GPO ineffective - Firefox ESR
We're looking at using the GPO functionality to start managing our existing Firefox deployments. We've loaded the ADMX file and have created a test GPO that does 2 things:
1. Enable AutoUpdate 2. Creates 2 bookmarks
We've deployed the GPO to a few machines, confirmed the GPO is applying via GPResult, and confirmed that there are corresponding entries in HKLM\Software\Policies\Mozilla\Firefox but we're not seeing the changes occurring in the browser. AutoUpdate is still disabled and greyed out (via the previously deployed local JSON config file) and the bookmarks aren't present.
Any idea why we wouldn't see the changes as effective in the browser? Browser is running 60.4.0 ESR (32-bit).
Izbrana rešitev
Vsi odgovori (7)
It sounds like you were controlling Firefox using a policies.json file previously and are now trying to change over to the equivalent group policy template instead. This may be a foolish question, but you have removed the policies.json files from your systems, correct?
If not, that file could be overriding the settings that you are trying to enable through GPO.
I'd previously inquired about GPO vs JSON (https://support.mozilla.org/en-US/questions/1239683) and was told GPO overrides JSON. We were trying to avoid deleting the local JSON file as a part of our GPO deployment.
The one thing I just noticed is I don't actually see us using a JSON file. What we have is a localsettings.js file located in C:\Program Files (x86)\Mozilla Firefox\defaults\pref, and that file points to mozilla.cfg in C:\Program Files (x86)\Mozilla Firefox. Within mozilla.cfg with the following content:
// WKS Mozilla Firefox Lockdown // Disable updater lockPref("app.update.enabled", false); // Make absolutely sure it is really off lockPref("app.update.auto", false); lockPref("app.update.mode", 0); lockPref("app.update.service.enabled", false); // Disable Add-ons compatibility checking clearPref("extensions.lastAppVersion"); // Don't show 'know your rights' on first run pref("browser.rights.3.shown", true); // Don't show WhatsNew on first run after every update pref("browser.startup.homepage_override.mstone","ignore"); // Don't show Windows 10 splash screen on first run pref("browser.usedOnWindows10", true); // Set default homepage lockPref("browser.startup.homepage","REDACTED"); // Disable the internal PDF viewer lockPref("pdfjs.disabled", true); // Disable the flash to javascript converter lockPref("shumway.disabled", true); // Don't ask to install the Flash plugin pref("plugins.notifyMissingFlash", false); // Disable plugin checking lockPref("plugins.hide_infobar_for_outdated_plugin", true); clearPref("plugins.update.url"); // Disable health reporter lockPref("datareporting.healthreport.service.enabled", false); // Disable all data upload (Telemetry and FHR) lockPref("datareporting.policy.dataSubmissionEnabled", false); // Disable crash reporter lockPref("toolkit.crashreporter.enabled", false); Components.classes["@mozilla.org/toolkit/crash-reporter;1"].getService(Components.interfaces.nsICrashReporter).submitReports = false; // Disable default browser check lockPref("browser.shell.checkDefaultBrowser", false); // Delete history on exit // lockPref("browser.history_expire_days", 0); // lockPref("browser.history_expire_days.mirror", 0); // lockPref("browser.formfill.enable", false); // lockPref("browser.download.manager.retention", 0); // lockPref("network.cookie.cookieBehavior", 0); // lockPref("network.cookie.lifetimePolicy", 2); // Disable password manager // lockPref("signon.rememberSignons", false); // lockPref("pref.privacy.disable_button.view_passwords", true); // Disable themes // lockPref("config.lockdown.disable_themes", true); // Enable Java Plugin lockPref("security.enable_java", true); // Automatically enable extensions lockPref("extensions.autoDisableScopes", 0);
This setup appears different than the normal JSON file setup I see documented elsewhere. Is it possible this file is preventing the GPO from applying properly?
You are running an AutoConfig file, which is different from a GPO or policies.json. It's designed to allow you to control preferences that can't be controlled by group policy, although it can overlap with your GPO.
For example, your specific code says:
// Disable updater
lockPref("app.update.enabled", false);
// Make absolutely sure it is really off lockPref("app.update.auto", false);
lockPref("app.update.mode", 0); lockPref("app.update.service.enabled", false);
This will override your GPO, which is why the update feature is still disabled and greyed out. It's because those preferences have been locked by this configuration.
On a test system, I'd recommend commenting out (putting a //
in front) of the lines that appear to control the updating function of Firefox. Do the same if you are having any other issues with it overriding your GPO.
Fortunately, whoever made that file added a lot of comments to tell you what each cluster of preferences does, so it should be fairly easy to find the ones that are causing issues.
After you get your test system working, you can push out the updates to that file globally to all systems on your network.
Rather than commenting out the specific lines, i just removed both the localsettings.js file and the mozilla.cfg file from the directory. That doesn't seem to have had any impact though. The bookmarks are still not showing up in the browser and I see no change in the auto-update availability.
Update: It appears the auto-update function is working, but the 2 bookmarks and the home page that are defined in the GPO are not effective. I can see the associated keys in the registry have been created, but the browser is not responding to these keys.
Here's the resulting keys: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Bookmarks]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Bookmarks\1] "Title"="TEST" "URL"="www.google.com" "Favicon"="" "Placement"="menu" "Folder"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Bookmarks\2] "Title"="TEST2" "URL"="www.cnn.com" "Favicon"="" "Placement"="menu" "Folder"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Homepage] "URL"="REDACTED" "Locked"=dword:00000001
Izbrana rešitev
The URLs need to be fully qualified:
Thanks for your help. We updated the URLs to be fully qualified and they successfully applied. In total, it took the removal of the local config file and the proper formatting within the GPO for the changes to be effective.