Locking down Firefox in a corporate environment
Fox on the run
Specifically in a corporate environment (or even some home
environments) there may be a need to prevent people from accessing
Private Browsing, and prevent them from deleting their browsing
history. I'm sure there is a way to hide some of those menu options
(security through obscurity) which I'd be interested in knowing how to
do. However ideally I'd like to know how to block those features
(much like you'd do with Group Policy for IE). I know you can use
user.js to set static settings (homepage, popup blocking, proxy
settings, any other preference you can set in Firefox). But this file
needs to reside in the FF user's profile directory which means a savvy
user could edit it (unless you can set ownership of that file and
permission on it such that the end user cannot do that).
Anybody know of a white paper or some such document on best practices
in deploying Firefox in a corporate environments?
JB
Fox on the run
Google is my friend... I found the following: http://sourceforge.net/projects/firefoxadm/
Anyone using FirefoxADM? If so, does it work well? Can you prohibit
private browsing (didn't see that mentioned on the information page).
JB
Fox on the run
Ok, found another solution at http://www.frontmotion.com/FMFirefoxCE/index.htm.
But again, any personal experience/advice is welcomed.
JB
Sjouke Burry
Fox on the run
wrote:
Excuse me?
goodwin
>>
>>> Anybody know of a white paper or some such document on best practices
>>> in deploying Firefox in a corporate environments?
>>
>>> JB
>>
>> If I knew, you could wait until doomsday for an answer.
>
> Excuse me?
Your question really applies to a system admin issue, not every day
users group cup of tea.
Which begs the question - if you are asking here, maybe you may want to
reconsider your plan.
Poutnik
@x13g2000vbe.googlegroups.com>, jjrbo...@gmail.com says...
Partial solution of allowed browsing scope could be implementation
of usage of public OpenDNS servers. The OpenDNS account
can be configured to fool DNS queries for domains
of "bad category" types.
--
Poutnik
Fox on the run
Agreed, there are no doubt other places I could ask that would be more
in line with sysadmin duties. However I'm not on any of those lists
so figured I'd fire something out on this one where I was just looking
to be pointed in the direction of another resource I could digest at
my leisure. But the response from Sjouke Burry did not make his
intended message clear enough for me to be sure what he meant by it
hence my response to him.
JB
Fox on the run
> In article <909b604e-95b4-4542-adc2-f9d2be451fb0
Thanks Poutnik. I was aware of using a proxy server in a corporate/
government environment as a solution, as well as using a hardware
firewall as a possible component to a solution. I was not aware of
OpenDNS. It sounds quite interesting. I may have to play around with
that. I was focusing particularly on solutions that would be deployed
to the desktop in a similar fashion to Group Policies for IE. I
figured someone on this list must have deployed FF in such an
environment and may be aware of best practices/documentation to assist
with doing that. Obviously for a browser to be considered in a
corporate/government environment it needs to offer the ability to lock
down certain settings in order to ensure compliance with policies and
mitigate some of the risks that would manifest itself should a
solution be deployed that didn't provide that level of control.
As I stated to goodwin, I fully realize that this is not the most
appropriate list to ask. However I figured it was a good starting
point if nothing else given I'm not on other lists where such a
question would be applicable.
JB
Jay Garcia
--- Original Message ---
Well, I see you're getting a plethora of replies but none that hit the
jackpot ... No answer here but I would at least suggest you post this in:
mozilla.dev.apps.firefox
--
*Jay Garcia - Netscape/Flock Champion*
www.ufaq.org
Netscape - Firefox - SeaMonkey - Flock - Thunderbird
*DISCLAIMER: I have no authority here, therefore all replies other than
factual support answers are my opinions only.*
Greywolf
He meant he doesn't approve of your goal.
Wolf K.
Fox on the run
> On 16/02/2011 5:48 AM, Fox on the run wrote:
>
>
>
>
>
>
>
>
>
> > On Feb 16, 3:42 am, goodwin<conny...@cox.net> wrote:
> >> On 02/15/2011 09:00 PM, Fox on the run wrote:
>
> >>>>> Anybody know of a white paper or some such document on best practices
> >>>>> in deploying Firefox in a corporate environments?
>
> >>>>> JB
>
> >>>> If I knew, you could wait until doomsday for an answer.
>
> He meant he doesn't approve of your goal.
