Firefox for Enterprise Community Forum

Hello community :)

hope everybody is doing well. I´m coming here with with asking for a help.

I´m managing browsers (Google Chrome, MS Edge and Firefox) in my company via GPOs. What we´ve been dealing with since 135 version came up is having the "Did Not Connect: Potential Security Issue error page , Error insufficient cert transparency" while visiting our internal resources.

Despite of having the security.pki.certificate_transparency.disable_for_spki_hashes set up -> main three certificate hashes are correctly added, basically copying the setup from Chromium browsers , where everything works as expected , Firefox is not.

The only way how to make it work is via security.pki.certificate_transparency.disable_for_hosts , which is , of course, not desirable , because of the security risks.

Does anyone face the same issues ?

Thank you very much ya´ll

The recommended methods, changing to this in the registry :

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Certificates] "ImportEnterpriseRoots"=dword:00000000

Reverts back to 00000001

Put this policies.json and did nothing: {

 "policies": {
   "Certificates": {
     "ImportEnterpriseRoots": false
   }
 }

} What am I missing or what's changed?

My specific need at the moment is to add another search engine option in about:preferences#search

Thanks.

I look after about 20 PCs. All Windows 10. All were running Firefox ESR ranging from 115 - 128. As I get time I update each to the latest 128.x. Using group policies I've disabled all update settings.

However, on two of the PCs, they have updated to v139.0.1. Both of the users swear they did not manually do any update. I can't figure out how they got downgraded to the retail channel.

So my question is, since 128 < 139 how can I get them back on to the ESR channel, without loosing history, bookmarks, passwords and saved logins? I gather FF's installer will detect 128 as an older version and throw an error?

ESR -> Retail to me is a downgrade. So is it possible then to upgrade back to 128.11.x?

Each PC is refreshed annually and the only backup of the profile folder I have is from the last refresh, which in most cases in 8-9 months old.

Is there any way to find out why the downgrade happened when group policy forbids it, and the user did not manually download and install the latest version?

When these downgrades happen they break things. For example, when one PC was downgraded to retail his outlook.com email no longer works. If he uses his laptop which is on 128.11.0 it works fine.

Until recently the Firefox docs described how to use the CDP-based Remote Agent at [this url](https://firefox-source-docs.mozilla.org/remote/cdp/Usage.html), now defunct. Here is the latest archive version I can find from the end of last year: https://web.archive.org/web/20241126214503/https://firefox-source-docs.mozilla.org/remote/cdp/Usage.html

One usage example looked like this:

% firefox --remote-debugging-port DevTools listening on ws://localhost:9222/devtools/browser/7b4e84a4-597f-4839-ac6d-c9e86d16fb83

I have tried the same but get no websocket address returned:- ``` % firefox-esr Mozilla Firefox 128.11.0esr ``` ``` % firefox-esr -h ... ... --remote-debugging-port [<port>] Start the Firefox Remote Agent,

                    which is a low-level remote debugging interface used for WebDriver
                    BiDi and CDP. Defaults to port 9222.

... ... ```

`% firefox-esr --remote-debugging-port` command exits with nothing returned

I have `remote.active-protocols` set to 3 in my Firefox prefs.

Please advise how I get the Remote Agent to return a websocket address for use with BiDi with FF 128. My OS is Debian-based Linux.

TIA

I am a DNS administator at my employers and notice that on my employers network that aus3.mozilla.org and aus4.mozilla.org seem to be returning NXDOMAIN both with our on prem DNS and via the public dns providers when a browser attempts update it can fail.

Have other Australian users reported such behavior and are these hosts still valid

DIG

grudd@crayon:~$ dig @8.8.8.8 aus3.mozilla.org

<<>> DiG 9.18.30-0ubuntu0.20.04.2-Ubuntu <<>> @8.8.8.8 aus3.mozilla.org

(1 server found)

global options: +cmd

Got answer:

->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40382

flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

OPT PSEUDOSECTION:

EDNS: version: 0, flags:; udp: 512

QUESTION SECTION:

aus3.mozilla.org. IN A

AUTHORITY SECTION:

mozilla.org. 2 IN SOA infoblox1.private.mdc1.mozilla.com. hostmaster.mozilla.com. 2024020614 180 180 1209600 60

