- Create a workspace — your policy and audit boundary.
- Invite people by email and assign a role.
- Set one workspace policy: routing mode, work domains, bypass rules, categories and allowed egress regions.
- Users install the browser extension, sign in, and receive policy automatically. Current beta users install the Chrome/Chromium package.
- Monitor sessions, devices and audit events; revoke sessions from the cabinet.
Managed Browser Access
Managed browser access for teams — without a device VPN or OS agent
BusinessProxy gives small teams a controlled browser path without rolling out SASE or a device-wide VPN. Users install the browser extension, sign in, and inherit the workspace policy automatically. The current beta package is Chrome/Chromium-based.
On unmanaged devices, BusinessProxy governs only the browser profile where the extension is installed and enabled. Use Chrome Enterprise or MDM for the current Chrome/Chromium package when extension enforcement and locked settings are required.
Setup
Set up your team in five steps
Need a different ruleset for another group? Create another workspace. SSO/SAML, SCIM and dedicated enterprise controls are Enterprise/contact-only until implemented.
Routing
Routing modes
| Mode | How it works |
|---|---|
| All browser traffic | `proxy_all` uses Chrome `fixed_servers`. Routed browser requests go through BusinessProxy except local/API/bypass entries. |
| Work domains only | `work_only` uses a generated PAC script. Approved work domains use the proxy; everything else goes direct. |
| Bypass | Local, API and admin-defined bypass entries go direct. |
| Credentials | Random session credentials are short-lived and rotate automatically through the extension. |
What it controls
- Browser proxy settings while connected
- Workspace routing policy
- Domain/category/region decisions
- Session limits and revocation
- Extension managed settings when pushed by Chrome Enterprise/MDM
What it does not control
- Whole-device traffic
- Other browsers on unmanaged devices
- OS-level network stack
- Personal apps, calls, local tools
- Removal/disablement on unmanaged devices
How it works
How a session works
Short-lived, accountable and easy to revoke — so every session is simple to grant, simple to audit and simple to shut off.
Session model
Short-lived session model
When a user connects, the backend issues random, short-lived proxy session secrets (~2 min TTL) that the extension auto-rotates. They are validated server-side with a keyed one-way digest and never stored as a reusable plaintext credential — separate from the account password.
Accountability
Accountable access
Every session is tied to a verified user and a signed device key. Admins see who connected, from where, and can revoke in one click.
Security
Scoped security facts your reviewer can verify
- No TLS/HTTPS content inspection on the browser-proxy path.
- No content scripts in the extension package.
- All-sites host permission is used to answer proxy-auth challenges for routed requests.
- Proxy credentials are separate from account credentials.
- Private/internal network ranges are blocked by policy.
- Workspace audit events are retained separately from usage events.
Contractors
Managed browser access for external people
Give an external person a managed browser path for project work without issuing a device VPN or opening broad network access.
BYOD
Work browsing without device takeover
Keep work browsing accountable on personal laptops while personal apps, calls, banking, and local tools stay outside the proxy route.
Support & Ops
Controlled browsing that doesn't break the rest of the desk
Give support and ops teams a stable managed browser path for SaaS without breaking calls or non-browser work.
FAQ
Is BusinessProxy a VPN?
No. BusinessProxy does not install a device VPN and does not route the whole machine. It manages a browser path through a required browser extension. The current beta package is Chrome/Chromium-based. Non-browser traffic, local apps, calls and other browsers stay outside the BusinessProxy path.
Do users install anything?
Yes. Users need the BusinessProxy Chrome extension. The point is that there is no OS-level agent and no device-wide VPN client. For enforced deployments, admins should push the extension and managed settings through Chrome Enterprise or MDM.
Do you inspect HTTPS page content?
Not on the browser-proxy path. BusinessProxy enforces browser policy using domains, network metadata, category decisions and allow/deny rules. It does not decrypt HTTPS page content, read the page DOM, or inspect form fields on that path.
Why does the extension request access to all sites?
Chrome requires the all-sites host permission so the extension can receive and answer proxy-authentication challenges for requests that Chrome routes through the configured proxy. The extension has no content scripts and does not inject into pages or modify page content.
Can users bypass it on unmanaged devices?
Yes, outside the managed browser path. On an unmanaged device, a user can use another browser, another unmanaged profile, or remove/disable the extension. If bypass prevention matters for the current Chrome/Chromium package, deploy through Chrome Enterprise or MDM to require the extension and lock managed settings.
Are proxy credentials the account password?
No. Account login and proxy access use different secrets. Proxy credentials are random, short-lived session secrets. BusinessProxy validates them with a server-side keyed one-way digest and does not store the raw proxy secret or reuse the account password.
Start with a browser-extension pilot
In the current beta, lock the Chrome/Chromium package with Chrome Enterprise or MDM when enforcement matters.