Deploying and Managing Firefox Enterprise Policies

Thanks to this wonderful global pandemic known as COVID-19, my kids are having to do school online. As such, I've had to do something I wasn't planning on for a few more years: I have to buy them laptops. I've been expecting to have to buy them laptops at some point, which is why I've been researching how to apply parental controls on the systems. Currently I have Google Chrome managed through GSuite, my kids have Google family child accounts, they have child accounts on Microsoft, and parental controls on Edge. One thing was missing, however: Firefox.


If you've been reading my articles for a bit, you'll probably know that I'm not as "antigoogle" as a lot of people are; however, I wanted to give my kids an option to use Firefox. The problem I have with Firefox is that it's not centrally managed like Chrome or Edge are. Chrome is a really simple browser to roll out to an enterprise (or family) because the entire thing can be managed from the GSuite admin dashboard. I can make changes to almost anything and it applies to every computer that has my GSuite Chrome Management Policy GPO installed. Edge isn't as powerful, but Microsoft does allow parents to make some good changes through the family portal. Firefox, however, doesn't have a system to manage it like that. While Firefox does technically have an enterprise version, it's nowhere near as easy to deploy as Chrome.


I tried and failed multiple times to get this to work, and if you're curious about what I was dealing with I'll write a blog post about it at some point. The Firefox enterprise page gives you almost no information on how to do this. Firefox states that its variables should be managed by GPOs, but on a different page it says to use autoconfig.js, and finally on the GitHub page it says to use policies.json. I wasn't able to actually get the GPOs working correctly. I would get Firefox to see that I had a policy in place, but it would error on me every time. The GitHub page talks about using CCK2 to create the policies. I looked into that and discovered that it's no longer supported. So how did I manage Firefox enterprise?


It was actually simpler than I thought it was going to be; this may not be the best way, but it works.

  1. Download this extension for Firefox.
    1. From the research I did it appears that this extension is the unofficial replacement for CCK2. This extension is pretty great. It displays all the policies that can be managed in Firefox and gives you easy check boxes that can be toggled. At the end it will generate a policies.json file for you. No coding required.
  2. Navigate to your Firefox folder.
    1. For most users this will be in C:\Program Files\Mozilla Firefox
  3. Create a distribution folder
    1. You'll need admin rights for this
  4. Place the policies.json file into that newly created distribution folder.
  5. Close and restart Firefox.

Your Firefox should now be managed with the settings you checked through the extension. If you want to modify the policies you can open the policies.json file and make changes, save, and restart Firefox.
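Steps 2 through 4 can be scripted on the local machine. The PowerShell below is an added example, not part of the original post; it assumes the default install path given above and a policies.json in the current directory, and the function name Install-FirefoxPolicy is made up for illustration.

```powershell
# Added example: copies a policies.json into Firefox's distribution folder.
# Assumed: default install path and a source file in the current directory.
function Install-FirefoxPolicy {
    param(
        [string]$Source     = '.\policies.json',
        [string]$FirefoxDir = 'C:\Program Files\Mozilla Firefox'
    )

    # Writing under Program Files needs an elevated session (step 3).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }
    if (-not (Test-Path -LiteralPath (Join-Path $FirefoxDir 'firefox.exe'))) {
        throw "firefox.exe not found in $FirefoxDir"
    }

    # Refuse to deploy a file that is not valid JSON or that lacks the
    # top-level "policies" object Firefox reads. ConvertFrom-Json throws
    # on malformed input.
    $parsed = Get-Content -LiteralPath $Source -Raw | ConvertFrom-Json
    if ($null -eq $parsed.policies) {
        throw "$Source has no top-level 'policies' object."
    }

    $dist = Join-Path $FirefoxDir 'distribution'
    New-Item -ItemType Directory -Path $dist -Force | Out-Null

    # Keep the previous file so a bad edit can be rolled back.
    $target = Join-Path $dist 'policies.json'
    if (Test-Path -LiteralPath $target) {
        Copy-Item -LiteralPath $target -Destination "$target.bak" -Force
    }
    Copy-Item -LiteralPath $Source -Destination $target -Force
    return $target
}

Install-FirefoxPolicy
```

After it runs, restart Firefox and open about:policies to confirm the policies loaded without errors.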

The benefit to using this policies.json file is that it's easy to create, and since it's placed in a Windows system folder it applies to all user profiles on the system.

The downside of using this instead of Active Directory managed GPOs is that you have to place this file on every system in your enterprise. If you are an organization like the Government then manually placing a file on all of the millions of computers is not a feasible possibility (also you're probably not reading a random guy's website on how to manage Firefox). This becomes exponentially troublesome when you have to update the policies. It's simply not possible.


Thankfully for me I only have 5 computers with Firefox to manage. Still, 5 computers will take me too much time if I'm having to log into each one and copy/paste a new policies file. So, I had to come up with a plan for that. For this I'm using PowerShell remote scripting to automatically place the file into the correct directory. I'll cover that on another day.


So, there you have it, if you are a parent and want to let your kids use Firefox but you want to be able to apply some controls on it here you go.


Author's Note: There was some wonkiness with this that I came across. I'll outline them here.

  1. Forcing the installation of extensions requires an ID that isn't readily accessible.
    1. One of the benefits of controlling policies is that you can control what extensions your users are able to install. You can even force the installation of certain ones; however, to force an extension you need to know some information about it.
      1. You'll need to know the install URL for the extension. This can be obtained by right clicking on the install option for the addon and clicking "copy link address".
      2. You'll also need the addon ID. This ID isn't readily available and there doesn't seem to be a standard way these IDs are done. I've found two ways to get the ID.
        1. First: Install the Addon then go to about:memory. Start a memory test then Ctrl+F and search extensions. This will list out all the extensions with their IDs.
        2. The second way I've found you can get them is by just putting a random ID in there and deploying the policy file. Then launch Firefox and go to about:policies. You'll see an error tab now. In that error tab it will say something akin to Firefox expected the ID of XYZ and got ID ABC. You now know what ID to use.
  2. The next bit of wonkiness dealt with URL blocking and actually took me quite a bit of headache to figure out.
    1. I'll put this right up front. To block a URL, the URL must end with a /
      1. It took me far too long to figure that out, and the policy documentation isn't very specific. In fact, the policy documentation only talks about blocking everything and whitelisting specific domains.
    2. For every domain, you need to block both HTTP and HTTPS.
      1. Blocking only HTTP isn't enough, as most websites will redirect you to HTTPS automatically, which completely bypasses the HTTP block.
      2. You also need to use *.website to block all subdomains under that domain. An example of this is YouTube. There are several YouTube variants: m.youtube, gaming.youtube, www.youtube, music.youtube, etc. The * will wildcard all subdomains under youtube.
    3. The file block should look like this: https://*.youtube.com/
    4. Personally, I find blocking URLs to be simpler with a Pi-hole, but that can be beaten with a VPN or changing DNS servers where the policies can't; however, if you get into the habit of manually blocking individual domains you'll quickly find that you can never keep up, so use this sparingly.
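The blocking rules above (trailing /, both HTTP and HTTPS, *. for subdomains) can be generated and checked mechanically. This PowerShell is an added example, not from the original post; the function names and sample inputs are constructed for illustration, and WebsiteFilter is the Firefox policy that holds the block list.

```powershell
# Added example; function names and sample inputs are constructed.

# Emit the HTTP and HTTPS wildcard patterns for each bare domain.
function New-BlockPattern {
    param([Parameter(Mandatory)][string[]]$Domain)
    foreach ($d in $Domain) {
        $name = $d.Trim().ToLower()
        if ($name -notmatch '^[a-z0-9-]+(\.[a-z0-9-]+)+$') {
            throw "Expected a bare domain such as youtube.com, got: $d"
        }
        foreach ($scheme in 'http', 'https') { "${scheme}://*.$name/" }
    }
}

# Report the mistakes described above in an existing block list.
function Test-BlockPattern {
    param([Parameter(Mandatory)][string[]]$Pattern)
    foreach ($p in $Pattern) {
        if ($p -notmatch '^(?<scheme>[a-z]+)://(?<host>[^/]+)(?<path>/.*)?$') {
            "${p}: not in scheme://host/ form"
            continue
        }
        # Copy the captures; a later -match would overwrite $Matches.
        $scheme, $hostPart, $path = $Matches['scheme'], $Matches['host'], $Matches['path']
        if (-not $path) { "${p}: does not end with /" }
        if (-not $hostPart.StartsWith('*.')) {
            "${p}: no *. prefix, subdomains are not covered"
        }
        if ($scheme -eq 'http' -and $Pattern -notcontains "https://$hostPart$path") {
            "${p}: no matching https:// entry"
        }
    }
}

# Build the policy document and print it as JSON for policies.json.
$policy = @{ policies = @{ WebsiteFilter = @{ Block = @(New-BlockPattern 'youtube.com') } } }
$policy | ConvertTo-Json -Depth 5

# Constructed block list: the first entry has each mistake, the second is well formed.
Test-BlockPattern 'http://youtube.com', 'https://*.youtube.com/'
```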


That's all I have for you. If you found this helpful let me know in the comments below. Thanks.