Not allowing any extensions to be manually installed is expected since you did:

"installation_mode": "blocked",

This would cover even force_installed extensions because the expectation is that they are already there.

The reason Okta install is failing is because of an incorrect ID:

Add-on downloaded from https://addons.mozilla.org/firefox/downloads/latest/okta-browser-plugin/latest.xpi had unexpected id (got plugin@okta.com expected Okta)

I saw that on the error console.

So change Okta to plugin@okta.com and you should be good.

I also verified that with your configuration I was able to install HTTPS everywhere (https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/)

and everything got auto installed after that change.

What "error console" are you referring to?

F12 console?

I'm trying your changes as I type this.

Sorry, Browser Console

Web Developer->Browser Console or Ctrl+Shift+J

I think the errors also would have shown up in about:policies in the Errors section

So I made the changes and still unable to force the okta Extension.

So I cleared out all the settings under Extension Management and it won't let me install any Extensions still.

Is there something I need to reset in the registry?

No, when you unset ExtensionManagement in GPO, it should go away.

So when you tried:

{

"*": {
  "blocked_install_message": "Custom error message.",
  "install_sources": ["about:addons","https://addons.mozilla.org/"],
  "installation_mode": "blocked",
  "allowed_types": ["extension"]
},
"uBlock0@raymondhill.net": {
  "installation_mode": "force_installed",
  "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
},
"plugin@okta.com": {
  "installation_mode": "force_installed",
  "install_url": "https://addons.mozilla.org/firefox/downloads/latest/okta-browser-plugin/latest.xpi"
},
"https-everywhere@eff.org": {
  "installation_mode": "allowed"
}

}

It didn't work?

can you go to about:policies and see if there are any errors?

Well, I've recreated the policy and had it set to disable. But i'm still getting the wrong json settings in that key.

I'm trying your json now.

I put in your json and I'm still getting this version in that registry key.

{

 "*": {
   "blocked_install_message": "Custom error message.",
   "install_sources": ["about:addons","https://addons.mozilla.org/"],
   "installation_mode": "blocked",
   "allowed_types": ["extension"]
 },
 "Okta": {
   "installation_mode": "force_installed",
   "install_url": "https://addons.mozilla.org/firefox/downloads/file/3701928/latest.xpi"
 }

}

I have no where this is coming from as I'm only setting it in the ExtensionSettings Policy setting.

I drop the regkey and I can install everything i want until the gpo kicks back in.

Is it possible you accidentally set that in the machine policy?

What do you see at:

HKEY_CURRENT_USER\SOFTWARE\Policies\Mozilla\Firefox ExtensionSettings versus HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox ExtensionSettings

in the registry?

I'm looking at the HKLM as I'm applying it at machine level. I've removed the policy all together and it still re-pops in after deleting the Mozilla key.

I don't even see it under HKCU.

This is all very odd that it keeps coming down even though I've removed it from the OU.

All right, let's get more detail.

Can you go to about:config and add a new string preference called:

browser.policies.loglevel

and set the value to debug

When you restart, it should give us more detail in the browser console as to where it's getting those values.

If you're up for it, we could jump on a screenshare and I'll help figure it out.

After much trouble shooting and trying various resets on the client I went down all the policies applied to my workstation and noticed that there were Firefox settings in the policy that isn't for Firefox.

I'm working good now thank you for the assist!

I do have one more question, wasn't there a extension that will give me the IDs of all the extensions? I thought I saw that in the documentation a bit ago.

Also is there a way to setup non-firefox hosted plugins like www.enpass.io ? It appears they aren't in the add-on store.

> I do have one more question, wasn't there a extension that will give me the IDs of all the extensions? I thought I saw that in the documentation a bit ago.

This addon shows you IDs and download URLs on AMO:

https://github.com/mkaply/queryamoid/releases

> Also is there a way to setup non-firefox hosted plugins like www.enpass.io ? It appears they aren't in the add-on store.

Yes. You can download and install it and then go to about:debugging and it will show you the addon ID. (spoiler alert -it's firefox-enpass@enpass.io ) And then you can install it like any other addon using their XPI URL.

https://dl.enpass.io/stable/extensions/firefox/versions/v6.6.0-8/enpass-firefox-6.6.0.xpi

Also, when you get a chance, can you pick the best reply that solves your problem?