Automatic updates

We have recently enabled background updates in our organization, however I noticed that a requirement for this to work is that Firefox needs to be run with the default pr… (read more)

We have recently enabled background updates in our organization, however I noticed that a requirement for this to work is that Firefox needs to be run with the default profile at least once after the feature is enabled. The issue we have is that not all users are actively using Firefox and therefore they are not being updated. I realize the security flaws won't be exposed if it's not in use, but management doesn't like seeing out of date browsers. Is there a way to force auto updates on all device where Firefox isn't not being used. Background updating is working for the majority of those that do use Firefox.

Also, we do have a couple of users reporting a credential prompt when updating from 119 to 119.0.1. These same users had no issues updating from 118 to 119. I have not figured out why this is happening just yet and why only for a handful of users so far. Would anyone have an idea why that is happening?

Asked by rob.scott1 3 months ago

Last reply by Mike Kaply 3 months ago

ESR 115 Windows - background update without user ever logging in or launching FF?

Hello, We want to run Firefox in our environment which is constantly scanned by a security scanner, and deducts points for applications which have a vulnerability that h… (read more)

Hello,

We want to run Firefox in our environment which is constantly scanned by a security scanner, and deducts points for applications which have a vulnerability that has an available patch, but the patch has not been installed. These are on shared Windows terminal servers. Firefox is one of two browsers, Edge being the other one.

If users do not launch firefox at least once, then Firefox never gets updated.

Yes, we have the background update service installed, but it sets itself to manual, and if I try to start it, it simply gives the error "error 1: incorrect function"

How can we configure Firefox 115ESR to be able to run this service automatically, check for updates, and install, without a user on a particular terminal server ever having launched the application once?

Asked by zach.heise 5 months ago

Last reply by Mike Kaply 3 months ago

in a corporate environment, using Kerberos authentication to authenticate AD user to OKTA (IdP) via Firefox

We have used Firefox in our environment for well over a year in the configuration explained here: https://help.okta.com/en-us/content/topics/directory/ad-dsso-configure-b… (read more)

We have used Firefox in our environment for well over a year in the configuration explained here: https://help.okta.com/en-us/content/topics/directory/ad-dsso-configure-browsers.htm

OKTA is our Identity provider to do Single Sign on to our SaaS applications.

today when version 118 rolled out, this functionality stopped working. Can you help me to get this working again. Chrome and Edge are not affected, so we have options, but we would really like to use Firefox.

Thanks so much for your help

Scott

Asked by Scott Voll 5 months ago

Last reply by Mike Kaply 4 months ago

GPO, Reg Key, Nothing works to force add/install an extension.

I am writing from an enterprise environment and I have been directed to the community page by Mozilla support to seek answers. This approach seems somewhat unreasonable f… (read more)

I am writing from an enterprise environment and I have been directed to the community page by Mozilla support to seek answers. This approach seems somewhat unreasonable for an enterprise setting and it has led me to consider discontinuing their product within our organization. I had requested support to send me a copy of my previous correspondence as I had forgotten some details, but this request was ignored, which is disappointing.

I am skeptical about receiving the help or answers I need here. If there is a more direct line to Mozilla support, I would greatly appreciate being redirected there.

We are currently using Firefox 121.0 and are attempting to implement the Applied Epic extension. I have updated the ADMX policy.

Originally, the reg key flip I created did work but something has changed since then. See screenshot of this. I followed the guide provided at https://github.com/mozilla/policy-templates/blob/v5.5/docs/index.md, which instructed me to place the registry key in Software\Policies\Mozilla\Firefox\Extensions\Install\1. However, the guide did not specify whether this should be in HKLM or HKCU. I tried this instead, and it did not work.

I also attempted to implement the extension via GPO, but this was unsuccessful. I tried the new Extension Management system as well, but to no avail.

Here is the JSON configuration I used: {

 "AppliedEpicExtension@gmail.com": {
   "installation_mode": "force_installed",
   "install_url": "https://addons.mozilla.org/firefox/downloads/file/4143256/applied_epic_extension-3.16.3.xpi"
 }

}

Despite following the guide and trying multiple methods, none of the options seem to work. I would appreciate any guidance on what I might be doing wrong.

