Firefox for Enterprise Community Forum

Hello community :)

hope everybody is doing well. I´m coming here with with asking for a help.

I´m managing browsers (Google Chrome, MS Edge and Firefox) in my company via GPOs. What we´ve been dealing with since 135 version came up is having the "Did Not Connect: Potential Security Issue error page , Error insufficient cert transparency" while visiting our internal resources.

Despite of having the security.pki.certificate_transparency.disable_for_spki_hashes set up -> main three certificate hashes are correctly added, basically copying the setup from Chromium browsers , where everything works as expected , Firefox is not.

The only way how to make it work is via security.pki.certificate_transparency.disable_for_hosts , which is , of course, not desirable , because of the security risks.

Does anyone face the same issues ?

Thank you very much ya´ll

I look after about 20 PCs. All Windows 10. All were running Firefox ESR ranging from 115 - 128. As I get time I update each to the latest 128.x. Using group policies I've disabled all update settings.

However, on two of the PCs, they have updated to v139.0.1. Both of the users swear they did not manually do any update. I can't figure out how they got downgraded to the retail channel.

So my question is, since 128 < 139 how can I get them back on to the ESR channel, without loosing history, bookmarks, passwords and saved logins? I gather FF's installer will detect 128 as an older version and throw an error?

ESR -> Retail to me is a downgrade. So is it possible then to upgrade back to 128.11.x?

Each PC is refreshed annually and the only backup of the profile folder I have is from the last refresh, which in most cases in 8-9 months old.

Is there any way to find out why the downgrade happened when group policy forbids it, and the user did not manually download and install the latest version?

When these downgrades happen they break things. For example, when one PC was downgraded to retail his outlook.com email no longer works. If he uses his laptop which is on 128.11.0 it works fine.

Until recently the Firefox docs described how to use the CDP-based Remote Agent at [this url](https://firefox-source-docs.mozilla.org/remote/cdp/Usage.html), now defunct. Here is the latest archive version I can find from the end of last year: https://web.archive.org/web/20241126214503/https://firefox-source-docs.mozilla.org/remote/cdp/Usage.html

One usage example looked like this:

% firefox --remote-debugging-port DevTools listening on ws://localhost:9222/devtools/browser/7b4e84a4-597f-4839-ac6d-c9e86d16fb83

I have tried the same but get no websocket address returned:- ``` % firefox-esr Mozilla Firefox 128.11.0esr ``` ``` % firefox-esr -h ... ... --remote-debugging-port [<port>] Start the Firefox Remote Agent,

                    which is a low-level remote debugging interface used for WebDriver
                    BiDi and CDP. Defaults to port 9222.

... ... ```

`% firefox-esr --remote-debugging-port` command exits with nothing returned

I have `remote.active-protocols` set to 3 in my Firefox prefs.

Please advise how I get the Remote Agent to return a websocket address for use with BiDi with FF 128. My OS is Debian-based Linux.

TIA

Hello,

We are trying to automate updating Firefox ESR from 32bit to 64bit. There seems to be an issue with getting user's profiles to properly migrate for ESR. If we do a plain 32bit uninstall and 64bit installation, a new "default-esr-1" profile gets created (which is expected behavior from these Mozilla docs for new installs). But, when we set the MOZ_LEGACY_PROFILES=1 policy, this reverts to using the "default" profile instead of "default-esr" profile that was previously in use.

Are there any known ways around this which does not require user intervention to manually change back to the "default-esr" profile?

Thank you

We're exploring adopting a default deny policy for Firefox extensions in our enterprise. However when I tested this by creating a custom policies.json Firefox unexpectedly removed all extensions for me, including the ones I thought I had allow listed. Here is my policies.json but just keeping in the Facebook Container add-on to illustrate:

{

   "policies": {
       "ExtensionSettings": {
           "*": {
               "blocked_install_message": "Only approved Firefox extensions can be installed, please email your request to itdept@example.org",
               "installation_mode": "blocked",
               "allowed_types": ["theme", "dictionary", "locale"]
           },
           "@contain-facebook.xpi": { "installation_mode": "allowed" }
       }
   }

}

What I would like is to to allow pre-approved extensions (including if they already are installed) and all other types of add-on, but remove and prohibit installation of unapproved extensions.

Can anyone assist, please?

