Firefox policies can be specified using the [Group Policy templates on Windows](https://github.com/mozilla/policy-templates/tree/master/windows), [Intune on Windows](https://support.mozilla.org/kb/managing-firefox-intune), [configuration profiles on macOS](https://github.com/mozilla/policy-templates/tree/master/mac), or by creating a file called `policies.json`. On Windows, create a directory called `distribution` where the EXE is located and place the file there. On Mac, the file goes into `Firefox.app/Contents/Resources/distribution`. On Linux, the file goes into `firefox/distribution`, where `firefox` is the installation directory for firefox, which varies by distribution or you can specify system-wide policy by placing the file in `/etc/firefox/policies`.
Unfortunately, JSON files do not support comments, but you can add extra entries to the JSON to use as comments. You will see an error in about:policies, but the policies will still work properly. For example:
-
```
{
"policies": {
}
}
```
+Note: The `policies.json` must use the UTF-8 encoding.
| Policy Name | Description
| --- | --- |
| **[`AppUpdatePin`](#appupdatepin)** | Prevent Firefox from being updated beyond the specified version.
| **[`AppUpdateURL`](#appupdateurl)** | Change the URL for application update.
| **[`Authentication`](#authentication)** | Configure sites that support integrated authentication.
+| **[`AutofillAddressEnabled`](#autofilladdressenabled)** | Enable autofill for addresses.
+| **[`AutofillCreditCardEnabled`](#autofillcreditcardenabled)** | Enable autofill for payment methods.
| **[`AutoLaunchProtocolsFromOrigins`](#autolaunchprotocolsfromorigins)** | Define a list of external protocols that can be used from listed origins without prompting the user.
| **[`BackgroundAppUpdate`](#backgroundappupdate)** | Enable or disable the background updater (Windows only).
| **[`BlockAboutAddons`](#blockaboutaddons)** | Block access to the Add-ons Manager (about:addons).
| **[`Handlers`](#handlers)** | Configure default application handlers.
| **[`HardwareAcceleration`](#hardwareacceleration)** | Control hardware acceleration.
| **[`Homepage`](#homepage)** | Configure the default homepage and how Firefox starts.
+| **[`HttpAllowlist`](#httpallowlist)** | Configure origins that will not be upgraded to HTTPS.
+| **[`HttpsOnlyMode`](#httpsonlymode)** | Configure HTTPS-Only Mode.
| **[`InstallAddonsPermission`](#installaddonspermission)** | Configure the default extension install policy as well as origins for extension installs are allowed.
| **[`LegacyProfiles`](#legacyprofiles)** | Disable the feature enforcing a separate profile for each installation.
| **[`LegacySameSiteCookieBehaviorEnabled`](#legacysamesitecookiebehaviorenabled)** | Enable default legacy SameSite cookie behavior setting.
| **[`Permissions`](#permissions)** | Set permissions associated with camera, microphone, location, and notifications.
| **[`PictureInPicture`](#pictureinpicture)** | Enable or disable Picture-in-Picture.
| **[`PopupBlocking`](#popupblocking)** | Configure the default pop-up window policy as well as origins for which pop-up windows are allowed.
+| **[`PostQuantumKeyAgreementEnabled`](#postquantumkeyagreementenabled)** | Enable post-quantum key agreement for TLS.
| **[`Preferences`](#preferences)** | Set and lock preferences.
| **[`PrimaryPassword`](#primarypassword)** | Require or prevent using a primary (formerly master) password.
| **[`PrintingEnabled`](#printingenabled)** | Enable or disable printing.
| **[`SSLVersionMin`](#sslversionmin)** | Set and lock the minimum version of TLS.
| **[`StartDownloadsInTempDirectory`](#startdownloadsintempdirectory)** | Force downloads to start off in a local, temporary location rather than the default download directory.
| **[`SupportMenu`](#supportmenu)** | Add a menuitem to the help menu for specifying support information.
+| **[`TranslateEnabled`](#translateenabled)** | Enable or disable webpage translation.
| **[`UserMessaging`](#usermessaging)** | Don't show certain messages to the user.
| **[`UseSystemPrintDialog`](#usesystemprintdialog)** | Print using the system print dialog instead of print preview.
| **[`WebsiteFilter`](#websitefilter)** | Block websites from being visited.
### 3rdparty
-Allow WebExtensions to configure policy. For more information, see [Adding policy support to your extension](https://extensionworkshop.com/documentation/enterprise/adding-policy-support-to-your-extension/).
