Currently, you cannot have both Group Policies and a policies.json file deployed at the same time.

Hi all,

sorry I am getting a bit lost here, as I am not able to found the needed information. Maybe my search context is not correct or there are way to many informations.

I understand that, a) there are some features which to be used via your ADMX policies b) there are other features which are only available using the .cfg files c) there are additinal features, which only can be deployed with the policies.json file. d) there are other features that I have to set in the registry (HKLM, HKCU / sotfware, policies, mozilla or software, mozilla)

What I do not understand: -- which of those can I combine? -- why do the admx's and the policies.json not provide the same features?

I am not able to find any best practice documentation about that.

Using the Firefox in an corporate environment, I have found out that some features are requested by "higher ups" so we have to use the FF, on others we might be able to use the FF ESR.

I was hoping that the ADMXs have priority over the json and cfg's.

As you can tell, I am in need for some help :)) Thank you.

The ADMX policies and policies.json file are interchangeable. They both provide identical customizations, with the only large difference being how they are implemented. ADMX policies can only be deployed on certain Windows computers, but policies.json can be deployed to any computer regardless of the operating system.

So to answer your second question, these two implementations do indeed offer the same features. In fact, you can't use both of them even if you wanted to, because ADMX policies will automatically prevent the policies.json from being read.

The CFG preferences are different from policies though. That gives you full control over any of the preferences on the about:config page. It's meant for tuning preferences that can't be adjusted using one of the policy implementations above.

There are some cases where something may overlap. For example, the DisableBuiltinPDFViewer policy to disable Firefox's builtin PDF viewer can be done with ADMX policies or policies.json, but it can also be done using CFG to set the pdfjs.disabled preference to true.

In the cases where they overlap, it would depend on what you already have setup on your environment. For example, if you already have ADMX or policies.json setup on your system, the preferred method for disabling the PDF viewer would be to use the policy. If you don't have ADMX or policies.json setup already but you do have the CFG setup, it's easier to implement it using the CFG preference.

There are only limited changes that can be implemented using all three of the above methods.

As for the registry changes, I don't know of any changes that specifically require a registry edit and can't be implemented using the other options.

Hope this answers your questions.

Wesley Branton said

The ADMX policies and policies.json file are interchangeable. They both provide identical customizations, with the only large difference being how they are implemented. ADMX policies can only be deployed on certain Windows computers, but policies.json can be deployed to any computer regardless of the operating system. So to answer your second question, these two implementations do indeed offer the same features. In fact, you can't use both of them even if you wanted to, because ADMX policies will automatically prevent the policies.json from being read. The CFG preferences are different from policies though. That gives you full control over any of the preferences on the about:config page. It's meant for tuning preferences that can't be adjusted using one of the policy implementations above. There are some cases where something may overlap. For example, the DisableBuiltinPDFViewer policy to disable Firefox's builtin PDF viewer can be done with ADMX policies or policies.json, but it can also be done using CFG to set the pdfjs.disabled preference to true. In the cases where they overlap, it would depend on what you already have setup on your environment. For example, if you already have ADMX or policies.json setup on your system, the preferred method for disabling the PDF viewer would be to use the policy. If you don't have ADMX or policies.json setup already but you do have the CFG setup, it's easier to implement it using the CFG preference. There are only limited changes that can be implemented using all three of the above methods. As for the registry changes, I don't know of any changes that specifically require a registry edit and can't be implemented using the other options. Hope this answers your questions.

Dear Wesley, I highly appreciate your quick response.

I have found that using the JSON-file might give me additional features, but also brings a huge risk (for my understanding).

Using the JSON, I have found out that, entering an (spelling-)error, disables the complete JSON configuration for our corporate restrictions!! :O

Which is unacceptable, espacially if with new versions, some features will be disabled or renamed.... which will potentially also result in a wide-opened firefox installation!

Correct?

I have been trying to give some "addons" using the ""ExtensionSettings": " to deploy some "addons" for the users, which are preinstalled, which can be disabled by the users. Somehow this also results in a broken JSON configuration...

Thank you again!

The policies.json file does not give you any different features compared to the ADMX policies. Every policy that the policies.json file can do (there's a list here) can also be done by the ADMX policies and vice versa.

You are somewhat correct in your understanding that a policies.json file does need to be entered correctly in order to work, but the same can be said about the ADMX policies as well. It doesn't necessarily make one more risky than the other.

And, theoretically, you are correct about it breaking if the policy names were to change or if policies were to be removed. However, I can't say I've ever seen them remove policies or change policy names in the past.

You'd run into the same problem if you don't update your ADMX policy templates when the changes are made, though. So again, it still doesn't make one implementation riskier than the other.

Dear Wesley,

Currently I am still struggeling with the firefox configuration files.

We have tried to run with the same configuration (GPO Settings or registry) for the 68 ESR and the 69 Firefox.

On the 68 ESR it works with the GPOs and Reg-Keys, the same settings we have tried to use for the 67 and 69... but they give us different error messages.

So, the question comes back to, on which of these features I have to use another configuration parameter and if this resets the first settings.

There is no best practice for this (not that I have found any...)

I appreciate your help. BR

Are you able to post what your policies.json file looks like? That would give us a good idea of what's going wrong.