Fórum da Comunidade de Firefox para Empresa

I am wondering if I can get some help configuring some GPO for Firefox on our new domain we are building. I want to be able to block private browsing as well as I was wondering if there is an option to force firefox to sign in with certain accounts only so we can monitor students as we are a school district

Good morning,

Can you please answer some questions regarding the Rapid Risk Assessment tool that is available at the following link:

https://infosec.mozilla.org/guidelines/risk/rapid_risk_assessment.html

1. Will any information input into the tool be hosted within the United Kingdom's Servers? 2. Can you please clarify if any information submitted to the RRA toll is retained on your Servers? 3. Is there the option to configure the tool so that no information submitted is retained after the session has terminated.

Kind Regards,

Mark Gormley.

Hi

i need to know how to achieve the following using windows 10 registry.

1. Block Extension installations and disable existing installed extensions.

2. Allow only approved extensions so that users could install it from the store.

These settings were able to configure easily for Chrome and Edge browsers.

Thanks Muja

Hello, and good day. Some of my employees in our org have been using Mozilla as their preferred browser; however, I am having difficulty deploying or managing the browser to deploy the Torii Extension/add-on.

Torii provided me with this link https://support.toriihq.com/hc/en-us/.../5148326594203-Deploy-the-Firefox-Extension to deploy the extension but still to no avail. Can someone assist me with getting this tested and deployed?

Thank you!

We use Firefox ESR for along time in our organisation but with the last update, a specific page wont redirect to the ADFS page. In the latest normal version of Firefox it works and also other browser but not in ESR.

The webpage is https://rx-base.nl/ and https://preprod.rx-base.nl/

We are using the latest version of ESR. It gives a blank page with in the console a error:

Uncaught (in promise) TypeError: Fout bij het oplossen van modulespecificatie ‘@rxbase/root’. Relatieve modulespecificaties moeten beginnen met ‘./’, ‘../’ of ‘/’.

Please advise on what to do.

We are looking to mass deploy Firefox x64 for Windows to all staff in our organization, using SCCM. I know you can set a default home page in mozilla.cfg for all users, including future users who don't yet have a profile on the computer Firefox is installed on. Is there a similar option so I can configure Firefox to always show the menu bar for all users? Preferably, another line I can add to mozilla.cfg so that I can easily copy that to all our machines? Thanks.

I've successfully added all the admx profile settings we want for our deployment except I can't seem to get right syntax for adding multiple sites to the exception list. We've successfully blocked all urls in the block oma-uri but for the exception it only shows a single example not multiple. (https://github.com/mozilla/policy-templates#websitefilter site) OMA-URI:

./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/B_WebsiteFilter_Exceptions

Value (string):

<enabled/> <data id="WebsiteFilter" value="1*://*companyurl.com/*"/>

this works.. all internal sites are accessable. what i want to do is as well make these sites avail as well *://company.sharepoint.com/* accessable and

• //login.microsoftonline.com/*

I've looked at https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Match_patterns but i can't seem to find proper format for multiple that doesn't cause line to either be ignored or errored out

any assistance would be appreciated

I am using the most recent Firefox ADMX templates and I am unable to get bookmarks to show up using JSON. I have verified that the GPO is applied, and there is a registry key being created under the user's profile, however it is not the right registry key.

The key it is creating: SOFTWARE\Policies\Mozilla\Firefox\Bookmarks Type: Reg_Multi-SZ

If I rename this registry key from Bookmarks to ManagedBookmarks, the bookmarks show up and work as intended.

I do not see "ManagedBookmarks" in the GPO anywhere. If I am not setting "ManagedBookmarks" in the correct location then please show me where I am supposed to set them. I am tempted to just modify the ADMX template and have it create the registry key "ManagedBookmarks" instead of "Bookmarks" as that seems to work, but I can't imagine this is how the devs wanted this.

We downloaded the GPO Templates for AD and looking to customize Firefox.

We would like to disable Forms and Autofill: Autofill addresses Autofill credit cards

Also would like to lock down so they can't reenable if possible.

We would like to do this all through GPOs if possible. I found these in the about:config: extensions.formautofill.addresses.enabled extensions.formautofill.creditCards.enabled

But again want to do through the GPO. Is this possible?