+Allow WebExtensions to configure policy. For more information, see [Adding policy support to your extension](https://extensionworkshop.com/documentation/enterprise/enterprise-development/#how-to-add-policy).
For GPO and Intune, the extension developer should provide an ADMX file.
}
}
```
+### AutofillAddressEnabled
+
+Enables or disables autofill for addresses.
+
+This only applies when address autofill is enabled for a particular Firefox version or region. See [this page](https://support.mozilla.org/kb/automatically-fill-your-address-web-forms) for more information.
+
+**Compatibility:** Firefox 125, Firefox ESR 115.10\
+**CCK2 Equivalent:** N/A\
+**Preferences Affected:** `extensions.formautofill.addresses.enabled`
+
+#### Windows (GPO)
+```
+Software\Policies\Mozilla\Firefox\AutofillAddressEnabled = 0x1 | 0x0
+```
+#### Windows (Intune)
+OMA-URI:
+```
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/AutofillAddressEnabled
+```
+Value (string):
+```
+<enabled/> or <disabled/>
+```
+#### macOS
+```
+<dict>
+ <key>AutofillAddressEnabled</key>
+ <true/> | <false/>
+</dict>
+```
+#### policies.json
+```
+{
+ "policies": {
+ "AutofillAddressEnabled": true | false
+ }
+}
+```
+### AutofillCreditCardEnabled
+
+Enables or disables autofill for payment methods.
+
+This only applies when payment method autofill is enabled for a particular Firefox version or region. See [this page](https://support.mozilla.org/kb/credit-card-autofill) for more information.
+
+**Compatibility:** Firefox 125, Firefox ESR 115.10\
+**CCK2 Equivalent:** N/A\
+**Preferences Affected:** `extensions.formautofill.creditCards.enabled`
+
+#### Windows (GPO)
+```
+Software\Policies\Mozilla\Firefox\AutofillCreditCardEnabled = 0x1 | 0x0
+```
+#### Windows (Intune)
+OMA-URI:
+```
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/AutofillCreditCardEnabled
+```
+Value (string):
+```
+<enabled/> or <disabled/>
+```
+#### macOS
+```
+<dict>
+ <key>AutofillCreditCardEnabled</key>
+ <true/> | <false/>
+</dict>
+```
+#### policies.json
+```
+{
+ "policies": {
+ "AutofillCreditCardEnabled": true | false
+ }
+}
+```
### AutoLaunchProtocolsFromOrigins
Define a list of external protocols that can be used from listed origins without prompting the user. The origin is the scheme plus the hostname.
`Locked` prevents the user from changing cookie preferences.
+`Default` determines whether cookies are accepted at all. (*Deprecated*. Use `Behavior` instead)
+
+`AcceptThirdParty` determines how third-party cookies are handled. (*Deprecated*. Use `Behavior` instead)
+
+`RejectTracker` only rejects cookies for trackers. (*Deprecated*. Use `Behavior` instead)
+
+`ExpireAtSessionEnd` determines when cookies expire. (*Deprecated*. Use [`SanitizeOnShutdown`](#sanitizeonshutdown-selective) instead)
+
**Compatibility:** Firefox 60, Firefox ESR 60 (RejectTracker added in Firefox 63, AllowSession added in Firefox 79/78.1, Behavior added in Firefox 95/91.4)\
**CCK2 Equivalent:** N/A\
**Preferences Affected:** `network.cookie.cookieBehavior`, `network.cookie.cookieBehavior.pbmode`, `network.cookie.lifetimePolicy`
Software\Policies\Mozilla\Firefox\Cookies\Allow\1 = "https://example.com"
Software\Policies\Mozilla\Firefox\Cookies\AllowSession\1 = "https://example.edu"
Software\Policies\Mozilla\Firefox\Cookies\Block\1 = "https://example.org"
-Software\Policies\Mozilla\Firefox\Cookies\Default = 0x1 | 0x0
-Software\Policies\Mozilla\Firefox\Cookies\AcceptThirdParty = "always" | "never" | "from-visited"
-Software\Policies\Mozilla\Firefox\Cookies\ExpireAtSessionEnd = 0x1 | 0x0
-Software\Policies\Mozilla\Firefox\Cookies\RejectTracker = 0x1 | 0x0
Software\Policies\Mozilla\Firefox\Cookies\Behavior = "accept" | "reject-foreign" | "reject" | "limit-foreign" | "reject-tracker" | "reject-tracker-and-partition-foreign"
