I WANT YOU TO GIVE ME A SOLUTION NOT THE F'N COMMUNITY BOARD .

Hi Sonia, the "ImportEnterpriseRoots" policy instructs Firefox to trust certificates added to the Windows certificate store, not just the ones that Mozilla provides. It locks this checkbox on the Settings page to being checked:

"Allow Firefox to automatically trust third-party root certificates you install"

This article has more information: Automatically trust third-party root certificates.

But why does the policy exist? Unfortunately, there's no simple way to know what program created the policy, but usually it is added by your security software to facilitate intercepting and cleaning your browsing (otherwise, Firefox would reject its fake certificates).

If that is okay with you, then there's no need to remove the policy you found. But if that is NOT okay with you, then there are two possibly places that policy could have been added:

(1) Windows Registry (2) A policies.json file in a specific subfolder of your Firefox program folder

Do you want the steps to do the cleaning?

I have the same problem on macos - I don't have an organization, I downloaded this from mozilla.org and I there isn't a policies.json in the Firefox.app package.

I do have this in my Info.plist for Firefox.app, however:

<dict> <key>org.mozilla.updater</key> <string>identifier "org.mozilla.updater" and anchor apple generic and certificate1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "43AQ936H96"</string> </dict>

Which, as far as I can tell, is in every macos Info.plist for firefox.

Could that be the reason? If not, are you sure this isn't the way Firefox default installs in macos?

Edit: it is the reason. If I comment out that part of the Info.plist, I can turn disable ImportEnterpriseRoots (and the mitm option as well). Makes pages render terribly, but you can get to the managed settings and turn those off. If I uncomment that <dict> entry, the setting returns enabled.

Firefox needs to come up with a better way to convey that to the user, as it isn't really managed, it's just that Firefox imports the root certificates from the Root keychain on MacOS.

Edit: it is the reason. If I comment out that part of the Info.plist, I can disable ImportEnterpriseRoots (and the mitm option as well). Makes pages render terribly, but you can get to the managed settings and turn those off. If I uncomment that <dict> entry, the setting returns enabled.

Firefox needs to come up with a better way to convey that to the user, as it isn't really managed, it's just that Firefox imports the root certificates from the Root keychain on MacOS.

I don't use Windows that often, but I suspect it's a similar situation, grabbing Windows' root certificates.

Sorry, I tried to edit my previous post, but it won't let me, throws an error.

Hi Bob, there actually are some support articles referring to the .plist file, but as a Windows person, I had never encountered it before:

• Customize Firefox on macOS using configuration profiles
• Manage policies on macOS desktops

Thank you for connecting those dots.