Asked by BM 2 months ago

Last reply by Mike Kaply 1 month ago

Official Documentation required: Export Control Classification Number (ECCN)

My company needs to follow regulation on Export rules. I need to provide our ITAR regulation team "Vendor documentation" regarding the Export Control Classification Numb… (read more)

My company needs to follow regulation on Export rules. I need to provide our ITAR regulation team "Vendor documentation" regarding the Export Control Classification Number (ECCN) for Mozilla Firefox ESR. They will not accept a blog or article. Any one from Mozilla able to provide this in an official capacity?

Asked by Michael.Klein2 4 months ago

Last reply by Mike Kaply 4 months ago

Proxy not working

Hello, from Terminal Servers, it is not possible to browse the Internet via FortiGate's explicit proxy from the Firefox browser, while there is no problem with Chrome or … (read more)

Hello, from Terminal Servers, it is not possible to browse the Internet via FortiGate's explicit proxy from the Firefox browser, while there is no problem with Chrome or Edge. When the user tries to browse external sites, the proxy sends the error page "You need to authenticate to use this service". It seems that Firefox does not pass user authentication to FortiGate. The proxy authenticates users per session via Kerberos tickets.

Firefox version: 115.5.0esr

I also performed the following settings to pass the Kerberos ticket to the proxy without success: https://people.redhat.com/mikeb/negotiate/

I also noticed that it is not possible to change the "network.negotiate-auth.allow-proxies" setting from "false" to "true." Is this my problem? Is it normal that it cannot be changed?

Attached are the settings.

Thank you in advance.

Asked by akas89 3 months ago

Last reply by Mike Kaply 3 weeks ago

How to disable welcome back notification?

Seems to be new in 122.0 because i never received that before. It asks if you want to open links with Firefox and if you do, it sets file associations for htm / html and … (read more)

Seems to be new in 122.0 because i never received that before. It asks if you want to open links with Firefox and if you do, it sets file associations for htm / html and things like that. However in a company environment i want to supress that notification

Asked by Tynth 1 month ago

Last reply by Mike Kaply 1 month ago

What does pref.browser.language.disable_button.remove do?

I am reviewing my user.js and pref.js files in anticipation of deploying policy settings in GPO. As a part of the review, I am trying to document what each of the prefere… (read more)

I am reviewing my user.js and pref.js files in anticipation of deploying policy settings in GPO. As a part of the review, I am trying to document what each of the preferences in those files actually do, in order to be able to see in the future why a setting was set the way it was.

I am presently at the preference "pref.browser.language.disable_button.remove". Based on the name of the preference, I would think that if set to true, it would disable the remove button in the Webpage Language Settings window. (Hamburger menu -> Settings -> General -> Language -> Choose your preferred language for displaying pages)

When I set it to true, it does not disable the remove button but when I use the remove button, the preference is set to false.

Am I misunderstanding the purpose of this preference or is there more to using this preference than just setting its value in about:config?

Also, I see there are a number of other preferences that contain disable_button but that only one, "pref.privacy.disable_button.view_passwords", has a GPO policy for setting. I would expect that these preferences containing disable_button would all work in a similar way just each for a different button in the Firefox GUI.

If it matters, I'm running Firefox 115.3.1esr 64-bit en-ca on Windows 10.

Asked by Numbers 4 months ago

Last reply by Mike Kaply 4 months ago

Fail to update firefox

We're exploring the possibility of implementing a mass update for Firefox through backend management, leveraging PowerShell scripts or any applicable method that can stre… (read more)

We're exploring the possibility of implementing a mass update for Firefox through backend management, leveraging PowerShell scripts or any applicable method that can streamline the update process for our users.

Additionally, we've encountered instances where users have installed Firefox via local profiles, posing challenges for centralized updates. I'd appreciate any insights or guidance on how we can address this issue effectively to ensure these installations align with our centralized management approach.

