Firefox for Enterprise Isithangami Sokwesekwa

I am trying to reach an internal company website (www.gqma.drw), with a certificate chain rooted in a company certificate authority. This works fine in Chrome, and worked in Firefox on my previous computer. But i recently got a new machine, and something somewhere is not quite right. I get an error message looking like this (between the ~~~s):

~~~ Someone could be trying to impersonate the site and you should not continue.

Web sites prove their identity via certificates. Firefox does not trust www.gqma.drw because its certificate issuer is unknown, the certificate is self-signed, or the server is not sending the correct intermediate certificates.

Error code: SEC_ERROR_UNKNOWN_ISSUER

View Certificate ~~~

If i click on the error code, i get these details:

~~~ https://www.gqma.drw/

Peer's Certificate issuer is not recognised.

HTTP Strict Transport Security: false HTTP Public Key Pinning: false

Certificate chain:

MIICczCCAhigAwIBAgIUcg0ZTKoxYO3E5288qtNnymZ/L6AwCgYIKoZIzj0EAwIw NzEMMAoGA1UEChMDRFJXMRQwEgYDVQQLDAtJU1NAZHJ3LmNvbTERMA8GA1UEAxMI U1NETlMgQ0EwHhcNMjIwMzA5MTQxOTAwWhcNMjQwMzA4MTQxOTAwWjA5MQwwCgYD VQQKEwNEUlcxFDASBgNVBAsMC0lTU0BkcncuY29tMRMwEQYDVQQDEwoqLmdxbWEu ZHJ3MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfXDxyLTebEuPHmneR4faNHoQ PouLPrBqOKnDOW/T+eexbAHcghiZqcQHoHW/Qo/kNQZYPhoHeMZK1ACdvnFTUaOB /zCB/DAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0T AQH/BAIwADAdBgNVHQ4EFgQUvuzqIs1O1ioHT3qF+olSZ3dDseEwHwYDVR0jBBgw FoAUjGD9eMez/VkLc5nlNkg/U6dBgmUwNQYIKwYBBQUHAQEEKTAnMCUGCCsGAQUF BzABhhlodHRwOi8vb2NzcC5pc3MuZHJ3L3NzZG5zMB8GA1UdEQQYMBaCCiouZ3Ft YS5kcneCCGdxbWEuZHJ3MC8GA1UdHwQoMCYwJKAioCCGHmh0dHA6Ly9jZXJ0cy5p c3MuZHJ3L3NzZG5zL2NybDAKBggqhkjOPQQDAgNJADBGAiEAtEj7K/C2IHMzh175 9TpPu74YktH/1WJM12zUNIioi30CIQDpLqn09bmTFDgQDkg+0YHu1YSBTlCArWYJ KUxQUa0KPQ==

MIIB3DCCAYKgAwIBAgIUeLNrkgHyp2GhO6Ee4fyvVbGaUg0wCgYIKoZIzj0EAwIw OjEMMAoGA1UEChMDRFJXMRQwEgYDVQQLDAtJU1NAZHJ3LmNvbTEUMBIGA1UEAxML SVNTIFJvb3QgQ0EwHhcNMTcwMzAxMjA0MzAwWhcNMjcwMjI3MjA0MzAwWjA6MQww CgYDVQQKEwNEUlcxFDASBgNVBAsMC0lTU0BkcncuY29tMRQwEgYDVQQDEwtJU1Mg Um9vdCBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAjg18NvaBfwKP0BC/9U Cppc1W2rfSqzsY4KCRIAubItoMyQ13zp25KjVg9IF7Uru7cWQcUMvwf4+2Gb/4m4 sFSjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMB0GA1Ud DgQWBBSA3cairIJP/ooZLqrq+L9hSNwxczAfBgNVHSMEGDAWgBSA3cairIJP/ooZ Lqrq+L9hSNwxczAKBggqhkjOPQQDAgNIADBFAiAgvGnmTJgMosKFYuRJ7HZMuD/p ZTNapVJltFiGzKAtewIhAJMVQ72U+m7kLNRw6ej7icBQ9d+T4MuhGyJEeYeX5wR4

MIICYjCCAgigAwIBAgIUDZxs4OPknZA8SgUkWZ7EncHkYVIwCgYIKoZIzj0EAwIw OjEMMAoGA1UEChMDRFJXMRQwEgYDVQQLDAtJU1NAZHJ3LmNvbTEUMBIGA1UEAxML SVNTIFJvb3QgQ0EwHhcNMTcwMzAxMjA0NDAwWhcNMjcwMjI3MjA0NDAwWjA3MQww CgYDVQQKEwNEUlcxFDASBgNVBAsMC0lTU0BkcncuY29tMREwDwYDVQQDEwhTU0RO UyBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNsaSU2QU1Z5ktRf19DaXZk6 TrPko0TPZFTSYFH9bPxVJ4guUfGnN5nZ7vQajX2NJJLZEL9TZGYSsE8RD/ftcsij ge4wgeswDgYDVR0PAQH/BAQDAgGmMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF BQcDAjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdDgQWBBSMYP14x7P9WQtzmeU2 SD9Tp0GCZTAfBgNVHSMEGDAWgBSA3cairIJP/ooZLqrq+L9hSNwxczA1BggrBgEF BQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLmlzcy5kcncvc3NkbnMw LwYDVR0fBCgwJjAkoCKgIIYeaHR0cDovL2NlcnRzLmlzcy5kcncvc3NkbnMvY3Js MAoGCCqGSM49BAMCA0gAMEUCIBU5FNCu7ZmE7H1Oautblig4iA5JIgOO+4D/do2c pQ8IAiEAkIdZb5Doptfk1C5uofcvww3E0ZrSG98ZJ2+TW9sz4VA=

