Firefox, Group Policy and Active Directory

One of the complaints that seems to come up a lot with regards to Firefox in the enterprise is the lack of support for management via Active Directory (using Group Policies). There have actually been a couple attempts to solve this including FirefoxADM and WetDog. There is even a company, FrontMotion, that makes custom Firefox MSIs that can be managed via Active Directory.

I decided I don’t know enough about this area, so I’ve spent the past couple weeks investigating what Microsoft provides and the results actually surprised me: IE configuration via Group Policies seems to focus much more on customizing the browser(*) than it does on configuring individual preferences. Learning this made me wonder what exactly it is that people mean when they say that Firefox has a lack of support for Active Directory. Do they mean using Active Directory to manage install and updates? Or do they mean the types of customization that are provided via IE’s Group Policy?

So I’d like to pose a few questions to my readers:

  1. Do you use Active Directory and Group Policy to manage Internet Explorer? If so, what policies are most important to you?
  2. Do you use FirefoxADM or WetDog to manage Firefox? If so, what features are most important to you?
  3. If support for Group Policies was implemented for Firefox, should it focus more on customizing the browser or setting preferences?

For more information on this subject, here are some links:

(*) By customizing the browser I mean things like removing printing, removing the help menu, removing view source, removing the context menu, preventing saving files to disk, removing the ability to open new windows, turning off tabbed browsing, removing access to bookmarks, etc.


21 thoughts on “Firefox, Group Policy and Active Directory”

  1. At one time, I did some IE restriction with the GPO. They are very useful notably in a kiosk like environment ( web cafe, public internet access, job center born ).
    Indeed it allows to provide a fully restricted IE environment ( most of the time, the browser only display one site defined by the sysadmin ) and thus even if the user is using an Administrator account ( that’s why preventing saving files to disk is useful for example ).
    Possibility to restrict options like Proxy settings, startup pages are also useful.

    Interesting restrictions for Firefox with GPO:
    – proxy settings
    – startup pages
    – ability to add extensions
    – ability to disable or restrict search engine in search bar
    – all the restrictions supported by IE ( except the ActiveX ones 😉 )
    – ability to print
    – ability to print in color ( printing in B&W or grayscale allows saving toner ) or to select the printer ( restrict the user to a specific printer )

  2. For me, as a user, the only resistance I have found is the use of automatic proxy configuration via a javascript file. It’s ok for someone like to do, but for joe user it means they can’t access anything.

    oh, and secondly, use of NTLM is everywhere. it’s quite useful with intranets. i think NTLM dialog could be improved to state it’s Windows authentication, and how the user should state their id in the DOMAIN\USERNAME form; ideally the trusted NTLM domains list could be added to with another checkbox.

    sorry; the second one is core, rather than specific to your question.

    i hope this is of use; i’ve recently been trying to get an abandoned intranet project (abandoned by the developer) running for a global company who use AD and expect single sign on; i’ve been using FF to build it as it’s late and i don’t have time for IE to render pages ;-), and these are the main issues for me, but not only me as i’m also having to handle some support and the NTLM dialog is so confusing to jo user.

  3. I used to work for a company that implemented security policies against IE based on AD. Things that were blocked out (that come to me immediately) were
    1. The ability to download.
    2. The File->Open menu, or any other menu that would allow you to browse the hard drive.
    3. Internet Options.
    4. The ability to add favorites or make any other permanent changes to the browser settings.

  4. Hi Mike
    Active Directory and Group Policy support means actually two things:
    1. Support for installing Firefox, Extensions and Plugins (MSI-package)
    2. Support for configuring preferences (ADM-template)

    …and something that glues these two nicely together.

    (“Installing” covers actually the whole setup concept including installing, updating/patching and uninstalling.)

    First one – the MSI-package – is a problem for enterprises because there isn’t any. You’ll have to make the MSI by yourself. Repackaging requires a person with the time, skills and tools to get the job done. Or then you could buy the MSI e.g. from FrontMotion. Nevertheless these MSI’s aren’t official. You’ll have to do the same job every time Firefox gets an update and there is always the risk that something has changed since the last version so you always have to test the new package carefully. This is what enterprises currently do. Wouldn’t it be great if you could skip the repackaging part and just grab a new MSI from when it’s time to update?

    I know you Mike tailor your very own Firefox setup-exe’s and that’s one solution. I dare to say that an un-modified and official Firefox MSI would fit to a majority of enterprises. That MSI, however, should never mess up the computers in the domain. I don’t believe Mozilla project is going to publish anything even close to that in many years.

    But the MSI is not enough if you can’t push the settings to users. Currently this requires some modifications to the plain vanilla Firefox and there are many (way too many) ways to get to the goal. The problem here is that none of these ways is an official one and not very many enable control using Group Policies. (Mission Control might be considered to be official one, but it has nothing to do with Group Policies.) Mozilla project should create one – or just take FirefoxADM. So you pick up some solution, but even that’s not complete one. This brings us up to the second item – an ADM-template. Enterprise admins want to push Firefox settings to end users using GPO’s, but they also want – and suppose – this to be easy. Easy as enabling “Default home page”-policy setting and typing in the URL. Not easy as creating or editing your home-brewed ADM-file to include the setting for “browser.homepage.startup”, importing ADM file to GPO and finally making that simple setting. ADM-template should also be official one, published and maintained by Mozilla. But because ADM-template writes to registry and Firefox has its settings mainly in prefs.js & co, the official system between these two will be needed first. This is something Mozilla could do and should do before MSI-package.

    So, to answer the questions you made:

    1. Yes. For example default home page and various security settings.
    2. FirefoxADM. Disabling automatic updates.
    3. Preferences. Both locked and default-only-prefs. And the preferences should really cover every setting you can do from Firefox GUI – not just the ones that are in prefs.js.

  5. @Mikko

    The thing that confuses me the most here is that the group policy editor does NOT allow you to modify many IE preferences at all. It appears you are expected to use the IEAK to create a version of IE that has the preferences you want and then use group policy to lock the UI to prevent the changing of the preferences.

    So I’m unclear why people are expecting something out of Firefox ADM that even IE doesn’t provide.

    That is access to ALL preferences via group policy…

  6. Mike
    You’re right. Configuring IE with group policies is actually quite a mess. But that’s no excuse for Firefox not be configurable via group policies. And this is not about IE vs. Firefox. This is about system administrators’ needs to do the configurations with the tools (GP’s) that are native and ready-to-use in their environment (AD) and with the tools they are familiar with. People are expecting this because that is the way system configurations are done in many “small enterprises”. People want something a lot easier than setting up an LDAP for Mission Control or preparing prefs.js and other files and repackaging Firefox to MSI-package.

    Currently you can do zero configurations to Firefox with group policies. Anything between zero and ALL would be a good start.

    And now that I’ve been thinking this a bit more I guess what is needed is “Group Policy Extension for Firefox”. Firefox has its settings in too many places and is too complex to be fully configurable using only ADM templates and FirefoxADM.

    And about configuring IE, there will be improvements with Windows Server 2008 and “Group Policy Preferences”:

  7. From personal experience, IE GPOs are primarily used for configuration management not feature customizations
    – configuration management: proxy settings, home pages
    – security settings: security zones, mime types, exposed protocols
    – functional defaults and restrictions: url shortcuts, search engines, active-x whitelists/blacklists, rss performance/behavior (IE7)

    We replicate virtually all policy settings with Mission Control for Firefox (I still owe you an article on that…) keeping the infrastructures safe and separate. Today we can do a little more with feature customizations in Firefox but a little less with security configurations (i.e. no straightforward way to set/lock security zones). There is definitely room for both IE and Firefox to beef up granularity on all functional fronts.

    With Firefox, we can also prepackage some extensions and then lock down/default whatever settings they expose to the profile. Extensions is the big differentiator here for the customizations you are referring to.


  8. We use wetdog to set:
    – network.automatic-ntlm-auth.trusted-uris
    – network.proxy.http (actually for all protocols)
    – network.proxy.http (actually for all protocols)
    – network.proxy.no_proxies_on
    – network.proxy.share_proxy_settings
    – network.proxy.type

    We previously customized Firefox setup in:
    – browser.startup.homepage
    – browser.startup.homepage_reset
    – security.warn_submit_insecure
    – bookmarks of interest for our organization
    – disabled the migration wizard (import internet explorer settings)

  9. We need it to add and update company website bookmarks for every user in the organization.
    Not replace, but merge with the users own bookmarks. and preferably have them come up first on the ‘bookmarks toolbar’.
    That’s it, but as it is now I have to take control of ALL the bookmarks by ‘hijacking’ the bookmarks.html or be content with setting the homepage.

  10. We’d like to deploy Firefox at our firm, but without a way to restrict extension installation and some of the configuration settings people have mentioned via Group Policy, then it may not happen.

    That would be a shame since we’d like to give our users the ability to use a non-IE browser for regular browsing. Personally, I’d like to limit IE’s use to just those sites that require ActiveX controls – in our environment that’s at least a dozen document review sites. Ideally, those sites would quit using ActiveX controls altogether, but sadly that’s unlikely.

    Chrome isn’t an option at all because Google refuses to let you choose where to install it or where it stores its data unless you get it from the google pack, which is patently unacceptable. Opera didn’t even come up in the survey we did asking some users which browsers they’d like the option to use here, and I don’t think many even know Safari is available for Windows.

    • Anything you want to customize in Firefox can be customized. If you have specific requirements, please let me know. I can take a look and see if I can help you.

      • I need to lock at least the Advanced Tab in Firefox if not the whole Options menu item. How can this be done for Workstations. I tried installing and configuring FirefoxADM in Active Directory (2008), but it is of little help as the Advanced tab remains open on Client machines and the user can change them as they require.

          • I need help with this also because the firefoxadm has a setting to block this but, it is not. Basically if you open firefox > Tools > options > Advanced > Network. I want to disable network tab or advanced altogether to prevent users from taking themselves off the proxy. Doesn’t seem like setting in GPO for firefox is working. Any help would be appreciated. thanks

  11. How about an easy way to centrally administer and update firefox? Ya know, in case the enduser in an enterprise environment isn’t allowed to install anything? As for locking down FF? easy peasy, just edit the config files and deny permissions, do it all the time

  12. Can we disable bookmark in Mozilla completely?
    I mean removing access to bookmark?
    & how?

    this is possible in IE by simply editing registry.
    Kindly reply ASAP.

  13. Hi,
    we have to do a large scale deployment of firefox in our enterprise, however, following are the significant challenges we are facing
    1. the employees ability to Save the web page (File, Save Page As etc.) preferable if we can disable File Tab for the employees.
    2. employees ability to modify the settings (such as proxy etc in the browser)

    In short, I need to be able to do every thing Mike mentioned in his post!!! 🙂

    “removing printing, removing the help menu, removing view source, removing the context menu, preventing saving files to disk, removing the ability to open new windows, turning off tabbed browsing, removing access to bookmarks, etc.”

    Any help will be appreciated.

  14. Mike, I work for a library where we have over 500 public access computers. Obviously we need to be able to protect both the public access computers and the network that they are connected to. I have found that the best way to do this is to prevent users from accessing resources that I don’t want them tampering with, like the hard drive and most of the file system. Unfortunately the resources that I do want them to be allowed to access often need access to the hard drive and file system. The alternative is to hide things like the C drive so that patrons can’t see them. In general Group Policy will let me do that but applications like browsers or word processors often circumvent the standard policies applied to Windows. So what I need to be able to do is restrict those options in Firefox that allow a user to access resources or modify resource options or preferences. At the same time I don’t want any restrictions that I apply to affect other users, like say the administrator account. You can see that I am mainly needing to configure the browser but there may be some user options that need tweaking as well. Thank you for asking, I have been wrestling with this issue for months.
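
Comment 4 above notes that a Group Policy template writes to the registry while Firefox keeps its settings in preference files, so something has to translate between the two. As an added example (not code from the post, its commenters, FirefoxADM or WetDog), this Python script renders policy values into Firefox AutoConfig `lockPref`/`defaultPref` lines for the preferences listed in comment 8, escaping values because the config file is JavaScript. The policy dictionary layout, the host names and the function names are assumptions made for the example.

```python
import json
import re

# Constructed sample policy (hypothetical layout): preference values as a
# Group Policy template might leave them in the registry, keyed by pref name.
POLICY = {
    "locked": {
        "network.proxy.type": 1,
        "network.proxy.http": "proxy.example.internal",
        "network.proxy.share_proxy_settings": True,
        "network.proxy.no_proxies_on": "localhost, 127.0.0.1",
        "network.automatic-ntlm-auth.trusted-uris": "intranet.example.internal",
    },
    "default": {
        "browser.startup.homepage": "https://intranet.example.internal/",
    },
}

PREF_NAME = re.compile(r"[A-Za-z0-9_.-]+")


def js_literal(value):
    """Render a policy value as a JavaScript literal for the config file."""
    if isinstance(value, bool):  # test bool first: bool is a subclass of int
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, str):
        # The config file is JavaScript, so quotes and backslashes must be escaped.
        return json.dumps(value)
    raise ValueError(f"unsupported preference type: {type(value).__name__}")


def render_autoconfig(policy):
    """Return AutoConfig text: lockPref for enforced values, defaultPref for defaults."""
    # Firefox skips the first line of the file, so it has to be a comment.
    lines = ["// generated from policy; do not edit by hand"]
    for section, call in (("locked", "lockPref"), ("default", "defaultPref")):
        for name, value in sorted(policy.get(section, {}).items()):
            if not PREF_NAME.fullmatch(name):
                raise ValueError(f"invalid preference name: {name!r}")
            lines.append(f"{call}({json.dumps(name)}, {js_literal(value)});")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_autoconfig(POLICY), end="")
```

Firefox loads such a file only when the `general.config.filename` preference, set from a preferences file in the install directory, points at it.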