]> git.p6c8.net - policy-templates.git/blobdiff - README.md
Correct typo
[policy-templates.git] / README.md
index af46f0fa8c51fcf3a5c0cee612eb9fce5cd7e5cc..e660b84e0d37e6da8502dbb06ae40fd037c2a79d 100644 (file)
--- a/README.md
+++ b/README.md
@@ -2,7 +2,24 @@
 
 **You should use the [officially released versions](https://github.com/mozilla/policy-templates/releases) if you are deploying changes.**
 
-Policies can be specified using the [Group Policy templates on Windows](https://github.com/mozilla/policy-templates/tree/master/windows), [Intune on Windows](https://support.mozilla.org/kb/managing-firefox-intune), [configuration profiles on macOS](https://github.com/mozilla/policy-templates/tree/master/mac), or by creating a file called `policies.json`. On Windows, create a directory called `distribution` where the EXE is located and place the file there. On Mac, the file goes into `Firefox.app/Contents/Resources/distribution`.  On Linux, the file goes into `firefox/distribution`, where `firefox` is the installation directory for firefox, which varies by distribution or you can specify system-wide policy by placing the file in `/etc/firefox/policies`.
+Official policy documentation has been moved to https://mozilla.github.io/policy-templates/.
+
+I'm maintaining things in the README.md until we can update links in Firefox.
+
+Firefox policies can be specified using the [Group Policy templates on Windows](https://github.com/mozilla/policy-templates/tree/master/windows), [Intune on Windows](https://support.mozilla.org/kb/managing-firefox-intune), [configuration profiles on macOS](https://github.com/mozilla/policy-templates/tree/master/mac), or by creating a file called `policies.json`. On Windows, create a directory called `distribution` where the EXE is located and place the file there. On Mac, the file goes into `Firefox.app/Contents/Resources/distribution`.  On Linux, the file goes into `firefox/distribution`, where `firefox` is the installation directory for firefox, which varies by distribution or you can specify system-wide policy by placing the file in `/etc/firefox/policies`.
+
+Unfortunately, JSON files do not support comments, but you can add extra entries to the JSON to use as comments. You will see an error in about:policies, but the policies will still work properly. For example:
+
+```
+{
+  "policies": {
+    "Authentication": {
+      "SPNEGO": ["mydomain.com", "https://myotherdomain.com"]
+    }
+    "Authentication_Comment": "These domains are required for us"
+  }
+}
+```
 
 | Policy Name | Description
 | --- | --- |
@@ -23,6 +40,7 @@ Policies can be specified using the [Group Policy templates on Windows](https://
 | **[`Certificates`](#certificates)** |
 | **[`Certificates -> ImportEnterpriseRoots`](#certificates--importenterpriseroots)** | Trust certificates that have been added to the operating system certificate store by a user or administrator.
 | **[`Certificates -> Install`](#certificates--install)** | Install certificates into the Firefox certificate store.
+| **[`Containers`](#containers)** | Set policies related to [containers](https://addons.mozilla.org/firefox/addon/multi-account-containers/).
 | **[`Cookies`](#cookies)** | Configure cookie preferences.
 | **[`DefaultDownloadDirectory`](#defaultdownloaddirectory)** | Set the default download directory.
 | **[`DisableAppUpdate`](#disableappupdate)** | Turn off application updates.
@@ -47,7 +65,9 @@ Policies can be specified using the [Group Policy templates on Windows](https://
 | **[`DisableSetDesktopBackground`](#disablesetdesktopbackground)** | Remove the "Set As Desktop Background..." menuitem when right clicking on an image.
 | **[`DisableSystemAddonUpdate`](#disablesystemaddonupdate)** | Prevent system add-ons from being installed or updated.
 | **[`DisableTelemetry`](#disabletelemetry)** | DisableTelemetry
+| **[`DisableThirdPartyModuleBlocking`](#disablethirdpartymoduleblocking)** | Do not allow blocking third-party modules.
 | **[`DisplayBookmarksToolbar`](#displaybookmarkstoolbar)** | Set the initial state of the bookmarks toolbar.