~~~

If i click 'View Certificate', i get a chain of three certificates:

1. Subject common name = *.gqma.drw, issuer common name = SSDNS CA, subject key ID = BE:EC:EA:22:CD:4E:D6:2A:07:4F:7A:85:FA:89:52:67:77:43:B1:E1
2. Subject common name = SSDNS CA, issuer common name = ISS Root CA, subject key ID = 8C:60:FD:78:C7:B3:FD:59:0B:73:99:E5:36:48:3F:53:A7:41:82:65
3. Subject common name = ISS Root CA, issuer common name = SS Root CA, subject key ID = 80:DD:C6:A2:AC:82:4F:FE:8A:19:2E:AA:EA:F8:BF:61:48:DC:31:73

If i go to Settings > Privacy & Security > View Certificates > Authorities, i can find both the SSDNS CA and ISS Root CA certificates. As far as i can tell, they are identical - i can open the certificate from 'View Certificate' and the corresponding one from the certificate manager and flip between tabs, and all the details are the same.

I am using Firefox 120.0, via a flatpak, on Ubuntu 22. I have given the flatpak access to /etc/ssl/certs, where my company's internal CA certificates are located.

To me, this seems like it should all work. The server has a certificate signed by an internal CA, which is signed by another internal CA, and both those internal CA certificates are in my certificate manager. So what is going wrong? Is there any way i can debug this?

From my point of view, the setting " What should Firefox do with other files?" has been added in the current ESR version.

"What should Firefox do with other files?" ("Wie soll Firefox mit anderen Dateien verfahren?") . "Save files" ("Dateien speichern") . "Ask whether to open or save files" ("Fragen, ob Dateien geöffnet oder gespeichert werden sollen")

How can I control/change this setting using mozilla.cfg?

By the way:

// What should Firefox do with other files? - Wie soll Firefox mit anderen Dateien verfahren? lockPref("applications-ask-before-handling", false);

// What should Firefox do with other files? - Wie soll Firefox mit anderen Dateien verfahren? lockPref("applications-ask-before-handling", true);

works detectably via about:config but does not change the setting for "What should Firefox do with other files?".

We would like to install a custom search engine using Firefox policies. We have the latest version of Firefox installed. We have the latest admx files installed on our Domain Controllers. In the Policy, I go into the User -> Administrative Templates -> Mozilla -> Search and setup a search engine using Search Engine One. I then go into Default Search Engine and configure our custom search to be default. What we find is that the custom search engine never installs, so the custom search engine is not set at the default. If I manually add the custom search engine using the Search Engine Helper Add-on, I can verify that the custom search settings do indeed work. With that said, does anyone have thoughts on how to troubleshoot this issue? First, need to figure out why the custom engine isn't installing at all. Thanks.