In /Library/Preferences/org.mozilla.firefox.plist:

``` <plist version="1.0"> <dict> <key>EnterprisePoliciesEnabled</key> <true /> <key>ExtensionSettings</key> <dict> <key>cloudmetering@snowsoftware.com</key> <dict> <key>install_url</key> <string>https://raw.githubusercontent.com/SnowSoftware/agent-firefox-extension/refs/heads/main/cloudmetering-v1.2.3.xpi</string> <key>installation_mode</key> <string>force_installed</string> </dict> </dict> </dict> </plist>```

In about:policies: {"cloudmetering@snowsoftware.com":{"installation_mode":"blocked","install_url":"https://raw.githubusercontent.com/SnowSoftware/agent-firefox-extension/refs/heads/main/cloudmetering-v1.2.3.xpi"}}

The plist file did read "blocked" at one point, but it no longer does. Why isn't firefox picking up the new value from the plist file? Restarting/refresing FF has not helped so far.

Hello,

Our organization is attempting to implement a Conditional Access policy that restricts access to certain websites to Intune joined devices only. The error message mentions that I need to enable a setting from within Firefox called Windows SSO, mentioned here: https://support.mozilla.org/en-US/kb/windows-sso. This setting is already enabled and I am still getting an error.

Is there anything else that could be causing this?

Trying to block www.share365.net but it's not working

{

 "policies": {
     "WebsiteFilter": {
         "Block": [
           "*:share365.net",
           "*:www.share365.net",
           "*://share365.net/*"
         ]
     }
 }

}

We have Firefox deployed and managed through Intune/Endpoint and all works well but every device has an error with this line of the policy:

UserMessaging_FirefoxLabs [./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~UserMessaging/UserMessaging_FirefoxLabs] STATE Error SOURCE PROFILES Source Profile Mozilla_Firefox_Configuration ERROR CODE 0x87d1fde8

The error code is the same on all devices and is the only one present in on each device config.

Does anyone have any idea what the issue and resolution would be?

Thanks, Matt

I am trying to reach an internal company website ([URL]), with a certificate chain rooted in a company certificate authority. This works fine in Chrome, and worked in Firefox on my previous computer. But i recently got a new machine, and something somewhere is not quite right. I get an error message looking like this (between the ~~~s):

~~~ Someone could be trying to impersonate the site and you should not continue.

Web sites prove their identity via certificates. Firefox does not trust [URL] because its certificate issuer is unknown, the certificate is self-signed, or the server is not sending the correct intermediate certificates.

Error code: SEC_ERROR_UNKNOWN_ISSUER

View Certificate ~~~

If i click on the error code, i get these details:

~~~ [URL]

Peer's Certificate issuer is not recognised.

HTTP Strict Transport Security: false HTTP Public Key Pinning: false

Certificate chain:

[certificate]

[certificate]

[certificate]

~~~

If i click 'View Certificate', i get a chain of three certificates:

1. Subject common name = [certificate]
2. Subject common name = [certificate]
3. Subject common name = [certificate]

If i go to Settings > Privacy & Security > View Certificates > Authorities, i can find both the [certificate] certificates. As far as i can tell, they are identical - i can open the certificate from 'View Certificate' and the corresponding one from the certificate manager and flip between tabs, and all the details are the same.

I am using Firefox 120.0, via a flatpak, on Ubuntu 22. I have given the flatpak access to /etc/ssl/certs, where my company's internal CA certificates are located.

To me, this seems like it should all work. The server has a certificate signed by an internal CA, which is signed by another internal CA, and both those internal CA certificates are in my certificate manager. So what is going wrong? Is there any way i can debug this?

Hi All, I want to block traffic on firefox externally for managed devices via Intune, following the import of the ADMX/ADML files into intune.

I have set '\Mozilla\Firefox\Exceptions to blocked websites' to the following

• //*.mydomain.com/*

which works, however, I also want to add hosts that are only resolving on IPs and not DNS. I can add specific IPs if known, but is there a way I can allow IP ranges? Ie

• //10.10.*/* (this doesn't currently work)

Of the included screenshot, only the wildcard for mydomain.com and the specific IP currently work

If there is a better way to do this via intune for firefox only, please let me know.

Thanks

Hi All, I want to block traffic on firefox externally for managed devices via Intune, following the import of the ADMX/ADML files into intune.

Having read https://support.mozilla.org/en-US/kb/managing-firefox-intune I have set '\Mozilla\Firefox\Exceptions to blocked websites' to the following; //*.mydomain.com/*

Which works, however, I also want to add hosts that are only resolving on IPs and not DNS. I can add specific IPs if known, but is there a way I can allow IP ranges? Ie

//10.10.*/* (this doesn't currently work) Of the included screenshot, only the wildcard for mydomain.com and the specific IP currently work

I've looked over the link that is recommened in the policy (indirectly) and can't see an option for allowing an IP range. https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Match_patterns

If there is a better way to do this via intune for firefox only, please let me know.

Thanks

Hello. I know how to define a server certificate exception to avoid browser warnings in case of certificate issue with a website (see attachment). However, I'd like to apply that exception for all users with access to my machine using a GPO (for user or local machine). This is also a requirement in my work where many users run Firefox from a server and the face browser warnings all the time (related to self-signed certificates) so it would be great to apply an exception for all users through a GPO specifying the self-signed certificate warning we want Firefox to ignore. Thanks.

