Prikaz označenih pitanja: Prikaži sva pitanja
  • Riješeno
  • Arhivirano

How to disable QUIC http3 in Firefow either by Windows Registry editor o by AMDX template

Hello I am looking for a way to disable the QUIC protocol in Firefox by GPO. I got your latest AMDX templates but I don't see the option to modify network.http.http3.ena… (pročitajte više)

Hello

I am looking for a way to disable the QUIC protocol in Firefox by GPO. I got your latest AMDX templates but I don't see the option to modify network.http.http3.enabled.

Either an AMDX template with this option or a Registry will do the trick

Thanks

Asked by rmirandacr prije 1 godina

Answered by rmirandacr prije 11 mjeseci

  • Riješeno
  • Arhivirano

how to disable common users to modify the settings of "No proxy for" in "Connection Settings"

I am an admin of some servers, i modify the proxy settings of firefox in a GPO, and it works, but now ont thing is that users can modify the settings of "No proxy for" in… (pročitajte više)

I am an admin of some servers, i modify the proxy settings of firefox in a GPO, and it works, but now ont thing is that users can modify the settings of "No proxy for" in Connection Settings, then add the urls, then users can access to any web site which they want to, is there a method to disable this? thanks.

Asked by fas910 prije 8 mjeseci

Answered by Mike Kaply prije 8 mjeseci

  • Riješeno
  • Arhivirano

GPO Settings for AutoFill Address and Credit Cards

We downloaded the GPO Templates for AD and looking to customize Firefox. We would like to disable Forms and Autofill: Autofill addresses Autofill credit cards Also wou… (pročitajte više)

We downloaded the GPO Templates for AD and looking to customize Firefox.

We would like to disable Forms and Autofill: Autofill addresses Autofill credit cards

Also would like to lock down so they can't reenable if possible.

We would like to do this all through GPOs if possible. I found these in the about:config: extensions.formautofill.addresses.enabled extensions.formautofill.creditCards.enabled

But again want to do through the GPO. Is this possible?

Side note while working on GPOs, I set Exceptions for the popup blocker and they are not showing up in the browser. I also filled out to remove Search Engines but they all still appear in the browsers. These two GPO settings don't appear to be working.

Asked by Joshua_Calais prije 9 mjeseci

Answered by Mike Kaply prije 9 mjeseci

  • Riješeno
  • Arhivirano

Windows GPO Help with JSON configs

Environment: Windows 10 22h2 clients, latest ESR build, Domain servers Windows 2016 or better. So I followed the guide https://github.com/mozilla/policy-templates/blob/m… (pročitajte više)

Environment: Windows 10 22h2 clients, latest ESR build, Domain servers Windows 2016 or better.

So I followed the guide https://github.com/mozilla/policy-templates/blob/master/README.md#extensionsettings and tried to set up the config. We are using the latest ESR build but after the settings is applied I still dont have working extensions.

Here is the code

{
     "*": {
           "blocked_install_message": "Addon or Extension is not approved. Please submit a ticket to Help Desk if you need access to this extension.",
           "install_sources": ["https://addons.mozilla.org/"],
           "installation_mode": "blocked"
     },
     "{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}": {
           "installation_mode": "allowed",
           "install_url": "https://addons.mozilla.org/firefox/downloads/latest/adblock-plus/latest.xpi"
           },
     "ciscowebexstart1@cisco.com": {
           "installation_mode": "allowed",
           "install_url": "https://addons.mozilla.org/firefox/downloads/latest/cisco-webex-extension/latest.xpi"
     },
     "{d0210f13-a970-4f1e-8322-0f76ec80adde}": {
           "installation_mode": "allowed",
           "install_url": "https://addons.mozilla.org/firefox/downloads/latest/instapaper-official/latest.xpi"
           },
     "appstore-mini@feedly.com": {
           "installation_mode": "allowed",
           "install_url": "https://addons.mozilla.org/firefox/downloads/latest/feedly_mini/latest.xpi"
           },
     "extension@one-tab.com": {
           "installation_mode": "allowed",
           "install_url": "https://addons.mozilla.org/firefox/downloads/latest/onetab/latest.xpi"
           },
     "support@lastpass.com": {
           "installation_mode": "allowed",
           "install_url": "https://addons.mozilla.org/firefox/downloads/latest/lastpass-password-manager/latest.xpi"
           },
     "sweb2pdfextension.4@kofax.com": {
           "installation_mode": "allowed",
           "install_url": "https://addons.mozilla.org/firefox/downloads/latest/kofax-pdf-create-4-0/latest.xpi"
           },
     "Aternity-WebExt-12.1.4@aternity.com": {
           "installation_mode": "allowed",
           },
     "its_addons_wrap@onelog.com": {
           "installation_mode": "allowed",
           "install_url": "https://extensions.onelog.com/extension/onelog.xpi"
     }

