AARI Extensions Enterprise IT Setup Guide
Information on setting up Automation Anywhere Automation Co-Pilot
Overview
This guide is intended for Enterprise IT Administrators provisioning AARI Extensions within their organization.
The Automation Anywhere Automation Co-Pilot documentation can be found at Automation Co-Pilot using Chrome extension
AARI Extensions have been renamed Automation Co-Pilot Extensions. This documentation page will be updated to reflect the name change.
There are three scenarios for deploying AARI Extensions. Each is covered by your AARI license.
The "Lite" Integration is the fastest way to get started. We recommend starting with the "Lite" integration for building prototypes and demonstrating the business case.
"Full" Integration: the most comprehensive integration
The Control Room is used as the source of truth for users and extension entitlement
Server-server link between PixieBrix and Control Room
Browser authenticates API calls using Automation Anywhere OAuth2 Services
Manage users and entitlements in Control Room
Automatic authentication with SAML/SSO
Requires SAML/SSO to use AuthConfig App
More initial setup — AuthConfig App and server-server link
Requires allowlisting traffic from PixieBrix to your Control Room
"Lite" Integration: the best way to build initial prototypes fast
Users are managed both in PixieBrix and the Control Room — no server-server link
PixieBrix is used as the source of truth for extension entitlement
End-user configures password or API credential for browser extension API calls
Less IT infrastructure setup — no server-server link is created
Available without SAML/SSO
End-users must configure password or API credentials for extension API calls
Users cannot be logged into the Control Room Web Interface and make Control Room API calls at the same time
Co-Pilot Widget Sidebar Integration: the easiest way to embed Automation Co-Pilot on any site at scale (introduced July 2024)
A shared secret is set on the browser extension. See Deployment Keys
Extension fetches the Automation Co-Pilot sidebar and data mapping definitions
No server-server link required
Central shared secret management
No additional end-user account management in PixieBrix
Can only embed the Co-Pilot widget and define data mappings
Mods cannot make direct API/Bot Task calls to the Control Room
Data Flow / Architecture Diagram
System Components
Automation Anywhere Control Room: source of truth for user entitlements, Process Requests, Bot Tasks, and API Tasks
PixieBrix: source of truth for Automation Co-Pilot Extension definitions. Hosted on Salesforce Heroku (in the United States) and utilizes Cloudflare as a Content Delivery Network (CDN)
Automation Anywhere AuthConfig App/Auth0: OAuth2 client authentication between the browser and the Control Room
Datadog: browser extension application error telemetry. Datadog is out-of-band from PixieBrix to facilitate service disruption detection and response
Data Categories
Automation Co-Pilot Extension Definitions: define where and how the extension operates on a page. Similar to an Automation Anywhere Bot definition, which tells a bot what steps to take when executed on a machine.
Automation Co-Pilot Extension Metadata: available Automation Co-Pilot extension metadata, e.g., name and version
User Entitlements: Automation Co-Pilot assignments for a user
OAuth2 Authentication: OAuth2 PKCE authentication to obtain a JWT. The browser extension uses the JWT to authenticate with the Automation Anywhere Control Room and the PixieBrix service
Browser Extension Application Error Telemetry: user information (browser version, IP address, team id, browser extension version) and error information (error message, error type, code version, code stack trace, timestamp). Does not include page content.
SAML Configuration: SAML registration token to set up OAuth2 services
Data Flows for "Full" Integration
Outgoing connections from the Browser to:
Automation Anywhere Control Room: Co-pilot Widget, Bot/API Task Deployment API, other Control Room API calls
PixieBrix: Browser requests Automation Co-Pilot Extension Definitions and sends business telemetry to surface in Admin Console (errors, usage of each extension), receives Co-Pilot Extension Definitions. Browsing data is not transferred to PixieBrix
Auth0: OAuth2 PKCE authentication flow to obtain JSON Web Token (JWT) for calls to PixieBrix and Automation Anywhere Control Room
Websites/SaaS: user accesses via browser as usual
Datadog: browser extension application error telemetry. Browsing data is not transferred to Datadog
Outgoing connections from PixieBrix to:
Automation Anywhere Control Room: PixieBrix pushes Automation Co-Pilot Extension metadata, and requests user entitlement information. The Control Room responds with user entitlements
Datadog: application error and security telemetry
For a full list of PixieBrix's service providers, see our Privacy Policy
Outgoing connections from the Control Room to:
Automation Anywhere Auth Config App: to set up OAuth2 services
PixieBrix: there are no outgoing connections from the Control Room to PixieBrix
3rd Party APIs: API Task calls
Data Flows for Co-Pilot Widget Sidebar Integration
Outgoing connections from the Browser to:
Automation Anywhere Control Room: Co-pilot Widget (served in iframe)
PixieBrix: Browser requests Automation Co-Pilot Extension Definitions and sends business telemetry to surface in Admin Console (errors, usage of each extension), receives Co-Pilot Extension Definitions. Browsing data is not transferred to PixieBrix
Websites/SaaS: user accesses via browser as usual
Datadog: browser extension application error telemetry. Browsing data is not transferred to Datadog
Outgoing connections from PixieBrix to:
Datadog: application error and security telemetry
For a full list of PixieBrix's service providers, see our Privacy Policy
Networking/Firewall Rules
Outbound Hostnames from the Browser
Outbound hosts to allowlist from client devices:
Automation Anywhere Control Room host
app.pixiebrix.com: PixieBrix package registry
https://*.browser-intake-datadoghq.com: error telemetry
fonts.gstatic.com: font content delivery network
For more information, see Network/Email Firewall Configuration.
Inbound On-Premise Control Room Firewall Rules
Before configuring your Control Room in the Admin Console, contact PixieBrix support ([email protected]) to enable the static IP feature for your PixieBrix team.
Firewall, port, and protocol requirements for Automation Anywhere deployment: Automation 360 Ports, protocols, and firewall requirements.
The PixieBrix Web Service makes API calls to the Control Room API for syncing permissions and AARI Extensions. If you’re running your Control Room behind a firewall (e.g. inside a Virtual Private Cloud or on-premise), the firewall may block inbound traffic from the PixieBrix Web Service, causing the Control Room connection to fail:
To enable the connection from PixieBrix to your Control Room, you’ll need to allowlist incoming traffic from the PixieBrix server in your firewall configuration.
PixieBrix static outbound IP addresses and ports for the Control Room link:
The PixieBrix platform provides a load-balanced pair of outgoing IP addresses for the server-server Control Room connection. If one IP fails, traffic will automatically route through the second IP using automated failover:
Troubleshooting Connection Issues
Ensure the DNS record you provide is for a publicly accessible destination. If the DNS record is for a private IP address on your network (e.g., starting 192.X.X.X or 172.X.X.X), the PixieBrix server will not be able to connect to your Control Room
Ensure your firewall policy is set to allow incoming HTTPS traffic from the above IP addresses
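A check for the first troubleshooting item, as an added example that is not part of the PixieBrix or Automation Anywhere documentation: it resolves the Control Room host name through a resolver outside your network and flags answers in private or otherwise non-routable IPv4 ranges. The host name `controlroom.example.com`, the default resolver, and both function names are assumptions.

```powershell
# Added example. Host name and resolver are PLACEHOLDER assumptions.

# Ranges treated as not reachable from the PixieBrix server:
#   10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 (RFC 1918),
#   127.0.0.0/8 (loopback), 169.254.0.0/16 (link-local), 100.64.0.0/10 (CGNAT)
function Test-PublicIPv4 {
    param([Parameter(Mandatory)][System.Net.IPAddress]$Address)
    $b = $Address.GetAddressBytes()
    $nonPublic = ($b[0] -eq 10) -or
        ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
        ($b[0] -eq 192 -and $b[1] -eq 168) -or
        ($b[0] -eq 127) -or
        ($b[0] -eq 169 -and $b[1] -eq 254) -or
        ($b[0] -eq 100 -and $b[1] -ge 64 -and $b[1] -le 127)
    return -not $nonPublic
}

function Test-ControlRoomDns {
    param(
        [Parameter(Mandatory)][string]$HostName,
        # Query a resolver outside your network: an internal (split-horizon) DNS
        # server can return a different answer than the PixieBrix server receives.
        [string]$Resolver = '8.8.8.8'
    )
    $records = Resolve-DnsName -Name $HostName -Type A -Server $Resolver -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' }
    if (-not $records) {
        throw "No A record for $HostName returned by $Resolver"
    }
    foreach ($record in $records) {
        [pscustomobject]@{
            HostName = $HostName
            Address  = $record.IPAddress
            Public   = Test-PublicIPv4 -Address $record.IPAddress
        }
    }
}

# Any row with Public = False means the server-server link cannot reach that address.
Test-ControlRoomDns -HostName 'controlroom.example.com'
```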
Chrome Browser Extension Distribution
For detailed information on provisioning the Chrome Browser Extension to your organization, see: Browser Extension Installation and Configuration
Browser Support
AARI Extensions officially supports the latest two versions of the Chrome Web Browser.
AARI Extensions is also known to work on Microsoft Edge for most use cases. To confirm support for your use case, email [email protected]
Browser Extension Installation
Force install browser extension via Google Workspace, Group Policy, or your Enterprise Device Management policy:
Display Name: PixieBrix
Chrome Web Store ID: mpjjildhmpddojocokjkgmlkkkfjnepo
Browser Extension Managed Storage Configuration
Enterprise Browser Extensions are configured using Chrome’s managed storage feature. For end-users, set the following extension properties:
managedOrganizationId: REG_SZ (string). Value: the UUID of the PixieBrix tenant. Enforces association with a particular PixieBrix tenant
partnerId: REG_SZ (string). Value: automation-anywhere. Applies Automation Anywhere branding and enforces Control Room authentication
controlRoomUrl: REG_SZ (string). Value: URL (including scheme) of the Control Room to connect to. Pre-fills the controlRoomUrl for connecting the Automation Anywhere
Locating the UUID of the PixieBrix tenant
The UUID of the PixieBrix tenant is in the URL path when the team is selected:
The team UUID in the URL
Windows
On Windows, use the registry to set the properties for the extension:
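One way to write the three properties, as an added example that is not taken from the PixieBrix documentation: it uses Chrome's standard per-extension managed-storage key under `HKLM:\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions` and validates the inputs before writing. The tenant UUID and Control Room URL are placeholders, and requiring `https` is a choice made in this example.

```powershell
#Requires -RunAsAdministrator
# Added example. Values marked PLACEHOLDER are assumptions, not from the guide.
$ExtensionId    = 'mpjjildhmpddojocokjkgmlkkkfjnepo'      # Chrome Web Store ID listed above
$TenantId       = '00000000-0000-0000-0000-000000000000'  # PLACEHOLDER: PixieBrix tenant UUID
$ControlRoomUrl = 'https://controlroom.example.com'       # PLACEHOLDER: Control Room URL

# Reject malformed input before it is pushed to every managed browser.
$guid = [guid]::Empty
if (-not [guid]::TryParse($TenantId, [ref]$guid)) {
    throw "managedOrganizationId is not a UUID: $TenantId"
}
$uri = $null
$isAbsolute = [uri]::TryCreate($ControlRoomUrl, [System.UriKind]::Absolute, [ref]$uri)
# Requiring https is this example's choice; the guide only asks for a URL with a scheme.
if (-not $isAbsolute -or $uri.Scheme -ne 'https') {
    throw "controlRoomUrl must be an absolute https:// URL: $ControlRoomUrl"
}

# Chrome reads an extension's managed storage from this per-extension policy key.
$policyKey = "HKLM:\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\$ExtensionId\policy"
if (-not (Test-Path -Path $policyKey)) {
    # -Force creates the missing parent keys; skipped when the key already exists
    New-Item -Path $policyKey -Force | Out-Null
}

$managed = [ordered]@{
    managedOrganizationId = $guid.ToString()
    partnerId             = 'automation-anywhere'
    controlRoomUrl        = $ControlRoomUrl
}
foreach ($name in $managed.Keys) {
    New-ItemProperty -Path $policyKey -Name $name -Value $managed[$name] -PropertyType String -Force |
        Out-Null
}

# Read the values back so a typo is caught here rather than on an end-user machine.
Get-ItemProperty -Path $policyKey | Select-Object -Property @($managed.Keys)
```

After Chrome reloads its policies, the three values appear under the extension's entry on the chrome://policy page.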
Authentication
The initial AARI Extensions setup requires the Admin to log in via Google, Microsoft, or email. After the initial setup, AARI users will log in with Automation Anywhere using Automation Anywhere OAuth2 services.
Admin Login for Initial Setup:
Login with Google: see Enabling Login with Google
Login with Microsoft: see Enabling Login with Microsoft
Login with Email (aka Magic Link): see Network/Email Firewall Configuration
Login with Automation Anywhere Control Room
See Use AuthConfig App to enable OAuth2 services in the Automation Anywhere documentation portal for how to set up Login with Automation Anywhere
Security Resources
Our Security and Compliance Overview and Privacy and Security Policies are available publicly.
Additional security information on the Chrome Browser Extension is available here: Security and Compliance
For a copy of our SOC 2 Type 2 report audited by A-LIGN, please contact [email protected].
Frequently Asked Questions
Does PixieBrix work with on-premise Control Rooms?
Yes, PixieBrix works with cloud and on-premise Control Rooms. For the "Full" Integration, the only requirement is that incoming traffic from the PixieBrix service IPs can be allowlisted. See the Data Flow / Architecture Diagram and Networking/Firewall Rules sections above.
My Control Room is on an intranet (e.g., accessed via IP address 192.168.XX.XXX). Do we need to allow incoming public traffic to use Automation Co-Pilot extensions?
For the "Full" Integration, you must allowlist incoming traffic from the PixieBrix service IPs. See the Data Flow / Architecture Diagram and Networking/Firewall Rules sections above.
If you are using a hostname for your Control Room, ensure the DNS records are accessible.
Is an outgoing internet connection from the browser required for using PixieBrix with Automation Anywhere Business Co-Pilot?
Yes, an outgoing internet connection is required for two reasons:
An external internet connection is required to use Automation Anywhere OAuth2 services
An external internet connection is required to request extension definitions from the PixieBrix service, which is hosted on Heroku Salesforce (in the United States) and uses Cloudflare's Content Delivery Network (CDN)
See the Data Flow / Architecture Diagram and Networking/Firewall Rules sections above.
Does PixieBrix offer a fixed IP address for outgoing traffic from the browser to PixieBrix?
No, because PixieBrix uses Cloudflare as a Content Delivery Network (CDN), there is no fixed IP address for outgoing traffic from the browser to the PixieBrix web service.
Why is the whitelisting of PixieBrix URLs required (e.g., app.pixiebrix.com)?
In the Automation Co-Pilot solution, the PixieBrix server acts as the source of truth for the extension definitions. The browser must be able to access the PixieBrix service to fetch Automation Co-Pilot Extension definitions.
Why is the "Lite" Integration easier to allowlist than the "Full" Integration?
The "Full" integration requires a server-server link integration initiated by the PixieBrix server (hosted on Amazon Web Services). Enabling the link requires allowlisting incoming traffic to the Control Room from PixieBrix's static IP addresses (see Networking/Firewall Rules).
Firewalls distinguish between incoming vs. outgoing traffic. IT security teams generally apply stricter policies to incoming traffic (i.e., traffic initiated from an external source). The "Lite" integration requires less setup/approvals because in the "Lite" integration, there is:
No server-server link
The only traffic with PixieBrix is initiated from the end-user’s browser (outgoing)
Does PixieBrix need permissions to "Read and Change all your data on all websites"?
Chrome shows this permission prompt on installation from the Chrome Web Store because PixieBrix utilizes Chrome's tabs and webNavigation APIs to detect page navigation in Single Page Applications (SPAs).
PixieBrix does not read/change data on websites unless you've activated a mod that performs those reads/changes on a website.
You can prevent PixieBrix from having access to certain pages by setting the runtime_blocked_hosts and/or runtime_allowed_hosts policies in your extension configuration. See Browser Extension Security for more details.
The PixieBrix extension is source-available. You can view/audit the code on GitHub.
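The host restriction mentioned in this answer, as an added example that is not from the PixieBrix documentation: `runtime_blocked_hosts` is a field of Chrome's `ExtensionSettings` policy, which Windows stores as one JSON string, so the script merges the PixieBrix entry into any existing value rather than replacing it. The blocked host patterns are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example. The blocked host patterns are PLACEHOLDER assumptions.
$ExtensionId  = 'mpjjildhmpddojocokjkgmlkkkfjnepo'   # Chrome Web Store ID from this guide
$BlockedHosts = @('*://*.payroll.example.com', '*://idp.example.com')

$chromeKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
if (-not (Test-Path -Path $chromeKey)) {
    New-Item -Path $chromeKey -Force | Out-Null
}

# ExtensionSettings is a single JSON document covering all extensions, so load
# and merge it instead of overwriting whatever policy is already deployed.
$raw = (Get-ItemProperty -Path $chromeKey -Name ExtensionSettings -ErrorAction SilentlyContinue).ExtensionSettings
$settings = if ($raw) { $raw | ConvertFrom-Json } else { [pscustomobject]@{} }

# Reuse the existing per-extension entry (it may carry installation_mode etc.).
$property = $settings.PSObject.Properties[$ExtensionId]
if ($property) {
    $entry = $property.Value
} else {
    $entry = [pscustomobject]@{}
    $settings | Add-Member -NotePropertyName $ExtensionId -NotePropertyValue $entry
}

# Pages matching these patterns are off limits to the extension at runtime.
# A host also listed in runtime_allowed_hosts stays accessible: allowed wins.
$entry | Add-Member -NotePropertyName runtime_blocked_hosts -NotePropertyValue $BlockedHosts -Force

$json = $settings | ConvertTo-Json -Depth 10 -Compress
New-ItemProperty -Path $chromeKey -Name ExtensionSettings -Value $json -PropertyType String -Force |
    Out-Null
$json   # show the merged policy that was written
```

If `ExtensionSettings` is already delivered by Group Policy, make the same change in the GPO, because a policy refresh rewrites this registry value.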
Do Automation Co-Pilot Extensions work on Microsoft Edge?
Automation Co-Pilot Extensions are also known to work on Microsoft Edge for most use cases. To confirm support for your use case, email [email protected].