Software\Policies\Mozilla\Firefox\Cookies\BehaviorPrivateBrowsing = "accept" | "reject-foreign" | "reject" | "limit-foreign" | "reject-tracker" | "reject-tracker-and-partition-foreign"
Software\Policies\Mozilla\Firefox\Cookies\Locked = 0x1 | 0x0
```
OMA-URI:
```
-./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Cookies/Cookies_Default
-```
-Value (string):
-```
-<enabled/> or <disabled/>
-```
-OMA-URI:
-```
-./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Cookies/Cookies_AcceptThirdParty
-```
-Value (string):
-```
-<enabled/>
-<data id="Cookies_AcceptThirdParty" value="always | never | from-visited"/>
-```
-OMA-URI:
-```
-./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Cookies/Cookies_ExpireAtSessionEnd
-```
-Value (string):
-```
-<enabled/> or <disabled/>
-```
-OMA-URI:
-```
-./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Cookies/Cookies_RejectTracker
-```
-Value (string):
-```
-<enabled/> or <disabled/>
-```
-OMA-URI:
-```
./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Cookies/Cookies_Locked
```
Value (string):
<array>
<string>http://example.org</string>
</array>
- <key>Default</key>
- <true/> | <false/>
- <key>AcceptThirdParty</key>
- <string>always | never | from-visited</string>
- <key>ExpireAtSessionEnd</key>
- <true/> | <false/>
- <key>RejectTracker</key>
- <true/> | <false/>
<key>Locked</key>
<true/> | <false/>
<key>Behavior</key>
"Allow": ["http://example.org/"],
"AllowSession": ["http://example.edu/"],
"Block": ["http://example.edu/"],
- "Default": true | false,
- "AcceptThirdParty": "always" | "never" | "from-visited",
- "ExpireAtSessionEnd": true | false,
- "RejectTracker": true | false,
"Locked": true | false,
"Behavior": "accept" | "reject-foreign" | "reject" | "limit-foreign" | "reject-tracker" | "reject-tracker-and-partition-foreign",
"BehaviorPrivateBrowsing": "accept" | "reject-foreign" | "reject" | "limit-foreign" | "reject-tracker" | "reject-tracker-and-partition-foreign",
**Compatibility:** Firefox 60, Firefox ESR 60\
**CCK2 Equivalent:** N/A\
-**Preferences Affected:** N/A
+**Preferences Affected:** `browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons`, `browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features`
#### Windows (GPO)
```
| `restricted_domains` | An array of domains on which content scripts can't be run. This setting can be used only for the default configuration.
| `updates_disabled` | (Firefox 89, Firefox ESR 78.11) Boolean that indicates whether or not to disable automatic updates for an individual extension.
| `default_area` | (Firefox 113) String that indicates where to place the extension icon by default. Possible values are `navbar` and `menupanel`.
+| `temporarily_allow_weak_signatures`| (Firefox 127) A boolean that indicates whether to allow installing extensions signed using deprecated signature algorithms.
**Compatibility:** Firefox 69, Firefox ESR 68.1 (As of Firefox 85, Firefox ESR 78.7, installing a theme makes it the default.)\
**CCK2 Equivalent:** N/A\
}
}
```
+### HttpAllowlist
+Configure sites that will not be upgraded to HTTPS.
+
+The sites are specified as a list of origins.
+
+**Compatibility:** Firefox 127\
+**CCK2 Equivalent:** N/A\
+**Preferences Affected:** N/A
+
+#### Windows (GPO)
+```
+Software\Policies\Mozilla\Firefox\HttpAllowlist\1 = "http://example.org"
+Software\Policies\Mozilla\Firefox\HttpAllowlist\2 = "http://example.edu"
+```
+#### Windows (Intune)
+OMA-URI:
+```
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/HttpAllowlist
+```
+Value (string):
+```
+<enabled/>
+<data id="List" value="1http://example.org2http://example.edu"/>
+```
+#### macOS
+```
+<dict>
+ <key>HttpAllowlist </key>
+ <array>
+ <string>http://example.org</string>
+ <string>http://example.edu</string>
+ </array>
+</dict>
+```
+#### policies.json
+```
+{
+ "policies": {
+ "HttpAllowlist ": ["http://example.org",
+ "http://example.edu"]
+ }
+}
+```
+### HttpsOnlyMode
+Configure HTTPS-Only Mode.