+| **[`DisplayBookmarksToolbar (Deprecated)`](#displaybookmarkstoolbar-deprecated)** | Set the initial state of the bookmarks toolbar.
 | **[`DisplayMenuBar`](#displaymenubar)** | Set the state of the menubar.
 | **[`DisplayMenuBar (Deprecated)`](#displaymenubar-deprecated)** | Set the initial state of the menubar.
 | **[`DNSOverHTTPS`](#dnsoverhttps)** | Configure DNS over HTTPS.
@@ -985,6 +1005,91 @@ Value (string):
   }
 }
 ```
+### Containers
+Set policies related to [containers](https://addons.mozilla.org/firefox/addon/multi-account-containers/).
+
+Currently you can set the initial set of containers.
+
+For each container, you can specify the name, icon, and color.
+
+| Name | Description |
+| --- | --- |
+| `name`| Name of container
+| `icon` | Can be `fingerprint`, `briefcase`, `dollar`, `cart`, `vacation`, `gift`, `food`, `fruit`, `pet`, `tree`, `chill`, `circle`, `fence`
+| `color` | Can be `blue`, `turquoise`, `green`, `yellow`, `orange`, `red`, `pink`, `purple`, `toolbar`
+
+**Compatibility:** Firefox 113\
+**CCK2 Equivalent:** N/A\
+**Preferences Affected:** N/A
+
+#### Windows (GPO)
+Software\Policies\Mozilla\Firefox\Containers (REG_MULTI_SZ) =
+```
+{
+  "Default": [
+    {
+      "name": "My container",
+      "icon": "pet",
+      "color": "turquoise"
+    }
+  ]
+}
+```
+#### Windows (Intune)
+OMA-URI:
+```
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/Containers
+```
+Value (string):
+```
+<enabled/>
+<data id="JSON" value='
+{
+  "Default": [
+    {
+      "name": "My container",
+      "icon": "pet",
+      "color": "turquoise"
+    }
+  ]
+}
+'/>
+```
+#### macOS
+```
+<dict>
+  <key>Default</key>
+  <dict>
+    <key>Containers</key>
+    <array>
+      <dict>
+        <key>name</key>
+        <string>My container</string>
+        <key>icon</key>
+        <string>pet</string>
+        <key>color</key>
+        <string>turquoise</string>
+      </dict>
+    </array>
+  </dict>
+</dict>
+```
+#### policies.json
+```
+{
+  "policies": {
+    "Containers": {
+      "Default": [
+        {
+          "name": "My container",
+          "icon": "pet",
+          "color": "turquoise"
+        }
+      ]
+    }
+  }
+}
+```
 ### Cookies
 Configure cookie preferences.
 
@@ -999,7 +1104,7 @@ Configure cookie preferences.
 `BehaviorPrivateBrowsing` sets the default behavior for cookies in private browsing based on the values below.
 
 | Value | Description
-| --- | ---
+| --- | --- |
 | accept | Accept all cookies
 | reject-foreign | Reject third party cookies
 | reject | Reject all cookies
@@ -1209,6 +1314,7 @@ Value (string):
 {
   "policies": {
     "DefaultDownloadDirectory": "${home}/Downloads"
+  }
 }
 ```
 #### policies.json (Windows)
@@ -1216,6 +1322,7 @@ Value (string):
 {
   "policies": {
     "DefaultDownloadDirectory": "${home}\\Downloads"
+  }
 }
 ```
 ### DisableAppUpdate
@@ -2049,7 +2156,71 @@ Value (string):
   }
 }
 ```
+### DisableThirdPartyModuleBlocking
+Do not allow blocking third-party modules from the `about:third-party` page.
+
+This policy only works on Windows through GPO (not policies.json).
+
+**Compatibility:** Firefox 110 (Windows only, GPO only)\
+**CCK2 Equivalent:** N/A\
+**Preferences Affected:** N/A
+
+#### Windows (GPO)
+```
+Software\Policies\Mozilla\Firefox\DisableThirdPartyModuleBlocking = = 0x1 | 0x0
+```
+#### Windows (Intune)
+OMA-URI:
+```
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/DisableThirdPartyModuleBlocking
+```
+Value (string):
+```
+<enabled/> or <disabled/>
+```
 ### DisplayBookmarksToolbar
+Set the initial state of the bookmarks toolbar. A user can still change how it is displayed.
