Prisma Browser Beyond

This is the base user guide for Prisma Browser Beyond.
Where Can I Use This?
What Do I Need?
  • Prisma Browser Pro tier, or Prisma Browser Platinum tier, or standalone data protection add-on.
  • Active Prisma Browser subscription
Prisma Browser Beyond extends Prisma Browser's security capabilities beyond the browser into the desktop operating system. While Prisma Browser manages web applications within the browser environment, Prisma Browser Beyond provides unified visibility and policy enforcement for desktop applications, ensuring consistent security across both web and desktop workloads.
The solution utilizes a lightweight kernel-level driver on Windows 11 that monitors application launches in real-time. Deployment is managed directly through the Prisma Browser SCM console, requiring no third-party MDM tools. Integration is activated via the Prisma Browser Local Extender control within the Browser Customization rules.

Requirements

Requirement | Detail
Operating System | Windows 11
Installation Privileges | Prisma Browser must be deployed with admin privileges - this is required so that Prisma Browser Beyond can be deployed.
macOS devices are currently not supported.

Deploy Prisma Browser Beyond

Prisma Browser Beyond offers a streamlined deployment process managed directly through the Prisma Browser SCM console, eliminating the need for complex MDM integrations or third-party software distribution tools. This centralized approach ensures that security administrators can easily extend protection from the browser to the desktop environment by leveraging the existing Prisma Browser infrastructure. The deployment mechanism activates a lightweight kernel-level driver on Windows 11 devices, which is essential for real-time monitoring and unified policy enforcement across both web and desktop applications.
  1. Access Browser Customization
    1. Open the Prisma Browser SCM console.
    2. Select Configuration → Policy → Rules.
    3. Click the Browser Customization tab at the top.
  2. Create a new Policy Rule
    1. Click Create and select New Rule.
    2. Provide a descriptive name for the rule (for example - Prisma Browser Beyond Deployment). You can optionally add a description.
  3. Define Deployment Scope
    1. Click the Scope tab.
    2. Select the Users or User Groups where Prisma Browser Beyond should be enforced.
  4. Activate Prisma Browser Beyond
    1. Click the Browser Customization Controls tab.
    2. Locate the Prisma Browser Desktop Extender control.
    3. Open the Desktop Extender control and click Activate.
    4. Click Set.
    Once the policy is published, Prisma Browser Beyond will be deployed to all devices that are in scope.

Monitor Deployment Status

After you publish the policy, monitor the rollout from the Devices page in the SCM console. You can open the Devices page by selecting Insights → Deployment → Devices. Apply the Prisma Browser Desktop Extender filter to see status across your fleet.
Device Status
Status | Definition
Active | Prisma Browser Beyond is successfully installed and running.
Inactive | Prisma Browser Beyond is not installed on the device.
Not Supported | The device does not meet the OS or browser version requirements.
Failure | Installation or runtime failure - for example, missing admin privileges.

Application Control

Visibility into Desktop Application Events

  1. Open the Prisma Browser SCM console.
  2. Select Insights → Analytics → Events.
  3. Filter by Type = "Desktop app access" to view all desktop application events.
  4. Each Event includes the following details:
    • Application Attributes - Executable identifiers independent of the display name.
      • Original File Name - The executable's internal metadata name - used as the primary policy identifier.
      • File Description - Metadata description embedded in the executable.
      • Product Name - The software suite containing the application.
    • Execution Context - How and where the application is running:
      • Process Path - The absolute directory path on the local disk where the application resides.
      • Parent Process - The application that launched this process (e.g., identifies whether a script was launched by cmd.exe or explorer.exe).

Application Usage

The Application Usage page gives you an organization-wide view of how applications are being used across your fleet. To focus on thick desktop applications in Prisma Browser Beyond, filter by App Type = Local Desktop. This dashboard provides a high-level summary of software adoption and behavior, allowing administrators to identify applications that are running on managed devices.
The page shows each application's classification, total number of events, and number of users running it. You can interact with the data by clicking any row to drill down for more detail, such as specific user activity logs and device-level execution paths.

Defining Custom Desktop Applications

If an application is not already in the Prisma Browser desktop application catalog, you must define it manually before creating an access or data control policy for it. This manual definition process ensures that even bespoke, proprietary internal tools or specialized legacy software can be effectively managed and secured within the Prisma Browser Beyond framework. By registering these applications, administrators can extend unified visibility and granular policy enforcement to non-standard executables that are critical to their organization's workflow.
  1. Open the Prisma Browser SCM console.
  2. Select Configuration → Policy Objects → Applications.
  3. Select the Desktop Applications tab.
  4. Click Add Desktop App and enter the required fields to catalog the executable. This process registers the application metadata as a unique identifier for policy enforcement.
    • Name - Name that will be displayed in the console.
    • Description - Notes about the application's use (optional).
    • Icon - An icon that will be used for the application.
    • Original file name - The Original File Name is taken from the metadata embedded in the executable (e.g., notepad++.exe), so the policy works even if the file is renamed on the desktop.
      You can view the Original File Name in the event details in the console or by manually inspecting the exe files on your desktop.
    • Classification - Optionally assign the application to a group (for example - Productivity Tools).

Set Up Access Control Policies

Once your custom or cataloged applications are defined within the SCM console, you can create granular Access & Data Control rules to Allow or Block their execution on managed endpoints.
Default Security Posture: By default, Prisma Browser Beyond allows the execution of any desktop applications to ensure no disruption to existing workflows.
To configure an access control policy, follow these steps:
  1. Navigate to Configuration → Policy → Rules in the Prisma Browser SCM console and click Create and select New Rule.
  2. Select Access & Data Control as the rule type.
  3. Under the Applications tab, define the scope of the rule:
    • Search for and select a specific Desktop Application using its Original File Name identifier.
    • Alternatively, select an Application Group (such as the built-in Consumer Browsers group) to apply the rule to multiple executables simultaneously.
  4. Navigate to the Access tab to choose the enforcement action:
    • Allow: Grants unrestricted access to the application.
    • Block: Prevents the application from launching or running.
    • Prompt: This action is currently not supported for desktop applications. If selected, the system will automatically default to Block to maintain your security posture.
  5. Save and Publish the changes to push the updated policy to all devices in scope.
Enforcement: Access control policies are evaluated top-down. If a block policy is applied to an application that is already running, the enforcement will take effect upon the next launch of that process.
  1. Navigate to Configuration → Policy → Rules in the Prisma Browser SCM console and click Create and select New Rule.
  2. Select Access & Data Control as the rule type to govern how applications interact with your environment.
  3. Define the application scope under the Applications tab:
    • Search for and select a specific Desktop Application (using its Original File Name identifier), or
    • Select an Application Group to apply the rule to multiple related executables (e.g., the built-in Consumer Browsers group).
  4. Navigate to the Access tab to choose the enforcement action:
    • Allow - Grants unrestricted access, allowing the application to launch and run as intended.
    • Block - Actively prevents the application from launching or running, effectively mitigating risks from unauthorized software.
    • Prompt - Note that interactive user prompts are not supported for desktop applications. To maintain a strict security posture, the system will automatically default this selection to Block.
  5. Save your configuration and Publish the changes to push the updated policy to all applicable devices within the defined scope.

Known Limitations

The following limitations apply to Prisma Browser Beyond in its current Early Availability release:
Limitation | Details
Prompt action not supported | The Prompt action is not supported for desktop application policies. If configured, the system defaults to Block.
No custom dialog message | End users see a standard Windows toast notification when an application is blocked. Custom dialogs are not supported for desktop applications at this time (supported for browser only).
End user notification suppressed | Notifications will not appear if the user is in Do Not Disturb mode, is sharing their screen, or has disabled this notification type on their device. Admins can use GPO to prevent users from disabling PBY notifications.

Frequently-Asked Questions

Q1: What is the official product name?
A: Prisma Browser Beyond (PBY). Previously known as PBL, PABL, Prisma Browser Desktop Extender, and PBB.
Q2: So what does Prisma Browser Beyond do?
A: Prisma Browser Beyond extends Prisma Browser's security capabilities beyond the browser into the desktop operating system.
Q3: How is Prisma Browser Beyond different from Prisma Browser?
A: Prisma Browser controls web applications inside the browser environment. Prisma Browser Beyond extends that control to desktop applications and the operating system. Together, they provide unified visibility and enforcement across both web and desktop workloads.

Features and Capabilities

Q4: What can Prisma Browser Beyond do?
A: Prisma Browser Beyond V1 provides:
  • Desktop Application Catalog - Browse and manage all applications across your organization.
  • Real-time Application Visibility - Logs and analytics of every application launch.
  • Access Control Policies - Block/allow rules for desktop applications (file-sharing apps, unauthorized AI tools, etc).
  • Single Browser Enforcement - Block consumer browsers, making Prisma Browser the only browser on the device.
Q5: Does PBY do encryption?
A: No. Prisma Browser Beyond does not encrypt files. It tags files and blocks access to them for unsanctioned applications. It prevents protected files from leaving the secure perimeter (no USB, Bluetooth, shared folders, etc.).
Q6: Is PBY content-based or context-based?
A: Currently, Prisma Browser Beyond is context-based only. It does not perform content inspection. For example, blocking a file upload to WhatsApp is based on context (whether WhatsApp is in your sanctioned application list), not on the content of the file. Content inspection is on the roadmap for a future release.
Q7: Does PBY support printing control?
A: This is under evaluation. Printing control is a known use case (especially for healthcare and regulated industries), but it is not currently implemented in.
Q8: Can PBY block other browsers?
A: Yes. Prisma Browser Beyond can enforce "single browser" policies, blocking consumer browsers and making Prisma Browser the only browser allowed on the device. To do this, create a "Block Access" policy and select the Consumer Browsers out-of-the-box application group.
Q9: Can you create custom application groups?
A: Yes. In addition to the out-of-the-box application groups (e.g., Consumer Browsers), you can create custom groups from any applications in the catalog. These groups can then be used in access control policies just like built-in groups.
Q10: What does the end user see when an application is blocked?
A: The end user receives a Windows toast notification informing them that a restricted application was blocked by their company policy. Notifications will not appear if the user is in Do Not Disturb mode, is sharing their screen, or has disabled this notification type on their device.
Admins can configure a GPO policy to prevent end users from disabling or dismissing Prisma Browser Beyond notifications, ensuring the block message always reaches the user.
Q11: Are application events available for SIEM or compliance export?
A: Yes. Prisma Browser Beyond events - including every application launch, block, and policy evaluation - are available for export in the same way as all other Prisma Browser events, and can be forwarded to your SIEM for compliance and security investigations.

Deployment and Availability

Q12: What are the prerequisites for Prisma Browser Beyond?
A: The prerequisites are the same as for any managed device running Prisma Browser:
  • Prisma Browser must be installed with admin privileges.
  • The device must be running Windows 11.
    At this time, there is no tamper-proof mechanism to prevent a user with local admin rights from uninstalling Prisma Browser or Prisma Browser Beyond. Enforced uninstall protection is a roadmap item.
Q13: How do I deploy PBY across my organization?
A: No MDM or third-party deployment tool is required. Prisma Browser Beyond is deployed directly from the Prisma Browser SCM console:
  • Go to Rules → Browser Customization and create a new rule.
  • Define the scope (users or user groups to target).
  • Under Browser Customization Controls, find the Prisma Browser Local Extender control and set it to Activate.
To monitor deployment, go to the Devices page and check the status for each device: Active, Inactive, Not Supported, or Failure.
Q14: How is Prisma Browser Beyond licensed?
A: Prisma Browser Beyond is not included in the Prisma Browser Core license. It is available in two ways:
  • Included with Prisma Browser Premium
  • As a standalone data protection add-on
Prisma Browser Beyond cannot be sold as a standalone product - an active Prisma Browser subscription is required as a prerequisite.

Technical Architecture

Q15: How does Prisma Browser Beyond protect itself against tampering?
A: Prisma Browser Beyond is designed to be resilient against local bypass attempts. The tamper protection will prevent users or local utilities from bypassing policy by halting services, terminating processes, or modifying core files and registry settings.
Q16: What is the performance impact of Prisma Browser Beyond?
A: Prisma Browser Beyond is designed to be lightweight with minimal performance impact.
Q17: How does PBY work?
A: Prisma Browser Beyond installs a lightweight kernel-level driver that monitors every application launch in real-time. When an employee attempts to run an application:
  • The system checks it against your security policies.
  • It either allows or blocks the application in a fraction of a second.
  • No user-visible delay occurs.
  • Every attempt (allowed or blocked) is logged for compliance and security investigations.
Because enforcement happens at the OS level, it cannot be bypassed or disabled by users.
Q18: What happens when PBY loses connectivity?
A: Prisma Browser Beyond operates in offline mode when connectivity is lost. It stores the last known policies locally and continues to enforce them on the device. However, events generated during the offline period are not retained - they will be lost and will not sync to the cloud once connectivity is restored.
Q19: How does PBY identify applications?
A: Prisma Browser Beyond identifies applications using the Original File Name - metadata embedded within the executable itself. This identifier cannot be easily spoofed: renaming the executable file does not change the Original File Name.
The full set of attributes captured per application is:
Attribute | Description
Original File Name | The executable's internal metadata name - used as the primary policy identifier.
File Description | Metadata description embedded in the executable.
Product Name | The application's software suite.
Process Path | The absolute directory on the local disk where the application resides.
Parent Process | The application that launched this process (e.g., cmd.exe, explorer.exe).
Currently, Original File Name is the only supported policy identifier.
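The attributes listed above, and the manual inspection mentioned under Defining Custom Desktop Applications, can be reproduced locally by reading each executable's version resource. The following PowerShell is an added example, not Palo Alto Networks code; the function name Get-ExeIdentity and the scanned folder are assumptions chosen for illustration. It lists the metadata per .exe and flags files that have no Original File Name or whose on-disk name differs from it.

```powershell
# Added example: inventory the version-resource metadata of every .exe under
# a folder. Get-ExeIdentity is a hypothetical helper name, not a product cmdlet.
function Get-ExeIdentity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    Get-ChildItem -LiteralPath $Path -Filter '*.exe' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # VersionInfo is a System.Diagnostics.FileVersionInfo object.
            $vi = $_.VersionInfo
            $original = if ($vi.OriginalFilename) { $vi.OriginalFilename.Trim() } else { '' }

            [pscustomobject]@{
                OriginalFileName = $original
                FileDescription  = $vi.FileDescription
                ProductName      = $vi.ProductName
                ProcessPath      = $_.FullName
                # False when the binary carries no Original File Name, so there
                # is nothing to enter in a Desktop App definition.
                HasIdentifier    = [bool]$original
                # True when the name on disk differs from the embedded name
                # (renamed file, or a vendor shipping under another name).
                NameDiffers      = [bool]$original -and ($original -ine $_.Name)
            }
        }
}

# Assumed scan root; point this at any folder that holds the applications.
$report = Get-ExeIdentity -Path $env:ProgramFiles

# One row per executable, sorted by the identifier a policy would use.
$report | Sort-Object OriginalFileName |
    Format-Table -AutoSize OriginalFileName, ProductName, NameDiffers, ProcessPath

# Identifiers shared by more than one file on disk.
$report | Where-Object HasIdentifier |
    Group-Object OriginalFileName |
    Where-Object Count -gt 1 |
    Select-Object Name, Count

# Executables without an Original File Name.
$report | Where-Object { -not $_.HasIdentifier } | Select-Object ProcessPath
```

Compare the output with the Original File Name shown in the console's event details before creating a definition; for some Windows system binaries this API returns the name of the localized resource file (ending in .mui).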
Q20: Can PBY block a specific version of an application?
A: Not currently. Prisma Browser Beyond does not support version-level blocking (e.g., via hash). This is intentional - hashes change with every application update, which would make policies fragile and high-maintenance. The Original File Name approach is designed to be version-agnostic.

Deployment and Behavior Edge Cases

Q21: What is the default behavior if no access control policy exists?
A: By default, all desktop applications are allowed.
Q28: What happens with multiple Prisma Browser profiles on the same device?
A: Prisma Browser Beyond only supports a single Prisma Browser profile - specifically, the first profile that was logged in on the device. Additional profiles are ignored.

Use Cases and Customer Scenarios

Q22: What are the primary use cases for Prisma Browser Beyond?
A: The following use cases are currently in scope:
  • Shadow IT Control - Discover and block unauthorized desktop applications (file-sharing tools, unauthorized AI tools, etc).
  • Unified Application Control - Apply the same security policies to desktop apps as you do to SaaS apps.
  • Compliance & Visibility - Maintain audit logs of all application launches for compliance investigations.
  • Single Browser Enforcement - Ensure Prisma Browser is the only browser on managed devices.

Positioning and Competitive Context

Q23: Does Prisma Browser Beyond replace endpoint DLP agents?
A: Prisma Browser Beyond is complementary to endpoint DLP, not a replacement. The key difference is in the approach:
  • Endpoint DLP is content-based - it inspects file contents using classification profiles, regex patterns, and data fingerprints. This is powerful but comes with significant operational overhead, complex tuning, and high false positive rates.
  • Prisma Browser Beyond is context-based - it controls data flows based on context. Moving data between applications inside the "sanctioned boundary" is allowed (e.g., copying from a corporate Excel file to corporate Gmail), while moving data outside is blocked (e.g., copying from a corporate Excel file to personal WhatsApp for Desktop). This means no classification profiles to maintain, no false positives, and far less operational overhead.
Organizations may use both, but Prisma Browser Beyond offers a simpler path to application-level data protection without the complexity of traditional DLP.
Q24: How does Prisma Browser Beyond compare to EDR solutions?
A:
  • EDR - Focuses on threat detection and incident response.
  • Prisma Browser Beyond - Focuses on application access control and data protection.
They serve different purposes and are designed to be used together.
Q25: Is Prisma Browser Beyond a replacement for virtual desktop or virtual app solutions?
A: No. Prisma Browser Beyond is an alternative approach to controlling desktop applications. Some customers use virtual desktops or virtual apps; Prisma Browser Beyond provides a different model with lower infrastructure overhead.