+
+| Value | Description
+| --- | --- |
+| allowed | HTTPS-Only Mode is off by default, but the user can turn it on.
+| disallowed | HTTPS-Only Mode is off and the user can't turn it on.
+| enabled | HTTPS-Only Mode is on by default, but the user can turn it off.
+| force_enabled | HTTPS-Only Mode is on and the user can't turn it off.
+
+**Compatibility:** Firefox 127\
+**CCK2 Equivalent:** N/A\
+**Preferences Affected:** `dom.security.https_only_mode`
+
+#### Windows (GPO)
+```
+Software\Policies\Mozilla\Firefox\HttpsOnlyMode = "allowed", "disallowed", "enabled", "force_enabled"
+```
+#### Windows (Intune)
+OMA-URI:
+```
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/HttpsOnlyMode
+```
+Value (string):
+```
+<enabled/>
+<data id="HttpsOnlyMode" value="allowed | disallowed | enabled | force_enabled"/>
+```
+#### macOS
+```
+<dict>
+ <key>HttpsOnlyMode</key>
+ <string>allowed | disallowed | enabled | force_enabled</string>
+</dict>
+```
+#### policies.json
+```
+{
+ "policies": {
+ "HttpsOnlyMode": "allowed" | "disallowed" | "enabled" | "force_enabled"
+ }
+}
+```
### InstallAddonsPermission
Configure the default extension install policy as well as origins for extension installs are allowed. This policy does not override turning off all extension installs.
**Compatibility:** Firefox 60, Firefox ESR 60\
**CCK2 Equivalent:** `permissions.install`\
-**Preferences Affected:** `xpinstall.enabled`
+**Preferences Affected:** `xpinstall.enabled`, `browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons`, `browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features`
#### Windows (GPO)
```
}
}
```
-
### PDFjs
Disable or configure PDF.js, the built-in PDF viewer.
}
}
```
+### PostQuantumKeyAgreementEnabled
+Enable post-quantum key agreement for TLS.
+
+**Compatibility:** Firefox 127\
+**CCK2 Equivalent:** N/A\
+**Preferences Affected:** `security.tls.enable_kyber`, `network.http.http3.enable_kyber` (Firefox 128)
+
+#### Windows (GPO)
+```
+Software\Policies\Mozilla\Firefox\PostQuantumKeyAgreementEnabled = 0x1 | 0x0
+```
+#### Windows (Intune)
+OMA-URI:
+```
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/PostQuantumKeyAgreementEnabled
+```
+Value (string):
+```
+<enabled/> or <disabled/>
+```
+#### macOS
+```
+<dict>
+ <key>PostQuantumKeyAgreementEnabled</key>
+ <true/> | <false/>
+</dict>
+```
+#### policies.json
+```
+{
+ "policies": {
+ "PostQuantumKeyAgreementEnabled": true | false
+ }
+}
+```
### Preferences
Set and lock preferences.
places.
pref.
print.
+privacy.globalprivacycontrol.enabled (Firefox 127, Firefox ESR 128.0)
+privacy.userContext.enabled (Firefox 126, Firefox ESR 115.11)
+privacy.userContext.ui.enabled (Firefox 126, Firefox ESR 115.11)
signon. (Firefox 83, Firefox ESR 78.5)
spellchecker. (Firefox 84, Firefox ESR 78.6)
toolkit.legacyUserProfileCustomizations.stylesheets (Firefox 95, Firefox ESR 91.4)
| security.insecure_connection_text.pbmode.enabled | bool | false
| If set to true, adds the words "Not Secure" for insecure sites in private browsing.
| security.mixed_content.block_active_content | boolean | true
-| If false, mixed active content (HTTP and HTTPS) is not blocked.
+| If set to true, mixed active content (HTTP subresources such as scripts, fetch requests, etc. on a HTTPS page) will be blocked.
+| security.mixed_content.block_display_content | boolean | false
+| If set to true, mixed passive/display content (HTTP subresources such as images, videos, etc. on a HTTPS page) will be blocked. (Firefox 127, Firefox ESR 128.0)
+| security.mixed_content.upgrade_display_content | boolean | true
+| If set to true, mixed passive/display content (HTTP subresources such as images, videos, etc. on a HTTPS page) will be upgraded to HTTPS. (Firefox 127, Firefox ESR 128.0)
| security.osclientcerts.autoload | boolean | false
| If true, client certificates are loaded from the operating system certificate store.
| security.OCSP.enabled | integer | 1
}
}
```
+### StartDownloadsInTempDirectory
+Force downloads to start off in a local, temporary location rather than the default download directory.
