Firefox for Enterprise Community Forum

I am trying to use group policy to block all extensions from being installed and only allow approved extensions.

I have followed the article:

https://firefox-admin-docs.mozilla.org/reference/policies/extensionsettings/

And here is my JSON config but it doesnt seem to be working and I can still install any extension.

{

 "*": { 

"blocked_install_message": "Please email the IT Helpdesk if you think an extension should be unblocked.", "installation_mode": "blocked" }, "com.abr.startapp@adminbyrequest.com": { "installation_mode": "force_installed", "install_url": "https://addons.mozilla.org/firefox/downloads/latest/admin-by-request/latest.xpi" } }

Please can anyone advise or confirm if this is a bug.

We are using firefox version 147.0.4 (64-bit)

Thanks

Hi,

When switching from FF 128esr to 140esr our customers noticed a massive impact in performance for certain webapplications. All Applications effected heavily use pdf-files, users are working mostly exclusive in firefox. Performance is ok when the day starts but gets bad fast. Sooner or later working is no longer possible and firefox needs to be restarted.

The users work on Citrix Desktops, but difference in performance is also seen in Firefox localy (not as bad but its there). Cross-tests with another browser are not possible, because the application works only in FF.

We tried removing almost all policies effective to rule out a specific hardening setting We tried every setting we could find linked to cache (as it seemed related to that) but without success. We collected logs with the Firefox-internal Tools but could not identify a specific Problem.

Any Help is apreciated, thx in advance

Hello, For FF on Linux running in KIOSK mode, is there a way to allow the user to perform a refresh like you can do in normal mode by pressing F5 ? This seems to be disabled in KIOSK mode.

Thank you, Tom

We are currently rolling out a profile management solution based on Ivanti User Environment Manager. In order to configure file includes and excludes in the profile management tool, we have to “standardize” the Firefox profile path in the filesystem. We have implemented a PowerShell script, which reads the currently used profile from %appdata%\Mozilla\Firefox\install.ini, renames the appropriate profile subfolder to “firefox.default-esr” and replaces the entries in installs.ini and profiles.ini.

The script seems to be reliable. However, for around 10% of the users, we are seeing issues when the user launches Firefox after the “firefox profile migration” happened. Firefox opens but none of the GUI controls is accessible. Firefox is completely unusable. See screenshot attached.

We do have workarounds to resolve this issue, such as completely wiping the %appdata%\Mozilla\Firefox folder and let Firefox re-build everything from scratch. But we are still trying to find the root cause the issue, because our customers have more than 100k clients, what will be a big impact and hard to handle for the helpdesk.

We are currently unable to reproduce the issue on test clients. Even copied Firefox profile folders form affected clients don’t show the issue on other clients.

Therefore we want to find out and ask for your help:

- Is there a supported way to “standardize” the filesystem folder name of the Mozilla Firefox (ESR) profile of a user? - What are the files within a Firefox profile that are required for the profile and the application itself to properly start? - Do you have any idea which files in a Firefox profile (in a corrupted state) could cause our issue?

I would like access to Firefox Stories but the policy setting for FirefoxHome Stories is false. How do I get to these settings to change the false to true?

Until about a week ago the stories showed up on the New Tab. There is a side section on New Tab for customizing and the section had an option to see the stories. Now that section has no reference to the option.

Any suggestions?

Thanks,

There is a enterprise download for windows and Apple but i do not see a download option for Linux from this site. https://www.firefox.com/en-CA/browsers/enterprise/

But there is a download for the ESR version from https://ftp.mozilla.org/pub/firefox/releases/

Is there a reason why Linux is not on the main enterprise download page ?

Cree una política para filtrado web donde bloquea por ejemplo páginas de juegos de azar, sin embargo, varias páginas las está dejando abrir, para contrarestar eso, por medio de indicadores bloquee las páginas que deja pasar pero aún así está dejando abrir ciertas páginas, por ejemplo betplay, para solventar eso apliqué una política de filtrado web, para esto importé el admx de Mozilla, sin embargo en Mozilla todavía está dejando entrar a esa página.

Is there a way to push a policy that will allow device and apps and local netwrok access via MDM (https://support.mozilla.org/en-US/kb/control-personal-device-local-network-permissions-firefox)? We need to allow Firefox to access an app agent that is running on a device via localhost. We would like to do it with a macOS profile, Windows GPO and a json policy for linux. I can't seem to find this setting in policy templates.

How to disable Firefox add-ons in order to block to install temporary extensions. I am generating policies via Firefox Policy generator. {

 "name": "myconfig",
 "time": "2025-12-14T13:17:27.479Z",
 "configuration": {
   "arrayfields": {},
   "checkboxes": {
     "BlockAboutAddons": true,
     "BlockAboutConfig": true,
     "BlockAboutProfiles": true
   },
   "input": {},
   "textareas": {},
   "select": {}
 }

}

Hello Everyone,

I am seeking assistance to configure Firefox browser so that internet access is blocked when the browser cannot download or access the proxy Auto-configuration (PAC) file. Our organisation enforces all web traffic through proxy servers defined by a PAC file. For compliance and security reasons, users should not have any direct internet access unless the browser is able to successfully retrieve and apply the PAC file.

The desired behaviour is:

1. Firefox attempts to download the PAC file from a defined URL. 2. If the PAC file is unreachable or fails to load (e.g., due to network restrictions or the device being outside the corporate network), Firefox should "fail closed" - meaning it should not allow any direct internet traffic. 3. This is effectively a "fail-block" mode: no fallback to direct connections, and no cached or bypassed proxy settings should allow internet browsing.