Asked by slimmonkey 2 months ago

Last reply by Mike Kaply 2 months ago

How to Disable Saved Address and Credit Cards

During a client Audit earlier this week we were dinged on not having the option in Firefox ESR to block manually saving Addresses and Credit Cards. We have the autofill … (read more)

During a client Audit earlier this week we were dinged on not having the option in Firefox ESR to block manually saving Addresses and Credit Cards. We have the autofill disabled however users can still manually add credit cards and addresses and this poses an issue with our call center agents handling Credit Card info. I'd like to be able to gray out the Saved Addresses and Saved Credit Card boxes so as to prevent agents from manually entering card data into it using a GPO or Registry setting that we can push and apply to all our domain PCs. Ideally, if we could add an entry to the JSON preferences in the Mozilla GPO that would gray those options out that'd be best but any option that removes the users ability to add CC info would be acceptable.

Asked by rhall4 3 weeks ago

Last reply by Mike Kaply 5 days ago

Configure policies for Firefox

Hi there, We would like to disable ECH on our browsers as it is interfering with our Anti-virus Website blocks. I have identified the settings that need to be changed in… (read more)

Hi there,

We would like to disable ECH on our browsers as it is interfering with our Anti-virus Website blocks. I have identified the settings that need to be changed in about:config and was able to configure 2 of them to be controlled via a registry key but was not able to for another 3 as their keys should be placed in a different Key in the registry. I have searched all over but cannot identify the name for this Key.

The settings I need to manage are in the image. I was able to configure the settings beginning with network.dns but I am not sure how to manage the settings beginning with security.tls.ech

Any help would be much appreciated

Asked by Dhiren Hirani 4 months ago

Last reply by Dennis Jackson 4 months ago

Bypass UAC prompts through GPO settings

We are currently attempting to automate our Firefox update processes. Currently we use robocopy to push out new versions on release, but ideally we'd like to use the back… (read more)

We are currently attempting to automate our Firefox update processes. Currently we use robocopy to push out new versions on release, but ideally we'd like to use the background updater instead. We are currently on 64-bit 119.0.1, on Windows 10 Pro 22H2. We'd prefer not to switch over to ESR if at all possible. I've already reactivated the AppAutoUpdate and BackgroundAppUpdate policies, and DisableAppUpdate is disabled, but I'm still being hit with a UAC Admin prompt when I try to launch Firefox. I tried to bypass it through the registry at [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers], with "C:\Program Files\Mozilla Firefox\firefox.exe" = "RUNASINVOKER", but that also doesn't seem to have done anything. Any and all assistance would be appreciated

Asked by ddrake1 3 months ago

Last reply by Mike Kaply 2 months ago

Configuration via Windows GPO -> exclude second Firefox installation

Hi, we want to switch our Firefox configuration from file-based (policies.json) to GPO-based. We rolled out the GPO on some test clients and it worked like a charm. But… (read more)

Hi,

we want to switch our Firefox configuration from file-based (policies.json) to GPO-based. We rolled out the GPO on some test clients and it worked like a charm.

But... It shows that there are some clients which need a second firefox installation for a special purpose, which is not allowed to enter the internet or update itself.

The file-base configuration can handle these to different installations with two differend policies.json files.

Is there a way to accomplish this scenario with the use of GPOs? The GPO-base configuration seems to be global for every client.

At this moment i don't see a solution for our problem. Do you see one?

Asked by maik.w 3 months ago

Last reply by Mike Kaply 3 months ago

Disable Save menu entry from Firefox built-in PDF Viewer on local Linux system

I would like to prevent users to navigate on the Linux system when they view a PDF and then use the Save option. The "PDFjs" policy enables or disables the PDF Viewer but… (read more)

I would like to prevent users to navigate on the Linux system when they view a PDF and then use the Save option. The "PDFjs" policy enables or disables the PDF Viewer but does not control the built-in PDF Viewer menus.

Asked by InfoMaze 2 months ago

Last reply by zeroknight 2 minutes ago

Issues configuring browser extensions using Intune and ADMX templates

Hi All, I am trying to block the Last Pass extension in Firefox using Intune, and the ADMX configuration setting is not working on the endpoint. I've used the templates … (read more)

Hi All,

I am trying to block the Last Pass extension in Firefox using Intune, and the ADMX configuration setting is not working on the endpoint. I've used the templates found here

https://github.com/mozilla/policy-templates/releases / Target Extension "support@lastpass.com"

And have tried using the imported admx template as well as a single line OMA-URI.