I am having the same issue as this other user here: https://www.reddit.com/r/sysadmin/comments/17wvuwh/help_pinning_extension_in_firefox_with_gpo/

Preliminaries -- Initially (before trying to force-pin), I had these GPOs enabled:

Extensions to Install -> https://addons.mozilla.org/firefox/downloads/file/4410896/bitwarden_password_manager-2024.12.4.xpi

Prevent extensions from being disabled or removed ->

• {446900e4-71c2-419f-a6a7-df9c091e268b}
• {3f6129fb-6c55-4452-ab6f-7c109b2301df}
• https://addons.mozilla.org/firefox/downloads/file/4410896/bitwarden_password_manager-2024.12.4.xpi

(Those GPOs above all work.)

What I'm trying to do: Force-pin Bitwarden.

I believe I've followed the documentation correctly (except for not including a "*" case): https://mozilla.github.io/policy-templates/#extensionsettings

I've enabled this GPO with this value:

Extension Management ->

{

 "{446900e4-71c2-419f-a6a7-df9c091e268b}": {
   "default_area": "navbar"
 }

}

After running various "GPUpdate"s and whatnot, the option to uncheck "Pin to toolbar" is still available to click.

I've verified in "about:policies#active" that the JSON item appears next to "ExtensionSettings" and that there are no errors listed in the "Errors" tab.

I've also verified that it appears in the correct location in the Registry.

Since another user had the same issue (Reddit link above), I figured it'd be a good idea to check in with y'all to see if we are missing something.

Thanks for your help!

After updating to v132 I have noticed a significant increase in the load times for some websites that our users connect to. Using v131.0.3 I usually see < 1 second load times for the two websites I am monitoring but after upgrading to v132 it is consistently taking 18-19 seconds for the same page. I have tried uninstalling v132 and reverting to v131 and it immediately goes back to the much faster load times. I have also tried installing various v133 releases and I see the same performance issue as for v132.

The environment I am working in is behind a network firewall with relatively restrictive internet access and I am wondering whether there are sites that Firefox is trying to connect to for the new anti-tracking or suspicious activity features (or anything else) that are being blocked and are therefore causing timeouts and retries that are bumping the total load time up.

Can anyone think of anything else I could check or change?

Debian 12 Linux on Dell laptop. Current "updated version" Firefox ESR 128.4.0esr (64bit) I received an update notice for Firefox ESR this morning. After running the Update, I lost the status bar. How can I get it back?

I'm setting up a cloud-init to make it easier to deploy Linux workstations. I want to display the various links to my sites on my Firefox browser. Bookmark my services. Do you think this is possible? I've already applied a rule to retrieve certificates, but it seems complicated for bookmarks.

Here's an extract  :

{

 "policies": {
   "Bookmarks": [
     {
       "Title": "Main",
       "URL": "https://service.net",
       "Folder": "Bookmarks Toolbar"
     },
     {
       "Title": "Service 1",
       "URL": "https://service1.net",
       "Folder": "Bookmarks Toolbar"
     },
     {
       "Title": "Service 2",
       "URL": "https://service2.net",
       "Folder": "Bookmarks Toolbar"
     },
     {
       "Title": "Documentation",
       "URL": "https://docs.net",
       "Folder": "Bookmarks Toolbar"
     }
   ]
 }

}

Best Regards,

Dylan

Le 05 novembre 2024 Bonjour, Je ne parviens pas à faire la mise à jour FireFox. J'utilise un MAC OS X version 10.9.5 Processeur 2,7GHz Intel Core 15 Mémoire 8 Go 1600 MH DDR3 MERCI de bien vouloir me répondre en Français. Bonne journée. Cordialement.

Firefox version

   128.2.0esr (64-bit)

Operating system

   Windows 10/Windows11 23H2 Septembre patch

Hello everyone,

maybe you can tell me/explain what the problem could be.

In our company we had Firefox version 115.14.0esr (64-bit) and then we updated to 128.2.0esr (64-bit).

Since version 128.2 ESR we have experienced problems in Firefox when trying to access DNN+ pages (with login). https://www.dnn.de/sport/regional/dresdner-sc-denkt-ueber-uebernahme-der-margon-arena-nach-C3IC74MZ6FE43AKGCZJSKUXA3I.html

In Firefox the content is cut off, in Edge it is displayed normally.

With Edge and Firefox 115.14.0esr the page is displayed normally. No AdBlock installed.

In developer mode I see the errors in the versions, so it shouldn't be that.

Cross-source (cross-origin) request blocked: The same-source rule prohibits reading the external resource on https://gum.criteo.com/sid/json?origi...AAAAAAAA&gdpr=1. (Reason: CORS request failed). Status code: (null).

Cross-source (cross-origin) request blocked: The same-source rule prohibits reading the external resource on https://id5-sync.com/api/config/prebid. (Reason: CORS request failed). Status code: (null).

Any ideas? Thank you very much! :)