

The Automation Anywhere Automation Co-Pilot documentation can be found at Automation Co-Pilot using Chrome extension

AARI Extensions have been renamed Automation Co-Pilot Extensions. This documentation page will be updated to reflect the name change

There are two scenarios for deploying AARI Extensions.

The "Lite" Integration approach is convenient if you're embedding the Co-Pilot Widget for a small number of users and do not need to make direct API calls (e.g., Bot Deploy API) from the Browser Extension to the Control Room.


"Full" Integration

  • The Control Room is used as the source of truth for users and extension entitlement

  • Server-server link between PixieBrix and Control Room

  • Browser authenticates API calls using Automation Anywhere OAuth2 Services

  • Manage users and entitlements in Control Room

  • Automatic authentication with SAML/SSO

  • Included in the AARI License

  • Requires SAML/SSO to use AuthConfig App

  • More initial setup β€” AuthConfig App and server-server link

"Lite" Integration

  • Users are managed both in PixieBrix and the Control Room β€” no server-server link

  • PixieBrix is used as the source of truth for extension entitlement

  • End-user configures password or API credential for browser extension API calls

  • Less IT infrastructure setup β€” no server-server link is created

  • Available without SAML/SSO

  • End-users must configure password or API credentials for extension API calls

  • Users cannot be logged into the Control Room Web Interface and make Control Room API calls at the same time

Data Flow / Architecture Diagram

System Components

  • Automation Anywhere Control Room: source of truth for user entitlements, Process Requests, Bot Tasks, and API Tasks

  • PixieBrix: source of truth for Automation Co-Pilot Extension definitions. Hosted on Salesforce Heroku (in the United States) and utilizes Cloudflare as a Content Delivery Network (CDN)

  • Automation Anywhere AuthConfig App/Auth0: OAuth2 client authentication between the browser and the Control Room

  • Datadog: browser extension application error telemetry. Datadog is out-of-band from PixieBrix to facilitate service disruption detection and response

Data Categories

  • Automation Co-Pilot Extension Definitions: define where and how the extension operates on a page. Similar to a Automation Anywhere Bot definition that instructs what steps for a bot to take when executed on a machine.

  • Automation Co-Pilot Extension Metadata: available Automation Co-Pilot extension metadata, e.g., name and version

  • User Entitlements: Automation Co-Pilot assignments for a user

  • OAuth2 Authentication: OAuth2 PKCE authentication to obtain JWT, the JWT is used for the browser extension to authenticate with the Automation Anywhere Control Room and the PixieBrix service

  • Browser Extension Application Error Telemetry: user information (browser version, IP address, team id, browser extension version) and error information (error message, error type, code version, code stack trace, timestamp). Does not include page content.

Data Flows for "Full" Integration

  • Outgoing connections from the Browser to:

    • Automation Anywhere Control Room: Co-pilot Widget, Bot/API Task Deployment API, other Control Room API calls

    • PixieBrix: Browser requests Automation Co-Pilot Extension Definitions and sends business telemetry to surface in Admin Console (errors, usage of each extension), receives Co-Pilot Extension Definitions. Browsing data is not transferred to PixieBrix

    • Auth0: OAuth2 PKCE authentication flow to obtain JSON Web Token (JWT) for calls to PixieBrix and Automation Anywhere Control Room

    • Websites/SaaS: user accesses via browser as usual

    • Datadog: browser extension application error telemetry. Browsing data is not transferred to Datadog

  • Outgoing connections from PixieBrix to:

    • Automation Anywhere Control Room: PixieBrix pushes Automation Co-Pilot Extension metadata, and requests user entitlement information. The Control Room responds with user entitlements

    • Datadog: application error and security telemetry

    • For a full list of PixieBrix's service providers, see our Privacy Policy

  • Outgoing connections from the Control Room to:

    • Automation Anywhere Auth Config App: to set up OAuth2 services

    • PixieBrix: there are no outgoing connections from the Control Room to PixieBrix

    • 3rd Party APIs: API Task calls

Networking/Firewall Rules

Outbound Hostnames from the Browser

Outbound hosts to allowlist from client devices:

  • Automation Anywhere Control Room host

  • app.pixiebrix.com: PixieBrix package registry

  • https://*.browser-intake-datadoghq.com: error telemetry

  • fonts.gstatic.com: font content delivery network

For more information, see Network/Email Firewall Configuration.

Inbound On-Premise Control Room Firewall Rules

Before configuring your Control Room in the Admin Console, contact PixieBrix support ([email protected]) to enable the static IP feature for your PixieBrix team.

Firewall, port, and protocol requirements for Automation Anywhere deployment: Automation 360 Ports, protocols, and firewall requirements.

The PixieBrix Web Service makes API calls to the Control Room API for syncing permissions and AARI Extensions. If you’re running your Control Room behind a firewall (e.g. inside a Virtual Private Cloud or on-premise), the firewall may block inbound traffic from the PixieBrix Web Service, causing the Control Room connection to fail:

To enable the connection from PixieBrix to your Control Room, you’ll need to allowlist incoming traffic from the PixieBrix server in your firewall configuration.

