Re: [Mozilla Enterprise] Deploy Firefox with MSI installers

2020-02-14 Thread Sébastien CLEMENT
Hello, 

In my opinion, the esasiest way  to configure Firefox in a
Microsoft environnement is to use policy template
(https://github.com/mozilla/policy-templates). 

Parameters you are
looking for can be managed with it. 

Regards, 

Cordialement, 

-- 


Sébastien CLÉMENT
Direction des Systèmes d'Information
Pôle Ressources
Organisation et Modernisation
Tél: 03 86 72 87 32
16-18 Boulevard de la
Marne - 89089 Auxerre Cedex 

Pour le respect de l'environnement,
veuillez n'imprimer ce message ainsi que les pièces jointes qu'en cas de
nécessité. 

Le contenu de ce courrier et ses éventuelles pièces jointes
sont confidentiels. Ils s'adressent exclusivement à la personne
destinataire. Si cet envoi ne vous est pas destiné, ou si vous l'avez
reçu par erreur, et afin de ne pas violer le secret des correspondances,
vous ne devez pas le transmettre à d'autres personnes ni le reproduire.
Merci de le renvoyer à l'émetteur et de le détruire. 

Le 2020-02-14
01:38, Eddie Rowe a écrit :

> I have not edit the MSI file for Firefox
with Orca (I have used the tool with a couple other products).  I would
suggest using a preference that sets the home page and allow the
employee to change it, in case they wish to do so.  See
https://support.mozilla.org/en-US/kb/customizing-firefox-using-autoconfig
[1].  I would also suggest setting up the policies.json to control
other options through policy
https://support.mozilla.org/en-US/products/firefox-enterprise/policies-customization-enterprise/policies-overview-enterprise
[2].  At a minimum you need to take out the support for DNS Over HTTPS
via a policy! 
> 
> It takes a little bit of reading to put everything
together, but well worth it and you can begin adopting security controls
and settings to help reduce the attack surface at your organization.  I
put off the work far too long because at first glance it looked too
difficult, but once I sat down, read the web pages and made some notes
it wasn't nearly that much work.  Pretty well thought out options given
how the software has changed over the years.  There is sometimes overlap
between a preference and policy. 
> 
> When you are done reading and
configuring here is what you will have for x64 Firefox: 
> 
> ·   
autoconfig.js goes into C:\Program Files\Mozilla Firefox\defaults\pref\

> 
> a.  This tells Firefox what firefox.cfg file to use. 
> 
> ·  
firefox.cfg goes into C:\Program Files\Mozilla Firefox\ 
> 
> a.   
 This is the Firefox configuration file.  I started with a CIS baseline
for Firefox ESR that was very old and adjusted where it made sense.  I
highly recommend putting comments in the file with "//" at the start of
the line.  I used the CIS benchmark control number to keep my sanity. 
Preferences in here can be locked where employees cannot change them,
default ones, etc.  All of mine are locked since I focused on security
items - we have a bias in the organization for IE because of internal
web apps that have UNC links that don't work elsewhere (unless someone
recodes the app).  We try to keep our apps setup pretty generic, but you
can go to down with this file and preferences. 
> 
> ·   
policies.json goes into C:\Program Files\Mozilla Firefox\distribution\

> 
> a.  This is the policies file and has more capabilities than
using the GPO option.  All manner of goodness can go in this file such
as making sure the MenuBar is ALWAYS available, configuring servers you
know need pop-ups to work, disabling evil third party cookies, but allow
exceptions where you really need them, blocking evil extensions and only
allowing those you have reviewed and approved, etc.  I push out all of
these files via Group Policy Preference so they end up on the Windows
boxes (all that we have) in such a way that regular users cannot change,
but if someone changed, we would overwrite at next enforcement. 
> 
>
FROM: Enterprise  ON BEHALF OF Michael
Tran via Enterprise
> SENT: Thursday, February 13, 2020 6:09 PM
> TO:
enterprise@mozilla.org
> SUBJECT: Re: [Mozilla Enterprise] Deploy
Firefox with MSI installers 
> 
> Hello folks, 
> 
> I'm trying to use
the MSI installers to deploy Firefox through SCCM.  Beside changing
existing values for the PROPERTIES by using ORCA, is there a way to set
HOME page in it?  What about prevent Firefox to perform check the
default browser? Thanks for any help. 
> 
> MICHAEL TRAN 
> 
>
Information Systems Division - Service Desk 
> 
> Oregon Department of
Fish and Wildlife 
> 
> michael.c.t...@state.or.us 
> 
> (503)947-6347