>
> Wolf K.
That's what I thought as well but just in case I misunderstood I was
giving him a chance to elaborate. It's a person's right to have an
opinion. But I was not looking to debate the topic and solicit other
people's opinion on it. I was simply looking for advice from those
that knew more on the topic of how to impose controls on Firefox when
deploying in a corporate or government environment. He has his
reasons for not approving and is entitled to have that opinion. I
have my reasons for asking about it. If I was looking for people's
opinion on the matter his post would have been more understandable. I
wasn't thus he simply should have stepped away from the keyboard and
moved on instead of responding as he did. That served no purpose but
attempt to flame the discussion which speaks to his character. Pretty
childish if you ask me. "Even if I knew I wouldn't tell you!" Sounds
more like a schoolyard argument between adolescents than an
intelligent discussion among adults.
JB
goodwin
Not for nothing, Greywolf, I'm not the one that wrote that line...
goodwin
If your servers are running linux, wouldn't IP tables do what you want?
I think they work 2 ways...
David McRitchie
> Is there a way to lock down certain features within Firefox?
Firefox has policy that can be put into user.js to override without
showing itself. But to really lock down a computer as in kiosks at
shopping malls, and other public access computers such as in Libraries
would suggest including kiosk in any search for a complete lockdown.
http://kb.mozillazine.org/Security_Policies
http://forums.mozillazine.org/viewtopic.php?f=19&t=1964777&start=0
Google search:
site:kb.mozillazine.org -intitle:talk -inurl:"/index.php?title=" capability.policy.policynames -intitle:talk
Fox on the run
Sorry goodwin, it does give that impression doesn't it. I know who
wrote it. Hopefully others do as well and didn't get confused in that
message and think it was you.
JB
Fox on the run
Quite possibly. I was looking in general terms for either Windows or
Linux environment ultimately, but focused more on Windows seeing it's
the dominant desktop OS.
Thanks,
JB
Fox on the run
> Fox on the run" ...
>
> > Is there a way to lock down certain features within Firefox?
>
> Firefox has policy that can be put into user.js to override without
> showing itself. But to really lock down a computer as in kiosks at
> shopping malls, and other public access computers such as in Libraries
> would suggest including kiosk in any search for a complete lockdown.
>
>
> Google search:
> site:kb.mozillazine.org -intitle:talk -inurl:"/index.php?title=" capability.policy.policynames -intitle:talk
Thanks David. I had heard about kiosk. I was looking for corporate/
government environments. In order for FF to be able to compete with
IE in that environment it must be able to provide the level of control
that is required in these environments to ensure users are in
compliance with policy. I was wondering what options were available
to make Firefox a viable solution where such controls are required. I
was aware of user.js but found some other good info concerning
mozilla.cfg and all.js to allow the locking down of certain settings.
JB
guanxi
In case you've given up on this thread, I'll cc your email address.
Here's a dump of links, accumulated over time because the info is hard
to find. Sorry, but I already spent 20 min. formatting it for this post;
I don't have time to clean it up more. I really should post these to a
website someplace, if anyone has ideas about where ...
*** These are rough accumulated notes. They're not well organized,
some links may be broken, etc. Corrections and additions are welcome!
Generally, the better resources are at the top of each section. We use a
variation of the Automatic Mozilla Configurator, simply because that's
what we mastered awhile ago.
DEPLOYMENT TOOLS (AFAIK)
* AutoConfig (a.k.a. Mission Control Desktop (MCD) seems to be the
most recommended
https://developer.mozilla.org/en/MCD,_Mission_Control_Desktop_AKA_AutoConfig
https://bugzilla.mozilla.org/show_bug.cgi?id=222973]
* Automatic Mozilla Configurator
https://developer.mozilla.org/En/Automatic_Mozilla_Configurator
* Client Customization Kit (CCK ): Aimed more at ISPs than
Enterprise IT?