Query time: 0 msec

SERVER: 8.8.8.8#53(8.8.8.8) (UDP)

WHEN: Mon Jun 02 10:04:52 AEST 2025

MSG SIZE rcvd: 126

grudd@crayon:~$ dig stun.services.mozilla.com

<<>> DiG 9.18.30-0ubuntu0.20.04.2-Ubuntu <<>> stun.services.mozilla.com

global options: +cmd

Got answer:

->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56679

flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

OPT PSEUDOSECTION:

EDNS: version: 0, flags:; udp: 1280

QUESTION SECTION:

stun.services.mozilla.com. IN A

AUTHORITY SECTION:

services.mozilla.com. 836 IN SOA ns-679.awsdns-20.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

Query time: 0 msec

SERVER: 10.67.10.62#53(10.67.10.62) (UDP)

WHEN: Mon Jun 02 10:13:11 AEST 2025

MSG SIZE rcvd: 138

grudd@crayon:~$ dig @8.8.8.8 stun.services.mozilla.com

<<>> DiG 9.18.30-0ubuntu0.20.04.2-Ubuntu <<>> @8.8.8.8 stun.services.mozilla.com

(1 server found)

global options: +cmd

Got answer:

->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62337

flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

OPT PSEUDOSECTION:

EDNS: version: 0, flags:; udp: 512

QUESTION SECTION:

stun.services.mozilla.com. IN A

AUTHORITY SECTION:

services.mozilla.com. 127 IN SOA ns-679.awsdns-20.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

Query time: 0 msec

SERVER: 8.8.8.8#53(8.8.8.8) (UDP)

WHEN: Mon Jun 02 10:13:19 AEST 2025

MSG SIZE rcvd: 135

grudd@crayon:~$ dig @8.8.8.8 aus4.mozilla.org

<<>> DiG 9.18.30-0ubuntu0.20.04.2-Ubuntu <<>> @8.8.8.8 aus4.mozilla.org

(1 server found)

global options: +cmd

Got answer:

->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15261

flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

OPT PSEUDOSECTION:

EDNS: version: 0, flags:; udp: 512

QUESTION SECTION:

aus4.mozilla.org. IN A

AUTHORITY SECTION:

mozilla.org. 40 IN SOA infoblox1.private.mdc1.mozilla.com. hostmaster.mozilla.com. 2024020614 180 180 1209600 60

Query time: 4 msec

SERVER: 8.8.8.8#53(8.8.8.8) (UDP)

WHEN: Mon Jun 02 10:24:30 AEST 2025

MSG SIZE rcvd: 126

grudd@crayon:~$ dig @8.8.8.8 aus4.mozilla.org

<<>> DiG 9.18.30-0ubuntu0.20.04.2-Ubuntu <<>> @8.8.8.8 aus4.mozilla.org

(1 server found)

global options: +cmd

Got answer:

->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26928

flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

OPT PSEUDOSECTION:

EDNS: version: 0, flags:; udp: 512

QUESTION SECTION:

aus4.mozilla.org. IN A

AUTHORITY SECTION:

mozilla.org. 35 IN SOA infoblox1.private.mdc1.mozilla.com. hostmaster.mozilla.com. 2024020614 180 180 1209600 60

Query time: 0 msec

SERVER: 8.8.8.8#53(8.8.8.8) (UDP)

WHEN: Mon Jun 02 10:24:32 AEST 2025

MSG SIZE rcvd: 126

grudd@crayon:~$ dig @8.8.8.8 aus5.mozilla.org

<<>> DiG 9.18.30-0ubuntu0.20.04.2-Ubuntu <<>> @8.8.8.8 aus5.mozilla.org

(1 server found)

global options: +cmd

Got answer:

->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37023

flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

OPT PSEUDOSECTION:

EDNS: version: 0, flags:; udp: 512

QUESTION SECTION:

aus5.mozilla.org. IN A

ANSWER SECTION:

aus5.mozilla.org. 48 IN CNAME balrog-aus5.r53-2.services.mozilla.com. balrog-aus5.r53-2.services.mozilla.com. 58 IN CNAME prod.balrog.prod.cloudops.mozgcp.net. prod.balrog.prod.cloudops.mozgcp.net. 984 IN A 35.244.181.201

