-
Notifications
You must be signed in to change notification settings - Fork 0
/
12-firefox.Rmd
126 lines (96 loc) · 5.33 KB
/
12-firefox.Rmd
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
# Firefox Policy {#firefox}
```{r, echo=FALSE, out.width="30%", fig.align='center'}
knitr::include_graphics("firefox-images/browse.png")
```
\index{Policies!Firefox}
Firefox Policy deploys a `policies.json` file to client machines to customize how Firefox looks and operates.
This policy is physically stored on the SYSVOL in **MACHINE/Registry.pol**. It is stored in registry format. See chapter \@ref(regpol) for details on how to manually modify this file.
## Server Side Extension
The Server Side Extension (SSE) for Firefox Policy is distributed via Administrative Templates (see chapter \@ref(sse) in section \@ref(admx)). This SSE uses the admx templates provided by Mozilla.
Setting up the ADMX templates for this policy is described in chapter \@ref(install-admx) section \@ref(install-admx-firefox).
\index{Server Side Extensions}
\index{Administrative Templates}
## Managing Firefox Policy via the GPME
Open the GPME and navigate to `Computer Configuration > Administrative Templates > Mozilla > Firefox`.
```{r, out.width="70%", echo=FALSE, fig.align='center', fig.pos = 'H', fig.cap = "Mozilla Administrative Templates"}
knitr::include_graphics("firefox-images/gpme.png")
```
There are many options to choose from, but for this example we'll just test setting a homepage. Click on `Home page` in the tree, and we're going to modify both the `Start Page` and the `URL for Home page`.
```{r, out.width="70%", echo=FALSE, fig.align='center', fig.pos = 'H', fig.cap = "Start Page"}
knitr::include_graphics("firefox-images/start-page.png")
```
First we'll set the `Start Page` to `Homepage (Locked)`. This requires the start page to always open the homepage, and the user will be unable to change it to point anywhere else.
```{r, out.width="70%", echo=FALSE, fig.align='center', fig.pos = 'H', fig.cap = "Home Page"}
knitr::include_graphics("firefox-images/home-page.png")
```
Next we'll set the homepage URL, and check the box `Don't allow the homepage to be changed`. This will prevent the user from changing the homepage.
::: {#info style="color: green;"}
Note that when setting a home page, you *MUST* include the http or https prefix, or Firefox will ignore the policy.
:::
## Client Side Extension
The Firefox Client Side Extension (CSE) creates 2 policy files. One at `/usr/lib64/firefox/distribution/policies.json` and the other at `/etc/firefox/policies/policies.json`. These files will contain exactly the same information. The only reason there is a duplicate, is because different versions of Firefox require the policy file in different locations.
\index{Client Side Extensions}
Let’s list the Resultant Set of Policy to view policies we set in the previous section.
```
> sudo /usr/sbin/samba-gpupdate --rsop
Resultant Set of Policy
Computer Policy
GPO: Default Domain Policy
=================================================================
CSE: gp_firefox_ext
-----------------------------------------------------------
Policy Type: Software\Policies\Mozilla\Firefox\
Homepage\StartPage
-----------------------------------------------------------
homepage-locked
-----------------------------------------------------------
Policy Type: Software\Policies\Mozilla\Firefox\
Homepage\URL
-----------------------------------------------------------
https://samba.org
-----------------------------------------------------------
Policy Type: Software\Policies\Mozilla\Firefox\
Homepage\Locked
-----------------------------------------------------------
1
-----------------------------------------------------------
-----------------------------------------------------------
=================================================================
```
\index{Resultant Set of Policy}
We see that the policy we set is listed. Next let's force an apply of the policy, and see what is logged in the Group Policy Cache.
```
> sudo /usr/sbin/samba-gpupdate --force
> sudo tdbdump /var/lib/samba/gpo.tdb -k "TESTSYSDM$" \
| sed -r "s/\\\22/\"/g" | sed -r "s/\\\5C/\\\\/g" \
| xmllint --xpath "//gp_ext[@name='Mozilla/Firefox']" - \
| xmllint --format -
<gp_ext name="Mozilla/Firefox">
<attribute name="policies.json">
{"policies": {}}
</attribute>
</gp_ext>
```
There isn't much interesting in the cache, since it just tells us that we had no policies set previously. Let's look inside our policy file and see what was applied.
\index{Group Policy Cache}
```
> npx prettier /etc/firefox/policies/policies.json
{
"policies": {
"Homepage": {
"StartPage": "homepage-locked",
"URL": "https://samba.org",
"Locked": true
}
}
}
```
It appears that our policies are applied. Opening Firefox, we see that the policy is being enforced.
```{r, out.width="70%", echo=FALSE, fig.align='center', fig.pos = 'H', fig.cap = "Firefox"}
knitr::include_graphics("firefox-images/home-page-set.png")
```
If you open your browser settings, you'll notice a warning message indicating that your organization is managing the browser. If Firefox encountered any problems enforcing the policy, a warning will be listed here.
```{r, out.width="70%", echo=FALSE, fig.align='center', fig.pos = 'H', fig.cap = "Managed Firefox"}
knitr::include_graphics("firefox-images/managed.png")
```
Notice that the homepage settings are now grayed out in the settings dialog, and can't be modified by the user.