All Products Community Forum

We're exploring adopting a default deny policy for Firefox extensions in our enterprise. However when I tested this by creating a custom policies.json Firefox unexpectedly removed all extensions for me, including the ones I thought I had allow listed. Here is my policies.json but just keeping in the Facebook Container add-on to illustrate:

{

   "policies": {
       "ExtensionSettings": {
           "*": {
               "blocked_install_message": "Only approved Firefox extensions can be installed, please email your request to itdept@example.org",
               "installation_mode": "blocked",
               "allowed_types": ["theme", "dictionary", "locale"]
           },
           "@contain-facebook.xpi": { "installation_mode": "allowed" }
       }
   }

}

What I would like is to to allow pre-approved extensions (including if they already are installed) and all other types of add-on, but remove and prohibit installation of unapproved extensions.

Can anyone assist, please?

We have Firefox deployed and managed through Intune/Endpoint and all works well but every device has an error with this line of the policy:

UserMessaging_FirefoxLabs [./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~UserMessaging/UserMessaging_FirefoxLabs] STATE Error SOURCE PROFILES Source Profile Mozilla_Firefox_Configuration ERROR CODE 0x87d1fde8

The error code is the same on all devices and is the only one present in on each device config.

Does anyone have any idea what the issue and resolution would be?

Thanks, Matt

We are currently considering using Firefox ESR as our default browser but experiencing a few issues and one of them is with our configured SailPoint IdentityIQ Single Sign-On Experience, which uses Basic Authentication.

Issue Description First, the login button needs to be clicked multiple times before access to the site is granted. Once signed in, the Firefox inbuilt authentication dialogue appears, prompting the user to log in again (see the attached screenshot). The landing page is only presented after clicking the login button several times. This creates a poor user experience, sometimes causing pages to load improperly. Interestingly, the same process works seamlessly in Edge Chromium.

Troubleshooting Steps Taken I have already attempted the following: 1. Temporarily disabled all custom and security settings in mozilla.cfg and config.json. 2. Temporarily disabled Firefox Tracking Protection. 3. Allowed third-party cookies for the specific URL. 4. Upgraded Firefox Version to 128.7.0 5. Since our Firefox browser is significantly hardened, I have also enabled and reconfigured the following settings in mozilla.cfg to ensure Basic Authentication is allowed, functions properly, and suppresses Firefox’s authentication prompt, but without success:

network.http.phishy-userpass-length = 255 network.http.use-basic-auth network.automatic-ntlm-auth.allow-non-fqdn network.automatic-ntlm-auth.trusted-uris security.enterprise_roots.enabled security.enterprise_roots.enabled

Observations from SailPoint Team Our colleagues from SailPoint have tested the setup in their environment, and according to them, it works as expected. However, their browser is not hardened, and they have leveraged the SailPoint UI for authentication instead of the built-in Firefox authentication prompt.

Further Investigation • Is there a specific configuration required in the user profile settings? • Network trace analysis shows 404 errors on GET requests and the following error codes on POST requests: • 302 Redirect: Mozilla Documentation • 408 Request Timeout: Mozilla Documentation

Next Steps Is there a specific security setting that needs to be enabled or disabled? Are there any particular Firefox enterprise policies we should modify? I have also attached screenshots for reference. Let me know if you need specific logs or network traces for further troubleshooting.

We are allowing end user to scan 2D matrix barcode using a wedge scanner in our application. We are facing a problem where different elements of the bar code are not getting split into the application. On investigating this further, we found that Firefox browser not recognising the FNC character(input character 29) coming from input stream (barcode scanner in this case).

I've been struggling for months to standardize a deployment of Firefox ESR across various client environments that reliably auto-updates and doesn't cause UAC prompts and XULRunner profile error pop-ups(I work in IT).

We deploy Firefox ESR in bulk on machines via a batch script which runs as SYSTEM, with msiexec /i and /qn flags.

Firefox installs fine, but then users are typically met with a UAC prompt when they first try to run Firefox. If they decline, then the UAC prompt comes back again next time and often fails to update at all, so the machine is left on an older, vulnerable version.

Regarding the environment: we have deployed the Firefox ESR admx templates and enabled the relevant auto update settings in Group Policy. But only some machines seem to stay up to date, and it seems like this only happens if a user with local administrative privileges has run the program at least once.

What I find unusual is that Firefox seems to attempt to make a "Background Updater" scheduled task for every user that runs the software on each PC, but these users do not have administrative privileges, and the scheduled task is set to only run when that user is logged in. Obviously a scheduled task running as a user with limited privileges isn't going to be able to update files in the Mozilla/Firefox subdirectory in "Program Files" as by default that's read-only access for non-admin users. And, obviously, if a user with local admin privileges DOES log into the machine, then it can update once, but then the scheduled task that it creates for that user (now with admin privileges) will only run when that user logs in - and we don't login as "admin"-privileged users day-to-day.

