We are an international non-profit organization with mostly small offices of about 2-10 staff on 3 continents. The majority of those offices do not have IT staff/knowledge, and infrastructure is often sketchy. We use mostly Windows, but have some offices with Linux. We currently use local users, and after an initial configuration of e.g. Firefox/Thunderbird, we don't have any way to intervene automatically.
So we are looking for an efficient way to control software configurations after deployment without the need for manual intervention. The scope would initially not be a lot, mostly installing/uninstalling addons. E.g. if a malicious addon is found, we want to have a way to uninstall it on all devices. Right now, we have to ask all staff to do this, and evidently this doesn't work out all the time.
Firefox and Thunderbird are 2 key programs installed on all devices, although evidently we use other software as well. I think that with TB78 the policies.json implementation might not yet be finished completely, but for now, Firefox would be more critical (also some staff tend to install addons we do not want on the device).
As far as I know, when it comes to ways to centrally manage Firefox/Thunderbird without a domain controller/GPO, there are some options:
1) Azure AD: identity management, and maybe also ways to configure Thunderbird/Firefox (although Azure AD does not seem to have GPO, but maybe scripts could be executed at the endpoint?). Won't work for Linux I guess. Also Azure could be based in a US datacenter, and as a European NGO we have much less data protection for US-based data.
2) Third-party management tool (e.g. TeamViewer remote management, or Chocolatey) which allows remote execution of scripts. We could update the policies.json file in the Firefox profile via a Chocolatey/TeamViewer script to uninstall/install addons, etc. Not sure if Chocolatey works on Linux.
3) GPOs with a Domain Controller after all, via a pre-auth VPN. Won't work for Linux I guess, but maybe a script to deploy policies.json. Also there would be yet another thing to potentially fail (the VPN connection), and we would need 2 different deployment methods (GPO for Windows, scripts for Linux).
4) Write a Firefox/Thunderbird addon which simply downloads a policies.json file from a central location and places it in the user's FF/TB profile folder. Upon restart of FF/TB it should deploy the changes based on the new policies.json file. A bit cumbersome, and doesn't cover other software.
5) A simple bat/sh script which is executed upon start. Not very flexible if something goes wrong, or isn't covered in the deployed script.
To me, a third-party tool (TeamViewer, Chocolatey) seems the best option, as it could cover FF/TB but also other software which is installed.
Before we proceed I would like to know of experiences and best practices: could anybody provide some information on how this was achieved?
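An added example, not part of the post above, of the policies.json mechanism the question relies on: a small Python script that builds the ExtensionSettings policy to block (and thereby remove) unwanted add-ons and force-install required ones, merges it into any existing policies.json, and writes it to the location Firefox actually reads, which is the installation's distribution directory (or /etc/firefox/policies on Linux) rather than the profile folder. The add-on IDs, install URL and install paths are constructed placeholders/assumed defaults, and the script must run with rights to write there (e.g. from the Chocolatey/TeamViewer script the post considers).

```python
import json
import platform
from pathlib import Path

# Constructed placeholder add-on IDs and download URL, not real add-ons.
BLOCKED_EXTENSIONS = ["unwanted-addon@example.org"]
REQUIRED_EXTENSIONS = {
    "required-addon@example.org": "https://policies.example.org/required-addon.xpi",
}

def build_extension_settings(blocked, required):
    """ExtensionSettings entries: 'blocked' refuses installation and removes
    the add-on if it is already present; 'force_installed' installs it from
    install_url and stops the user from removing it."""
    settings = {ext_id: {"installation_mode": "blocked"} for ext_id in blocked}
    for ext_id, url in required.items():
        settings[ext_id] = {"installation_mode": "force_installed",
                            "install_url": url}
    return settings

def merge_policies(existing, blocked, required):
    """Merge the add-on rules into an existing policies.json document without
    touching other policies (e.g. DisableTelemetry) or other add-on entries."""
    policies = dict(existing.get("policies", {}))
    ext = dict(policies.get("ExtensionSettings", {}))
    ext.update(build_extension_settings(blocked, required))
    policies["ExtensionSettings"] = ext
    return {"policies": policies}

def policies_path():
    """Where Firefox reads policies.json (assumed default install locations;
    a policies.json placed in the profile folder is ignored)."""
    if platform.system() == "Windows":
        return Path(r"C:\Program Files\Mozilla Firefox\distribution\policies.json")
    return Path("/etc/firefox/policies/policies.json")

def write_policies(path, blocked=BLOCKED_EXTENSIONS, required=REQUIRED_EXTENSIONS):
    """Read the current file if present, merge, and write back via rename so a
    crash mid-write never leaves Firefox with a half-written policy file."""
    existing = json.loads(path.read_text()) if path.exists() else {}
    merged = merge_policies(existing, blocked, required)
    path.parent.mkdir(parents=True, exist_ok=True)
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text(json.dumps(merged, indent=2))
    tmp.replace(path)
    return merged
```

Running `write_policies(policies_path())` on each device applies the rules at the next Firefox start; the same layout works for Thunderbird, whose policies.json lives in its own installation's distribution directory.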