}

I have placed the settings in HKCU but also tried in HKLM and there has been no difference. in each case I get Unable to parse JSON for Extensionsettings when checking the about:policies section and when I look at the registry I see the REG_MULTI_SZ value but when i click on it to read it I get another error message. Cannot edit ExtensionSettings: Error reading the values contents.

I tried re-entering the code and tried not listing the install URLs and even tried only listing 1 item. I haven't been able to get past this error so any help would be greatly appreciated.

Asked by daniel.david.white prije 1 godina

Answered by Mike Kaply prije 1 godina

  • Riješeno
  • Arhivirano

Firefox Policies

We try to deploy Extension Management Settings via GPO. Goal is to allow only whitelisted extensions, but don't block themes, dictionaries and locales. Below find the J… (pročitajte više)

We try to deploy Extension Management Settings via GPO.

Goal is to allow only whitelisted extensions, but don't block themes, dictionaries and locales.

Below find the JSON-settings deployed to the client, which should allow all themes and whitelisted extensions. Unfortunately this blocks everything except whitelisted IDs. See example screenshot with error-message, when trying to install a theme. We don't want to whitelist locales or themes, they should be still allowed for installation.

What I'm doing wrong? - Thanks for your feedback.

##############
{
"*": {
"installation_mode": "blocked",
"allowed_types": ["theme"]
},
"uBlock0@raymondhill.net": {
"installation_mode": "allowed"
},
"jid1-ZSMfwe4lCAw9oQ@jetpack": {
"installation_mode": "allowed"
}
}

Asked by Mario.Daub prije 10 mjeseci

Answered by Mike Kaply prije 10 mjeseci

  • Riješeno
  • Arhivirano

Group Policy Templates / Preferences (Deprecated)

I am looking for information regarding the support life for settings that are defined in the Preferences (Deprecated) section of the ADMX templates provided in GitHub. Th… (pročitajte više)

I am looking for information regarding the support life for settings that are defined in the Preferences (Deprecated) section of the ADMX templates provided in GitHub. There doesn't appear to be a definitive answer as to when these preferences are no longer applicable to a version of Firefox. The term "Deprecated" certainly applies they're on their way to extinction. But only a small handful of preferences have been ported over to non-deprecated template settings (like Auto Update). Is there an expected version of Firefox where all these preferences are meaningless? Or will they be supported indefinitely? "Industry recommendations' from 3rd party security vendors are bloating my policies in the domain space and I can't definitively say they are 'no longer supported as of version xyz' for all these Firefox Preference settings, which happen to be about 80% of the security parameters defined by STIG and/or CIS Workbench.

Asked by rott3nhippi3 prije 11 mjeseci

Answered by TyDraniu prije 11 mjeseci

  • Riješeno
  • Arhivirano

network.negotiate-auth content changes are deleted after restart mozilla

in our organisation i need several domainnames to be added in network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris, so that sso for some webappl… (pročitajte više)

in our organisation i need several domainnames to be added in network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris, so that sso for some webapplications is working. some are allready in the list. when i make changes to the list, everything is working ok, but when i clos all mozilla windows and restart mozilla, the changes are gone.