So, various machines are out of date, running vulnerable Firefox 128 instead of 140 or 142 even though they're all deployed from the same image and have the same policies and restrictions, and ran the same installer for Firefox.

Is there some reason why the auto update scheduled task isn't created at installation time, when administrative privileges have been granted? It's very odd that it doesn't, because then every time a user logs into a machine it seems like Firefox ESR creates the background upgrade task under a non-admin user which simply won't work. I see machines having 4 or 5 background upgrade scheduled tasks, all created by Firefox ESR, and yet the software still won't update - there's a UAC prompt every time the program launches, and going to Help -> About shows "Restart Firefox to update..." but then when clicking the button to restart Firefox, we get the UAC prompt, user doesn't have privileges, so this goes around and around in circles.

Is there a reliable way to keep Firefox up to date without manually logging into each machine and going through the UAC prompts? Can we manually create a scheduled task with the correct user account that has privileges to actually upgrade Firefox?

The background auto update mechanism simply doesn't make sense to our team on a machine-wide install.

Greetings!

I am using the firefox enterprise version and I have noticed an issue that the browser does not capture mouse events when the pointer is at rightmost edge of the firefox window. For example, on this website near the edge the pointer would initially focus on the scroll bar and then lose focus at the edge (see attached images).

This issue does not persist on x11, and only seems to exist on wayland. It also exists on other flavours of firefox on wayland.

If more information is required, feel free to send me a ping.

Hi All, I want to block traffic on firefox externally for managed devices via Intune, following the import of the ADMX/ADML files into intune.

I have set '\Mozilla\Firefox\Exceptions to blocked websites' to the following

• //*.mydomain.com/*

which works, however, I also want to add hosts that are only resolving on IPs and not DNS. I can add specific IPs if known, but is there a way I can allow IP ranges? Ie

• //10.10.*/* (this doesn't currently work)

Of the included screenshot, only the wildcard for mydomain.com and the specific IP currently work

If there is a better way to do this via intune for firefox only, please let me know.

Thanks

I've been tasked with removing Firefox from all Windows workstations in our enterprise environment. Our users don't have local admin, so when they install Firefox, it is installed in the user's profile.

I've just installed Firefox 143.0.1 in my own user profile for testing purposes. However, when I attempt to uninstall, either from Control Panel or by running %localappdata%\Mozilla Firefox\uninstall\helper.exe manually, UAC prompts for elevation, even though I installed without elevating.

I've dug in a bit more, and I found this was an issue five years ago as well:

https://support.mozilla.org/en-US/questions/1286070

According to that post, the issue was resolved, but it seems to have come back.

Any help would be appreciated.

I am having the same issue as this other user here: https://www.reddit.com/r/sysadmin/comments/17wvuwh/help_pinning_extension_in_firefox_with_gpo/

Preliminaries -- Initially (before trying to force-pin), I had these GPOs enabled:

Extensions to Install -> https://addons.mozilla.org/firefox/downloads/file/4410896/bitwarden_password_manager-2024.12.4.xpi

Prevent extensions from being disabled or removed ->

• {446900e4-71c2-419f-a6a7-df9c091e268b}
• {3f6129fb-6c55-4452-ab6f-7c109b2301df}
• https://addons.mozilla.org/firefox/downloads/file/4410896/bitwarden_password_manager-2024.12.4.xpi

(Those GPOs above all work.)

What I'm trying to do: Force-pin Bitwarden.

I believe I've followed the documentation correctly (except for not including a "*" case): https://mozilla.github.io/policy-templates/#extensionsettings

I've enabled this GPO with this value:

Extension Management ->

{

 "{446900e4-71c2-419f-a6a7-df9c091e268b}": {
   "default_area": "navbar"
 }

}

After running various "GPUpdate"s and whatnot, the option to uncheck "Pin to toolbar" is still available to click.

I've verified in "about:policies#active" that the JSON item appears next to "ExtensionSettings" and that there are no errors listed in the "Errors" tab.

I've also verified that it appears in the correct location in the Registry.

Since another user had the same issue (Reddit link above), I figured it'd be a good idea to check in with y'all to see if we are missing something.

Thanks for your help!

Hi,

I need to ask regardining this security.cert_pinning.enforcement_level. how can i set this value using the windwos server GPO? i could not find this even after copying the firefox.admx file. could someone please guide me how can i acheive it?

I would really appreciate the help!

Regards Sheras

How to get rid of "Your browser is being managed by your organization"? This thing is driving me crazy(er)! Please 'dumb down' your reply, as I am not computer literate. If it's a malicious attack, my anti-virus is not picking it up. Thanks!

I want nothing to do with AI.

