In this article I’ll try to describe the configuration management of modern Mozilla Firefox versions via Group Policies in a corporate environment (Microsoft Active Directory-based domain environment).
The Issues of Centralized Management of Firefox Settings
Earlier, it wasn’t too hard to manage Firefox settings in the corporate environment, since as any normal Windows application, all Firefox settings were stored in the registry. You could find or write the necessary GPO administrative templates to make it easier for administrators. (For example, Google has developed and is supporting a set of adm/admx templates for Chrome.) However, Mozilla decided to make it different, and now Firefox stores its settings in the files located in the user profile.
After digging in the Internet for a long time, I’ve found some “solutions” of this problem. But none of them is operational on different reasons. The common idea of these solutions is to create a GPO, make changes to the specific registry branch and then specify the necessary parameters in Firefox configuration files using a Visual Basic script. At the first glance, it is convenient and consistent, but … there is always a slight hitch. Mozilla developers change both the location of the configuration files and the names of these files, etc.
The method described in this article has been tested in modern Firefox versions (Firefox 43.0.2 and higher).
The Peculiarities of Firefox Management in the Domain Environment
There is a number of Firefox settings to be used both for preconfiguration and to disable or block something in a enterprise environment, where the users, as a rule, do not have the administrator privileges, and IT specialists have to determine, which browser settings are allowed to change and which settings are left preset and unchangeable in this environment.
This can, for example, include:
- Import Wizard – Firefox runs this wizard at the first start to import the settings from other installed browsers. You would like to disable this wizard.
- Automatic updates for Firefox – Options -> Advanced -> Update -> Firefox updates. Firefox is better to update centrally, but not separately for every user computer. Automatic updates for the extensions can be left, since they are stored in the user computer.
- Mozilla Maintenance Service – Firefox installs the update service, which allows to automatically update Firefox without prompting UAC permissions.
- Default browser check – Options -> Advanced -> General – Always check to see if Firefox is the default browser on startup. If Microsoft Internet Explorer is selected as a default browser in the corporate environment, this check has to be disabled and the opportunity to make Firefox a default browser by a user has to be blocked.
- At the first start, disable ‘Welcome to Firefox’ tab, as well as ‘Know your rights’ and ‘Improve Firefox’ notifications.
How to Manage and Lock Firefox Settings
Firefox can be configured with the default settings, which are locked for any new user profile. Thus, the settings will contain all necessary parameters. Mozilla has made it easier (I don’t think so!) to deploy Firefox with the preconfigured settings by means of adding some special files during the installation (or, for example, when a computer is connecting to the domain network). It is supposed, that Firefox is installed in the default folder:
- %ProgramFiles%\Mozilla Firefox\browser\defaults\pref\all-settings.js
- %ProgramFiles%\Mozilla Firefox\Mozilla.cfg
Then Firefox will be configured with the default settings and all necessary parameters will be locked.
See http://kb.mozillazine.org/Locking_preferences for more details. Please note that the article is a bit obsolete, but the main principles are still working.
To configure user settings, you have to use the feature of locking user preferences.
The File all-settings.js
The file all-settings.js allows to make Firefox read some configuration settings from the file Mozilla.cfg. Just add two lines to all-settings.js:
The File Mozilla.cfg
Here we can determine and lock the specific Firefox settings. For instance, in the example below, the automatic update feature, “Welcome to Firefox” tab and “Know your rights” and “Improve Firefox” notifications are blocked. The last line prevents making Firefox a default browser.
- All parameters in Mozilla.cfg has to be written starting from the second line. Don’t ask me why. For example, try to put a comment // in the first line.
- The parameters and all settings are case-sensitive. If you make a mistake, Firefox won’t start.
A sample of Mozilla.cfg used in the real corporate environment is shown below.
// Parameters keywords.
// sets the preference as if a user had set it, every time you start the browser.
// So users can make changes, but they will be erased on restart. If you set a
// particular preference this way, it shows up in about:config as “user set”.
// is used to alter the default value, though users can set it normally and their
// changes will be saved between sessions. If preferences are reset to default
// through the GUI or some other method, this is what they will go back to.
// Appears in about:config as “default”.
// is used to lock preferences so they cannot be changed through the GUI or about:config.
// In many cases the GUI will change to reflect this, graying out or removing options.
// Appears in about:config as “locked”. Some config items require lockPref to be set,
// such as app.update.enabled. It will not work if it set with just pref.
// can be used to “blank” certain preferences. This can be useful e.g. to disable functions
// that rely on comparing version numbers.
// Set browser custom home-page
// Proxy settings
pref(“network.proxy.ftp”, “192.168.1.11”); // the domain name can be specified
pref(“network.proxy.ftp_port”, 3128); // proxy-server port number
pref(“network.proxy.http”, “192.168.1.11”); // the domain name can be specified
pref(“network.proxy.http_port”, 3128); // proxy-server port number
pref(“network.proxy.socks”, “192.168.1.11”); // the domain name can be specified
pref(“network.proxy.socks_port”, 3128); // proxy-server port number
pref(“network.proxy.ssl”, “192.168.1.11”); // the domain name can be specified
pref(“network.proxy.ssl_port”, 3128); // proxy-server port number
// Check default browser
// Disable updater
// Make absolutely sure it is really off
// Disable Add-ons compatibility checking
// Don’t show ‘know your rights’ on first run
// Don’t show WhatsNew on first run after every update
// Disable the internal PDF viewer
// Don’t ask to install the Flash plugin
//Disable plugin checking
// Disable health reporter
// Disable all data upload (Telemetry and FHR)
// Disable telemetry
// Disable Health report
// Disable warning OnClose multiple tabs
Other parameters to your taste can be selected at the Firefox page about:config
How to Copy Files Containing Firefox Settings to User Computers Using GPP
Then you have to copy these files to the computers of your users. To do it, create the rules of deleting/copying files using Group Policy preferences (GPP).
- You can locate your files in NETLOGON folder – but it is a mauvais ton : )
- You can locate files in a network share and allow Domain Computers to read these files. I have to remind that it happens when starting the computer and logging on the domain, i. e. during the StartUp, when there is no user, start with the SYSTEM privileges
I have these files located in Firefox folder in the network share.
A couple of points:
- The enforced policy is used, which is applied every time when a computer connects to the network.
- Each time the files are deleted and then copied back again. Why? It is convenient for me. Nothing more.
Copy/delete the files using GPP: Computer Configuration –> Preferences –> Windows Settings -> Files
It will look like that:
That is almost all. We have configured the file Mozilla.cfg and copied it to the user computers. Now you can create your own Mozilla.cfg, determine your settings, and lock those settings you wouldn’t like to be changed by the users.