Deploying Firefox Settings using Microsoft Endpoint Manager

During a number of my recent Microsoft Endpoint Manager deployments and conversations with customers, one thing that always comes up is the security of the different browsers that end users run to perform their daily tasks. A recent discussion touched on Mozilla Firefox and how it can be managed using Microsoft Endpoint Manager, as they currently perform this task with on-premises GPOs.

Like Google Chrome, Firefox can also be managed using a Custom configuration profile for Windows 10. The policy consists of two parts. The first part is used to deploy the Firefox ADMX file to the Intune managed device. The second part of the policy is used to manage the settings of choice.

Ingest the Firefox ADMX file

The Firefox ADMX file has been made available on GitHub. Download this file as it will be required later within this blog post.

We now need to sign-in to the Microsoft Endpoint Manager portal.

  • Sign-in to the Endpoint Management Portal
  • Browse to the following location (1) Devices – (2) Windows
  • On the (3) Configuration Profiles tab click (4) Create profile

Select Windows 10 and later –> Custom –> Create

We now need to populate the Name field for this profile. You can also provide a description to give more information about what this profile does. Once you have populated the required information, press Configure under Settings and then Add.

Now we are going to add rows to the profile. The first row is the ingestion of the Firefox ADMX file, followed by any Firefox policies you would like to introduce. Please follow the text and screenshots below.

Name: Firefox ADMX Ingestion
OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Firefox/Policy/FirefoxAdmx
Data Type: String
Value: Copy the entire content of the ADMX file into the value field

The value information could be different from what is shown in the screenshot above, so to validate this, open the .admx in Notepad or another program.

At the top of the opened file you will see the value which you will need to copy and add to your row.

<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.14" schemaVersion="1.0">
<policyNamespaces>
<target prefix="firefox" name="Mozilla.Policies.Firefox"/>
<using prefix="Mozilla" name="Mozilla.Policies"/>
</policyNamespaces>
<resources minRequiredRevision="1.14"/>

Understanding the OMA-URI for configuring policies

This was something very new to me, and I have had to learn exactly how to interpret the ADMX file to obtain the information required to create the OMA-URI for each setting I would like to apply.

Let's split the OMA-URI into separate parts to make sure you fully understand how it is put together. First of all, the default for managing applications using an ADMX file:
./Device/Vendor/MSFT/Policy/Config/
You will always require this when adding a new row for a policy. I am going to use DisablePrivateBrowsing as an example of how we achieve the required outcome.

The part that comes next is not always the same, we need to follow some rules:

It starts with Firefox (this is the file name of the admx template firefox.admx) followed by Policy, and every word is separated with the ~ sign, as shown below.

Firefox~Policy~


The next part is split into two different categories. The first category is always found at the top of the ADMX file and, as you can see, it is called “firefox”.

The next category will be one of the following:

  • firefox
  • Authentication
  • Popups
  • Cookies
  • Addons
  • Flash
  • Bookmarks
  • Homepage
  • Certificates
  • Extensions
  • Search
  • Permissions
  • Camera
  • Microphone
  • Location
  • Notifications
  • Autoplay
  • Preferences
  • SanitizeOnShutdown
  • TrackingProtection

As we are configuring DisablePrivateBrowsing, the category required is called firefox, so my complete OMA-URI, including /settingname, would be ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~firefox/DisablePrivateBrowsing as shown below.

Now that we understand the OMA-URI, we need to provide the string value to enable this new policy. For this particular policy, we just need to put <enabled/> in order to make it active.
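The row-building rules above can be checked against the ADMX itself. This added Python example (not from the original post or from Mozilla's templates) parses a constructed, cut-down ADMX, walks each policy's parentCategory chain to build the OMA-URI, and emits the value string, including the `<data>` entries needed by policies that define `<elements>`. The policy names, `build_rows` and the `REPLACE_ME` placeholder are assumptions, and `app_name` is assumed to be the `Firefox` token used in the ingestion OMA-URI.

```python
import xml.etree.ElementTree as ET

CONFIG_ROOT = "./Device/Vendor/MSFT/Policy/Config/"

# Constructed, cut-down ADMX for illustration; policy names are hypothetical.
SAMPLE_ADMX = """<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.14" schemaVersion="1.0">
  <policyNamespaces><target prefix="firefox" name="Mozilla.Policies.Firefox"/></policyNamespaces>
  <categories>
    <category name="firefox"/>
    <category name="Homepage"><parentCategory ref="firefox"/></category>
  </categories>
  <policies>
    <policy name="ExampleToggle"><parentCategory ref="Homepage"/></policy>
    <policy name="ExampleText">
      <parentCategory ref="Homepage"/>
      <elements><text id="ExampleText_Value"/></elements>
    </policy>
  </policies>
</policyDefinitions>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace prefix if present

def _parent_ref(node):
    return next((c.get("ref") for c in node if _local(c.tag) == "parentCategory"), None)

def build_rows(admx_text, app_name="Firefox"):
    """Return {policy name: (OMA-URI, value template)} for each policy in the ADMX."""
    root = ET.fromstring(admx_text)  # raises ParseError if the paste is not valid XML
    parent = {c.get("name"): _parent_ref(c) for c in root.iter() if _local(c.tag) == "category"}
    rows = {}
    for pol in (p for p in root.iter() if _local(p.tag) == "policy"):
        chain, ref = [], _parent_ref(pol)
        # Assumption: only categories defined in this file form the path.
        while ref in parent and ref not in chain:
            chain.insert(0, ref)
            ref = parent[ref]
        # Policies with <elements> need a <data> entry per element id after <enabled/>.
        ids = [e.get("id") for el in pol if _local(el.tag) == "elements" for e in el]
        value = "<enabled/>" + "".join(f'<data id="{i}" value="REPLACE_ME"/>' for i in ids)
        uri = f"{CONFIG_ROOT}{app_name}~Policy~{'~'.join(chain)}/{pol.get('name')}"
        rows[pol.get("name")] = (uri, value)
    return rows

if __name__ == "__main__":
    for name, (uri, value) in build_rows(SAMPLE_ADMX).items():
        print(name, uri, value, sep="\n  ")
```

Parsing also fails loudly on content that is not well-formed XML, such as an ADMX header pasted with typographic quotes, which is worth catching before the text goes into the ingestion row.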

Now that you have completed the basics, you can visit the ReadMe file to see what other policy settings you can implement: https://github.com/mozilla/policy-templates/blob/master/README.md

Regards
The Author – Blogabout.Cloud