I have unticked perplexity.ai in preferences#search but every search from the search bar and address bar goes to perplexity.ai then immediately crashes and displays "Internal Error".

To use DDG I have to type duckduckgo.com on the address bar then search from there.

Firefox 140.4.0 ESR.

I've' scanned the PC with malwarebytes. I restored windows from a backup image I haven't made any changes to the PC at all. Was working fine in the AM but by later afternoon, it started using perplexity.ai exclusively.

How do I get rid of perplexity.ai

Hi All, I want to block traffic on firefox externally for managed devices via Intune, following the import of the ADMX/ADML files into intune.

Having read https://support.mozilla.org/en-US/kb/managing-firefox-intune I have set '\Mozilla\Firefox\Exceptions to blocked websites' to the following; //*.mydomain.com/*

Which works, however, I also want to add hosts that are only resolving on IPs and not DNS. I can add specific IPs if known, but is there a way I can allow IP ranges? Ie

//10.10.*/* (this doesn't currently work) Of the included screenshot, only the wildcard for mydomain.com and the specific IP currently work

I've looked over the link that is recommened in the policy (indirectly) and can't see an option for allowing an IP range. https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Match_patterns

If there is a better way to do this via intune for firefox only, please let me know.

Thanks

We are currently rolling out a profile management solution based on Ivanti User Environment Manager. In order to configure file includes and excludes in the profile management tool, we have to “standardize” the Firefox profile path in the filesystem. We have implemented a PowerShell script, which reads the currently used profile from %appdata%\Mozilla\Firefox\install.ini, renames the appropriate profile subfolder to “firefox.default-esr” and replaces the entries in installs.ini and profiles.ini.

The script seems to be reliable. However, for around 10% of the users, we are seeing issues when the user launches Firefox after the “firefox profile migration” happened. Firefox opens but none of the GUI controls is accessible. Firefox is completely unusable. See screenshot attached.

We do have workarounds to resolve this issue, such as completely wiping the %appdata%\Mozilla\Firefox folder and let Firefox re-build everything from scratch. But we are still trying to find the root cause the issue, because our customers have more than 100k clients, what will be a big impact and hard to handle for the helpdesk.

We are currently unable to reproduce the issue on test clients. Even copied Firefox profile folders form affected clients don’t show the issue on other clients.

Therefore we want to find out and ask for your help:

- Is there a supported way to “standardize” the filesystem folder name of the Mozilla Firefox (ESR) profile of a user? - What are the files within a Firefox profile that are required for the profile and the application itself to properly start? - Do you have any idea which files in a Firefox profile (in a corrupted state) could cause our issue?

Hello,

Our organization is attempting to implement a Conditional Access policy that restricts access to certain websites to Intune joined devices only. The error message mentions that I need to enable a setting from within Firefox called Windows SSO, mentioned here: https://support.mozilla.org/en-US/kb/windows-sso. This setting is already enabled and I am still getting an error.

Is there anything else that could be causing this?

I look after about 20 PCs. All Windows 10. All were running Firefox ESR ranging from 115 - 128. As I get time I update each to the latest 128.x. Using group policies I've disabled all update settings.

However, on two of the PCs, they have updated to v139.0.1. Both of the users swear they did not manually do any update. I can't figure out how they got downgraded to the retail channel.

So my question is, since 128 < 139 how can I get them back on to the ESR channel, without loosing history, bookmarks, passwords and saved logins? I gather FF's installer will detect 128 as an older version and throw an error?

ESR -> Retail to me is a downgrade. So is it possible then to upgrade back to 128.11.x?

Each PC is refreshed annually and the only backup of the profile folder I have is from the last refresh, which in most cases in 8-9 months old.

Is there any way to find out why the downgrade happened when group policy forbids it, and the user did not manually download and install the latest version?

When these downgrades happen they break things. For example, when one PC was downgraded to retail his outlook.com email no longer works. If he uses his laptop which is on 128.11.0 it works fine.

I'm developing a parental control add-on, installed with policies.json. It works... but it's easy to disable it by simply deactivating it in private windows + opening a private window, which kinda makes it useless.

Is there a way to force my add-on to work in private windows, regardless of user choice?

If that's not possible, is it possible to somehow disable private windows while the add-on is disabled in private windows.

Note: I know that I can disable private browsing entirely with policies.json `privatebrowsingmodeavailability`, but I'd rather avoid it. Kids browing privately is a good idea :)

I have recently needed to update my motherboard, and the workshop put my C: and D: drives into an old second-hand motherboard they had. I have now checked Firefox - which was on my C: drive, and it works with all my old bookmarks. However I seem to now be part of an 'Enterprise', which I do not want. How do I get rid of my involvement with an Enterprise within Firefox? Thanks for your help. Kanga85