Firefox for Enterprise Community Forum

I've been tasked with removing Firefox from all Windows workstations in our enterprise environment. Our users don't have local admin, so when they install Firefox, it is installed in the user's profile.

I've just installed Firefox 143.0.1 in my own user profile for testing purposes. However, when I attempt to uninstall, either from Control Panel or by running %localappdata%\Mozilla Firefox\uninstall\helper.exe manually, UAC prompts for elevation, even though I installed without elevating.

I've dug in a bit more, and I found this was an issue five years ago as well:

https://support.mozilla.org/en-US/questions/1286070

According to that post, the issue was resolved, but it seems to have come back.

Any help would be appreciated.

Hello, Mozilla community.

I am trying to configure a Firefox ESR installation so that every new user on a computer automatically receives a visual customization (a logo change on about:home) through userChrome.css and userContent.css files.

My goal is to do this without using Group Policy (GPO) or logon scripts, by only modifying the files in the Firefox installation folder.

Environment:

Firefox Version: Firefox ESR 140.3.0esr

Operating System: Windows 11 Pro

Context: Standalone machine, managed without Active Directory.

My Question:

Is this method of deploying a default profile via installation files (defaults/profile or distribution.ini) still supported in recent versions of Firefox ESR?

Is there an additional step or configuration I am missing for Firefox to recognize and use the bundled profile when creating a user's first profile?

Is there any policy in policies.json that could be interfering or that is required to enable this behavior?

Thank you very much for your help and your time.

Recently we've began installing Firefox 140.2.0esr to our environment via the .msi file that Mozilla provides, however we're running in to a very odd incident.

After approximately 24 hours from installing Firefox esr to devices, it appears that the application is "updating" to 141.0.3 on the "release" channel. As far as I'm aware, this shouldn't be possible to begin with. But we've applied these settings via GPO:

Computer Config > Policies > Admin Templates > Mozilla > Firefox Application Autoupdate = Disabled Pin updates to a specific version = Enabled = Set to 140.2.0 Background updater = Disabled Disable Update = Enabled Manual Update Only = Enabled

After applying the GPO, confirmed this appears within the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\ AppAutoUpdate = 0 AppUpdatePin = 140.2.0 BackgroundAppUpdate = 0 DisableAppUpdate = 1 ManualAppUpdateOnly = 1

At this point, I'm at a loss. We cannot have rapid release be what's installed in our environment. Is there something broken with 140.2.0 or are we doing something wrong here?

We have Firefox deployed and managed through Intune/Endpoint and all works well but every device has an error with this line of the policy:

UserMessaging_FirefoxLabs [./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~UserMessaging/UserMessaging_FirefoxLabs] STATE Error SOURCE PROFILES Source Profile Mozilla_Firefox_Configuration ERROR CODE 0x87d1fde8

The error code is the same on all devices and is the only one present in on each device config.

Does anyone have any idea what the issue and resolution would be?

Thanks, Matt

Hi All, I want to block traffic on firefox externally for managed devices via Intune, following the import of the ADMX/ADML files into intune.

Having read https://support.mozilla.org/en-US/kb/managing-firefox-intune I have set '\Mozilla\Firefox\Exceptions to blocked websites' to the following; //*.mydomain.com/*

Which works, however, I also want to add hosts that are only resolving on IPs and not DNS. I can add specific IPs if known, but is there a way I can allow IP ranges? Ie

//10.10.*/* (this doesn't currently work) Of the included screenshot, only the wildcard for mydomain.com and the specific IP currently work

I've looked over the link that is recommened in the policy (indirectly) and can't see an option for allowing an IP range. https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Match_patterns

If there is a better way to do this via intune for firefox only, please let me know.

Thanks

I am having the same issue as this other user here: https://www.reddit.com/r/sysadmin/comments/17wvuwh/help_pinning_extension_in_firefox_with_gpo/

Preliminaries -- Initially (before trying to force-pin), I had these GPOs enabled:

Extensions to Install -> https://addons.mozilla.org/firefox/downloads/file/4410896/bitwarden_password_manager-2024.12.4.xpi

Prevent extensions from being disabled or removed ->

• {446900e4-71c2-419f-a6a7-df9c091e268b}
• {3f6129fb-6c55-4452-ab6f-7c109b2301df}
• https://addons.mozilla.org/firefox/downloads/file/4410896/bitwarden_password_manager-2024.12.4.xpi

(Those GPOs above all work.)

What I'm trying to do: Force-pin Bitwarden.

I believe I've followed the documentation correctly (except for not including a "*" case): https://mozilla.github.io/policy-templates/#extensionsettings

I've enabled this GPO with this value:

Extension Management ->

{

 "{446900e4-71c2-419f-a6a7-df9c091e268b}": {
   "default_area": "navbar"
 }

}

After running various "GPUpdate"s and whatnot, the option to uncheck "Pin to toolbar" is still available to click.

I've verified in "about:policies#active" that the JSON item appears next to "ExtensionSettings" and that there are no errors listed in the "Errors" tab.

I've also verified that it appears in the correct location in the Registry.

Since another user had the same issue (Reddit link above), I figured it'd be a good idea to check in with y'all to see if we are missing something.

Thanks for your help!

Firefox version

   128.2.0esr (64-bit)

Operating system

   Windows 10/Windows11 23H2 Septembre patch

Hello everyone,

maybe you can tell me/explain what the problem could be.

In our company we had Firefox version 115.14.0esr (64-bit) and then we updated to 128.2.0esr (64-bit).