PixieBrix static outbound IP addresses and ports for the Control Room link:

The PixieBrix platform provides a load-balanced pair of outgoing IP addresses for the server-server Control Room connection. If one IP fails, traffic will automatically route through the second IP using automated failover:

Troubleshooting Connection Issues

  • Ensure the DNS record you provide is for a publicly accessible destination. If the DNS record is for a private IP address on your network (e.g., starting 192.X.X.X or 172.X.X.X), the PixieBrix server will not be able to connect to your Control Room

  • Ensure your firewall policy is set to allow incoming HTTPS traffic from the above IP addresses

Chrome Browser Extension Distribution

For detailed information on provisioning the Chrome Browser Extension to your organization, see: Browser Extension Installation and Configuration

Browser Support

AARI Extensions officially supports the latest two versions of the Chrome Web Browser.

AARI Extensions is also known to work on Microsoft Edge for most use cases. To confirm support for your use case, email [email protected]

Browser Extension Installation

Force install browser extension via Google Workspace, Group Policy, or your Enterprise Device Management policy:

  • Display Name: PixieBrix

  • Chrome Web Store ID: mpjjildhmpddojocokjkgmlkkkfjnepo

Browser Extension Managed Storage Configuration

Enterprise Browser Extensions are configured using Chrome’s managed storage feature. For end-users, set the following extension properties:



REG_SZ (string)

The UUID of the PixieBrix tenant

Enforces association with a particular PixieBrix tenant


REG_SZ (string)


Applies Automation Anywhere branding and enforces Control Room authentication


REG_SZ (string)

URL (including scheme) of the Control Room to connect to

Pre-fills the controlRoomUrl for connecting the Automation Anywhere

Locating the UUID of the PixieBrix tenant

The UUID of the PixieBrix tenant is in the URL path when the team is selected:

The team UUID in the URL


On Windows, use the registry to set the properties for the extension:



The initial AARI Extensions setup requires the Admin to login via Google, Microsoft, or email. After the initial setup, AARI users will login with Automation Anywhere using Automation Anywhere OAuth2 services support.

Admin Login for Initial Setup:

Login with Automation Anywhere Control Room

See Use AuthConfig App to enable OAuth2 services in the Automation Anywhere documentation portal for how to set up Login with Automation Anywhere

Security Resources

Our Security and Compliance Overview and Privacy and Security Policies are available publicly.

Additional security information on the Chrome Browser Extension is available here: Security and Compliance

For a copy of our SOC 2 Type 2 report audited by A-LIGN, please contact [email protected].

Frequently Asked Questions

Does PixieBrix work with on-premise Control Rooms?

Yes, PixieBrix works with cloud and on-premise Control Rooms. For the "Full" Integration, the only requirement is that incoming traffic from the PixieBrix service IPs can be allowlisted. See the Data Flow / Architecture DiagramandNetworking/Firewall Rules sections above.

My Control Room is on an intranet (e.g., accessed via IP address 192.168.XX.XXX). Do we need to allow incoming public traffic to use Automation Co-Pilot extensions?

For the "Full" Integration, you must allowlist incoming traffic from the PixieBrix service IPs. See the Data Flow / Architecture Diagram andNetworking/Firewall Rules sections above.

If you are using a hostname for your Control Room, ensure the DNS records are accessible.

Is an outgoing internet connection from the browser required for using PixieBrix with Automation Anywhere Business Co-Pilot?

Yes, an outgoing internet connection is required for two reasons:

  • An external internet connection is required to use Automation Anywhere OAuth2 services

  • An external internet connection is required to request extension definitions from the PixieBrix service, which is hosted on Heroku Salesforce (in the United States) and uses Cloudflare's Content Delivery Network (CDN)

See the Data Flow / Architecture DiagramandNetworking/Firewall Rules sections above.

Does PixieBrix offer a fixed IP address for outgoing traffic from the browser to PixieBrix?

No, because PixieBrix uses Cloudflare as a Content Delivery Network (CDN), there is no fixed IP address for outgoing traffic from the browser to the PixieBrix web service.

Why is the whitelisting of PixieBrix URLs required (e.g., app.pixiebrix.com)?

In the Automation Co-Pilot solution, the PixieBrix server acts as the source of truth for the extension definitions. The browser must be able to access the PixieBrix service to fetch Automation Co-Pilot Extension definitions.

Why is the "Lite" Integration easier to allowlist than the "Full" Integration?

The "Full" integration requires a server-server link integration initiated by the PixieBrix server (hosted on Amazon Web Services). Enabling the link requires allowlisting incoming traffic to the Control Room from PixieBrix's static IP addresses (see Networking/Firewall Rules).

Firewalls distinguish between incoming vs. outgoing traffic. IT security teams generally apply stricter policies to incoming traffic (i.e., traffic initiated from an external source). The "Lite" integration requires less setup/approvals because in the "Lite" integration, there is:

  • No server-server link

  • The only traffic with PixieBrix is initiated from the end-user’s browser (outgoing)

Do Automation Co-Pilot Extensions work on Microsoft Edge?

Automation Co-Pilot Extensions are also known to work on Microsoft Edge for most use cases. To confirm support for your use case, email [email protected].

Last updated