**These policies are in active development and so might contain changes that do not work with current versions of Firefox.**
-**You should use the officially released versions (https://github.com/mozilla/policy-templates/releases) if you are deploying changes.**
+**You should use the [officially released versions](https://github.com/mozilla/policy-templates/releases) if you are deploying changes.**
-Policies can be specified using the Group Policy templates on Windows (https://github.com/mozilla/policy-templates/tree/master/windows), configuration profiles on macOS (https://github.com/mozilla/policy-templates/tree/master/mac), or by creating a file called `policies.json`. On Windows, create a directory called `distribution` where the EXE is located and place the file there. On Mac, the file goes into `Firefox.app/Contents/Resources/distribution`. On Linux, the file goes into `firefox/distribution`, where `firefox` is the installation directory for firefox, which varies by distribution.
+Policies can be specified using the [Group Policy templates on Windows](https://github.com/mozilla/policy-templates/tree/master/windows), [Intune on Windows](https://support.mozilla.org/kb/managing-firefox-intune), [configuration profiles on macOS](https://github.com/mozilla/policy-templates/tree/master/mac), or by creating a file called `policies.json`. On Windows, create a directory called `distribution` where the EXE is located and place the file there. On Mac, the file goes into `Firefox.app/Contents/Resources/distribution`. On Linux, the file goes into `firefox/distribution`, where `firefox` is the installation directory for firefox, which varies by distribution.
| Policy Name | Description
| --- | --- |
| **[`DefaultDownloadDirectory`](#defaultdownloaddirectory)** | Set the default download directory.
| **[`DownloadDirectory`](#downloaddirectory)** | Set and lock the download directory.
| **[`EnableTrackingProtection`](#enabletrackingprotection)** | Configure tracking protection.
+| **[`EncryptedMediaExtensions`](#encryptedmediaextensions)** | Enable or disable Encrypted Media Extensions and optionally lock it.
| **[`EnterprisePoliciesEnabled`](#enterprisepoliciesenabled)** | Enable policy support on macOS.
| **[`Extensions`](#extensions)** | Control the installation, uninstallation and locking of extensions.
| **[`ExtensionSettings`](#extensionsettings)** | Manage all aspects of extensions.
| **[`OverrideFirstRunPage`](#overridefirstrunpage)** | Override the first run page.
| **[`OverridePostUpdatePage`](#overridepostupdatepage)** | Override the upgrade page.
| **[`PasswordManagerEnabled`](#passwordmanagerenabled)** | Remove (some) access to the password manager.
+| **[`PDFjs`](#pdfjs)** | Disable or configure PDF.js, the built-in PDF viewer.
| **[`Permissions`](#permissions)** | Set permissions associated with camera, microphone, location, and notifications.
| **[`PopupBlocking`](#popupblocking)** | Configure the default pop-up window policy as well as origins for which pop-up windows are allowed.
| **[`Preferences`](#preferences)** | Set and lock some preferences.
See https://developer.mozilla.org/en-US/docs/Mozilla/Integrated_authentication for more information.
-**Compatibility:** Firefox 60, Firefox ESR 60 (AllowNonFQDN added in 62/60.2, AllowProxies added in 70/68.2, Locked added in 71/68.3)\
+`PrivateBrowsing` enables integrated authentication in prviate browsing.
