Firefox/EnterprisePolicies

From MozillaWiki

This page documents the ongoing work to plan and implement a policy engine inside Firefox to be used by system administrators to configure Firefox in enterprise deployments.

Note: This is not documentation of the feature, and anything here is subject to change. Final documentation will exist on MDN once the feature nears completion.

Overview

The Firefox ESR (extended support release) is based on an official release of Firefox desktop for use by organizations including schools, universities, businesses, and others who need extended support for mass deployments. Since Firefox 10, ESR has grown in popularity and many large organizations rely on it to let their employees browse the Internet securely. We want to make customization of Firefox deployments simpler for system administrators and we want our next ESR version, Firefox 60, to include a policy engine that increases customization possibilities and integration into existing management systems. The policy engine is obviously not limited to the ESR channel but we expect it will mostly be used there.

Objective

Our key objective is to meet the demand for enterprise customization post-57 in time for the next ESR. We want to build a solution that will work with any tool that wants to set policies, not just Windows Group Policy. Given that we've never had any solution before, we want to make sure that the existing tools (Autoconfig, CCK2, Frontmotion) can work with whatever interface we build.

The plan is to create a browser-wide policy manager that maintains the state of all of the policies. Initially, we will focus on a minimal set of policies that match the current customization capabilities, but we plan to grow the set based on enterprise user feedback and the evolution of product features.

Timing

ESR 60

Policy Engine

The Policy Engine will be a component in Firefox that reads some admin-specified configuration during Firefox's startup and properly configures features to respect those configurations.

Initially, the engine will use a platform-agnostic way to read these configurations, which will be a .json file to be added inside the installation folder of Firefox. In this file, the admin will be able to list the desired policies to activate, as well as parameters related to each policy.

Afterwards, we'll be looking at supporting OS-level administration features as other input sources of policies to follow. The first step will be supporting Windows GPO. Once every policy is supported by the configuration file, we'll start adding support for the most important ones through GPO, with the goal of later achieving parity and supporting every policy through GPO and other forms of integration on other OSes.

Deploying the configuration file

To deploy the configuration file, a system administrator will need to drop the configuration.json file inside the installation directory of Firefox.

This is standard practice, and it means that in a correctly administered environment a non-admin user of the machine won't be able to modify or remove this file.

Example JSON file

One example configuration.json file is given below. (Note: this JSON format is subject to change.)

{
  "policies": {
    "block_about_config": true,
    "blocked_domains": [
      "www.example.com",
      "www.example.org"
    ],
    "allow_popups_from": [
      "www.example.com",
      "www.example.org"
    ],
    "allow_plugins_from": [
      "www.example.com",
      "www.example.org"
    ],
    "bookmarks_on_toolbar": [
      {
        "title": "Download Firefox",
        "url": "https://www.mozilla.org/firefox/new/",
        "favicon": "http://www.mozilla.org/favicon.png"
      },
      {
        "title": "Example",
        "url": "https://www.example.com",
        "favicon": "http://www.example.com/favicon.png"
      }
    ]
  }
}
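
A pre-deployment check for the file described above, as an added example that is not Mozilla's code. It assumes the engine parses configuration.json as strict JSON, knows only the draft policy names from the example, and inspects POSIX mode bits only (Windows ACLs are not covered); all function names are hypothetical.

```python
import json
import os
import stat
from urllib.parse import urlsplit

def is_web_url(value):
    try:
        parts = urlsplit(value) if isinstance(value, str) else None
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    return bool(parts) and parts.scheme in ("http", "https") and bool(parts.netloc)

def is_hosts(value):
    # Bare host names only: no scheme, path, port or userinfo.
    return isinstance(value, list) and all(
        isinstance(h, str) and h and not set("/:@ ") & set(h) for h in value)
def is_bookmarks(value):
    return isinstance(value, list) and all(
        isinstance(b, dict) and isinstance(b.get("title"), str)
        and is_web_url(b.get("url")) and is_web_url(b.get("favicon")) for b in value)

# Policy names and value shapes come from the draft example on this page.
CHECKS = {"block_about_config": lambda v: isinstance(v, bool),
          "blocked_domains": is_hosts, "allow_popups_from": is_hosts,
          "allow_plugins_from": is_hosts, "bookmarks_on_toolbar": is_bookmarks}

def check_policies(doc):
    """Return a list of problems in a parsed configuration.json document."""
    policies = doc.get("policies") if isinstance(doc, dict) else None
    if not isinstance(policies, dict):
        return ["top-level 'policies' object is missing"]
    problems = []
    for name, value in policies.items():
        if name not in CHECKS:
            problems.append(f"{name}: unknown policy name")
        elif not CHECKS[name](value):
            problems.append(f"{name}: value has the wrong shape")
    return problems

def check_deployed_file(path):
    """Check POSIX write bits on the file and its directory, then parse strictly."""
    problems = [f"{target}: writable by group or others"
                for target in (path, os.path.dirname(os.path.abspath(path)))
                if os.stat(target).st_mode & (stat.S_IWGRP | stat.S_IWOTH)]
    try:
        with open(path, encoding="utf-8") as fh:
            doc = json.load(fh)  # strict: rejects unquoted keys and trailing commas
    except json.JSONDecodeError as exc:
        return problems + [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    return problems + check_policies(doc)
```

The directory is checked as well as the file because a user who can write to the directory can remove or replace the file even when the file itself is read-only.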

Policies

The list of policies to support is still being defined, and is based on previous experience with what enterprises have asked for in the past. Stay tuned for an official list of policies to be announced in the near term.

Some possibilities that are being discussed are:

  • Disabling access to internal configuration features like about:config, about:addons, etc.
  • Adding a set of bookmarks to the toolbar and the bookmarks menu
  • Displaying the menu bar by default
  • Disabling Telemetry
  • Disabling features such as Pocket, Firefox Screenshots, Printing, Copy&Paste, etc.
  • Whitelists and blocklists controlling which domains can be accessed
  • Pre-populated permissions around cookies, storage, popups, plugins, etc.