Firefox for Enterprise Community Forum

I am trying to reach an internal company website ([URL]), with a certificate chain rooted in a company certificate authority. This works fine in Chrome, and worked in Firefox on my previous computer. But i recently got a new machine, and something somewhere is not quite right. I get an error message looking like this (between the ~~~s):

~~~ Someone could be trying to impersonate the site and you should not continue.

Web sites prove their identity via certificates. Firefox does not trust [URL] because its certificate issuer is unknown, the certificate is self-signed, or the server is not sending the correct intermediate certificates.

Error code: SEC_ERROR_UNKNOWN_ISSUER

View Certificate ~~~

If i click on the error code, i get these details:

~~~ [URL]

Peer's Certificate issuer is not recognised.

HTTP Strict Transport Security: false HTTP Public Key Pinning: false

Certificate chain:

[certificate]

[certificate]

[certificate]

~~~

If i click 'View Certificate', i get a chain of three certificates:

1. Subject common name = [certificate]
2. Subject common name = [certificate]
3. Subject common name = [certificate]

If i go to Settings > Privacy & Security > View Certificates > Authorities, i can find both the [certificate] certificates. As far as i can tell, they are identical - i can open the certificate from 'View Certificate' and the corresponding one from the certificate manager and flip between tabs, and all the details are the same.

I am using Firefox 120.0, via a flatpak, on Ubuntu 22. I have given the flatpak access to /etc/ssl/certs, where my company's internal CA certificates are located.

To me, this seems like it should all work. The server has a certificate signed by an internal CA, which is signed by another internal CA, and both those internal CA certificates are in my certificate manager. So what is going wrong? Is there any way i can debug this?

Hi team,

I am trying to deploy policy form intune to turn off enhanced tracking mode for firefox. Followed the guide from firefox: about:policies#documentation --https://mozilla.github.io/policy-templates/#enabletrackingprotection Windows (Intune)

OMA-URI:

./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~TrackingProtection/A_TrackingProtection_Value

Value (string):

<enabled/> or <disabled/>

OMA-URI:

./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~TrackingProtection/B_TrackingProtection_Cryptomining

Value (string):

<enabled/> or <disabled/>

OMA-URI:

./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~TrackingProtection/C_TrackingProtection_Fingerprinting

Value (string):

<enabled/> or <disabled/>

OMA-URI:

./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~TrackingProtection/D_TrackingProtection_Exceptions

Value (string):

<enabled/> <data id="TrackingProtection_Exceptions" value="1https://example.com"/>

OMA-URI:

./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~TrackingProtection/E_TrackingProtection_Locked

Value (string):

<enabled/> or <disabled/>

I tried to add the OMA-URI as string and add <enabled/> <data id="TrackingProtection_Exceptions" value="1https://example.com"/>. The policy saves but errors on delpoying to device. Changed it to string XML with xml content like this: <data id="TrackingProtection_Exceptions" value="1https://www.example.com"/>, this seems to be deloyed since it says successful however when checking on about: policies it does not seem to be applying. Can I please get some help. We need to whitelist some websites to turn off enhanced trackign mode. Please Help.

Dear Team,

When my Client device installs From Firefox 102.7.0 ESR to Firefox 128.7.0 from SCCM. (The case is First install the Version 102.7.0 then save the Bookmarks and then uninstall. Second Install the 128.7.0 then check the bookmarks)

user profile Bookmarks are not mapped in Firefox. When I check C:\Users\Tests\AppData\Roaming\Mozilla\Firefox\Profiles I can see the xxxx.defaultesr

I don't understand why the bookmarks are not linked in Firefox. Can you please help? I would be thankful to you if you could share me the .bat script

Thank you

Hello,

For enterprise solutions, for our browser extension can we disable the switch button where user can turn-off the "Access your data for all websites"?

This can be informed to the end user and also approved by the IT admins.

But the option to disable at runtime on the fly needs to be disabled.

I have received the .xpi file from LabStats and verified that the Firefox ADMX Templates are on the DC. I'm having trouble getting this to work though. Can I have someone look over the settings in case I missed something obvious? The GPO is enabled and set to a test group of PCs. I have ran GPupdate /Force each time I make a change and then checked about:policies & about:addons and never see LabStats show up. Thanks,