+
+**Compatibility:** Firefox 102\
+**CCK2 Equivalent:** N/A\
+**Preferences Affected:** `browser.download.start_downloads_in_tmp_dir`
+
+#### Windows (GPO)
+```
+Software\Policies\Mozilla\Firefox\StartDownloadsInTempDirectory = 0x1 | 0x0
+```
+#### Windows (Intune)
+OMA-URI:
+```
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/StartDownloadsInTempDirectory
+```
+Value (string):
+```
+<enabled/> or <disabled/>
+```
+#### macOS
+```
+<dict>
+ <key>StartDownloadsInTempDirectory</key>
+ <true/> | <false/>
+</dict>
+```
+#### policies.json
+```
+{
+ "policies": {
+ "StartDownloadsInTempDirectory": true | false
+}
+```
### SupportMenu
Add a menuitem to the help menu for specifying support information.
}
}
```
-### StartDownloadsInTempDirectory
-Force downloads to start off in a local, temporary location rather than the default download directory.
+### TranslateEnabled
+Enable or disable webpage translation.
-**Compatibility:** Firefox 102\
+Note: Web page translation is done completely on the client, so there is no data or privacy risk.
+
+If you only want to disable the popup, you can set the pref `browser.translations.automaticallyPopup` to false using the [Preferences](#preferences) policy.
+
+**Compatibility:** Firefox 126\
**CCK2 Equivalent:** N/A\
-**Preferences Affected:** `browser.download.start_downloads_in_tmp_dir`
+**Preferences Affected:** `browser.translations.enable`
#### Windows (GPO)
```
-Software\Policies\Mozilla\Firefox\StartDownloadsInTempDirectory = 0x1 | 0x0
+Software\Policies\Mozilla\Firefox\TranslateEnabled = 0x1 | 0x0
```
#### Windows (Intune)
OMA-URI:
```
-./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/StartDownloadsInTempDirectory
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/TranslateEnabled
```
Value (string):
```
#### macOS
```
<dict>
- <key>StartDownloadsInTempDirectory</key>
+ <key>TranslateEnabled</key>
<true/> | <false/>
</dict>
```
```
{
"policies": {
- "StartDownloadsInTempDirectory": true | false
+ "TranslateEnabled": true | false
+ }
}
```
### UserMessaging
Prevent Firefox from messaging the user in certain situations.
-`WhatsNew` Remove the "What's New" icon and menuitem.
+`WhatsNew` Remove the "What's New" icon and menuitem. (*Deprecated*)
`ExtensionRecommendations` If false, don't recommend extensions while the user is visiting web pages.
**Compatibility:** Firefox 75, Firefox ESR 68.7\
**CCK2 Equivalent:** N/A\
-**Preferences Affected:** `browser.messaging-system.whatsNewPanel.enabled`, `browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons`, `browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features`, `browser.aboutwelcome.enabled`, `browser.preferences.moreFromMozilla`
+**Preferences Affected:** `browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons`, `browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features`, `browser.aboutwelcome.enabled`, `browser.preferences.moreFromMozilla`
#### Windows (GPO)
```
-Software\Policies\Mozilla\Firefox\UserMessaging\WhatsNew = 0x1 | 0x0
Software\Policies\Mozilla\Firefox\UserMessaging\ExtensionRecommendations = 0x1 | 0x0
Software\Policies\Mozilla\Firefox\UserMessaging\FeatureRecommendations = 0x1 | 0x0
Software\Policies\Mozilla\Firefox\UserMessaging\UrlbarInterventions = 0x1 | 0x0
#### Windows (Intune)
OMA-URI:
```
-./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~UserMessaging/UserMessaging_WhatsNew
./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~UserMessaging/UserMessaging_ExtensionRecommendations
./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~UserMessaging/UserMessaging_FeatureRecommendations
./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~UserMessaging/UserMessaging_UrlbarInterventions
<dict>
<key>UserMessaging</key>
<dict>
- <key>WhatsNew</key>
- <true/> | <false/>
<key>ExtensionRecommendations</key>
<true/> | <false/>
<key>FeatureRecommendations</key>
{
"policies": {
"UserMessaging": {
- "WhatsNew": true | false,
"ExtensionRecommendations": true | false,
"FeatureRecommendations": true | false,
"UrlbarInterventions": true | false,