* Old version, not well supported any more:
http://www.mozilla.org/projects/cck/
In Win installer:
http://www.mozilla.org/projects/cck/firefox/wininstall.html
* Current version by long-time Mozilla developer Michael Kaply,
available as an addon
https://addons.mozilla.org/en-US/firefox/addon/2553
http://www.mozilla.org/projects/cck/firefox/
http://code.google.com/p/ff-cckwizard/
http://www.kaply.com/weblog/tag/cck/
http://kaply.com/weblog/2010/03/03/cck-wizard-updateand-faqs/
* Build Your Own Browser by Mozilla.
https://byob.mozilla.com/
* FrontMotion: Provides an MSI installer, Group Policy
templates, and add-on deployment integration.
http://www.frontmotion.com/Firefox/index.htm
* FirefoxADM deployment utility. Not sure how good it is.
http://sourceforge.net/projects/firefoxadm
* Mozptch: config and deployment utility.
http://mozptch.mozdev.org/
* FFDeploy: automated deployment utility by Bob Templeton
http://firefox.dbltree.com/
* Silence of the Foxes : Looks like a simple hack, but it's simplicity
might be useful.
http://www.msfn.org/board/topic/43168-silence-of-the-foxes/
REFERENCE
* Enterprise blog entries by Michael Kaply, long-time Mozilla developer.
http://www.kaply.com/weblog/tag/enterprise/
* Bug 267888 : Windows 2000/XP/2003 Group Policies support (make
firefox configurable with domain group policy objects)
https://bugzilla.mozilla.org/show_bug.cgi?id=267888
* More documentation here
http://kaply.com/weblog/2010/08/05/creating-a-customized-firefox-distribution/
* Installation and update category at Mozillazine's unofficial KB
http://kb.mozillazine.org/Category:Installation_and_update_%28Firefox%29
* Repackaging Firefox by MDC: For example, adding an add-on to the
default Firefox package.
https://developer.mozilla.org/En/Repackaging_Firefox
* Firefox Custom Setup Support: Looks like a sysadmin made this basic
outline and links.
http://mcmblog.sitesled.com/
OTHER TOOLS
* GPO For Firefox Add-on: Allows management of preferences from
Windows registry, to enable GPO
https://addons.mozilla.org/en-US/firefox/addon/51892/
* CLEO (Compact Library Extension Organizer ): Package multiple
extensions into one and deploy them all at once.
https://addons.mozilla.org/en-US/firefox/addon/2942
* Accountex: add-on exports/imports acct settings
https://addons.mozilla.org/en-US/firefox/addon/599
* MozBackup: reputedly can backup/restore settings
http://mozbackup.jasnapaka.com
* Rebrand add-on, also by Kaply. Changes Firefox branding, but as of
May 2009 it is out of date.
https://addons.mozilla.org/en-US/firefox/addon/2776
* Unofficial Firefox branding by "World of Scragz"
http://scragz.com/archived/mozilla/firefox-unofficial-branding
Fox on the run
>
> * Automatic Mozilla Configuratorhttps://developer.mozilla.org/En/Automatic_Mozilla_Configurator
>
> * Client Customization Kit (CCK ): Aimed more at ISPs than
> Enterprise IT?
>
> * Old version, not well supported any more:
> http://www.mozilla.org/projects/cck/
> In Win installer:http://www.mozilla.org/projects/cck/firefox/wininstall.html
>
> * Current version by long-time Mozilla developer Michael Kaply,
> available as an addon
> https://addons.mozilla.org/en-US/firefox/addon/2553
> http://www.mozilla.org/projects/cck/firefox/
> http://code.google.com/p/ff-cckwizard/
> http://www.kaply.com/weblog/tag/cck/
> http://kaply.com/weblog/2010/03/03/cck-wizard-updateand-faqs/
>
>
> * FrontMotion: Provides an MSI installer, Group Policy
>
> * FirefoxADM deployment utility. Not sure how good it is.http://sourceforge.net/projects/firefoxadm
>
> * Mozptch: config and deployment utility.http://mozptch.mozdev.org/
>
> * FFDeploy: automated deployment utility by Bob Templetonhttp://firefox.dbltree.com/
>
> * Silence of the Foxes : Looks like a simple hack, but it's simplicity
>
> REFERENCE
>
> * Enterprise blog entries by Michael Kaply, long-time Mozilla developer.http://www.kaply.com/weblog/tag/enterprise/
>
> * Bug 267888 : Windows 2000/XP/2003 Group Policies support (make
> firefox configurable with domain group policy objects)https://bugzilla.mozilla.org/show_bug.cgi?id=267888
>
>
> * Installation and update category at Mozillazine's unofficial KBhttp://kb.mozillazine.org/Category:Installation_and_update_%28Firefox%29
>
> * Repackaging Firefox by MDC: For example, adding an add-on to the
>
> * Firefox Custom Setup Support: Looks like a sysadmin made this basic
>
> OTHER TOOLS
>
> * GPO For Firefox Add-on: Allows management of preferences from
>
> * CLEO (Compact Library Extension Organizer ): Package multiple
>
> * Accountex: add-on exports/imports acct settingshttps://addons.mozilla.org/en-US/firefox/addon/599
>
> * MozBackup: reputedly can backup/restore settingshttp://mozbackup.jasnapaka.com
>
> * Rebrand add-on, also by Kaply. Changes Firefox branding, but as of
>
> * Unofficial Firefox branding by "World of Scragz"http://scragz.com/archived/mozilla/firefox-unofficial-branding
Thanks. You must have replied to both the list and my personal email
by mistake. I didn't realize that you had also posted to the list
when I replied to your email. Like I mentioned in the email, if
Firefox wants to be considered a viable option in a corporate/
government environment it should provide this functionality out of the
box. No IT department is going to want to deploy a browser that
cannot be locked down to ensure compliance with corporate/government
IT policies. Failing to provide this functionality limits their
competitiveness in this market.