We use Microsoft MDT for computer deployment. We have been installing the Standard version of Firefox for a long time with no problem. Recently we started using AD GPO Templates to configure firefox. To be able to configure certain settings you need to be running the ESR version. I downloaded the more recent ESR version: 102.12.0esr.msi file.

When deploying machine MDT to install Mozilla firefox I keep getting this error: Application Mozilla Firefox ESR returned an unexpected return code: 1618

This is the only application having issues and this issue only came up since I change the installation file to the ESR version.

This is the install command being used in MDT: msiexec /i "Firefoxesr.msi" /qn /norestart

I am posting here and not with MDT support, as this only started happening when I changed the installation file to the ESR version. Has anybody else had a problem deploying ESR version through MDT? Any help on how to fix?

We try to deploy Extension Management Settings via GPO.

Goal is to allow only whitelisted extensions, but don't block themes, dictionaries and locales.

Below find the JSON-settings deployed to the client, which should allow all themes and whitelisted extensions. Unfortunately this blocks everything except whitelisted IDs. See example screenshot with error-message, when trying to install a theme. We don't want to whitelist locales or themes, they should be still allowed for installation.

What I'm doing wrong? - Thanks for your feedback.

##############

{
"*": {
"installation_mode": "blocked",
"allowed_types": ["theme"]
},
"uBlock0@raymondhill.net": {
"installation_mode": "allowed"
},
"jid1-ZSMfwe4lCAw9oQ@jetpack": {
"installation_mode": "allowed"
}
}

I am looking for information regarding the support life for settings that are defined in the Preferences (Deprecated) section of the ADMX templates provided in GitHub. There doesn't appear to be a definitive answer as to when these preferences are no longer applicable to a version of Firefox. The term "Deprecated" certainly applies they're on their way to extinction. But only a small handful of preferences have been ported over to non-deprecated template settings (like Auto Update). Is there an expected version of Firefox where all these preferences are meaningless? Or will they be supported indefinitely? "Industry recommendations' from 3rd party security vendors are bloating my policies in the domain space and I can't definitively say they are 'no longer supported as of version xyz' for all these Firefox Preference settings, which happen to be about 80% of the security parameters defined by STIG and/or CIS Workbench.

Hello I have installed german Firefox Version 117.0 (Build-ID 20230824132758) on Windows 10.

The following ExtensionSettings policy works as expected. The addons ublock and TreeTabs are both installed automatically.

{

 "*": {
   "blocked_install_message": "My Message",
   "install_sources": ["https://addons.mozilla.org/"],
   "installation_mode": "blocked",
   "allowed_types": ["locale", "extension"]
 },
 "uBlock0@raymondhill.net": {
   "installation_mode": "force_installed",
   "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi",
   "default_area": "navbar"
 },
 "TreeTabs@jagiello.it": {
   "installation_mode": "force_installed",
   "install_url": "https://addons.mozilla.org/firefox/downloads/latest/tree-tabs/latest.xpi"
 }

}

But I don't want TreeTabs to be installed automatically on all workstations. So I want to change installation_mode to allowed.

{

 "*": {
   "blocked_install_message": "My Message",
   "install_sources": ["https://addons.mozilla.org/"],
   "installation_mode": "blocked",
   "allowed_types": ["locale", "extension"]
 },
 "uBlock0@raymondhill.net": {
   "installation_mode": "force_installed",
   "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi",
   "default_area": "navbar"
 },
 "TreeTabs@jagiello.it": {
   "installation_mode": "allowed",
   "install_url": "https://addons.mozilla.org/firefox/downloads/latest/tree-tabs/latest.xpi"
 }

}

But with this setting I'm unable to install it manually from https://addons.mozilla.org/de/firefox/addon/tree-tabs/ The message "An unexpected error occurred during installation." and a popup with the "blocked_install_message" "My Message" is displayed.

The same error occurs without the line (and the comma) "install_url": "https://addons.mozilla.org/firefox/downloads/latest/tree-tabs/latest.xpi"

I don't know why this does not work. Please help. Thank you.

Hello, I am trying to create a deny all & white list only gpo for Firefox extensions.

I am using the gpo; Computer Configuration/Policies/Administrative Templates/Mozilla/Firefox/Extensions/Extension Management

I started out simple using a template which worked.