Query time: 4 msec

SERVER: 8.8.8.8#53(8.8.8.8) (UDP)

WHEN: Mon Jun 02 10:24:43 AEST 2025

MSG SIZE rcvd: 163

grudd@crayon:~$ dig @8.8.8.8 aus5.mozilla.org SOA

<<>> DiG 9.18.30-0ubuntu0.20.04.2-Ubuntu <<>> @8.8.8.8 aus5.mozilla.org SOA

(1 server found)

global options: +cmd

Got answer:

->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65395

flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

OPT PSEUDOSECTION:

EDNS: version: 0, flags:; udp: 512

QUESTION SECTION:

aus5.mozilla.org. IN SOA

ANSWER SECTION:

aus5.mozilla.org. 42 IN CNAME balrog-aus5.r53-2.services.mozilla.com. balrog-aus5.r53-2.services.mozilla.com. 52 IN CNAME prod.balrog.prod.cloudops.mozgcp.net.

AUTHORITY SECTION:

balrog.prod.cloudops.mozgcp.net. 300 IN SOA ns-cloud-d1.googledomains.com. cloud-dns-hostmaster.google.com. 1 21600 3600 259200 300

Query time: 108 msec

SERVER: 8.8.8.8#53(8.8.8.8) (UDP)

WHEN: Mon Jun 02 10:24:49 AEST 2025

MSG SIZE rcvd: 237

grudd@crayon:~$

I'm using Firefox ESR 128.10.1esr on Kali, and I'm encountering an issue where the 'Refresh Firefox' option is missing from the ☰ → Help → Troubleshooting more Information. This is preventing me from restoring Firefox to its default settings. I've already tried the following:

   Restarting Firefox

   Clearing the startup cache

   Confirmed there are no extensions installed

None of these steps have fixed the issue. I need a way to reset Firefox ESR to factory defaults, but I can't find an option to do so. Attached is a screenshot of the Troubleshooting Information page.

Any assistance would be greatly appreciated!

Hello,

We are trying to automate updating Firefox ESR from 32bit to 64bit. There seems to be an issue with getting user's profiles to properly migrate for ESR. If we do a plain 32bit uninstall and 64bit installation, a new "default-esr-1" profile gets created (which is expected behavior from these Mozilla docs for new installs). But, when we set the MOZ_LEGACY_PROFILES=1 policy, this reverts to using the "default" profile instead of "default-esr" profile that was previously in use.

Are there any known ways around this which does not require user intervention to manually change back to the "default-esr" profile?

Thank you

We're exploring adopting a default deny policy for Firefox extensions in our enterprise. However when I tested this by creating a custom policies.json Firefox unexpectedly removed all extensions for me, including the ones I thought I had allow listed. Here is my policies.json but just keeping in the Facebook Container add-on to illustrate:

{

   "policies": {
       "ExtensionSettings": {
           "*": {
               "blocked_install_message": "Only approved Firefox extensions can be installed, please email your request to itdept@example.org",
               "installation_mode": "blocked",
               "allowed_types": ["theme", "dictionary", "locale"]
           },
           "@contain-facebook.xpi": { "installation_mode": "allowed" }
       }
   }

}

What I would like is to to allow pre-approved extensions (including if they already are installed) and all other types of add-on, but remove and prohibit installation of unapproved extensions.

Can anyone assist, please?