Since version 128.2 ESR we have experienced problems in Firefox when trying to access DNN+ pages (with login). https://www.dnn.de/sport/regional/dresdner-sc-denkt-ueber-uebernahme-der-margon-arena-nach-C3IC74MZ6FE43AKGCZJSKUXA3I.html

In Firefox the content is cut off, in Edge it is displayed normally.

With Edge and Firefox 115.14.0esr the page is displayed normally. No AdBlock installed.

In developer mode I see the errors in the versions, so it shouldn't be that.

Cross-source (cross-origin) request blocked: The same-source rule prohibits reading the external resource on https://gum.criteo.com/sid/json?origi...AAAAAAAA&gdpr=1. (Reason: CORS request failed). Status code: (null).

Cross-source (cross-origin) request blocked: The same-source rule prohibits reading the external resource on https://id5-sync.com/api/config/prebid. (Reason: CORS request failed). Status code: (null).

Any ideas? Thank you very much! :)

I am trying to manage Firefox for company devices via Intune and would like to know if there is a way to uninstall all extensions/add-ons besides one or two approved ones.

I have been able to import the Firefox AMDX into Intune and have made a policy to install uBlock (which works without issue) and I can uninstall specific extensions/add-ins via their Extension ID (also without issue), however I can't see a way to uninstall all extensions. If I try and put a wildcard in the Extension ID field, nothing is affected.

We have a large number of devices with their own user-installed extensions so auditing this and then updating a policy manually with specific extension IDs may be quite painful.

Is there any parameter or group policy similar to Chrome "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls]", as we implemented application with Certificate sign-in, it pop-up every time when navigating to different on-prem servers, we enabled Group policy for MSEdge & Chrome, but need to do same for Mozilla Firefox.

I need expert advice on this subject matter.

Regards,

Kamal Kiri

the settings ExtessionSettings does not show up to be able to modify even tho it is on the ADMX file (5.11)? Should I use the older Extensions policies? I want to install and pin an extension from the store.

I'm a security analyst. I would like to get email notifications on security advisories, alerts and vulnerability information regarding Firefox to stay up to date. Please help on how I can get the subscription?

Hello,

I am trying to create a management policy for extensions where all themes are allowed, some extensions are force installed, other specified ones are allowed, and anything else is blocked. I have been scouring the web looking for samples and I just can't get it to work as intended. Here is a sample of what I have written.

{ "*": { "blocked_install_message": "IT has blocked the installation of UNAPPROVED add-ons. Please contact the IT Service Desk to request approval.", "install_sources": "https://addons.mozilla.org/*", "allowed_types": ["theme","extension"] }, "plugin@okta.com": { "installation_mode": "force_installed", "install_url": "https://addons.mozilla.org/firefox/downloads/file/3601147/okta_browser_plugin.xpi" }, "support@lastpass.com": { "installation_mode": "force_installed", "install_url": "https://addons.mozilla.org/firefox/downloads/latest/lastpass-password-manager/latest.xpi" }, "developer@zoom.us": { "installation_mode": "allowed", "install_url": "https://addons.mozilla.org/firefox/downloads/file/4212428/zoom_new_scheduler-2.1.52.xpi" }, "info@katalon.com": { "installation_mode": "allowed", "install_url": "https://addons.mozilla.org/firefox/downloads/file/3826743/katalon_automation_record-5.5.3.xpi" } }

In this current state, I am allowed to install themes, I get the forced installs, but I can install ANY extension. I don't want that.

If I modify the blocking section with [ "installation_mode": "blocked", ], then I only get the force installed plugins and I can't do anything else. It even removes any previously installed themes or plugins not explicitly forced in. The allowed plugins can't be installed either.

I have also tried it without the "extensions" allowed_type but the result did not change. To recap, I need to block any extensions not explicitly pushed or allowed. Would anyone be able to assist and point out what I may be missing please?

~Regards

Dear Everyone, Facing issue with deploying Configuration Profile for Extension Settings via Intune. Tried ADMX imported template with adding there "block all extensions" and allow certain ones. Worked perfect in Jamf, for Intune failing all time. We are using Firefox v.121, policies are for v.120, but I am in doubt that this is the issue. Can someone review and let me know if there any issue or may be changes? Using latest instructions https://mozilla.github.io/policy-templates/#extensionsettings Also here is my OMA, very easy.

OMA used ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Extensions/ExtensionSettings

Value(string):

<enabled/> <data id="ExtensionSettings" value=' {

 "*": {
   "blocked_install_message": "Security Test",
   "installation_mode": "blocked",
   "allowed_types": ["extension"]
 },
 "{bf855ead-d7c3-4c7b-9f88-9a7e75c0efdf}": {
   "installation_mode": "force_installed",
   "install_url": "https://addons.mozilla.org/firefox/downloads/latest/zoom-new-scheduler/latest.xpi"
 },
   "@react-devtools": {
   "installation_mode": "allowed"
 }

}'/>

We are working on implementing Firefox for Enterprise and rolling it out through Intune/Company Portal, one challenge we are encountering is that we have disabled Pocket as thoroughly as we can (followed the guide from Mozilla https://support.mozilla.org/en-US/kb/disable-or-re-enable-pocket-for-firefox) and we are still seeing requests go out to "img-getpocket.cdn.mozilla.net" we do not want Pocket available at all, we do not want queries made to those domains, is it not possible to completely eradicate Pocket?

It wouldn't be a problem but our AV solution (MDE) has a popup every time the URL is queried and blocked.

Attached image of our configuration profile for Pocket.