{ "*": { "blocked_install_message": "Your Company Blocked Message", "installation_mode": "blocked" }, "uBlock0@raymondhill.net": { "installation_mode": "allowed" } }

However, when I tried to add in more allowed extensions it now longer worked and was able to install any extension.

{ "*": { "blocked_install_message": "Your Company Blocked Message", "installation_mode": "blocked" }, "uBlock0@raymondhill.net": { "installation_mode": "allowed" }, "querymoid@kaply.com": { "installation_mode": "allowed" } }

Hi All,

I have recently been enhaciing our security posture and have started sorting out our browser extensions, however I seem to be having errors allowing 2 extensions

• 1Password; and
• Firefox Multi Containers.

This is my json:

{ "*": { "blocked_install_message": "version 0.4 - Addon or Extension is not approved. Please submit a ticket to Help Desk if you need access to this extension.", "install_sources": ["https://addons.mozilla.org/"], "installation_mode": "blocked" }, "{bc8367b6-d946-484e-8da6-37691f23ee64}": { "installation_mode": "allowed", "install_url": "https://addons.mozilla.org/firefox/downloads/latest/1password-x-password-manager/latest.xpi" }, "{2a28e7e4-64c9-4e7f-81fb-0475af840c0f}": { "installation_mode": "allowed", "install_url": "https://addons.mozilla.org/firefox/downloads/latest/multi-account-containers/latest.xpi" } }

I have tried the obvious and removed the {} from both extensions, however still having troubles.

Is someone able to point me in the right direction?

Hi All, I have been on the struggle bus lately trying to get the application handlers set properly in our GPO. I am trying to get PDF, webp, avif to open in browser, and jnlp to auto launch Java. Any help will be greatly appreciated!

{"application/pdf":{"action":3,"extensions":["pdf"]},"image/webp":{"action":3,"extensions":["webp"]},"image/avif":{"action":3,"extensions":["avif"]},"application/x-java-jnlp-file":{"action":4,"handlers":[{"name":"javaws.exe","path":"C:\\Program Files (x86)\\Java\\jre-1.8\\bin\\javaws.exe"}],"extensions":["jnlp"]}}

I am installing Firefox via microsoft endpoint, and deploying multi account containers with the OMA-URI policy for extensions. (this blog page is super helpful! https://securitygeneralist.blogspot.com/2019/08/auto-installing-extensions-on-firefox.html )

The extension by default has containers for Personal, Work, Banking, Shopping.

Is there a way to automatically remove that default container list as part of the install?

Even better, is there a way to create a different default containers list through Endpoint?

Thanks

We use Firefox ESR for along time in our organisation but with the last update, a specific page wont redirect to the ADFS page. In the latest normal version of Firefox it works and also other browser but not in ESR.

The webpage is https://rx-base.nl/ and https://preprod.rx-base.nl/

We are using the latest version of ESR. It gives a blank page with in the console a error:

Uncaught (in promise) TypeError: Fout bij het oplossen van modulespecificatie ‘@rxbase/root’. Relatieve modulespecificaties moeten beginnen met ‘./’, ‘../’ of ‘/’.

Please advise on what to do.

In my environment, we have Firefox version 117. Users get this pop up "You must log in to this network before you can access the Internet" (see snip 1) when they launch firefox. In order to get rid of we can toggle this preference setting to TRUE ""network.captive-portal-service.enabled" in the user's browser, which works fine. But i want to control this setting from GPO. I'm unable to find the GPO for the same in the GPO hive for FF. See snip 2 for 'Preferences' related GPOs.

One of our vendors websites does not load under Firefox ESR, with errors in the console pointing to CSP. Error is: Content Security Policy: The page's settings blocked the loading of a resource at inline ("default-src")

However if I load the site under the normal Firefox release, it displays correctly. When looking at errors in console, it is showing 3 errors for CSP, however it does not stop the site from working correctly. Content-Security-Policy: The page's settings blocked the loading of a resources at https://..... ("connect-src") or ("img-src")

The site is https://app.approvalmax.com If you get the login screen then the site is working otherwise just getting a green background when it is not working.

I am unsure why ESR and RR versions are behaving differently in this case. Using the latest versions of each.

Hi!