+
+`always` means the bookmarks toolbar is always shown.
+
+`never` means the bookmarks toolbar is not shown.
+
+`newtab` means the bookmarks toolbar is only shown on the new tab page.
+
+**Compatibility:** Firefox 109, Firefox ESR 102.7\
+**CCK2 Equivalent:** N/A\
+**Preferences Affected:** N/A
+
+#### Windows (GPO)
+```
+Software\Policies\Mozilla\Firefox\DisplayBookmarksToolbar = "always", "never", "newtab"
+```
+#### Windows (Intune)
+OMA-URI:
+```
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/DisplayBookmarksToolbar_Enum
+```
+Value (string):
+```
+<enabled/>
+<data id="DisplayBookmarksToolbar" value="always | never | newtab"/>
+```
+#### macOS
+```
+<dict>
+  <key>DisplayBookmarksToolbar</key>
+  <string>always | never | newtab</string>
+</dict>
+```
+#### policies.json
+```
+{
+  "policies": {
+    "DisplayBookmarksToolbar": "always" | "never" | "newtab"
+  }
+}
+```
+### DisplayBookmarksToolbar (Deprecated)
 Set the initial state of the bookmarks toolbar. A user can still hide it and it will stay hidden.
 
 **Compatibility:** Firefox 60, Firefox ESR 60\
@@ -2334,6 +2505,8 @@ If `Cryptomining` is set to true, cryptomining scripts on websites are blocked.
 
 If `Fingerprinting` is set to true, fingerprinting scripts on websites are blocked.
 
+If `EmailTracking` is set to true, hidden email tracking pixels and scripts on websites are blocked. (Firefox 112)
+
 `Exceptions` are origins for which tracking protection is not enabled.
 
 **Compatibility:** Firefox 60, Firefox ESR 60 (Cryptomining and Fingerprinting added in 70/68.2, Exceptions added in 73/68.5)\
@@ -4512,22 +4685,30 @@ spellchecker. (Firefox 84, Firefox ESR 78.6)
 toolkit.legacyUserProfileCustomizations.stylesheets (Firefox 95, Firefox ESR 91.4)
 ui.
 widget.
+xpinstall.signatures.required (Firefox ESR 102.10, Firefox ESR only)
 ```
 as well as the following security preferences:
+
 | Preference | Type | Default
-| --- | --- | ---
+| --- | --- | --- |
 | security.default_personal_cert | string | Ask Every Time
 | &nbsp;&nbsp;&nbsp;&nbsp;If set to Select Automatically, Firefox automatically chooses the default personal certificate.
 | security.insecure_connection_text.enabled | bool | false
 | &nbsp;&nbsp;&nbsp;&nbsp;If set to true, adds the words "Not Secure" for insecure sites.
 | security.insecure_connection_text.pbmode.enabled | bool | false
 | &nbsp;&nbsp;&nbsp;&nbsp;If set to true, adds the words "Not Secure" for insecure sites in private browsing.
-| security.insecure_field_warning.contextual.enabled | bool | true
-| &nbsp;&nbsp;&nbsp;&nbsp;If set to false, remove the warning for inscure login fields.
 | security.mixed_content.block_active_content | boolean | true
 | &nbsp;&nbsp;&nbsp;&nbsp;If false, mixed active content (HTTP and HTTPS) is not blocked.
 | security.osclientcerts.autoload | boolean | false
 | &nbsp;&nbsp;&nbsp;&nbsp;If true, client certificates are loaded from the operating system certificate store.
+| security.OCSP.enabled | integer | 1
+| &nbsp;&nbsp;&nbsp;&nbsp;If 0, do not fetch OCSP. If 1, fetch OCSP for DV and EV certificates. If 2, fetch OCSP only for EV certificates
+| security.OCSP.require | boolean | false
+| &nbsp;&nbsp;&nbsp;&nbsp; If true, if an OCSP request times out, the connection fails.