Side note while working on GPOs, I set Exceptions for the popup blocker and they are not showing up in the browser. I also filled out to remove Search Engines but they all still appear in the browsers. These two GPO settings don't appear to be working.

I am pushing out bookmarks company-wide through Intune on users Laptops. I spoke with Microsoft support and the configuration policy is created correctly and I followed Firefox's support page in creating them. It seems that the new JSON script that tells Firefox what bookmarks is unable to parse.

Anyone know if Firefox had an update that prevents intune from sending the JSON file?

Error message given through firefox.

"Unable to parse JSON for ManagedBookmarks"

We try to deploy Extension Management Settings via GPO.

Goal is to allow only whitelisted extensions, but don't block themes, dictionaries and locales.

Below find the JSON-settings deployed to the client, which should allow all themes and whitelisted extensions. Unfortunately this blocks everything except whitelisted IDs. See example screenshot with error-message, when trying to install a theme. We don't want to whitelist locales or themes, they should be still allowed for installation.

What I'm doing wrong? - Thanks for your feedback.

##############

{
"*": {
"installation_mode": "blocked",
"allowed_types": ["theme"]
},
"uBlock0@raymondhill.net": {
"installation_mode": "allowed"
},
"jid1-ZSMfwe4lCAw9oQ@jetpack": {
"installation_mode": "allowed"
}
}

I work in an enterprise environment. We have certain requirements that we must maintain for our system to maintain accreditation. One of these requirements is to prevent the installation of add-ons using the policies.json file.

We are also trying to develop an extension that adds banners to each page the user interacts with. I understand this can be loaded using the process [https://support.mozilla.org/en-US/kb/deploying-firefox-with-extensions|he...] and does not have to be signed following this [https://support.mozilla.org/en-US/kb/install-system-add-ons-firefox-enter...] .

My question is, before embarking on the journey to create this web extension, can it still be installed following the enterprise process, despite being denied by default by the policies.json? Or is there a way to allow for the extension to be installed by changing the policy?

Been managing bookmarks for users through Intune, but for some reason on my HP Elitebook 840 I keep getting an error "Unable to parse JSON for ManagedBookmarks" I haven't changed anything to the bookmarks before swapping to the HP laptop from a Dell 5410. I have double-checked GitHub for the proper string for bookmarks and everything looks to be correct as well as submitting a support case with Microsoft who checked it and say it is something on Firefox's side that needs fixing.

I am also constantly getting this unknown extension setting. Not sure why I have this or where I can remove it.

ExtensionSettings {"firefoxhpsureclicksecurebrowsing@bromium.com":{"installation_mode":"blocked"},"firefoxhpwolfsecurityextension@bromium.com":{"installation_mode":"blocked"}}

We have Firefox-ESR in use and we are using Applocker.

When we enable applocker dll Rule policys and start https://shaka-player-demo.appspot.com page clearkey addon crashes.

We have allowed widevinedrm.dll in applocker rule policys, and we have used Process Monitor to track which dll file / files are being "locked" but we cant seem to pinpoint it.

Where does Firefox-ESR run DRM content and which dll files are needed to run ?

What we know that it is caused by applocker DLL rule policys, when disabling it clearkey addon does not crash and drm content can be played.

Also Applocker eventlogs does not show anything related to this.

br Ben

Hello. I have trying to test a GPO this week that will lock down the use of extensions. In summary we are shifting to a complete "deny all/allow by exception format".

As a reference I have been using the below article as my source on how to set this up. https://github.com/mozilla/policy-templates#extensionsettings

After reading through the article the base example they have works flawlessly. I have put this base example below.

{

 "*": {
   "blocked_install_message": "Custom error message.",
   "install_sources": ["https://yourwebsite.com/*"],
   "installation_mode": "blocked",
   "allowed_types": ["extension"]
 },
 "uBlock0@raymondhill.net": {
   "installation_mode": "force_installed",
   "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
 },
 "https-everywhere@eff.org": {
   "installation_mode": "allowed"
 }

}

The minute I try to change it though the whole thing breaks. For context, I have tried adding 1 password as a forced installed add in, and also try placing it below under allowed. See my example below of the one where I am putting it is allowed. Any idea of what I am doing wrong?

