Firefox 60 was released today with support for enterprise policies, including Windows Group Policy. If you’ve followed me or my blog for any length of time, you know that advocating for Firefox in the enterprise has been something that I’ve been doing a very long time.
The first version of the CCK Wizard was released on May 11, 2006 and was for Firefox 1.5
So, to say that I’m happy about this particular release would be an understatement. I’m absolutely ecstatic that Mozilla decided that adding support for enterprise features was important.
But I have to admit something; over the years in my zeal to get enterprise support into Firefox, I’ve encouraged just about every method possible to get customizations into Firefox. As a result, I know there are many installations of Firefox that use methods that are definitely not recommended anymore, especially now that we have real policy support. So, I want to take a moment to encourage everyone:
Please investigate using the new policy manager to replace any method you’ve used in the past, including the distribution directory, AutoConfig and CCK2. If you find things that you are not able to do with the policy engine, please let us know. There’s a possibility that some of these methods might not work in the future, so we’d like to find out now what we need to do to make things working.
If you find bugs or have feature requests, please report them on Github or in Bugzilla.
A couple other notes that might be useful:
- Updates to the policy code and additional policies are being allowed on the ESR. You will not be stuck with the existing implementation until the next major ESR. As we implement policies, they will be uplifted into the next minor ESR update.
- We are continuing to update the policy code to bring it as close as we can to CCK2 functionality.
- We are working on better support for macOS and Linux. We are investigating Managed Preferences on macOS and we are looking into reading the policies.json file from a different location on Linux (etc/opt/firefox).
- MSI is on our radar, but we’re not making any commitments at this time.
So now, let’s address the elephant in the room – CCK2.
First off, to support Firefox 60, I released a new version of the CCK2 yesterday. It’s not perfect, but it fixes some of the major issues (bookmarks and error popups). You should get automatically updated to this release. You’ll need repackage your configurations to get these fixes.
But what about the future?
CCK2 uses AutoConfig as the underlying technology to customize Firefox. We currently have plans to sandbox AutoConfig on Rapid Release starting with Firefox 62. This will mean the CCK2 will definitely not work with Rapid Release starting with Firefox 62.
On the ESR, I plan to keep CCK2 working, but I will not be implementing any new features except as they relate to making it easier to migrate to the policy manager. One example of that is providing the ability to remove all bookmarks added by CCK2. Once Firefox 52 is out of support, I will probably migrate CCK2 to use the policy manager internally. To enable that, we are investigating allow policies to be specified via AutoConfig as JSON files.
I always knew there would come a time when the CCK2 would not work anymore. My biggest concern was that there wouldn’t be a replacement. But I’m confident with the policy management support that we’ve implemented that we can make things even better.
I appreciate the support and encouragement folks have given me over the years with regards to the CCK2. I’m glad that the work that I’ve done will live on in the new policy manager on Firefox.
One final note. You will start to see a lot of my older blog posts disappear. This because I don’t want to recommend people use those methods anymore. The official place to get documentation and support is support.mozilla.org.
Hi, have been waiting for the 60.0 esr (64 bit) release to be able to try out your tool. But I got a “could not be installed because it is not compatible with Firefox 60.0.” Pop-up stop. How do I resolve this?
Thanx from Sweden
The CCK2 extension is a legacy extension so it requires Firefox 52. You use the wizard on 52 ESR, but the results are used with Firefox 60.
Although I do not recommend using the CCK2 if you can use our new policy engine instead.
Hello Mike,
first of all, thank you for all your effort you put in (since years) to make this version finally the start for something hassle-free in an enterprise environment.
But I think itwould be nice to have some clarification because of the different methods that can be used now to customize Firefox (GPO and config-file), so it would be nice to have an answer for the following questions.
1) Is GPO support only on ESR version or on Rapid Release, too?
2) Does the Firefox ESR 60 installer already contain the GPO (.adm or .admx) for Windows or do I have to donwload them manually from Github? If the second one, do I have to manually check for updated GPOs regularly?