Asked by bonami prije 11 mjeseci

Answered by bonami prije 11 mjeseci

  • Arhivirano

Wild Card URL & "Allowed URL" ADMX not working properly

Hi there, we trying to restrict internet access that used Mozilla Firefox on client computers through Microsoft Intune. We have already configured policy by uploading A… (pročitajte više)

Hi there,

we trying to restrict internet access that used Mozilla Firefox on client computers through Microsoft Intune.

We have already configured policy by uploading ADMX template & Custom OMA-URI as described in https://github.com/mozilla/policy-templates/blob/master/README.md 

We are trying to add custom allowed web sites to "WebsiteFilter" OMA-URI ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/B_WebsiteFilter_Exceptions. added web sites are not allowed. my question is what is the best way to enter URLs (I mean format) to allow list & how I can used wild card to allow all the web sites of one specific domain. eg:- microsoft

Asked by fmudiyanse prije 10 mjeseci

Last reply by Mike Kaply prije 10 mjeseci

Official Documentation required: Export Control Classification Number (ECCN)

My company needs to follow regulation on Export rules. I need to provide our ITAR regulation team "Vendor documentation" regarding the Export Control Classification Numb… (pročitajte više)

My company needs to follow regulation on Export rules. I need to provide our ITAR regulation team "Vendor documentation" regarding the Export Control Classification Number (ECCN) for Mozilla Firefox ESR. They will not accept a blog or article. Any one from Mozilla able to provide this in an official capacity?

Asked by Michael.Klein2 prije 5 mjeseci

Last reply by Mike Kaply prije 5 mjeseci

Bypass UAC prompts through GPO settings

We are currently attempting to automate our Firefox update processes. Currently we use robocopy to push out new versions on release, but ideally we'd like to use the back… (pročitajte više)

We are currently attempting to automate our Firefox update processes. Currently we use robocopy to push out new versions on release, but ideally we'd like to use the background updater instead. We are currently on 64-bit 119.0.1, on Windows 10 Pro 22H2. We'd prefer not to switch over to ESR if at all possible. I've already reactivated the AppAutoUpdate and BackgroundAppUpdate policies, and DisableAppUpdate is disabled, but I'm still being hit with a UAC Admin prompt when I try to launch Firefox. I tried to bypass it through the registry at [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers], with "C:\Program Files\Mozilla Firefox\firefox.exe" = "RUNASINVOKER", but that also doesn't seem to have done anything. Any and all assistance would be appreciated

Asked by ddrake1 prije 4 mjeseci

Last reply by Mike Kaply prije 3 mjeseci

  • Arhivirano

Group policy for PKCS11

Can we set up these gpo`s so that there is a check for dependencies? Windows (GPO) Software\Policies\Mozilla\Firefox\SecurityDevices\Add\NAME_OF_DEVICE_TO_ADD = PATH_TO… (pročitajte više)

Can we set up these gpo`s so that there is a check for dependencies?

Windows (GPO)

Software\Policies\Mozilla\Firefox\SecurityDevices\Add\NAME_OF_DEVICE_TO_ADD = PATH_TO_LIBRARY_FOR_DEVICE Software\Policies\Mozilla\Firefox\SecurityDevices\Remove\1 = NAME_OF_DEVICE_TO_REMOVE

Thank you.

Asked by desislava.ivanova prije 7 mjeseci

Last reply by Mike Kaply prije 7 mjeseci

  • Riješeno
  • Arhivirano

Disable "show in download folder"

I have a need to use regular browser (not kiosk), but disable the "open downloads folder" once a file has been downloaded. This is opening a file manager (thunar or alike… (pročitajte više)

I have a need to use regular browser (not kiosk), but disable the "open downloads folder" once a file has been downloaded. This is opening a file manager (thunar or alike) which then allows the user to browse the filesystem and open a terminal emulator from /usr/bin.

Using the policies, I am able to prompt for downloads, or select a download location, however I have been unable to completely stop the user from opening the download folder which opens a file browser.

Is there any way I can select policies or profile options for disabling the option for opening download folder?