{

 "*": {
   "blocked_install_message": "Custom error message.",
   "install_sources": ["https://yourwebsite.com/*"],
   "installation_mode": "blocked",
   "allowed_types": ["extension"]
 },
 "uBlock0@raymondhill.net": {
   "installation_mode": "force_installed",
   "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
 },
 "*": {
   "installation_mode": "force_installed",
   "install_url": "https://addons.mozilla.org/firefox/downloads/latest/1password-x-password-manager/latest.xpi"
 }

}

This might be a simple question. Does Firefox ESR still supports NTLM v1 ? Can we still add the value "network.negotiate-auth.delegation-uris" in preference. Does that enabled NTLM v1. Is there any document or release notes that states Firefox is disabling this setting from Firefox 78 and later. Some how I am not able to find it in release notes.

Hi there,

we trying to restrict internet access that used Mozilla Firefox on client computers through Microsoft Intune.

We have already configured policy by uploading ADMX template & Custom OMA-URI as described in https://github.com/mozilla/policy-templates/blob/master/README.md 

We are trying to add custom allowed web sites to "WebsiteFilter" OMA-URI ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/B_WebsiteFilter_Exceptions. added web sites are not allowed. my question is what is the best way to enter URLs (I mean format) to allow list & how I can used wild card to allow all the web sites of one specific domain. eg:- microsoft

I am looking for information regarding the support life for settings that are defined in the Preferences (Deprecated) section of the ADMX templates provided in GitHub. There doesn't appear to be a definitive answer as to when these preferences are no longer applicable to a version of Firefox. The term "Deprecated" certainly applies they're on their way to extinction. But only a small handful of preferences have been ported over to non-deprecated template settings (like Auto Update). Is there an expected version of Firefox where all these preferences are meaningless? Or will they be supported indefinitely? "Industry recommendations' from 3rd party security vendors are bloating my policies in the domain space and I can't definitively say they are 'no longer supported as of version xyz' for all these Firefox Preference settings, which happen to be about 80% of the security parameters defined by STIG and/or CIS Workbench.

in our organisation i need several domainnames to be added in network.negotiate-auth.delegation-uris and network.negotiate-auth.trusted-uris, so that sso for some webapplications is working. some are allready in the list. when i make changes to the list, everything is working ok, but when i clos all mozilla windows and restart mozilla, the changes are gone.

Hello,

I have a problem with a pac file in our org. We download it from a server. The basic functionality is applied and it does redirect the desired traffic to the proxy. The problem occurs when the proxy goes down, it then should automaticaly start making direct connections, but the connections fail. We want to proxy only http and https and event that with some exceptions.

It was done according to https://developer.mozilla.org/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_PAC_file#example_6

Is there any problem with PAC file or does the browser have issues with the config?

Thanks for any help.

function FindProxyForURL(url, host) {

   /* Our proxy list */
   OURPROXY = "PROXY 172.22.59.X:3128; DIRECT"
   INOUR = "ourgroup.internal"

   /* Normalize the URL and HOST for pattern matching */
   url = url.toLowerCase();
   host = host.toLowerCase();

   /* Our Network Entry */
   if (isResolvable(INOUR)) {
       /* Don't proxy local services */
       if (isInNet(host, "10.0.0.0", "255.0.0.0")
       ) {
           return "DIRECT";
       }

       /* Proxy only http & https */
       if (url.substring(0, 5) == "http:" || url.substring(0, 6) == "https:") {
           /* Don't proxy local hostnames (without dots) */
           if (isPlainHostName(host)) {
               return "DIRECT";
           }
           /* END: Don't proxy local hostnames */
           /* START: Internal systems */
           if (shExpMatch(host, "*.example.com") ||
               shExpMatch(host, "example.com") ||
               /* END: Internal systems */
               /* START: Split VPN tunnel */
               shExpMatch(host, "*.example2.com") ||
               shExpMatch(host, "example2.com") ||
               /* END: Split VPN tunnel */
           ) {
               return "DIRECT";
           }
           /* END: Don't proxy to internal systems */
           return OURPROXY;
       } else {
         return "DIRECT";
       }
       /* END: Proxy only http & https */
   } else {
     return "DIRECT";
   }
   /* END: Our Network Entry */
   return "DIRECT";

}