This behaviour is critical to prevent devices from accessing the internet without applying corporate proxy rules. I would like to know:

1/ Whether Firefox currently supports a setting or policy that enforces this fail-block condition when the PAC file is unavailable. 2/ If not, whether there are recommended configurations or enterprise policies (e.g., via `policies.json` or Group Policy templates) that could achieve equivalent enforcement.

Thank you for your assistance and guidance.

I've been struggling for months to standardize a deployment of Firefox ESR across various client environments that reliably auto-updates and doesn't cause UAC prompts and XULRunner profile error pop-ups(I work in IT).

We deploy Firefox ESR in bulk on machines via a batch script which runs as SYSTEM, with msiexec /i and /qn flags.

Firefox installs fine, but then users are typically met with a UAC prompt when they first try to run Firefox. If they decline, then the UAC prompt comes back again next time and often fails to update at all, so the machine is left on an older, vulnerable version.

Regarding the environment: we have deployed the Firefox ESR admx templates and enabled the relevant auto update settings in Group Policy. But only some machines seem to stay up to date, and it seems like this only happens if a user with local administrative privileges has run the program at least once.

What I find unusual is that Firefox seems to attempt to make a "Background Updater" scheduled task for every user that runs the software on each PC, but these users do not have administrative privileges, and the scheduled task is set to only run when that user is logged in. Obviously a scheduled task running as a user with limited privileges isn't going to be able to update files in the Mozilla/Firefox subdirectory in "Program Files" as by default that's read-only access for non-admin users. And, obviously, if a user with local admin privileges DOES log into the machine, then it can update once, but then the scheduled task that it creates for that user (now with admin privileges) will only run when that user logs in - and we don't login as "admin"-privileged users day-to-day.

So, various machines are out of date, running vulnerable Firefox 128 instead of 140 or 142 even though they're all deployed from the same image and have the same policies and restrictions, and ran the same installer for Firefox.

Is there some reason why the auto update scheduled task isn't created at installation time, when administrative privileges have been granted? It's very odd that it doesn't, because then every time a user logs into a machine it seems like Firefox ESR creates the background upgrade task under a non-admin user which simply won't work. I see machines having 4 or 5 background upgrade scheduled tasks, all created by Firefox ESR, and yet the software still won't update - there's a UAC prompt every time the program launches, and going to Help -> About shows "Restart Firefox to update..." but then when clicking the button to restart Firefox, we get the UAC prompt, user doesn't have privileges, so this goes around and around in circles.

Is there a reliable way to keep Firefox up to date without manually logging into each machine and going through the UAC prompts? Can we manually create a scheduled task with the correct user account that has privileges to actually upgrade Firefox?

The background auto update mechanism simply doesn't make sense to our team on a machine-wide install.

I previously posted this question: https://support.mozilla.org/en-US/questions/1495577

Asking how to use the "intl.accept_languages" setting within the JSON for the new preferences setting within group policy.

A moderator posted this as a comment which I have only just noticed: "The value is a string, so it has to be in quotes "en-GB"" - the post is now too old for me to reply.

I'm still having issues using this setting even after putting the name in quotes. I've tried:

"intl.accept_languages": { "Value": "en-GB", "Status": "user" }

"intl.accept.languages": { "Value": "en-GB", "Status": "user" }

But neither work, please can someone clarify what exactly needs to be used within the JSON?

I would like to know how the Firefox CVEs are affected on its version which are mentioned in NVD.

Let take mfsa2025-59, for example CVE-2025-8040, as per the NVD its says Firefox ESR < 140.1 is affected so does that mean it affect all the version which are lower than 140.1 which included the ESR 128 and ESR 115 versions or just the ESR 140 version series? then it raise on more question check this cve-2025-8029 in NVD it has specifically mentioned it only affect "Firefox ESR < 128.13, Firefox ESR < 140.1" and not the ESR 115 versions. Could anyone confirm it does not affect the ESR 115 versions or it affect all the versions? Now check this one cve-2025-8027, NVD clearly mentioned "Firefox ESR < 115.26, Firefox ESR < 128.13, Firefox ESR < 140.1" are affected so what I understand is that if the Firefox ESR 115 is vulnerable to any CVE it would be mentioned in the NVD specifically.

My point is that if any Firefox CVEs are listed in NVD and it specify only one version like “Firefox ESR < 140.1” what does that mean? Does it affect all the versions which include ESR 128 and ESR 115 or just the ESR 140 series version only affected? If any CVEs are affected on the ESR 115 and ESR 128 does Mozilla specifically mentioned those versions are affected right? Just like its mentioned in the cve-2025-8027

Any help would be appreciated to clarify this.

I am working on a stig for Mozilla Firefox and I'm trying to do a scap compliance scan but or some reason I am getting a score of zero on all systems. We do patch regularly and at some point one of the version upgrades caused our compliance scans stopped working. I need a fix and cannot find anything when searching for this issue.

GNU nano 8.6 /etc/firefox/policies.json {

 "policies": {
   "DisableFirefoxStudies": true,
   "DisableTelemetry": true,
   "DisableSystemAddonUpdate": true

   "Preferences": {
     "app.normandy.enabled": false,
     "app.shield.optoutstudies.enabled": false,
     "extensions.autoDisableScopes": 15
    }
  }
} Hidden modifications to settings and extensions is absolutely not OK!!!!!!

This is a security environment.

I know nothing about the dev options for Internet settings and minor turned on and it says the remote server is set to production. No flipping idea what this is. Can somebody please help me?

I am logged on to my Credit Union and attempt to download my statements. When using Firefox I get the message: {"Errors":["Authorization has been denied for this request."]}

When I contacted my CU, they said to add an URL to the Manage Exceptions. This worked, but I want to know why Firefox needs this but Chrome doesn't.