Firefox for Enterprise Support Forum

We try to deploy Extension Management Settings via GPO.

Goal is to allow only whitelisted extensions, but don't block themes, dictionaries and locales.

Below find the JSON-settings deployed to the client, which should allow all themes and whitelisted extensions. Unfortunately this blocks everything except whitelisted IDs. See example screenshot with error-message, when trying to install a theme. We don't want to whitelist locales or themes, they should be still allowed for installation.

What I'm doing wrong? - Thanks for your feedback.

##############

{
"*": {
"installation_mode": "blocked",
"allowed_types": ["theme"]
},
"uBlock0@raymondhill.net": {
"installation_mode": "allowed"
},
"jid1-ZSMfwe4lCAw9oQ@jetpack": {
"installation_mode": "allowed"
}
}

I am pushing out bookmarks company-wide through Intune on users Laptops. I spoke with Microsoft support and the configuration policy is created correctly and I followed Firefox's support page in creating them. It seems that the new JSON script that tells Firefox what bookmarks is unable to parse.

Anyone know if Firefox had an update that prevents intune from sending the JSON file?

Error message given through firefox.

"Unable to parse JSON for ManagedBookmarks"

I work in an enterprise environment. We have certain requirements that we must maintain for our system to maintain accreditation. One of these requirements is to prevent the installation of add-ons using the policies.json file.

We are also trying to develop an extension that adds banners to each page the user interacts with. I understand this can be loaded using the process [https://support.mozilla.org/en-US/kb/deploying-firefox-with-extensions|he...] and does not have to be signed following this [https://support.mozilla.org/en-US/kb/install-system-add-ons-firefox-enter...] .

My question is, before embarking on the journey to create this web extension, can it still be installed following the enterprise process, despite being denied by default by the policies.json? Or is there a way to allow for the extension to be installed by changing the policy?

Been managing bookmarks for users through Intune, but for some reason on my HP Elitebook 840 I keep getting an error "Unable to parse JSON for ManagedBookmarks" I haven't changed anything to the bookmarks before swapping to the HP laptop from a Dell 5410. I have double-checked GitHub for the proper string for bookmarks and everything looks to be correct as well as submitting a support case with Microsoft who checked it and say it is something on Firefox's side that needs fixing.

I am also constantly getting this unknown extension setting. Not sure why I have this or where I can remove it.

ExtensionSettings {"firefoxhpsureclicksecurebrowsing@bromium.com":{"installation_mode":"blocked"},"firefoxhpwolfsecurityextension@bromium.com":{"installation_mode":"blocked"}}

We have Firefox-ESR in use and we are using Applocker.

When we enable applocker dll Rule policys and start https://shaka-player-demo.appspot.com page clearkey addon crashes.

We have allowed widevinedrm.dll in applocker rule policys, and we have used Process Monitor to track which dll file / files are being "locked" but we cant seem to pinpoint it.

Where does Firefox-ESR run DRM content and which dll files are needed to run ?

What we know that it is caused by applocker DLL rule policys, when disabling it clearkey addon does not crash and drm content can be played.

Also Applocker eventlogs does not show anything related to this.

br Ben

Hello. I have trying to test a GPO this week that will lock down the use of extensions. In summary we are shifting to a complete "deny all/allow by exception format".

As a reference I have been using the below article as my source on how to set this up. https://github.com/mozilla/policy-templates#extensionsettings

After reading through the article the base example they have works flawlessly. I have put this base example below.

{

 "*": {
   "blocked_install_message": "Custom error message.",
   "install_sources": ["https://yourwebsite.com/*"],
   "installation_mode": "blocked",
   "allowed_types": ["extension"]
 },
 "uBlock0@raymondhill.net": {
   "installation_mode": "force_installed",
   "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
 },
 "https-everywhere@eff.org": {
   "installation_mode": "allowed"
 }

}

The minute I try to change it though the whole thing breaks. For context, I have tried adding 1 password as a forced installed add in, and also try placing it below under allowed. See my example below of the one where I am putting it is allowed. Any idea of what I am doing wrong?

{

 "*": {
   "blocked_install_message": "Custom error message.",
   "install_sources": ["https://yourwebsite.com/*"],
   "installation_mode": "blocked",
   "allowed_types": ["extension"]
 },
 "uBlock0@raymondhill.net": {
   "installation_mode": "force_installed",
   "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
 },
 "*": {
   "installation_mode": "force_installed",
   "install_url": "https://addons.mozilla.org/firefox/downloads/latest/1password-x-password-manager/latest.xpi"
 }

}

I have one extension to be installed on the enterprise network machines. There are host permissions required to access All websites data. How can I, as an Admin, enable this host permissions for the installation ?

Hi there,

we trying to restrict internet access that used Mozilla Firefox on client computers through Microsoft Intune.