+| security.osclientcerts.assume_rsa_pss_support | boolean | true
+| &nbsp;&nbsp;&nbsp;&nbsp; If false, we don't assume an RSA key can do RSA-PSS (Firefox 114, Firefox ESR 102.12).
+| security.ssl.enable_ocsp_stapling | boolean | true
+| &nbsp;&nbsp;&nbsp;&nbsp; If false, OCSP stapling is not enabled.
 | security.ssl.errorReporting.enabled | boolean | true
 | &nbsp;&nbsp;&nbsp;&nbsp;If false, SSL errors cannot be sent to Mozilla.
 | security.tls.enable_0rtt_data | boolean | true
@@ -4538,7 +4719,6 @@ as well as the following security preferences:
 | &nbsp;&nbsp;&nbsp;&nbsp;If true, browser will accept TLS 1.0. and TLS 1.1 (Firefox 86, Firefox 78.8).
 | security.warn_submit_secure_to_insecure | boolean | true
 | &nbsp;&nbsp;&nbsp;&nbsp;If false, no warning is shown when submitting a form from https to http.
-&nbsp;
 
 Using the preference as the key, set the `Value` to the corresponding preference value.
 
@@ -4662,7 +4842,7 @@ Set and lock certain preferences.
 **Preferences Affected:** See below
 
 | Preference | Type | Compatibility | Default
-| --- | --- | --- | ---
+| --- | --- | --- | --- |
 | accessibility.force_disabled | integer | Firefox 70, Firefox ESR 68.2 | 0
 | &nbsp;&nbsp;&nbsp;&nbsp;If set to 1, platform accessibility is disabled.
 | app.update.auto (Deprecated - Switch to AppAutoUpdate policy) | boolean | Firefox 68, Firefox ESR 68 | true
@@ -4765,6 +4945,7 @@ disabled
 | &nbsp;&nbsp;&nbsp;&nbsp;If false, the Alt key doesn't show the menubar on Windows.
 | widget.content.gtk-theme-override | string | Firefox 72, Firefox ESR 68.4 (Linux only) | N/A
 | &nbsp;&nbsp;&nbsp;&nbsp;If set, overrides the GTK theme for widgets.
+
 #### Windows (GPO)
 ```
 Software\Policies\Mozilla\Firefox\Preferences\boolean_preference_name = 0x1 | 0x0
@@ -4935,8 +5116,98 @@ Software\Policies\Mozilla\Firefox\Proxy\AutoLogin = 0x1 | 0x0
 Software\Policies\Mozilla\Firefox\Proxy\UseProxyForDNS = 0x1 | 0x0
 ```
 #### Windows (Intune)
+**Note**
+These setttings were moved to a category to make them easier to configure via Intune.
+
 OMA-URI:
 ```
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~ProxySettings/Proxy_Locked
+```
+Value (string):
+```
+<enabled/> or <disabled/>
+```
+OMA-URI:
+```
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~ProxySettings/Proxy_ConnectionType
+```
+Value (string):
+```
+<enabled/>
+<data id="Proxy_ConnectionType" value="none | system | manual | autoDetect | autoConfig"/>
+```
+OMA-URI:
+```
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~ProxySettings/Proxy_HTTPProxy
+```
+Value (string):
+```
+<enabled/>
+<data id="Proxy_HTTPProxy" value="httpproxy.example.com"/>
+```
+OMA-URI:
+```
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~ProxySettings/Proxy_UseHTTPProxyForAllProtocols
+```
+Value (string):
+```
+<enabled/> or <disabled/>
+```
+OMA-URI:
+```
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~ProxySettings/Proxy_SSLProxy
+```
+Value (string):
+```
+<enabled/>
+<data id="Proxy_SSLProxy" value="sslproxy.example.com"/>
+```
+OMA-URI:
+```
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~ProxySettings/Proxy_SOCKSProxy
+```
+Value (string):
+```
+<enabled/>
+<data id="Proxy_SOCKSProxy" value="socksproxy.example.com"/>