Asked by Freddog prije 1 godina

Answered by Terry prije 1 godina

  • Arhivirano

I want to put Zscaler Root CA certificate for web access by terminal

Hi Team, I'm using the Zscaler in my network, when I use the Firefox, appear the error: "Software is Preventing Firefox From Safely Connecting to This Site www.googlead… (pročitajte više)

Hi Team, I'm using the Zscaler in my network, when I use the Firefox, appear the error:

"Software is Preventing Firefox From Safely Connecting to This Site

www.googleadservices.com is most likely a safe site, but a secure connection could not be established. This issue is caused by Zscaler Root CA, which is either software on your computer or your network.

What can you do about it?

www.googleadservices.com has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely...." Picture 1

I have root certificate in path: /usr/share/ca-certificates/mozilla$ Picture 2

I run the command for updates CA but it doesn't work: sudo update-ca-certificates

Errors keep popping up.

The certificate not appear in the Certificate manager > Authorities Picture 3

But if I open the firefox > Settings > Privacy & Security> Certifcates > View Certificates > Import And I import the certificate ZscalerRoot.crt and I mark the option "trust this CA to identify websites" the firefox works, and I can open the site without error message.

Picture 4

And the certificate appear in the manager certificate: Picture 5


How can I put the command terminal certificate, which I have on hundreds of machines?

Note: I need to put the certificate only for internet access.

Asked by walter.sena.m prije 1 godina

Last reply by cor-el prije 1 godina

  • Arhivirano

Firefox conflict with Windows HTTPS (DoH) -> Requipred DoH

When setting Windows to "Require DoH", firefox will not resolve DNS addresses, regardless of which "Enable secure DNS" setting is picked in FireFox security settings tab.… (pročitajte više)

When setting Windows to "Require DoH", firefox will not resolve DNS addresses, regardless of which "Enable secure DNS" setting is picked in FireFox security settings tab.

I expected at least "Off -- Use your default DNS resolver" to work.

If Windows is configured to just "Allow DoH", Firefox has no issues resolving DNS addresses, for any of the Firefox policy settings.

For reference, you can find the DoH policy setting in windows group policy editor, here:

gpedit.msc

Computer Configuration -> Administrative Templates -> Network -> DNS Client -> Configure DNS over HTTPS

(Have to enable it, then select Configure DoH options: Require DoH.)

you may need to issue a gpupdate /force for the setting to be picked up quickly.

Asked by s189 prije 6 mjeseci

Last reply by Valentin prije 5 mjeseci

  • Arhivirano

Automatic redirect in pac files doesn't work

Hello, I have a problem with a pac file in our org. We download it from a server. The basic functionality is applied and it does redirect the desired traffic to the prox… (pročitajte više)

Hello,

I have a problem with a pac file in our org. We download it from a server. The basic functionality is applied and it does redirect the desired traffic to the proxy. The problem occurs when the proxy goes down, it then should automaticaly start making direct connections, but the connections fail. We want to proxy only http and https and event that with some exceptions.

It was done according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_PAC_file#example_6

Is there any problem with PAC file or does the browser have issues with the config?

Thanks for any help.

function FindProxyForURL(url, host) {

   /* Our proxy list */
   OURPROXY = "PROXY 172.22.59.X:3128; DIRECT"
   INOUR = "ourgroup.internal"
   /* Normalize the URL and HOST for pattern matching */
   url = url.toLowerCase();
   host = host.toLowerCase();
   /* Our Network Entry */
   if (isResolvable(INOUR)) {
       /* Don't proxy local services */
       if (isInNet(host, "10.0.0.0", "255.0.0.0")
       ) {
           return "DIRECT";
       }
       /* Proxy only http & https */
       if (url.substring(0, 5) == "http:" || url.substring(0, 6) == "https:") {
           /* Don't proxy local hostnames (without dots) */
           if (isPlainHostName(host)) {
               return "DIRECT";
           }
           /* END: Don't proxy local hostnames */
           /* START: Internal systems */
           if (shExpMatch(host, "*.example.com") ||
               shExpMatch(host, "example.com") ||
               /* END: Internal systems */
               /* START: Split VPN tunnel */
               shExpMatch(host, "*.example2.com") ||
               shExpMatch(host, "example2.com") ||
               /* END: Split VPN tunnel */
           ) {
               return "DIRECT";
           }
           /* END: Don't proxy to internal systems */
           return OURPROXY;
       } else {
         return "DIRECT";
       }
       /* END: Proxy only http & https */
   } else {
     return "DIRECT";
   }
   /* END: Our Network Entry */
   return "DIRECT";

