Best practice to deploy Firefox/Thunderbird custom config without AD/GPO


IT A

Jun 10, 2021, 10:55:51 AM
to enter...@mozilla.org

Dear all,

I've already posted the question here https://support.mozilla.org/en-US/questions/1339661 but was advised to post it in the Enterprise group (makes sense).

I found https://groups.google.com/a/mozilla.org/g/enterprise/c/s5DM-gVxx6Y/m/1DoYfYnLDAAJ which would have been a great option (remote policies.json), but it seems the options below can currently be considered


So this was my question:


Dear community,

we are an international not-for-profit organization with mostly small offices of about 2-10 staff on 3 continents. The majority of those offices do not have IT staff/knowledge, and infrastructure is often sketchy. We use mostly Windows, but have some offices with Linux. We currently use local users, and after an initial configuration of e.g. Firefox/Thunderbird, we don't have any way to intervene automatically.

So we are looking for an efficient way to control software configurations after deployment without the need for manual intervention. The scope would initially not be a lot, mostly installing/uninstalling addons. E.g. if a malicious addon is found, we want to have a way to uninstall it on all devices. Right now, we have to ask all staff to do this, and evidently this doesn't work out all the time.

Firefox and Thunderbird are 2 key programs installed on all devices, although evidently we use other software as well. I think that with TB78 the policies.json implementation might not be yet finished completely, but for now, Firefox would be more critical (also some staff tend to install addons we do not want on the device).

As far as I know, when it comes to ways to centrally manage Firefox/Thunderbird without a domain controller/GPO, there are some options:

1) Azure AD: Identity management, and maybe also ways to configure Thunderbird/Firefox (although Azure AD does not seem to have GPO, but maybe scripts could be executed at the endpoint?). Won't work for Linux I guess. Also Azure could be based in a US datacenter, and as a European NGO we have much less data protection for US-based data.

2) third party management tool (e.g. TeamViewer remote management, or Chocolatey) which allows remote execution of scripts. We could update the policies.json file in the Firefox profile via a Chocolatey/TeamViewer script to uninstall/install addons, etc. Not sure if Chocolatey works on Linux.

3) GPOs with Domain Controller after all via a pre-auth VPN. Won't work for Linux I guess, but maybe script to deploy policies.json. Also there would be yet another thing to potentially fail (VPN connection), and we would need 2 different deployment methods (GPO for Windows, scripts for Linux).

4) write a Firefox/Thunderbird addon which simply downloads a policies.json file from a central location, and places it in the user's FF/TB profile folder. Upon restart of FF/TB it should deploy the changes based on the new policies.json file. A bit cumbersome, and doesn't cover other software.

5) a simple bat/sh script which is executed upon start. Not very flexible if something goes wrong, or isn't covered in the deployed script.

To me, a third party tool (TeamViewer, Chocolatey) seems the best option, as it could cover FF/TB, but also other software which is installed.

Before we proceed I would like to know of experiences, and best practices: could anybody provide some information how this was achieved?

kind regards,
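
An added example, not part of the original post: a cross-platform Python script that a management tool or start-up script (options 2 and 5 above) could run to merge add-on block and force-install rules into an existing policies.json. It assumes the `ExtensionSettings` policy and takes the application's `distribution` directory as a parameter; accepting only https install URLs is this example's own choice, and all function names are hypothetical.

```python
import json
import os
import tempfile

def merge_extension_policy(existing, blocked_ids, forced):
    """Return a new policies document with add-on rules merged in.

    existing    -- parsed policies.json content (dict), may be empty
    blocked_ids -- add-on IDs to block
    forced      -- {addon_id: install_url} for add-ons to force-install
    """
    doc = json.loads(json.dumps(existing or {}))  # deep copy of JSON data
    settings = doc.setdefault("policies", {}).setdefault("ExtensionSettings", {})
    for addon_id, url in forced.items():
        # Example's own rule: refuse add-on packages fetched over plain http.
        if not url.startswith("https://"):
            raise ValueError(f"install_url for {addon_id} must be https")
        settings[addon_id] = {"installation_mode": "force_installed",
                              "install_url": url}
    # Blocks are applied last so a block always wins over a force-install.
    for addon_id in blocked_ids:
        settings[addon_id] = {"installation_mode": "blocked"}
    return doc

def write_policies(distribution_dir, doc):
    """Atomically replace <distribution_dir>/policies.json."""
    os.makedirs(distribution_dir, exist_ok=True)
    target = os.path.join(distribution_dir, "policies.json")
    fd, tmp = tempfile.mkstemp(dir=distribution_dir, suffix=".tmp")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(doc, fh, indent=2, sort_keys=True)
    # mkstemp creates the file 0600; the browser runs as an ordinary user
    # and must be able to read it, but only the owner may write it.
    os.chmod(tmp, 0o644)
    os.replace(tmp, target)  # never leaves a half-written file behind
    return target

def deploy(distribution_dir, blocked_ids, forced):
    """Merge the rules into any existing policies.json and write it back."""
    target = os.path.join(distribution_dir, "policies.json")
    existing = {}
    if os.path.exists(target):
        with open(target, encoding="utf-8") as fh:
            existing = json.load(fh)
    merged = merge_extension_policy(existing, blocked_ids, forced)
    return write_policies(distribution_dir, merged)
```

Policies already present in the file are preserved, so the script can be re-run whenever the block list changes.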

Maxime Accadia

Jun 11, 2021, 4:55:11 AM
to IT A, enterprise
Hi,

I think you would benefit from setting up a configuration management system not specific to Firefox or Thunderbird.

Some open source solutions that I know of:
• chocolatey
• wapt (https://www.wapt.fr/en/)
• OCS Inventory

You also have advanced configuration management tools like Puppet, Salt, Ansible (https://en.wikipedia.org/wiki/Comparison_of_open-source_configuration_management_software).

I'm not sure all of them can work over the Internet (or are secure enough); you may need to set up a VPN. I'm also curious about what could work securely over the Internet.

Maxime


From: "enterprise" <enter...@mozilla.org>
To: "enterprise" <enter...@mozilla.org>
Sent: Thursday, June 10, 2021 16:55:50
Subject: [Mozilla Enterprise] Best practice to deploy Firefox/Thunderbird custom config without AD/GPO


Marco Gaiarin

Jun 11, 2021, 11:50:11 AM
to enter...@mozilla.org
Hello! Maxime Accadia
On that day it was said...

> I think you would benefit from setting up a configuration management system not
> specific to Firefox or Thunderbird.

+1

> Some open source solutions that I know of :
> • chocolatey
> • wapt (https://www.wapt.fr/en/)
> • OCS Inventory

I add to the list WPKG.

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