Hi, I keep getting a message that I should update to a newer version of Firefox on Ubuntu. The problem is: I click on the install for 64 bit button, A ...tar.xz file downloads to my desktop, and the process ends completely. How to proceed?

Thanks, Ildikó

Hello everyone,

We have been using Mozilla Firefox ESR (32-bit) in the organization for several years. For installation on our clients, we use "Matrix42 Empirum" as the software distribution tool. All it does is install the MSI of Firefox.

However, for quite some time now (almost 2 years), we have been facing an issue where some installations are marked as successful (Error code 0), but once the MSI installer is automatically closed, files like "firefox.exe" disappear from the installation directory – despite the installation being marked as successful.

The problem doesn’t always occur, but a repair attempt usually resolves the issue.

In addition to Empirum, we also use Defender for Endpoint, but we couldn’t find any clues there.

Is this problem known, or are we the only ones experiencing it?

When a user logs onto the PC, FF creates the Task scheduler folder but not the task inside. This only get created once the user opens FF for the first time.

So as an admin how would I manage the updates for FF when the user never opens Firefox?

We are currently considering using Firefox ESR as our default browser but experiencing a few issues and one of them is with our configured SailPoint IdentityIQ Single Sign-On Experience, which uses Basic Authentication.

Issue Description First, the login button needs to be clicked multiple times before access to the site is granted. Once signed in, the Firefox inbuilt authentication dialogue appears, prompting the user to log in again (see the attached screenshot). The landing page is only presented after clicking the login button several times. This creates a poor user experience, sometimes causing pages to load improperly. Interestingly, the same process works seamlessly in Edge Chromium.

Troubleshooting Steps Taken I have already attempted the following: 1. Temporarily disabled all custom and security settings in mozilla.cfg and config.json. 2. Temporarily disabled Firefox Tracking Protection. 3. Allowed third-party cookies for the specific URL. 4. Upgraded Firefox Version to 128.7.0 5. Since our Firefox browser is significantly hardened, I have also enabled and reconfigured the following settings in mozilla.cfg to ensure Basic Authentication is allowed, functions properly, and suppresses Firefox’s authentication prompt, but without success:

network.http.phishy-userpass-length = 255 network.http.use-basic-auth network.automatic-ntlm-auth.allow-non-fqdn network.automatic-ntlm-auth.trusted-uris security.enterprise_roots.enabled security.enterprise_roots.enabled

Observations from SailPoint Team Our colleagues from SailPoint have tested the setup in their environment, and according to them, it works as expected. However, their browser is not hardened, and they have leveraged the SailPoint UI for authentication instead of the built-in Firefox authentication prompt.

Further Investigation • Is there a specific configuration required in the user profile settings? • Network trace analysis shows 404 errors on GET requests and the following error codes on POST requests: • 302 Redirect: Mozilla Documentation • 408 Request Timeout: Mozilla Documentation

Next Steps Is there a specific security setting that needs to be enabled or disabled? Are there any particular Firefox enterprise policies we should modify? I have also attached screenshots for reference. Let me know if you need specific logs or network traces for further troubleshooting.

Using group policy there is various settings required for our users. We have been using the preferences policy located at: Administrative Templates > Mozilla > Firefox > Preferences

This policy requires the use of JSON, we have been using the following which has been working ok:

{ "media.navigator.permission.disabled": { "Value": true, "Status": "user" }, "browser.warnOnQuit": { "Value": true, "Status": "user" }, "keyword.enabled": { "Value": false, "Status": "user" }, "browser.tabs.unloadOnLowMemory": { "Value": false, "Status": "user" }, }

Within the old "Preferences (Deprecated)" there is a setting called "intl.accept_languages" which we are wanting to use but I can't seem to find a way to include this within the JSON. We are wanting to set it to "en-GB".

If I enable this within the old deprecated preferences section it causes the Preferences with the JSON to stop working.

I have tried various combinations of including it within the JSON but neither are working:

"intl.accept_languages": { "Value": en-GB, "Status": "user" }

"intl.accept.languages": { "Value": en-GB, "Status": "user" }

I've checked the Mozilla website here: https://mozilla.github.io/policy-templates/ There doesn't seem to be any reference for the intl.accept_languages setting to be used within the JSON