}

Asked by piotr.jakub.kaczmarzyk prije 11 mjeseci

Last reply by Mike Kaply prije 11 mjeseci

Disable Firefox Password Manager Completely via plist

Attempting to disable FF Password manager completely for my org via a plist. Currently have the password manager itself disabled but can't figure out how to disable the … (pročitajte više)

Attempting to disable FF Password manager completely for my org via a plist.

Currently have the password manager itself disabled but can't figure out how to disable the Auto-fill settings with previously saved passwords prior to the password manager being disabled?

Is this possible? Or is this disabled already when the password manager itself is disabled?

Currently have this set via a plist:

<key>PasswordManagerEnabled</key> <false/>

Asked by Matthew L prije 2 dana

Last reply by Mike Kaply prije 1 dan

  • Arhivirano

Permission Problem with Camera

We have a customer using our SaaS solution running through Firefox 91.12.0 ESR. The web application we provide requires access to the camera on the local machine so we ca… (pročitajte više)

We have a customer using our SaaS solution running through Firefox 91.12.0 ESR. The web application we provide requires access to the camera on the local machine so we can capture a photo. We give them instructions and they configure their instance of Firefox to ALLOW access to the camera, along with several other adjustments (like allowing pop-ups, and no autofill).

However, whenever they restart Firefox the camera permission reverts back to the DEFAULT of Always Ask. The other settings adjustments we make, like pop-ups and no autofill stick around, but not the camera setting.

We've checked the PREF.js file in the Profile folder and that doesn't appear to be a problem. On our in-house machines we are running the same version of Windows and Firefox and cannot reproduce the problem.

The customer has recently applied the upgrade from an earlier version of Firefox ESR to 91.12.0. The customer has also imaged the PC and copied over to a large number of additional machines for use around their organization. This problem is causing a serious disruption to their deployment of the updated PC's as we work with them to try and troubleshoot the problem.

Any ideas on what to try would be appreciated.

Asked by mfranke62 prije 1 godina

Last reply by jscher2000 - Support Volunteer prije 1 godina

  • Arhivirano

GitHub Registry List

on GitHub the commands are all based on Java https://github.com/mozilla/policy-templates#preferences Is there a list of all available registry settings? Or where do thes… (pročitajte više)

on GitHub the commands are all based on Java https://github.com/mozilla/policy-templates#preferences

Is there a list of all available registry settings? Or where do these Java options come from, where can I read them out?

Asked by edv40038 prije 1 godina

Last reply by Mike Kaply prije 1 godina

Assistance Needed with Firefox Browser and Group Policy Settings

Hi there, We are currently utilizing Windows Server 2019 as our development server. To maintain security protocols, we have implemented a Group Policy to block internet … (pročitajte više)

Hi there,

We are currently utilizing Windows Server 2019 as our development server. To maintain security protocols, we have implemented a Group Policy to block internet access on this server. Initially, this configuration successfully restricted internet access on all browsers, including Firefox. However, recently we encountered an issue where internet access became available solely through the Firefox browser, posing a significant data security risk.

Upon investigation, we discovered that Firefox allows users to modify proxy settings, effectively bypassing our Group Policy restrictions. Unlike other browsers, Firefox permits users to adjust proxy settings without sufficient rights, thus overriding our established restrictions.

To mitigate this issue, we require guidance on enforcing Group Policy settings within Firefox to prevent unauthorized alterations to proxy settings and ensure internet access remains restricted. It's important to note that Firefox is exclusively utilized for development purposes on our server.

Your assistance in resolving this matter would be greatly appreciated.

Regards, Hiten

Asked by hitenj.trivedi prije 2 dana

Last reply by Mike Kaply prije 1 dan