We have already configured policy by uploading ADMX template & Custom OMA-URI as described in https://github.com/mozilla/policy-templates/blob/master/README.md 

We are trying to add custom allowed web sites to "WebsiteFilter" OMA-URI ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/B_WebsiteFilter_Exceptions. added web sites are not allowed. my question is what is the best way to enter URLs (I mean format) to allow list & how I can used wild card to allow all the web sites of one specific domain. eg:- microsoft

I am looking for information regarding the support life for settings that are defined in the Preferences (Deprecated) section of the ADMX templates provided in GitHub. There doesn't appear to be a definitive answer as to when these preferences are no longer applicable to a version of Firefox. The term "Deprecated" certainly applies they're on their way to extinction. But only a small handful of preferences have been ported over to non-deprecated template settings (like Auto Update). Is there an expected version of Firefox where all these preferences are meaningless? Or will they be supported indefinitely? "Industry recommendations' from 3rd party security vendors are bloating my policies in the domain space and I can't definitively say they are 'no longer supported as of version xyz' for all these Firefox Preference settings, which happen to be about 80% of the security parameters defined by STIG and/or CIS Workbench.

in our organisation i need several domainnames to be added in network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris, so that sso for some webapplications is working. some are allready in the list. when i make changes to the list, everything is working ok, but when i clos all mozilla windows and restart mozilla, the changes are gone.

Hello,

I have a problem with a pac file in our org. We download it from a server. The basic functionality is applied and it does redirect the desired traffic to the proxy. The problem occurs when the proxy goes down, it then should automaticaly start making direct connections, but the connections fail. We want to proxy only http and https and event that with some exceptions.

It was done according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_PAC_file#example_6

Is there any problem with PAC file or does the browser have issues with the config?

Thanks for any help.

function FindProxyForURL(url, host) {

   /* Our proxy list */
   OURPROXY = "PROXY 172.22.59.X:3128; DIRECT"
   INOUR = "ourgroup.internal"

   /* Normalize the URL and HOST for pattern matching */
   url = url.toLowerCase();
   host = host.toLowerCase();

   /* Our Network Entry */
   if (isResolvable(INOUR)) {
       /* Don't proxy local services */
       if (isInNet(host, "10.0.0.0", "255.0.0.0")
       ) {
           return "DIRECT";
       }

       /* Proxy only http & https */
       if (url.substring(0, 5) == "http:" || url.substring(0, 6) == "https:") {
           /* Don't proxy local hostnames (without dots) */
           if (isPlainHostName(host)) {
               return "DIRECT";
           }
           /* END: Don't proxy local hostnames */
           /* START: Internal systems */
           if (shExpMatch(host, "*.example.com") ||
               shExpMatch(host, "example.com") ||
               /* END: Internal systems */
               /* START: Split VPN tunnel */
               shExpMatch(host, "*.example2.com") ||
               shExpMatch(host, "example2.com") ||
               /* END: Split VPN tunnel */
           ) {
               return "DIRECT";
           }
           /* END: Don't proxy to internal systems */
           return OURPROXY;
       } else {
         return "DIRECT";
       }
       /* END: Proxy only http & https */
   } else {
     return "DIRECT";
   }
   /* END: Our Network Entry */
   return "DIRECT";

}

Hi,

We are currently looking for a configuration profile to disable the sync option to the users, we allow the users to sign in but not to sync the bookmarks, history, etc.

We need to deploy this profile to all the users in our environment.

Regards, Jesus

Hello

I am looking for a way to disable the QUIC protocol in Firefox by GPO. I got your latest AMDX templates but I don't see the option to modify network.http.http3.enabled.

Either an AMDX template with this option or a Registry will do the trick

Thanks

I'm setting up addon installation through `policy.json`. Below is an example. I am wondering howto configure addons thus installed using the same file. Is it possible? If yes: where to find addon-specific keys/options? As an example: when providing below `policy.json`, starting any fresh firefox profile/installation produces the dialog "Startpage.com - Private Search Engine would like to change your default search engine from Google to Startpage.com - English. Is that OK?", followed by yes/no buttons. I would like to be able to just make the addon do so forgoing the dialog.

Thanks for any pointers.

{

 "policies": {
   "ExtensionSettings": {
     "*": {
       "blocked_install_message": "Installation of extensions only allowed from 'policy.json'.",
       "installation_mode": "blocked"
     },
     "{20fc2e06-e3e4-4b2b-812b-ab431220cada}": {
       "installation_mode": "force_installed",
       "install_url": "https://addons.mozilla.org/firefox/downloads/latest/startpage-private-search/latest.xpi"
     }
   },
   "ExtensionUpdate": true
 }

}

Hi Dear support mozila Firefox IT team,

I need to find out if there is an option on the user's computer in the local network, how to connect to the bypass list of the Firefox browser with a hidden version. Which aims to adjust, add and modify without bothering the user to quickly organize the work. If there is an option, please send me a guide.

In our organization, we enforce through group policy to clear cookies and site data each time the browser is closed. I see there's an exception list to define certain sites that it will not clear cookies or site data. Where in group policy can this exception be set.

This option can be seen (allow) from the article here under Block cookies and site data for more than one website > Step 3 https://support.mozilla.org/en-US/kb/block-websites-storing-cookies-site-data-firefox

Thanks,

on GitHub the commands are all based on Java https://github.com/mozilla/policy-templates#preferences

Is there a list of all available registry settings? Or where do these Java options come from, where can I read them out?

I am installing Firefox via microsoft endpoint, and deploying multi account containers with the OMA-URI policy for extensions. (this blog page is super helpful! https://securitygeneralist.blogspot.com/2019/08/auto-installing-extensions-on-firefox.html )

The extension by default has containers for Personal, Work, Banking, Shopping.

Is there a way to automatically remove that default container list as part of the install?

Even better, is there a way to create a different default containers list through Endpoint?

Thanks

We have a requirement to limit Firefox to just one internal website. Other browsers should have unlimited access, so we do not want to block websites on operating system level. I do not find any solutions in ADMX or add-ons. Please advise if anybody has a trick under the sleeves ? Thank you.