Merge branch 'master' into master
index df2ccf43d2f394a6461315f337fb9b5436d0c24b..f51ef9a0ca94165acf6082da8877afa6779dbfd6 100644 (file)
--- a/README.md
+++ b/README.md
@@ -6,9 +6,9 @@ Policies can be specified using the Group Policy templates on Windows (https://g
 
 | Policy Name | Description
 | --- | --- |
-| **[`AppAutoUpdate`](#AppAutoUpdate)** |  Enable or disable automatic application update.
-| **[`AppUpdateURL`](#AppUpdateURL)** | Change the URL for application update.
-| **[`Authentication`](#Authentication)** | Configure sites that support integrated authentication.
+| **[`AppAutoUpdate`](#appautoupdate)** |  Enable or disable automatic application update.
+| **[`AppUpdateURL`](#appupdateurl)** | Change the URL for application update.
+| **[`Authentication`](#authentication)** | Configure sites that support integrated authentication.
 | **[`BlockAboutAddons`](#blockaboutaddons)** | Block access to the Add-ons Manager (about:addons).
 | **[`BlockAboutConfig`](#blockaboutconfig)** | Block access to about:config.
 | **[`BlockAboutProfiles`](#blockaboutprofiles)** | Block access to About Profiles (about:profiles).
@@ -23,6 +23,7 @@ Policies can be specified using the Group Policy templates on Windows (https://g
 | **[`DisableMasterPasswordCreation`](#disablemasterpasswordcreation)** | Remove the master password functionality.
 | **[`DisableAppUpdate`](#disableappupdate)** | Turn off application updates.
 | **[`DisableBuiltinPDFViewer`](#disablebuiltinpdfviewer)** | Disable the built in PDF viewer.
+| **[`DisabledCiphers`](#disabledciphers)** | Disable ciphers.
 | **[`DisableDefaultBrowserAgent`](#disabledefaultbrowseragent)** | Prevent the default browser agent from taking any actions (Windows only).
 | **[`DisableDeveloperTools`](#disabledevelopertools)** | Remove access to all developer tools.
 | **[`DisableFeedbackCommands`](#disablefeedbackcommands)** | Disable the menus for reporting sites.
@@ -690,6 +691,69 @@ Software\Policies\Mozilla\Firefox\DisableBuiltinPDFViewer = 0x1 | 0x0
   }
 }
 ```
+### DisabledCiphers
+Disable specific cryptographic ciphers.
+
+**Compatibility:** Firefox 76, Firefox ESR 68.8\
+**CCK2 Equivalent:** N/A\
+**Preferences Affected:** N/A
+
+#### Windows (GPO)
+```
+Software\Policies\Mozilla\Firefox\DisabledCiphers\TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x1 | 0x0
+Software\Policies\Mozilla\Firefox\DisabledCiphers\TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x1 | 0x0
+Software\Policies\Mozilla\Firefox\DisabledCiphers\TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0x1 | 0x0
+Software\Policies\Mozilla\Firefox\DisabledCiphers\TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0x1 | 0x0
+Software\Policies\Mozilla\Firefox\DisabledCiphers\TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0x1 | 0x0
+Software\Policies\Mozilla\Firefox\DisabledCiphers\TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0x1 | 0x0
+Software\Policies\Mozilla\Firefox\DisabledCiphers\TLS_RSA_WITH_AES_128_CBC_SHA = 0x1 | 0x0
+Software\Policies\Mozilla\Firefox\DisabledCiphers\TLS_RSA_WITH_AES_256_CBC_SHA = 0x1 | 0x0
+Software\Policies\Mozilla\Firefox\DisabledCiphers\TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x1 | 0x0
+```
+#### macOS
+```
+<dict>
