Enterprise Policy Support in Firefox

Last year, Mozilla ran a survey to find out the top enterprise requirements for Firefox. Policy management (especially Windows Group Policy) was at the top of that list.

For the past few months we’ve been working to build that support into Firefox in the form of a policy engine. The policy engine adds desktop configuration and customization features for enterprise users to Firefox. It works with any tool that wants to set policies, including Windows Group Policy.

I’m excited to announce that our work on the policy engine has reached a major milestone and is available in the latest Firefox 60 beta.

We’d really like for folks to take a look at what we’ve done and provide feedback. We would especially like to know what kinds of things folks are doing that require AutoConfig, so we can investigate adding those things to the policy engine. This is important because we are planning to sandbox AutoConfig to only its original API in Rapid Release, probably in version 62. You can get more detail about that in bug 1455601.

We’ve set up a survey to get a lot more details about requirements. Click here for that. (Yes, I know we’ve been doing lots of surveys. We appreciate your help as we define requirements.)

If you run into specific problems, you can open bugs on GitHub or in Bugzilla.

For a detailed list of all the policies that are available and how to use them in a policies.json file, you can check out the README.

It also includes information on which policies only work on the ESR.

If you’re using Windows, you can download the ADMX templates.

We’re currently in the process of standing up more documentation and a support forum on support.mozilla.org.

In the meantime, we have some initial documentation.

Folks are also asking what this means for the future of CCK2. I’m planning to make as much CCK2 functionality as I can available for Firefox 60. I’ll be doing another blog post soon about that.


Comments

15 responses to “Enterprise Policy Support in Firefox”

  1. Tustamido

    Just to clarify, even future ESR versions like 67 will not have sandboxed AutoConfig? Or just ESR 60? I hope there will be some “permanent” way to run unlimited AutoConfig. Ideally Developer Edition and Nightly, but at least all ESR.

    1. James Pearson

      I would also like to know the answer to this as well …

      1. Mike Kaply

        The current plan is to only sandbox AutoConfig on non-ESR releases.

        My hope is that we can get to a world where any use case you can come up with that requires AutoConfig is handled.

  2. Hi Mike,

    Great work on this. I suggest that you contact the IT departments of companies like Oracle that have Firefox as the default browser (vs. Chrome). Their deployment scenarios should provide you with enough coverage for features baked into FF 60 Beta.

    Good luck with the release.

  3. Any chance you’ll add macOS preference domain (plist) support? We’d love to use a configuration profile (macOS’s equivalent to group policy) to configure Firefox.

  4. Michael Arlt

    Hi Mike,

    many thanks for your posts and cck!

    Is it / when will it be possible to change any about:config setting (with all variants like lockPref, pref, …) e.g. with a generic gpo?

    Is it possible to deny xpi installation for the user and deliver xpi’s as preinstalled without unpacking, examining install.rdf, renaming directory and moving to browser\extensions? I will try policies->Extensions.

    Are the possibilities in gpo and json the same?

    1. Michael Arlt

      generic gpo: unfortunately rejected (github)

      xpi: yes, but the addOns are activated and unpacked into user profile – I prefer delivering via browser\extensions\ folder

      1. Mike Kaply

        I can’t guarantee that putting extensions in browser/extensions will always be supported, but you are free to do that.

        The proper place to put extensions is in the users profile directory.

        1. Michael Arlt

          browser/extensions has two advantages:

          1st: You can ensure which plugins are installed (and which are removed) because you deliver the result with this folder. This is in contrast to the gpo. Since I don’t know how long someone does not use Firefox, I must collect all former addOns in a long gpo absent list.

          2nd: The plugins are not activated

          1. Mike Kaply

            You’ll probably need to continue to use browser/extensions then. There’s no plan to do anything like that (and no other browser supports that in their policy)

    2. Mike Kaply

      There are no plans to make all preferences available via GPO. If you have specific preferences you need, please request them here: https://github.com/mozilla/policy-templates.

      Yes, you can use Policies to deliver an XPI yet deny XPI installation.

      And yes, GPO and JSON are the same.

      1. Michael Arlt

        Yes it’s a pity.

        We deliver about 130 additional settings (security.tls/ssl/warn/OCSP/enable, plugin.state.*, dom.* browser.safebrowsing.*, addOn-configuration, media.*, social.*, webgl.*, services.sync, …).

        The advantage of gpo would be that I can see which settings are removed. But should I report 130 settings?

        1. Mike Kaply

          Yes, please open a bug so we can at least see the list.

          I’m honestly curious as to understand what these things are and why you are changing them. Is the default configuration really that bad?

          You’ll probably end up needing to continue to use AutoConfig.
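
The policy-based delivery discussed in the thread above (ship an XPI by policy while denying user installation, and keep a list of add-ons to remove), shown as an added example that is not part of the original post or comments. It generates a policies.json using the `Extensions` and `InstallAddonsPermission` policies documented in the policy-templates README; the function names, add-on IDs and URLs are constructed placeholders, and the HTTPS-only check is an assumption of this example.

```python
import json
from urllib.parse import urlparse


def build_policies(approved, previously_deployed):
    """Build the policies.json structure.

    approved: {addon_id: xpi_url} for add-ons that should be installed.
    previously_deployed: every add-on ID ever shipped by policy. IDs that
    are no longer approved go on the Uninstall list, so machines that were
    offline for a long time are still cleaned up when they next start.
    """
    for addon_id, url in approved.items():
        # Assumption of this example: XPIs are only fetched over HTTPS.
        if urlparse(url).scheme != "https":
            raise ValueError(f"{addon_id}: XPI source must be https, got {url!r}")
    ids = sorted(approved)
    retired = sorted(set(previously_deployed) - set(approved))
    return {
        "policies": {
            "Extensions": {
                "Install": [approved[i] for i in ids],
                "Uninstall": retired,
                "Locked": ids,  # users cannot disable or remove these
            },
            # Users may not install add-ons themselves.
            "InstallAddonsPermission": {"Default": False},
        }
    }


def render(policies):
    """Serialize deterministically so changes show up cleanly in a diff."""
    return json.dumps(policies, indent=2, sort_keys=True) + "\n"


# Constructed sample data: IDs and URLs are placeholders, not real add-ons.
APPROVED = {
    "adblock@example.invalid": "https://intranet.example/xpi/adblock.xpi",
    "sso-helper@example.invalid": "https://intranet.example/xpi/sso-helper.xpi",
}
EVER_DEPLOYED = ["sso-helper@example.invalid", "old-toolbar@example.invalid"]

if __name__ == "__main__":
    print(render(build_policies(APPROVED, EVER_DEPLOYED)))
```

Keeping the rendered file in version control gives the visibility into removed settings that the thread asks for: a retired add-on appears as a line moving into `Uninstall`.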

  5. Jylppy

    It’s so great that we finally have GPOs for Firefox as well. But I’m a bit confused. If I use GPOs, can (or must) I still use the json file? There are some settings that can’t be modified with the GPO at the moment (or at least I can’t find them, e.g. browser.sessionstore.interval), so do I have to use the json side by side with the GPO or am I out of luck?

    1. Mike Kaply

      The JSON file is only needed on Mac and Linux or if you don’t have Group Policy. If you need to set preferences that are not in GPO, you can still use an AutoConfig file. Also please make sure to let us know what policies you need by reporting it on GitHub or Bugzilla.