JB
goodwin
<snip>
> Like I mentioned in the email, if
> Firefox wants to be considered a viable option in a corporate/
> government environment it should provide this functionality out of the
> box. No IT department is going to want to deploy a browser that
> cannot be locked down to ensure compliance with corporate/government
> IT policies. Failing to provide this functionality limits their
> competitiveness in this market.
>
I don't seem to recollect this opinion being put forth earlier in the
thread but
now that you said it, one has to ask - who's picking the cost?
The software programming itself would be a fortune. Firefox was never
meant to be an enterprise product AFAIK. Keeping Joe user happy is bad
enough, now you want to satisfy big business /and/ their ITs - good
luck, it ain't happening unless Mozilla has an IPO in the wings. Of
course, that possibility does exist.
Meanwhile the corporate sys admins should be able to control their own
networks - thats what they get paid for.
just my 2 cents...
guanxi
> On Feb 21, 9:48 pm, guanxi <guanx...@example.com> wrote:
>> In case you've given up on this thread, I'll cc your email address. ...
> Thanks. You must have replied to both the list and my personal email
> by mistake.
You must have skimmed the first sentence pretty quickly! :) Anyway, I
look at my return address ... I didn't get the email.
> Like I mentioned in the email, if
> Firefox wants to be considered a viable option in a corporate/
> government environment it should provide this functionality out of the
> box. No IT department is going to want to deploy a browser that
> cannot be locked down to ensure compliance with corporate/government
> IT policies. Failing to provide this functionality limits their
> competitiveness in this market.
As of the end of 2009, Firefox' marketshare was ~20% in businesses and
growing rapidly. But you are correct, and I and Mozilla Corp. people
agree (AFAIK; I don't represent them):
IIRC, it's been decided that it's not worth dedicating Mozilla's limited
resources to corporate IT. (It's tough enough keeping up with the
resources of Microsoft and Google!) As you probably know, it requires
not only automated deployment, configuration, and compliance features ...
* It requires platform stability (supporting, patching, etc. old
versions of Firefox for years). For example, Microsoft is supporting
Windows XP, released in 2001, until 2014. Mozilla supports only one
previous version. By Microsoft's standard, Mozilla would still be
dedicating engineering resources to Mozilla Suite 1.x and Firefox 1.x,
patching security holes, etc.
* It requires a high level of support. I think support.mozilla.org now
has four employees. (Someone recently had a great blog post: How to
support 400 million users with a staff of four.)
Firefox can be locked down and managed using the tools above, but it
costs more than it does for apps with better features. Firefox' reduced
exposure to malware compared with IE makes up for the extra
administrative costs for many organizations. Plus, users like it.
Fox on the run
I understood Mozilla generates revenues at least in part through
Google by having it as its search engine. I read somewhere in the
past that the revenues were in the order of $25 million per year
(don't quote me on that). So I guess the potential revenue increase
would be from such agreements by increasing the user base. But I
appreciate what you are saying in the meantime.
JB
Fox on the run
Valid points that I hadn't given much thought about to be honest.
It's too bad it's not in the cards, but understandable given their
current business model.
JB