3) What is the hierarchical order that Firefox ESR 60 checks for preconfigurations during startup?
So e.g. does it first of all checks GPO and than (CCK2) config files? Will the CCK2 setting only work when the corresponding GPO is not configured?
Would be nice to have some clarification!
Kind regards
Hannes
GPO support is in ESR and Rapid Release. Some policies are ESR only right now.
The installer does not contain the ADMX files. They must be downloaded separately. (This is consistent with other applications).
The order in which configurations are applied is dependent on the configuration, so I can’t give you an answer one way or another. The CCK2 and GPO use different mechanism.
I would not recommend setting any feature in both CCK2 and GPO.
Hi Mike, the link “https://mike.kaply.com/updates/cck2wizard/cck2wizard-latest.xpi” does point to CCK2 version 2.3.5 and not to version 2.4. But after building version 2.4 from github source it can not be installed on firefox version 60.0esr (64 bit) error message “could not be installed because it is not compatible with Firefox 60.0.” (As Gunér already wrote) !!
Do you have a solution for that problem already?
Hello Mike, it would be very nice if you could give me an feedback to my comment above, thanks.
I named the release incorrectly. It should be 2.2.4 and that is the version that cck2wizard-latest.xpi points to.
The CCK2 extension can only be used on Firefox 52. The configuration that is generated works with Firefox 60.
Ok, thank you for clearing up.
You say “I recommend using our policy engine if possible though, not CCK2.”, but the problem is that the current policy engine has a big lack in supported configuration options.
Are there plans to extend the possible configuration options and if yes which and when?
Yes, we are writing new policies now and they will be going into ESR updates.
What policies are missing for you? Have you reported them in GitHub or Bugzilla?
I’m experiencing the same problem reported by Gunér and Wolfgang.
Attempting to install the CCK2 plugin reports:
“could not be installed because it is not compatible with Firefox 60.0.”
I used the following links to download the CCK2.
https://mike.kaply.com/updates/cck2wizard/cck2wizard-latest.xpi noted here:
“First off, to support Firefox 60, I released a new version of the CCK2 yesterday. It’s not perfect, but it fixes some of the major issues (bookmarks and error popups). You should get automatically updated to this release. You’ll need repackage your configurations to get these fixes.”
https://mike.kaply.com/cck2/
Thank
The CCK2 Wizard can only be used on Firefox 52 because it is a legacy extension. It generates configurations that work on Firefox 60.
I recommend using our policy engine if possible though, not CCK2.
I’m working with the policies.json file supported by ESR 60.
Some of the settings are working. Others are not. I suspect a problem with my policies.json file. It is a correctly formatted JSON file, but I think I have keyed in something that Firefox does not like.
Some questionss from the noob.
1. Are you aware of a error/event log that I can inspect for policies.json issues?
2. I assumed settings that are not needed should not be included in the policies.json file. For example, if I don’t need the following:
“BlockAboutAddons”: true
I would not include it in the policies.json file. Is this correct?
3. I assumed that individual settings within, for example, the Homepage: option can be excluded:
Homepage”: {
“URL”: “http://example.com/”,
“Locked”: true,
“Additional”: [“http://example.org/”,
“http://example.edu/”]
}
For example, this (removing the additional parameter) would be a valid entry:
Homepage”: {
“URL”: “http://example.com/”,
“Locked”: true,
}
4. Double quotes are needed to supply an empty value. For example,
“Bookmarks”: [
{
“Title:” “Mike Kaply is the Dude”,
“URL”: “https://mike.kaply.com/category/mozilla/”,
“Favicon”: “”,
“Placement”: [“toolbar”, “menu”],
“Folder”: “”
}
],
I’m sure you are a busy guy. Any assistance will be greatly appreciated.
Some Settings like Deactivation of Auto-Updates only work with Firefox ESR. If you want to use the Rapid Release Version you can’t use all Policies.
