Solved

Managing Firefox in AD Environment

Posted on 2013-11-21
4
794 Views
Last Modified: 2013-12-17
I have users in our environment using IE, Chrome and Firefox. The company wants me to manage settings across all three platform uniformly or as close as i can get. IE is easy, but Firefox, sheesh what a nightmare. Here is what i need to do:

Manage allowed cookies
Manage allowed pop ups
Manage homepage (lock it)

Three fairly simple things. I need to add trusted sites as well but these are the three basics. I have used something called cck wizard located here:

https://addons.mozilla.org/en-US/firefox/addon/cck/

It works great, I can change all of those settings and then some. One issue, it outputs an XPI file that i cant seem to deploy cleanly. I can get it so that GPMC pushes the file to the users default profile extensions directory for firefox, but they get a big scary prompt to install it and i know people will freak out. So, I would like to deploy this XPI silently to about 800 people in the domain.

Has anyone had experience with this and have any good suggestions? There is also a product called policypak that looks great but at $2500 minimum ill tell people to click on the big scary message.

One last thing, the different version of firefox may come into play here as well, I am testing this on 25, but i think a lot of our people are on 10.

Thanks as always in advance geniuses.
0
Comment
Question by:jthibeault
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 40

Expert Comment

by:Vadim Rapp
ID: 39667134
You can't control firefox or chrome with group policy, in the full sense of policy control. For the full control, the product itself must be group-policy aware. What this means is that whenever it reads a setting from the registry, it first has to try to read the same setting from the part of the registry that is controlled by group policy. For example, if Firefox is going to decide whether to accept a cookie or not. it should read something like software/mozilla/firefox/allowcookies, but first it has to try software/policies/mozilla/firefox/allowcookies. Group policy (or more specifically, winlogon.exe) maintains those parts of the registry. If the user goes and changes the value in the policy part (by going to application settings, or directly by regedit), in seconds winlogon will overwrite it with the value from the policy, so practically in no time the browser would be able to use wrong settings. That's how it was already in IE6, and then in later versions those settings that are controlled by GP are even dimmed out, so the user can't even change them.  Another part of the equation is that the browser has to read those settings from the registry on every operation - rather tnan do it once when it just has been launched, and then remember. That's exactly what makes it a policy, and as you can see it depends on whether the browser is programmed with policy in mind. Neither firefox, nor chrome do that. Those fake policies that are offered basically translate the settings into javascript-based settings, and give them to firefox. But then nothing prevents the user from changing them in the next moment. Of course, not many users will know to do that, so probably in 90% it would be sufficient, but technically, it's not how group policy is supposed to work.

Which means: if you really need policies, use IE, as it's the only browser that is fully compliant with them.

That said, I've found that it's better to focus security efforts on the proxy server and block bad websites, rather than control everyone's browser.
0
 

Author Comment

by:jthibeault
ID: 39667163
Yes all of that I understand and was hoping wouldn't be the case. I mean in this company we were flexible enough to allow these other browser in the first place so we aren't super controlling or haven't been in the past.

The xpi extension I have actually locks the user from changing the settings but it not manageable as if there is an update I need to push out, it would have to override this.

I know you can set the homepage in the registry but again, if they change it, the "policy" won't switch back until they reboot which people probably don't do often.
0
 
LVL 55

Accepted Solution

by:
McKnife earned 500 total points
ID: 39669988
Hi.

For a very long time, frontmotion.com produced a special version of firefox called the Firefox CE (=firefox community edition). Together with Mozilla.adm (at the bottom of the download page) we could use GPOs to control it. You could basically control all settings that the normal firefox has when you navigate to the address about:config. Also it was packaged as MSI for easy deployment. The CE is technically the same as the normal Firefox, think of it as the fox with an GPO-addon.

Now for the best part: the project is still alive: http://www.frontmotion.com/FMFirefoxCE/index.htm
0
 

Author Closing Comment

by:jthibeault
ID: 39725224
It isnt really anything I can use in our environment but seems to have been the best alternative.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Shows how to create a shortcut to site-search Experts Exchange using Google in the Chrome browser. This eliminates the need to type out site:experts-exchange.com whenever you want to search the site. Launch the Search Engine Menu: In chrome, via you…
How to create a custom search shortcut to site-search Experts Exchange using Google in the Firefox browser. This eliminates the need to type out site:experts-exchange.com whenever you want to search the site. Launch your Bookmark Menu: Press 'Ctrl +…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question