This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Firefox for Organizations: best practice to deploy custom config without AD/GPO

  • 3 balasan
  • 1 ada masalah ini
  • 1 paparan
  • Balasan terakhir oleh Mike Kaply

more options

Dear community,

we are an international Non-for profit organization with mostly small offices of about 2-10 staff on 3 continents. The majority of those offices does not have IT staff/knowledge, and infrastructure is often sketchy. We use mostly Windows, but have some offices with Linux. We currently use local users, and after an initial configuration of e.g. Firefox/Thunderbird, we don't have any way to intervene automatically.

So we are looking for an efficient way to control software configurations after deployment without the need for manual intervention. The scope would initially not be a lot, mostly installing/uninstalling addons. E.g. if a malicious addon is found, we want to have a way to uninstall it on all devices. Right now, we have to ask all staff to do this, and evidently this doesn't work out all the time.

Firefox and Thunderbird are 2 key programs installed on all devices, although evidently we use other software as well. I think that with TB78 the policies.json implementation might not be yet finished completely, but for now, Firefox would be more critical (also some staff tend to install addons we do not want on the device).

As far as I know, when it comes ways how to centrally manage Firefox/Thunderbird without a domain controller/GPO, there are some options:

1) Azure AD: Identity management, and maybe also ways to configure Thunderbird/Firefox (although Azure AD does not seem to have GPO, but maybe scripts could be executed at the endpoint?). Won't work for Linux I guess. Also Azure could be based in a US datacenter, and as an European NGO we have much less data protection for US-based data.

2) third party management tool (e.g. like Teamviewer remote management, or chocolately) which allows remote execution of scripts. We could update the policies.json file in the firefox profile via a chocolately/Teamviewer script to uninstall/install addons, etc. Not sure if chocolately works on Linux.

3) GPOs with Domain Controller after all via a pre-auth VPN. Won't work for Linux I guess, but maybe script to deploy policies.json. Also there would be yet another thing to potentially fail (VPN connection), and we would need 2 different deployment methods (GPO for Windows, scripts for Linux).

4) write an Firefox/Thunderbird addon which simply downloads a policies.json file from a central location, and places it in the users FF/TB profile folder. upon restart of FF/TB it should deploy the changes based on the new policies.json file. A bit cumbersome, and doesn't cover other software.

5) a simple bat/sh script which is executed upon start.

To me, it seems a third party tool (teamviewer, chocolately) seems the best option, as it could cover FF/TB, but also other software which is installed.

Before we proceed I would like to know of experiences, and best practices: could anybody provide some information how this was achieved?

kind regards,

Dear community, we are an international Non-for profit organization with mostly small offices of about 2-10 staff on 3 continents. The majority of those offices does not have IT staff/knowledge, and infrastructure is often sketchy. We use mostly Windows, but have some offices with Linux. We currently use local users, and after an initial configuration of e.g. Firefox/Thunderbird, we don't have any way to intervene automatically. So we are looking for an efficient way to control software configurations after deployment without the need for manual intervention. The scope would initially not be a lot, mostly installing/uninstalling addons. E.g. if a malicious addon is found, we want to have a way to uninstall it on all devices. Right now, we have to ask all staff to do this, and evidently this doesn't work out all the time. Firefox and Thunderbird are 2 key programs installed on all devices, although evidently we use other software as well. I think that with TB78 the policies.json implementation might not be yet finished completely, but for now, Firefox would be more critical (also some staff tend to install addons we do not want on the device). As far as I know, when it comes ways how to centrally manage Firefox/Thunderbird without a domain controller/GPO, there are some options: 1) Azure AD: Identity management, and maybe also ways to configure Thunderbird/Firefox (although Azure AD does not seem to have GPO, but maybe scripts could be executed at the endpoint?). Won't work for Linux I guess. Also Azure could be based in a US datacenter, and as an European NGO we have much less data protection for US-based data. 2) third party management tool (e.g. like Teamviewer remote management, or chocolately) which allows remote execution of scripts. We could update the policies.json file in the firefox profile via a chocolately/Teamviewer script to uninstall/install addons, etc. Not sure if chocolately works on Linux. 3) GPOs with Domain Controller after all via a pre-auth VPN. Won't work for Linux I guess, but maybe script to deploy policies.json. Also there would be yet another thing to potentially fail (VPN connection), and we would need 2 different deployment methods (GPO for Windows, scripts for Linux). 4) write an Firefox/Thunderbird addon which simply downloads a policies.json file from a central location, and places it in the users FF/TB profile folder. upon restart of FF/TB it should deploy the changes based on the new policies.json file. A bit cumbersome, and doesn't cover other software. 5) a simple bat/sh script which is executed upon start. To me, it seems a third party tool (teamviewer, chocolately) seems the best option, as it could cover FF/TB, but also other software which is installed. Before we proceed I would like to know of experiences, and best practices: could anybody provide some information how this was achieved? kind regards,

Diubah oleh it132

All Replies (3)

more options

I think a question with this detail probably belongs on our enterprise mailing list where you can connect with other folks who are deploying Firefox.

Most of the support here would be community support:

I would just join and then paste this exact question there.

https://groups.google.com/a/mozilla.org/g/enterprise/

more options

Thanks,

It seems that yesterday I completely oversaw the "new question" button in the firefox-enterprise part of this forum, sorry for that. Today I see it here: https://support.mozilla.org/en-US/questions/new/firefox-enterprise/form

You still recommend posting it in the google group? Or can my question be moved to the firefox-enterprise part here? Or should I repost here: https://support.mozilla.org/en-US/questions/new/firefox-enterprise/form

more options

I definitely recommend the enterprise group. That mailing list has hundreds of folks who install and configure Firefox for their companies, so they might have some suggestions.

These questions are primarily monitored by contributors and Mozilla employees (who don't necessarily have the breadth of experience of the folks on the list).