Roger that.
Thanks
1. You can turn on policy error logging by setting “browser.policies.loglevel” to “debug” in about:config.
2. Correct. If you don’t need a policy, leave it out.
3. Yes, they can be excluded.
4. You don’t need to supply empty values at all. And for placement, you are choosing between the two values.
I’m working on updating the JSON documentation to be more clear.
Excellent,
Thanks for you help.
Hello Mike,
The setting “browser.policies.loglevel” doesn’t exist in 60.0.1ESR.
I need it to get the AD policy setting “Extensions to install” to work.
Tried to automatically install uBlock Origin but can’t get it to work. Tried installing from the official Mozilla page (https://addons.mozilla.org/firefox/downloads/file/956394/ublock_origin-1.16.6-an+fx.xpi), from our network or even c:\temp but no go.
Got any pointers maybe?
You have to add it explicitly. Right click in about:config, select New->String and add it.
The extension stuff is working in our testing. I’ll be curious as to what the log says.
Yeah, figured that. Problem is we work in a VDI environment that is stateless so need to figure out how to add in in testing before starting Firefox.
Will let you know, thanks.
Were you able to figure this out?
Don’t know why, but in 60.0.2 ESR it works, the add-on installs without problems.
So…yes 🙂
Could you point me in the right direction for how I can add an SSL certificate to a Mac using Policies? I did some Googling, but can’t seem to find the right policy to add to the file.
Thanks for all your help, by the way. You do great work!
We don’t have support for adding certs yet via policy. I’m working on that.
Is there any way to add an SSL certificate to a Mac like you could with CCK2for either Rapid Release or ESR? We need it for our proxy, and having every user manually import it is not going to happen.
This is on the list for the policy manager. Hope to have it soon.
Mike, I have loved your work on CCK2 and knowing that you are part of the Firefox team makes me happy for it’s future.
I assume the policy manager is Windows only since you mention exploring options for Mac and Linux.
You also mentioned looking into Managed Preferences but as you will quickly find out, those are deprecated.
Please look into Configuration Profiles to manage Firefox. That would be easy, accessible, and portable across most any Mac admin team.
Thanks for all you do.
The policy manager is cross platform – we use a policies.json file in the distribution directory on the other platform.
As far as Mac goes, I’m looking at using the same thing Chrome uses (plist file with configuration). Is that configuration profiles?
The bug is here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1445943
So if I read this correctly, AutoConfig is not being deprecated for normal settings?
But what about stuff in custom.js and firefox.js?
custom.js is in %installdir%\defaults\pref\ and contains general.config.filename.
firefox.js is somewhat larger. It refers to an url with autoadmin.global_config_url, but it also has a couple of functions for new profiles. Of course I nicked this script from your website.
There is more than just certificate stuff in %installdir%\browser\defaults\profile.
It’s great there is finally done something about Firefox in the enterprise like this. I’m also asking what I should ask for in new policies. Do we want to cover most use cases and should I put all my missing things on github? I kinda want to move away from autoconfig, because of my deployment options. I never use GPOs, I always deploy the registry settings those GPOs set.
In your example, firefox.js is an AutoConfig file and will only support the standard API on Rapid Release. It will continue to work as expected for ESR.
As far as new policies, yes, please request them on Github.
Hi,
is it possible to add preferences with policy manager ?
We don’t allow arbitrary preference setting. We want to add policies for the things most people need to do. Please open issues at https://github.com/mozilla/policy-templates/issues/ for things you think are missing. You can also continue to use AutoConfig for preferences.
Hi there
First of all, the policy engine works great.
– But I can’t find the policy to configure “about:config” Settings, is there any possiblity?
Best regards
Sam
We don’t allow arbitrary preference setting. We want to add policies for the things most people need to do. Please open issues at https://github.com/mozilla/policy-templates/issues/ for things you think are missing. You can also continue to use AutoConfig for preferences.