I've worked with Microsoft, and they see the correct settings on the device as pushed out via Intune, so they said it is not on their end. Any ideas why blocking named browser extenstions is not working? I've configured a few other settings with Intune/ADMX templates and they work.

Thanks! -Doug

Asked by dgreene3206 5 months ago

Last reply by Mike Kaply 5 months ago

Firefox conflict with Windows HTTPS (DoH) -> Requipred DoH

When setting Windows to "Require DoH", firefox will not resolve DNS addresses, regardless of which "Enable secure DNS" setting is picked in FireFox security settings tab.… (read more)

When setting Windows to "Require DoH", firefox will not resolve DNS addresses, regardless of which "Enable secure DNS" setting is picked in FireFox security settings tab.

I expected at least "Off -- Use your default DNS resolver" to work.

If Windows is configured to just "Allow DoH", Firefox has no issues resolving DNS addresses, for any of the Firefox policy settings.

For reference, you can find the DoH policy setting in windows group policy editor, here:

gpedit.msc

Computer Configuration -> Administrative Templates -> Network -> DNS Client -> Configure DNS over HTTPS

(Have to enable it, then select Configure DoH options: Require DoH.)

you may need to issue a gpupdate /force for the setting to be picked up quickly.

Asked by s189 5 months ago

Last reply by Valentin 4 months ago

update extension installed with GPO

Hello, I have a plug-in installed on multiple machines using group policy. The installation source is a link to <my_add_on.xpi>. My question is regarding the upda… (read more)

Hello,

I have a plug-in installed on multiple machines using group policy. The installation source is a link to <my_add_on.xpi>. My question is regarding the updates approach. If I replace the source file with an updated version, but keeping the name/link the same. Will Firefox automatically update the plug-in? Only found brief docs here: https://github.com/mozilla/policy-templates/blob/master/README.md#extensionsettings """

If you need to update the extension, you can change the name of the extension and it will be automatically updated. Extensions installed from file URLs will additional be updated when their internal version changes.

""" I don't point to a local file, but rather a URL. Does that make a difference. Or I'll have to provide the updates.json in the plug-in manifest that points to the latest version?


Thank you.

Asked by pimenov 5 months ago

Last reply by Mike Kaply 5 months ago

Assistance with managing extensions on Mac OS

Hello, I am trying to manage extensions in my organization. What would be the best way to block all extensions by default and allow only certain specific extensions? I … (read more)

Hello, I am trying to manage extensions in my organization. What would be the best way to block all extensions by default and allow only certain specific extensions?

I am following the Mac OS Extension Settings Policy and adding this to a configuration profile, but I am not sure how to manipulate it to suit my needs.

What would be the best way to go about this, and what would the plist file look like?

Thanks!

Asked by tkozlofski 5 months ago

Last reply by Mike Kaply 5 months ago

Best Way to force firefox update without opening the application

We are currently looking at devices with out-of-date Firefox versions these are listed with vulnerabilities within our environment and need to be patched to the latest ve… (read more)

We are currently looking at devices with out-of-date Firefox versions these are listed with vulnerabilities within our environment and need to be patched to the latest version to cover those vulnerabilities.

With the volume of patching required, we want to be able to enable auto-update and allow the application to patch itself.

However, the current options via group policy don't seem to work as I've read on such threads https://bugzilla.mozilla.org/show_bug.cgi?id=1876302.

The application Autoupdate has been enabled within local group policy as a test and nothing seems to force the application to update unless a user enters the application and selects about.

Reading into how Firefox does this it doesn't seem viable to enable an auto-update feature without specifying the version it needs to upgrade to, we can currently patch to specific versions using SCCM.

Is anyone aware of a solution to this problem or another method?

Looked into calling updater.exe and the maintenance service but nothing i successful when trying to call on these.

Asked by oliver.gillman 3 weeks ago

Last reply by zeroknight 3 weeks ago