In /Library/Preferences/org.mozilla.firefox.plist:

``` <plist version="1.0"> <dict> <key>EnterprisePoliciesEnabled</key> <true /> <key>ExtensionSettings</key> <dict> <key>cloudmetering@snowsoftware.com</key> <dict> <key>install_url</key> <string>https://raw.githubusercontent.com/SnowSoftware/agent-firefox-extension/refs/heads/main/cloudmetering-v1.2.3.xpi</string> <key>installation_mode</key> <string>force_installed</string> </dict> </dict> </dict> </plist>```

In about:policies: {"cloudmetering@snowsoftware.com":{"installation_mode":"blocked","install_url":"https://raw.githubusercontent.com/SnowSoftware/agent-firefox-extension/refs/heads/main/cloudmetering-v1.2.3.xpi"}}

The plist file did read "blocked" at one point, but it no longer does. Why isn't firefox picking up the new value from the plist file? Restarting/refresing FF has not helped so far.

I confirmed this problem on two separate computers(windows 7 and windows 11) and version 115.23.0 of Firefox ESR can not properly play streams on twitch.tv

Audio will play, but the video does not load with only a black screen with question mark icon replacing video feed.

We recently update Firefox with version 138.0 and now getting the message "Gah. Your tab just crashed" when opening the browser.

We attempted to update and install version 138.0.1 only resulting with the same error. We also found and attempted the following all resulting with the same error: - change the about:config page for settings to false for both browser.tabs.remote.autostart and browser.tabs.remote.autostart.2

- clear browser cache.

- enable Temporary Mode in the Help menu. This appears to fix the problem but only for the current browser session. When a new Firefox window is opened, the error reappears.

What is needed to resolve this error or is there a way to permanently enable Temporary Mode or some similar setting? Thanks for all your help with this.

Hello,

Our organization is attempting to implement a Conditional Access policy that restricts access to certain websites to Intune joined devices only. The error message mentions that I need to enable a setting from within Firefox called Windows SSO, mentioned here: https://support.mozilla.org/en-US/kb/windows-sso. This setting is already enabled and I am still getting an error.

Is there anything else that could be causing this?

Добрый день Есть ли возможность установить плагин .xpi в mozilla через cmd. AltLinux. Конечно я уже прочел статьи существующие. Не сработали рекомендации. Можно ли сделать вывод что Firefox 128.0 ESR не поддерживает установку плагинов через cmd? Если да, то можем ли мы сослаться на официальный ответ firefox ? Благодарю за рекомендации.

Trying to block www.share365.net but it's not working

{

 "policies": {
     "WebsiteFilter": {
         "Block": [
           "*:share365.net",
           "*:www.share365.net",
           "*://share365.net/*"
         ]
     }
 }

}

I am going to deploy Firefox ESR in an environment where the default topsites provided by the top-sites.json included in omni.ja (namely Wikipedia, youtube and reddit) are not desirable, and I want to provide my own. I cannot find a way to do so.

Setting the browser.newtabpage.activity-stream.default.sites preference through the policies.json file does not work (the pref gets loaded but it does not influence the actual default topsites, which is not surprising since the default value of this pref has nothing to do with the actual default topsites).

Note that I am not seeking to remove the topsites from the homepage entirely (as would be achieved through the FirefoxHome/TopSites policy), I want to change the default ones.

I tried creating my own top-sites.json in /lib/firefox-esr/browser/ where omni.ja resides, but to no avail.

Hi, we use Firefox 128.9.0esr (64bit) on about 6000 workstations. We redirect the stored bookmarks on a personal network drive for each user. For that we use these settings via Windows group policy:

browser.bookmarks.file = P:\Firefox\Bookmarks browser.bookmarks.autoExportHTML = true browser.places.importBookmarksHTML = true

For some time the automatic export/import with that settings above does not work any more. When I close Firefox on workstation A, the bookmarks seem to be exported correctly in that export-file (check the file via editor). But when I use another workstation B an start Firefox, the exported file does not import on startup. But this worked fine in the past.

I found out, that the switch "browser.places.importBookmarksHTML" is obviously automtically set to false when I have startet Firefox (checking with about:config). I dont know if it is correct.

Any suggestions? Maybe it's a new bug?

Thanks Malte

I am trying to manage Firefox browser for our users with MDM. On doing so, I can't able to get expected output on blocking the camera access for certain websites with the following OMA-URI.

./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Permissions~Camera/Camera_Block

I can add websites in allow section and even lock the setting so that the users can't change. But facing issues with blocking camera access.

Is there any place where I can see the log if there are any error encountering by any chance? Any insights or suggestions would be greatly appreciated.

Thanks in advance!

We have Firefox deployed and managed through Intune/Endpoint and all works well but every device has an error with this line of the policy:

UserMessaging_FirefoxLabs [./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~UserMessaging/UserMessaging_FirefoxLabs] STATE Error SOURCE PROFILES Source Profile Mozilla_Firefox_Configuration ERROR CODE 0x87d1fde8

The error code is the same on all devices and is the only one present in on each device config.

Does anyone have any idea what the issue and resolution would be?

Thanks, Matt