> 
> ___
> Enterprise
mailing list
> Enterprise@mozilla.org
>
https://mail.mozilla.org/listinfo/enterprise
> 
> To unsubscribe from
this list, please visit https://mail.mozilla.org/listinfo/enterprise or
send an email to enterprise-requ...@mozilla.org with a subject of
"unsubscrib

Re: [Mozilla Enterprise] Deploy Firefox with MSI installers

2020-02-13 Thread Eddie Rowe
I have not edit the MSI file for Firefox with Orca (I have used the tool with a 
couple other products).  I would suggest using a preference that sets the home 
page and allow the employee to change it, in case they wish to do so.  See 
https://support.mozilla.org/en-US/kb/customizing-firefox-using-autoconfig.  I 
would also suggest setting up the policies.json to control other options 
through policy 
https://support.mozilla.org/en-US/products/firefox-enterprise/policies-customization-enterprise/policies-overview-enterprise.
  At a minimum you need to take out the support for DNS Over HTTPS via a policy!

It takes a little bit of reading to put everything together, but well worth it 
and you can begin adopting security controls and settings to help reduce the 
attack surface at your organization.  I put off the work far too long because 
at first glance it looked too difficult, but once I sat down, read the web 
pages and made some notes it wasn't nearly that much work.  Pretty well thought 
out options given how the software has changed over the years.  There is 
sometimes overlap between a preference and policy.

When you are done reading and configuring here is what you will have for x64 
Firefox:


*autoconfig.js goes into C:\Program Files\Mozilla Firefox\defaults\pref\

a.  This tells Firefox what firefox.cfg file to use.

*firefox.cfg goes into C:\Program Files\Mozilla Firefox\

a.  This is the Firefox configuration file.  I started with a CIS baseline 
for Firefox ESR that was very old and adjusted where it made sense.  I highly 
recommend putting comments in the file with "//" at the start of the line.  I 
used the CIS benchmark control number to keep my sanity.  Preferences in here 
can be locked where employees cannot change them, default ones, etc.  All of 
mine are locked since I focused on security items - we have a bias in the 
organization for IE because of internal web apps that have UNC links that don't 
work elsewhere (unless someone recodes the app).  We try to keep our apps setup 
pretty generic, but you can go to down with this file and preferences.

*policies.json goes into C:\Program Files\Mozilla Firefox\distribution\

a.  This is the policies file and has more capabilities than using the GPO 
option.  All manner of goodness can go in this file such as making sure the 
MenuBar is ALWAYS available, configuring servers you know need pop-ups to work, 
disabling evil third party cookies, but allow exceptions where you really need 
them, blocking evil extensions and only allowing those you have reviewed and 
approved, etc.  I push out all of these files via Group Policy Preference so 
they end up on the Windows boxes (all that we have) in such a way that regular 
users cannot change, but if someone changed, we would overwrite at next 
enforcement.


From: Enterprise  On Behalf Of Michael Tran via 
Enterprise
Sent: Thursday, February 13, 2020 6:09 PM
To: enterprise@mozilla.org
Subject: Re: [Mozilla Enterprise] Deploy Firefox with MSI installers

Hello folks,
I'm trying to use the MSI installers to deploy Firefox through SCCM.  Beside 
changing existing values for the PROPERTIES by using ORCA, is there a way to 
set HOME page in it?  What about prevent Firefox to perform check the default 
browser? Thanks for any help.

Michael Tran
Information Systems Division - Service Desk
Oregon Department of Fish and Wildlife
michael.c.t...@state.or.us<mailto:michael.c.t...@state.or.us>
(503)947-6347
[cid:image001.png@01D5E299.FCD615A0]

___
Enterprise mailing list
Enterprise@mozilla.org
https://mail.mozilla.org/listinfo/enterprise

To unsubscribe from this list, please visit 
https://mail.mozilla.org/listinfo/enterprise or send an email to 
enterprise-requ...@mozilla.org with a subject of "unsubscribe"


Re: [Mozilla Enterprise] Deploy Firefox with MSI installers

2020-02-13 Thread Michael Tran via Enterprise
Hello folks,
I'm trying to use the MSI installers to deploy Firefox through SCCM.  Beside 
changing existing values for the PROPERTIES by using ORCA, is there a way to 
set HOME page in it?  What about prevent Firefox to perform check the default 
browser? Thanks for any help.

Michael Tran
Information Systems Division - Service Desk
Oregon Department of Fish and Wildlife
michael.c.t...@state.or.us
(503)947-6347
[cid:image001.png@01D5E287.F6823B50]

___
Enterprise mailing list
Enterprise@mozilla.org
https://mail.mozilla.org/listinfo/enterprise

To unsubscribe from this list, please visit 
https://mail.mozilla.org/listinfo/enterprise or send an email to 
enterprise-requ...@mozilla.org with a subject of "unsubscribe"