+  <key>DisabledCiphers</key>
+    <dict>
+      <key>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</key>
+      <true/> | <false/>
+      <key>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</key>
+      <true/> | <false/>
+      <key>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA</key>
+      <true/> | <false/>
+      <key>TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA</key>
+      <true/> | <false/>
+      <key>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</key>
+      <true/> | <false/>
+      <key>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</key>
+      <true/> | <false/>
+      <key>TLS_RSA_WITH_AES_128_CBC_SHA</key>
+      <true/> | <false/>
+      <key>TLS_RSA_WITH_AES_256_CBC_SHA</key>
+      <true/> | <false/>
+      <key>TLS_RSA_WITH_3DES_EDE_CBC_SHA</key>
+      <true/> | <false/>
+    </dict>
+</dict>
+```
+#### policies.json
+```
+{
+  "policies": {
+    "DisabledCiphers" {
+      "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": true | false,
+      "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": true | false,
+      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": true | false,
+      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": true | false,
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": true | false,
+      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": true | false,
+      "TLS_RSA_WITH_AES_128_CBC_SHA": true | false,
+      "TLS_RSA_WITH_AES_256_CBC_SHA": true | false,
+      "TLS_RSA_WITH_3DES_EDE_CBC_SHA": true | false
+    }
+  }
+}
+```
 ### DisableDefaultBrowserAgent
 Prevent the default browser agent from taking any actions. Only applicable to Windows; other platforms don’t have the agent.
 
@@ -1239,7 +1303,9 @@ Configure DNS over HTTPS.
 
 `Locked` prevents the user from changing DNS over HTTPS preferences.
 
-**Compatibility:** Firefox 63, Firefox ESR 68\
+`ExcludedDomains` excludes domains from DNS over HTTPS.
+
+**Compatibility:** Firefox 63, Firefox ESR 68 (ExcludedDomains added in 75/68.7)\
 **CCK2 Equivalent:** N/A\
 **Preferences Affected:** `network.trr.mode`,`network.trr.uri`
 
@@ -1248,6 +1314,7 @@ Configure DNS over HTTPS.
 Software\Policies\Mozilla\Firefox\DNSOverHTTPS\Enabled = 0x1 | 0x0
 Software\Policies\Mozilla\Firefox\DNSOverHTTPS\ProviderURL = "URL_TO_ALTERNATE_PROVIDER"
 Software\Policies\Mozilla\Firefox\DNSOverHTTPS\Locked = 0x1 | 0x0
+Software\Policies\Mozilla\Firefox\DNSOverHTTPS\ExcludedDomains\1 = "example.com"
 ```
 #### macOS
 ```
@@ -1260,6 +1327,10 @@ Software\Policies\Mozilla\Firefox\DNSOverHTTPS\Locked = 0x1 | 0x0
     <string>URL_TO_ALTERNATE_PROVIDER</string>
     <key>Locked</key>
     <true/> | <false/>
+    <key>ExcludedDomains</key>
+    <array>
+      <string>example.com</string>
+    </array>
   </dict>
 </dict>
 ```
@@ -1270,7 +1341,8 @@ Software\Policies\Mozilla\Firefox\DNSOverHTTPS\Locked = 0x1 | 0x0
     "DNSOverHTTPS": {
       "Enabled":  true | false,
       "ProviderURL": "URL_TO_ALTERNATE_PROVIDER",
-      "Locked": true | false
+      "Locked": true | false,
+      "ExcludedDomains": ["example.com"]
     }
   }
 }
@@ -2109,9 +2181,11 @@ Set permissions associated with camera, microphone, location, notifications, and
 
