A lot of people ask me how to manage Firefox using Windows Group Policy. To that end, I have been working with a company called PolicyPak to help enhance their product to have more of the features that people are asking for (not just controlling preferences.) It’s taken about a year, but the results are available for download now.
You can now manage the following things (and more) using PolicyPak, Group Policy and Firefox:
- Set and lock almost all preference settings (homepage, security, etc) plus most settings in about:config
- Set site specific permissions for pop-ups, cookies, camera and microphone
- Add or remove bookmarks on the toolbar or in the bookmarks folder
- Blacklist or whitelist any type of add-on
- Add or remove certificates
- Disable private browsing
- Turn off crash reporting
- Prevent access to local files
- Always clear saved passwords
- Disable safe mode
- Remove Firefox Sync
- Remove various buttons from Options
If you want to see it in action, you can check out these videos.
And if you’ve never heard of PolicyPak, you might have heard of the guy who runs it – Jeremy Moskowitz. He’s a Group Policy MVP and literally wrote the book on Group Policy.
On a final note, if you decide to purchase, please let them know you heard about it from me.
In the next few weeks, I’ll be sunsetting the original CCK Wizard and removing it from AMO. It really doesn’t work well with current Firefox versions anyway, so I’m surprised it still has so many users.
If for some reason you’re still using the old CCK Wizard, please let me know why so I can make sure what you need is integrated into the CCK2.
I’m also looking for ideas for new posts for my blog, so if there is some subject around deploying or customizing Firefox that you want to know more about, please let me know.
If you haven’t checked out the CCK2 lately, you should.
One of the coolest features I’ve added recently is the ability to hide things on any arbitrary window that is opened by Firefox. For instance, if you want to hide the bottom box in the about dialog, you can add “#aboutDialog #bottomBox” to the hidden UI section. You can also use it to hide arbitrary content in about:addons. I’ve also done major work on the clipboard capabilities API, so it should be more robust. There have also been quite a few bug fixes. You can keep up on all the latest changes here.
Download the latest CCK2 by clicking here.
If you want to request a feature, you can do so on the CCK2 support site. Priority for any requests is given to paying customers.
And if the CCK2 saves you time and money, please consider getting a support contract. It ensures that I’ll be able to keep working on the CCK2.
I get asked a lot how to disable certain buttons in preferences like Make Firefox the default browser or the various buttons in the Startup groupbox. Firefox does have a way to disable these buttons, but it’s not very obvious. This post will attempt to remedy that.
These buttons are controlled through preferences that have the text “disable_button” in them. Just changing the preference to true isn’t enough, though. The preference has to be locked, either via the CCK2 or AutoConfig. What follows is a mapping of all the preferences to their corresponding buttons.
General->Use Current Pages
General->Restore to Default
Advanced->Update->Show Update History
Advanced->General->Make Firefox the default browser
As a bonus, there’s one more preference you can set and lock – pref.downloads.disable_button.edit_actions. It prevents the changing of any actions on the Applications page in preferences.
I just want to take a moment to remind everyone that the Firefox 24 ESR will be officially replaced by the Firefox 31 ESR this coming Tuesday, October 14, 2014. At that time, the Firefox 24 ESR will be unsupported. Firefox 24 ESR users will be automatically upgraded to the Firefox 31 ESR.
I would hope by now everyone has tested with the Firefox 31 ESR, but if you haven’t, it might be time to start.
The CCK2 has been fully updated to work with Firefox 31 and beyond.
On another note, there are major packaging changes coming to Firefox on Mac due to changes to the way applications are signed. You can read more about it in this bug. This will primarily impact the locations of autoconfig files, preferences and the distribution directory. I’ll try to find some time soon to document these changes.
One of the things that I get asked the most is how to prevent a user from accessing the local file system from within Firefox. This generally means preventing file:// URLs from working, as well as removing the most common methods of opening files from the Firefox UI (the open file button, menuitem and shortcut). Because I consider this outside of the scope of the CCK2, I wrote an extension to do this and gave it out to anyone that asked. Unfortunately over time it started to have a serious case of feature creep.
Going forward, I’ve decided to go back to basics and just produce a simple local file blocking extension. The only features that it supports are whitelisting by directory and whitelisting by file extension. I’ve made that available here. There is a README that gives full information on how to use it.
For the other functionality that used to be a part of FileBlock, I’m going to produce a specific extension for each feature. They will probably be AboutBlock (for blocking specific about pages), ChromeBlock (for preventing the loading of chrome files directly into the browser) and SiteBlock (for doing simple whitelisting).
Hopefully this should cover the most common cases. Let me know if you think there is a case I missed.
When I originally came up my CCK2 support options, I thought that folks would use the basic support option as a way to simply show their support for the CCK2. It hasn’t really turned out that way, and so effective immediately, I will no longer offer the CCK2 basic support option. I’m simply not getting enough business at that level to warrant the overhead.
Anyone that has already purchased basic support or is in the process of purchasing it will still receive the rest of their 1 year term. After that expires, they will have to choose the free or premium support option.
As far as premium support goes, I’m not planning any changes to that right now, but honestly it hasn’t been as successful as I thought it would. I know there are hundreds of companies using the CCK and CCK2, so I’m surprised how few are willing to pay for your support. If anyone has any suggestions on things I can do to encourage folks make the support more appealing, I would appreciate them.
I’m continuing to update the CCK2, so make sure you grab the latest version (2.0.12). There were some update issues, so not everybody was updated.
One of projects I’ve been working on is Webconverger. Webconverger is an open source Linux-based kiosk that uses a customized version of Firefox as the user interface.
Webconverger is a great choice if you are setting up a kiosk or digital signage. It can be quickly and easily deployed on any type of machine. It works especially well on legacy hardware because of its low resource requirements. It can even be installed onto a USB stick and simply plugged in to an existing machine.
The configuration for the kiosk is downloaded from a server allowing you to customize your kiosk remotely and it will pick up your latest changes. It has a full featured API that allows you to do things like customize the browser chrome or whitelist certain sites. Plus it even stays updated automatically if you choose by downloading the latest version in the background.
If you’re looking for a kiosk or digital sign solution, I would definitely recommend checking it out. Go to Webconverger.com for more information or email email@example.com.
I just learned that Firefox 31 contains a new Certificate Verification Library.
If you are running into certificate errors with Firefox 31 that were not happening before, it is important that you report them as soon as possible.
It’s also important that you test your infrastructure as soon as possible.
More information about this change can be found in this blog post and this Wiki article.
More information about testing can be found in this Wiki article.
If you run into problems you can change the preference security.use_mozillapkix_verification to false and this will turn off the new verification.
This is not recommended, though, because the old code will be removed in Firefox 33, so we need to make sure we get any problems worked out.
In my previous post about the Firefox 31 ESR, I missed one other big change; most plugins will be click-to-play by default. You can read more about things in this blog post, but the gist is that click-to-play will be the default for plugins except for Flash and plug-ins that have been accepted onto the whitelist. You can view the current whitelist here.
If you have a plugin that you use within your organization and you need to make sure is enabled, you have a few choices.
- Change the plugin.default.state preference back to 2 so that the default is not click-to-play.
- Add a preference specific to your plugin that makes it enabled by default. The format is plugin.state.FILENAME where FILENAME is the filename of the plugin, lowercased with no extension and trailing numbers removed. So for instance, on Windows, the preference for Adobe Acrobat is plugin.state.nppdf and should be set to 2. The preference name will be different for different operating systems.
- Use the CCK2 to enable your plugin for a specific domain.
- Use the Click-to-Play Manager extension to enable your plugin for a specific domain.