Using Intune, we are setting some settings in Firefox. One that is a bit troublesome is the ExtensionSettings

Currently looks like this:

{

 "*": {
   "blocked_install_message": "Blocked.",
   "installation_mode": "blocked"
 },
 "uBlock0@raymondhill.net": {
   "installation_mode": "allowed"
 },
 "addon@darkreader.org": {
   "installation_mode": "allowed"
 },
 "@react-devtools": {
   "installation_mode": "allowed"
 }

}

I get the Blocked message if I try any of the allowed extentions like uBlock, Dark Reader or React Dev Tools.

I can add that uBlock had "force_installed" (With URL since that is required for force) and that worked fine.

Hello,

I'm trying to deploy Firefox with several languages.

I followed the guide on [https://support.mozilla.org/en-US/kb/deploying-firefox-language-packs].

Everything work fine until I set up ExtensionSettings policy. This policy hide and block languages menu.

After scratching my head for a while, I finally figured out how to do it. I would to like to know if an easier way to whitelist all locales and dictionaries. I would like to only control the extensions.

<enabled/> <data id="ExtensionSettings" value=' {

 "*": {
   "blocked_install_message": "Blocked by your administrator.",
   "installation_mode": "blocked",
   "allowed_types": ["extensions", "dictionary", "locale"]
 },
 "uBlock0@raymondhill.net": {
   "installation_mode": "force_installed",
   "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
 },

"qwantcomforfirefox@jetpack": {

   "installation_mode": "force_installed",
   "install_url": "https://addons.mozilla.org/firefox/downloads/file/3658805/latest.xpi"

}, "langpack-en-CA@firefox.mozilla.org": {

 "installation_mode": "allowed"

}, "langpack-en-GB@firefox.mozilla.org": {

 "installation_mode": "allowed"

}, "langpack-en-US@firefox.mozilla.org": {

 "installation_mode": "allowed"

}, "langpack-es-AR@firefox.mozilla.org": {

 "installation_mode": "allowed"

}, "langpack-es-CL@firefox.mozilla.org": {

 "installation_mode": "allowed"

}, "langpack-es-ES@firefox.mozilla.org": {

 "installation_mode": "allowed"

}, "langpack-es-MX@firefox.mozilla.org": {

 "installation_mode": "allowed"

}, "langpack-fr@firefox.mozilla.org": {

 "installation_mode": "allowed"

}, "langpack-pt-BR@firefox.mozilla.org": {

 "installation_mode": "allowed"

}, "langpack-pt-PT@firefox.mozilla.org": {

 "installation_mode": "allowed"

} }'/>

Thank you

Hello

I am looking for a way to disable the QUIC protocol in Firefox through Jamf Pro. tried by below value but its not working, anyone did the settings for Mac?

<plist version="1.0"> <dict> <key>Preferences</key> <dict> <key>network.http.http3.enable</key> <dict> <key>Value</key> <false/> <key>Status</key> <string>user</string> </dict> <key>network.http.http3.enable_0rtt</key> <dict> <key>Value</key> <false/> <key>Status</key> <string>user</string> </dict> </dict> </dict> </plist>

Thanks

Locking this thread.
Please continue here: [/questions/1430409]
In my environment, we have Firefox version 117. Users get this pop up "You must log in to this network before you can access the Internet" (see snip 1) when they launch firefox. In order to get rid of we can toggle this preference setting to TRUE ""network.captive-portal-service.enabled" in the user's browser, which works fine. But i want to control this setting from GPO. I'm unable to find the GPO for the same in the GPO hive for FF. See snip 2 for 'Preferences' related GPOs.

Hello,

I am managing Firefox for a very large organization. We have several extension that we deploy using registry keys and we don't allow users to install additional addons. However, since version 102.3 I noticed some extensions that are present on the machine as .xpi files, but should not install unless a specific application is also present, are also being activated. They are enabled in the add-on manager, the information is present in the "extensions.json" and "extension-preferences.json" files. This should not happen. Is there any way to prevent the activation of these files?

Thank you!

in our organisation i need several domainnames to be added in network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris, so that sso for some webapplications is working. some are allready in the list. when i make changes to the list, everything is working ok, but when i clos all mozilla windows and restart mozilla, the changes are gone.