+
+**Compatibility:** Firefox 60, Firefox ESR 60 (AllowNonFQDN added in 62/60.2, AllowProxies added in 70/68.2, Locked added in 71/68.3, PrivateBrowsing added in 77/68.9)\
**CCK2 Equivalent:** N/A\
-**Preferences Affected:** `network.negotiate-auth.trusted-uris`,`network.negotiate-auth.delegation-uris`,`network.automatic-ntlm-auth.trusted-uris`,`network.automatic-ntlm-auth.allow-non-fqdn`,`network.negotiate-auth.allow-non-fqdn`,`network.automatic-ntlm-auth.allow-proxies`,`network.negotiate-auth.allow-proxies`
+**Preferences Affected:** `network.negotiate-auth.trusted-uris`,`network.negotiate-auth.delegation-uris`,`network.automatic-ntlm-auth.trusted-uris`,`network.automatic-ntlm-auth.allow-non-fqdn`,`network.negotiate-auth.allow-non-fqdn`,`network.automatic-ntlm-auth.allow-proxies`,`network.negotiate-auth.allow-proxies`,`network.auth.private-browsing-sso`
#### Windows (GPO)
```
Software\Policies\Mozilla\Firefox\Authentication\AllowProxies\SPNEGO = 0x1 | 0x0
Software\Policies\Mozilla\Firefox\Authentication\AllowProxies\NTLM = 0x1 | 0x0
Software\Policies\Mozilla\Firefox\Authentication\Locked = 0x1 | 0x0
+Software\Policies\Mozilla\Firefox\Authentication\PrivateBrowsing = 0x1 | 0x0
```
#### Windows (Intune)
OMA-URI:
```
OMA-URI:
```
-./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Homepage/HomepageStartPage
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Authentication/Authentication_Locked
```
Value (string):
```
-<enabled/>
-<data id="StartPage" value="none | homepage | previous-session"/>
+<enabled/> or <disabled/>
+```
+OMA-URI:
+```
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Authentication/Authentication_PrivateBrowsing
+```
+Value (string):
+```
+<enabled/> or <disabled/>
```
#### macOS
```
</dict>
<key>Locked</key>
<true/> | <false/>
+ <key>PrivateBrowsing</key>
+ <true/> | <false/>
</dict>
</dict>
```
"SPNEGO": true | false,
"NTLM": true | false
},
- "Locked": true | false
+ "Locked": true | false,
+ "PrivateBrowsing": true | false
}
}
}
{
"policies": {
"DisableSecurityBypass": {
- "InvalidCertificate": true false,
- "SafeBrowsing": true false
+ "InvalidCertificate": true | false,
+ "SafeBrowsing": true | false
}
}
}
{
"policies": {
"EnableTrackingProtection": {
- "Value": [true, false],
- "Locked": [true, false],
- "Cryptomining": [true, false],
- "Fingerprinting": [true, false],
+ "Value": true | false,
+ "Locked": true | false,
+ "Cryptomining": true | false,
+ "Fingerprinting": true | false,
"Exceptions": ["https://example.com"]
}
}
```
+### EncryptedMediaExtensions
+Enable or disable Encrypted Media Extensions and optionally lock it.
+
+If `Enabled` is set to false, encrypted media extensions (like Widevine) are not downloaded by Firefox unless the user consents to installing them.
+
+If `Locked` is set to true and `Enabled` is set to false, Firefox will not download encrypted media extensions (like Widevine) or ask the user to install them.
+
+**Compatibility:** Firefox 77, Firefox ESR 68.9\
+**CCK2 Equivalent:** N/A\
+**Preferences Affected:** `media.eme.enabled`
+
+#### Windows (GPO)
+```
+Software\Policies\Mozilla\Firefox\EncryptedMediaExtensions\Enabled = 0x1 | 0x0
+Software\Policies\Mozilla\Firefox\EncryptedMediaExtensions\Locked = 0x1 | 0x0
+```
+#### Windows (Intune)
+OMA-URI:
+```
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~EncryptedMediaExtensions/EncryptedMediaExtensions_Enabled
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~EncryptedMediaExtensions/EncryptedMediaExtensions_Locked
+```
+Value (string):
+```
+<enabled/>or <disabled/>
+```
+#### macOS
+```
+<dict>
+ <key>EncryptedMediaExtensions</key>
+ <dict>
+ <key>Enabled</key>
+ <true/> | <false/>
+ <key><Locked</key>
+ <true/> | <false/>
+ </dict>
+</dict>
+```
+#### policies.json
+```
+{
+ "policies": {
+ "EncryptedMediaExtensions": {
+ "Enabled": true | false,
+ "Locked": true | false
+ }
+}
+```
### EnterprisePoliciesEnabled
Enable policy support on macOS.
