ADMX Help
Hello,
I am reaching out to gain information on ADMX GPO policies. We are retiring Policy Pak, which used to add all the policies and secure Firefox for Enterprise. What we noticed is that Policy Pak used the app set to apply these policies, and we are noticing that native GPOs, for the most part, do not match the Policy Pak policies as accurately. My ask here is: are there any Most Viable Product suggestions for applying native GPOs to secure Firefox?
All Replies (10)
Hello,
Here are some examples of policies that were applied, but I do not see a corresponding GPO that can give us the same policy. Can you look into these so we can determine what Windows GPOs match?
- Logins and Passwords - Show Alerts about passwords for breached websites
- browser.urlbar.shortcuts.history
- browser.safebrowsing.provider.google.advisoryURL
- layers.gpu-process.max_restarts
These are just examples, and we have plenty more. We are looking for help with a GPO that matches these few examples.
You can use the Preferences policy to set these preferences:
https://mozilla.github.io/policy-templates/#preferences
Show Alerts about passwords for breached websites is the preference:
signon.management.page.breach-alerts.enabled
Hello,
Here are more Policy Pak policies that do not seem to have a match in ADMX Help. Please advise as to where we can find the native GPOs for Windows.
TABS
- Don't load tabs until selected
- Confirm before loading multiple tabs
- Warn me when opening multiple tabs (might slow down Firefox)
UPDATES and DRM
- Browsing - Use autoscrolling
- Browsing - Recommend extensions as you browse
PRIVACY
- Logins and Passwords - Show Alerts about passwords for breached websites
- Address Bar - Open Tabs - Search Engines
SECURITY
- HTTPS-Only Mode - Don't enable HTTPS-Only mode
EXTRAS
- Disable "Show Update History" button
- Disable "History-Exceptions" button
- Disable "Show Cookies" button
- Disable "saved Passwords" button
- Disable "Security Passwords Exceptions" button
We definitely don't have all the policies that PolicyPak offers. They have much more granular control over everything.
Many of what you've specified require that you set prefs.
> Don't load tabs until selected
> Confirm before loading multiple tabs
> Warn me when opening multiple tabs (might slow down Firefox)
I don't know what these are. We don't have this in standard Firefox preferences.
UPDATES and DRM
> Browsing - Use autoscrolling
Preference general.autoScroll
> Browsing - Recommend extensions as you browse
https://mozilla.github.io/policy-templates/#usermessaging
PRIVACY
> Logins and Passwords - Show Alerts about passwords for breached websites
Preferences signon.management.page.breach-alerts.enabled
> Address Bar - Open Tabs - Search Engines
I don't know what this is referring to.
SECURITY
> HTTPS-Only Mode - Don't enable HTTPS-Only mode
https://mozilla.github.io/policy-templates/#httpsonlymode
> Disable "Show Update History" button
Not available
> Disable "History-Exceptions" button
I don't know what button this is.
> Disable "Show Cookies" button
Not available
> Disable "saved Passwords" button
You can turn off the Password Manager completely:
https://mozilla.github.io/policy-templates/#passwordmanagerenabled
> Disable "Security Passwords Exceptions" button
We don't have a way to disable that button
PolicyPak was focused on providing total control in Firefox, that was never our goal with Firefox policy.
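Added example (not part of the thread and not Mozilla's code): a drift check that compares a deployed policy set against a baseline built from the policy and preference names given in the reply above. The baseline values, the function name audit_policies and the sample deployed data are assumptions made for illustration.

```python
# Assumed target baseline in policies.json shape. Policy and preference names
# come from the replies above; the chosen values are illustrative assumptions.
BASELINE = {"policies": {
    "HTTPSOnlyMode": "force_enabled",
    "UserMessaging": {"ExtensionRecommendations": False},
    "Preferences": {
        "signon.management.page.breach-alerts.enabled":
            {"Value": True, "Status": "locked"},
        "general.autoScroll": {"Value": False, "Status": "locked"},
    },
}}

def audit_policies(deployed, baseline=BASELINE):
    """Return sorted findings where `deployed` drifts from `baseline`."""
    want = baseline["policies"]
    have = deployed.get("policies", {})
    findings = []
    for name, expected in want.items():
        if name == "Preferences":
            continue  # checked per preference below
        actual = have.get(name)
        if isinstance(expected, dict):
            actual = actual if isinstance(actual, dict) else {}
            for key, value in expected.items():
                if actual.get(key) != value:
                    findings.append(f"{name}.{key}: expected {value!r}, found {actual.get(key)!r}")
        elif actual != expected:
            findings.append(f"{name}: expected {expected!r}, found {actual!r}")
    prefs = have.get("Preferences", {})
    for pref, exp in want["Preferences"].items():
        got = prefs.get(pref)
        if not isinstance(got, dict):
            findings.append(f"{pref}: not set")
            continue
        for field in ("Value", "Status"):  # "locked" stops users changing the pref
            if got.get(field) != exp[field]:
                findings.append(f"{pref}: {field} expected {exp[field]!r}, found {got.get(field)!r}")
    return sorted(findings)

# Constructed sample of a deployed policy set that has drifted from the baseline.
SAMPLE_DEPLOYED = {"policies": {
    "HTTPSOnlyMode": "allowed",
    "Preferences": {"signon.management.page.breach-alerts.enabled":
                    {"Value": True, "Status": "default"}},
}}

if __name__ == "__main__":
    print("\n".join(audit_policies(SAMPLE_DEPLOYED)))
```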
Hello,
Thanks for your response, and we do understand that Policy Pak is a lot more robust than a typical native GPO. What I would like to do is provide the settings with all the Policy Pak settings, and if you have a link to provide the settings, provide that to us; or if not, we understand that it cannot be as robust as Policy Pak.
There is no reason to explicitly set all of the preferences you are setting.
If there are specific things you are trying to do, you can let me know, but many of those are internal preferences that have no reason to be set.
Hello Mike,
Appreciate your help on this. Would you be willing to give me your email address so I can send you a spreadsheet with all the settings that we may potentially need to add for Firefox per our security? Thanks for your time.
Chris Weiderhold
I sent my email via a direct message on SUMO.
Hello Mike,
Can you tell me what SUMO is? I am not familiar.
Thanks
Sorry, this is SUMO :)
If you click on your name in the upper right, you'll see an Inbox option.