 `Locked` prevents the user from changing preferences for the feature.
 
-**Compatibility:** Firefox 62, Firefox ESR 60.2 (Autoplay added in Firefox 74, Firefox ESR 68.6\
+`Default` specifies the default value for Autoplay. block-audio-video is not supported on Firefox ESR 68.
+
+**Compatibility:** Firefox 62, Firefox ESR 60.2 (Autoplay added in Firefox 74, Firefox ESR 68.6, Autoplay Default/Locked added in Firefox 76, Firefox ESR 68.8)\
 **CCK2 Equivalent:** N/A\
-**Preferences Affected:** `permissions.default.camera`,`permissions.default.microphone`,`permissions.default.geo`,`permissions.default.desktop-notification`
+**Preferences Affected:** `permissions.default.camera`,`permissions.default.microphone`,`permissions.default.geo`,`permissions.default.desktop-notification`,`media.autoplay.default`
 
 #### Windows (GPO)
 ```
@@ -2134,6 +2208,8 @@ Software\Policies\Mozilla\Firefox\Permissions\Notifications\BlockNewRequests = 0
 Software\Policies\Mozilla\Firefox\Permissions\Notifications\Locked = 0x1 | 0x0
 Software\Policies\Mozilla\Firefox\Permissions\Autoplay\Allow\1 = "https://example.org"
 Software\Policies\Mozilla\Firefox\Permissions\Autoplay\Block\1 = "https://example.edu"
+Software\Policies\Mozilla\Firefox\Permissions\Autoplay\Default = "allow-audio-video" | "block-audio" | "block-audio-video"
+Software\Policies\Mozilla\Firefox\Permissions\Autoplay\Locked = 0x1 | 0x0
 ```
 #### macOS
 ```
@@ -2152,9 +2228,9 @@ Software\Policies\Mozilla\Firefox\Permissions\Autoplay\Block\1 = "https://exampl
         <string>https://example.edu</string>
       </array>
       <key>BlockNewRequests</key>
-      <true/>
+      <true/> | <false/>
       <key>Locked</key>
-      <true/>
+      <true/> | <false/>
     </dict>
     <key>Microphone</key>
     <dict>
@@ -2167,9 +2243,9 @@ Software\Policies\Mozilla\Firefox\Permissions\Autoplay\Block\1 = "https://exampl
         <string>https://example.edu</string>
       </array>
       <key>BlockNewRequests</key>
-      <true/>
+      <true/> | <false/>
       <key>Locked</key>
-      <true/>
+      <true/> | <false/>
     </dict>
     <key>Location</key>
     <dict>
@@ -2182,9 +2258,9 @@ Software\Policies\Mozilla\Firefox\Permissions\Autoplay\Block\1 = "https://exampl
         <string>https://example.edu</string>
       </array>
       <key>BlockNewRequests</key>
-      <true/>
+      <true/> | <false/>
       <key>Locked</key>
-      <true/>
+      <true/> | <false/>
     </dict>
     <key>Notifications</key>
     <dict>
@@ -2211,6 +2287,10 @@ Software\Policies\Mozilla\Firefox\Permissions\Autoplay\Block\1 = "https://exampl
       <array>
         <string>https://example.edu</string>
       </array>
+      <key>Default</key>
+      <string>allow-audio-video | block-audio | block-audio-video</string>
+      <key>Locked</key>
+      <true/> | <false/>
     </dict>
   </dict>
 </dict>
@@ -2246,7 +2326,9 @@ Software\Policies\Mozilla\Firefox\Permissions\Autoplay\Block\1 = "https://exampl
       },
       "Autoplay": {
         "Allow": ["https://example.org"],
-        "Block": ["https://example.edu"]
+        "Block": ["https://example.edu"],
+        "Default": "allow-audio-video" | "block-audio" | "block-audio-video",
+        "Locked": true | false
       }
     }
   }
@@ -2400,7 +2482,7 @@ disabled
 | &nbsp;&nbsp;&nbsp;&nbsp;If set to Select Automatically, Firefox automatically chooses the default personal certificate.
 | security.mixed_content.block_active_content | boolean | Firefox 70, Firefox ESR 68.2 | true
 | &nbsp;&nbsp;&nbsp;&nbsp;If false, mixed active content (HTTP and HTTPS) is not blocked.
-| security.osclientcerts.autoload | boolean | Firefox 72, Firefox ESR 68.4 (Windows only) | false
+| security.osclientcerts.autoload | boolean | Firefox 72 (Windows), Firefox 75 (macOS)  | false
 | &nbsp;&nbsp;&nbsp;&nbsp;If true, client certificates are loaded from the operating system certificate store.
 | security.ssl.errorReporting.enabled | boolean | Firefox 68, Firefox ESR 68 | true
 | &nbsp;&nbsp;&nbsp;&nbsp;If false, SSL errors cannot be sent to Mozilla.
@@ -2615,6 +2697,8 @@ or
   }
 }
 ```
+<a name="SanitizeOnShutdown"></a>
+
 ### SanitizeOnShutdown (Selective)
 Clear data on shutdown. Choose from Cache, Cookies, Download History, Form & Search History, Browsing History, Active Logins, Site Preferences and Offline Website Data.
 
@@ -2731,10 +2815,7 @@ Software\Policies\Mozilla\Firefox\SearchBar = "unified" | "separate"
   }
 }
 ```
-
-
-
-
+<a name="SearchEngines"></a>
 
 ### SearchEngines (This policy is only available on the ESR.)
 