}
}
```
+### PDFjs
+Disable or configure PDF.js, the built-in PDF viewer.
+
+If `Enabled` is set to false, the built-in PDF viewer is disabled.
+
+If `EnablePermissions` is set to true, the built-in PDF viewer will honor document permissions like preventing the copying of text.
+
+Note: DisableBuiltinPDFViewer has not been deprecated. You can either continue to use it, or switch to using PDFjs->Enabled to disable the built-in PDF viewer. This new permission was added because we needed a place for PDFjs->EnabledPermissions.
+
+**Compatibility:** Firefox 77, Firefox ESR 68.9\
+**CCK2 Equivalent:** N/A\
+**Preferences Affected:** `pdfjs.diabled`,`pdfjs.enablePermissions`
+
+#### Windows (GPO)
+```
+Software\Policies\Mozilla\Firefox\PDFjs\Enabled = 0x1 | 0x0
+Software\Policies\Mozilla\Firefox\PDFjs\EnablePermissions = 0x1 | 0x0
+```
+#### Windows (Intune)
+OMA-URI:
+```
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~PDFjs/PDFjs_Enabled
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~PDFjs/PDFjs_EnablePermissions
+```
+Value (string):
+```
+<enabled/>or <disabled/>
+```
+#### macOS
+```
+<dict>
+ <key>PDFjs</key>
+ <dict>
+ <key>Enabled</key>
+ <true/> | <false/>
+ <key><EnablePermissions</key>
+ <true/> | <false/>
+ </dict>
+</dict>
+```
+#### policies.json
+```
+{
+ "policies": {
+ "PSFjs": {
+ "Enabled": true | false,
+ "EnablePermissions": true | false
+ }
+}
+```
### Permissions
Set permissions associated with camera, microphone, location, notifications, and autoplay. Because these are origins, not domains, entries with unique ports must be specified separately. See examples below.
Value (string):
```
<enabled/> or <disabled/>
+```
#### macOS
```
<dict>
| If false, the geolocation API is disabled. | Language dependent
| intl.accept_languages | string | Firefox 70, Firefox ESR 68.2
| If set, preferred language for web pages.
-| media.eme.enabled | boolean | Firefox 70, Firefox ESR 68.2 | true
+| media.eme.enabled (Deprecated - Switch to EncryptedMediaExtensions policy) | boolean | Firefox 70, Firefox ESR 68.2 | true
| If false, Encrypted Media Extensions are not enabled.
| media.gmp-gmpopenh264.enabled | boolean | Firefox 68, Firefox ESR 68 | true
| If false, the OpenH264 plugin is not downloaded.
"policies": {
"Proxy": {
"Mode": "none", "system", "manual", "autoDetect", "autoConfig",
- "Locked": [true, false],
+ "Locked": true | false,
"HTTPProxy": "hostname",
- "UseHTTPProxyForAllProtocols": [true, false],
+ "UseHTTPProxyForAllProtocols": true | false,
"SSLProxy": "hostname",
"FTPProxy": "hostname",
"SOCKSProxy": "hostname",
"SOCKSVersion": 4 | 5
"Passthrough": "<local>",
"AutoConfigURL": "URL_TO_AUTOCONFIG",
- "AutoLogin": [true, false],
- "UseProxyForDNS": [true, false]
+ "AutoLogin": true | false,
+ "UseProxyForDNS": true | false
}
}
}
Value (string):
```
<enabled/>
-<data id="SecurityDevices" name="NAME_OF_DEVICE" value="PATH_TO_LIBRARY_FOR_DEVICE"/>
+<data id="SecurityDevices" value="NAME_OF_DEVICEPATH_TO_LIBRARY_FOR_DEVICE"/>
```
#### macOS
```