Please can someone advise?

Dear Mozilla Firefox Team,

I hope this message finds you well.

We manage a network of workstations that frequently utilize the Mozilla Firefox browser. Recently, we have encountered a situation where many of our systems are showing vulnerabilities due to pending browser updates. The updates are being installed successfully; however, users often neglect to restart the browser, which is crucial for completing the update process and ensuring security.

To address this, we would like to inquire if there is an existing Group Policy that can be configured to automatically notify users when they need to restart their Firefox browser to apply the latest updates. Such a feature would greatly assist us in maintaining the security integrity of our workstations and ensuring that users are made aware of the importance of restarting their browsers when prompted.

If this functionality is not currently available, we would appreciate any insights on potential workarounds or future plans to incorporate such a feature.

Thank you for your attention to this matter. We look forward to your response.

Dear Mozilla Firefox Team,

I hope this message finds you well.

We manage a network of workstations that frequently utilize the Mozilla Firefox browser. Recently, we have encountered a situation where many of our systems are showing vulnerabilities due to pending browser updates. The updates are being installed successfully; however, users often neglect to restart the browser, which is crucial for completing the update process and ensuring security.

To address this, we would like to inquire if there is an existing Group Policy that can be configured to automatically notify users when they need to restart their Firefox browser to apply the latest updates. Such a feature would greatly assist us in maintaining the security integrity of our workstations and ensuring that users are made aware of the importance of restarting their browsers when prompted.

If this functionality is not currently available, we would appreciate any insights on potential workarounds or future plans to incorporate such a feature.

Thank you for your attention to this matter. We look forward to your response.

Hi All, I want to block traffic on firefox externally for managed devices via Intune, following the import of the ADMX/ADML files into intune.

I have set '\Mozilla\Firefox\Exceptions to blocked websites' to the following

• //*.mydomain.com/*

which works, however, I also want to add hosts that are only resolving on IPs and not DNS. I can add specific IPs if known, but is there a way I can allow IP ranges? Ie

• //10.10.*/* (this doesn't currently work)

Of the included screenshot, only the wildcard for mydomain.com and the specific IP currently work

If there is a better way to do this via intune for firefox only, please let me know.

Thanks

Hi All, I want to block traffic on firefox externally for managed devices via Intune, following the import of the ADMX/ADML files into intune.

Having read https://support.mozilla.org/en-US/kb/managing-firefox-intune I have set '\Mozilla\Firefox\Exceptions to blocked websites' to the following; //*.mydomain.com/*

Which works, however, I also want to add hosts that are only resolving on IPs and not DNS. I can add specific IPs if known, but is there a way I can allow IP ranges? Ie

//10.10.*/* (this doesn't currently work) Of the included screenshot, only the wildcard for mydomain.com and the specific IP currently work

I've looked over the link that is recommened in the policy (indirectly) and can't see an option for allowing an IP range. https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Match_patterns

If there is a better way to do this via intune for firefox only, please let me know.

Thanks

I'm developing a parental control add-on, installed with policies.json. It works... but it's easy to disable it by simply deactivating it in private windows + opening a private window, which kinda makes it useless.

Is there a way to force my add-on to work in private windows, regardless of user choice?

If that's not possible, is it possible to somehow disable private windows while the add-on is disabled in private windows.

Note: I know that I can disable private browsing entirely with policies.json `privatebrowsingmodeavailability`, but I'd rather avoid it. Kids browing privately is a good idea :)

Form History Control (II) FoxyProxy Standard

These 2 extensions just installed themselves in Firefox ESR and disabled ALL my current extensions!!? I can't seem to remove them either.. please help!

I'm running Parrot OS (Linux) and had just signed myself in @hackthebox.com , which is a friendly place where people can learn to develop their cybersecurity skills. security on this site should be great, i don't know if this could be the issue...

Thanks in regards!