+<data id="Proxy_SOCKSVersion" value="4 | 5"/>
+```
+OMA-URI:
+```
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~ProxySettings/Proxy_AutoConfigURL
+```
+Value (string):
+```
+<enabled/>
+<data id="Proxy_AutoConfigURL" value="URL_TO_AUTOCONFIG"/>
+```
+OMA-URI:
+```
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~ProxySettings/Proxy_Passthrough
+```
+Value (string):
+```
+<enabled/>
+<data id="Proxy_Passthrough" value="&lt;local&gt;"/>
+```
+OMA-URI:
+```
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~ProxySettings/Proxy_AutoLogin
+```
+Value (string):
+```
+<enabled/> or <disabled/>
+```
+OMA-URI:
+```
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~ProxySettings/Proxy_UseProxyForDNS
+```
+Value (string):
+```
+<enabled/> or <disabled/>
+```
+OMA-URI (Old way):
+```
 ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/Proxy
 ```
 Value (string):
@@ -4944,11 +5215,11 @@ Value (string):
 <enabled/>
 <data id="ProxyLocked" value="true | false"/>
 <data id="ConnectionType" value="none | system | manual | autoDetect | autoConfig"/>
-<data id="HTTPProxy" value="https://httpproxy.example.com"/>
+<data id="HTTPProxy" value="httpproxy.example.com"/>
 <data id="UseHTTPProxyForAllProtocols" value="true | false"/>
-<data id="SSLProxy" value="https://sslproxy.example.com"/>
-<data id="FTPProxy" value="https://ftpproxy.example.com"/>
-<data id="SOCKSProxy" value="https://socksproxy.example.com"/>
+<data id="SSLProxy" value="sslproxy.example.com"/>
+<data id="FTPProxy" value="ftpproxy.example.com"/>
+<data id="SOCKSProxy" value="socksproxy.example.com"/>
 <data id="SOCKSVersion" value="4 | 5"/>
 <data id="AutoConfigURL" value="URL_TO_AUTOCONFIG"/>
 <data id="Passthrough" value="<local>"/>
@@ -5554,6 +5825,68 @@ Value (string):
 ```
 ### SecurityDevices
 
+Add or delete PKCS #11 modules.
+
+**Compatibility:** Firefox 114, Firefox ESR 112.12\
+**CCK2 Equivalent:** N/A\
+**Preferences Affected:** N/A
+
+#### Windows (GPO)
+```
+Software\Policies\Mozilla\Firefox\SecurityDevices\Add\NAME_OF_DEVICE_TO_ADD = PATH_TO_LIBRARY_FOR_DEVICE
+Software\Policies\Mozilla\Firefox\SecurityDevices\Remove\1 = NAME_OF_DEVICE_TO_REMOVE
+```
+#### Windows (Intune)
+OMA-URI:
+```
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/SecurityDevices/SecurityDevices_Add
+```
+Value (string):
+```
+<enabled/>
+<data id="SecurityDevices" value="NAME_OF_DEVICE_TO_ADD&#xF000;PATH_TO_LIBRARY_FOR_DEVICE"/>
+```
+OMA-URI:
+```
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/SecurityDevices/SecurityDevices_Delete
+```
+Value (string):
+```
+<enabled/>
+<data id="SecurityDevices" value="1&#xF000;NAME_OF_DEVICE_TO_REMOVE"/>
+```
+#### macOS
+```
+<dict>
+  <key>SecurityDevices</key>
+  <dict>
+    <key>Add<key>
+    <dict>
+      <key>NAME_OF_DEVICE_TO_ADD</key>
+      <string>PATH_TO_LIBRARY_FOR_DEVICE</string>
+    </dict>
+    <key>Delete</add>
+    <array>
+      <string>NAME_OF_DEVICE_TO_DELETE</string>
+    </array>
+  </dict>
+</dict>
+```
+#### policies.json
+```
+{
+  "policies": {
+    "SecurityDevices": {
+      "Add": {
+        "NAME_OF_DEVICE_TO_ADD": "PATH_TO_LIBRARY_FOR_DEVICE"
+      },
+      "Delete": ["NAME_OF_DEVICE_TO_DELETE"]
+    }
+  }
+}
+```
+### SecurityDevices (Deprecated)
+
 Install PKCS #11 modules.
 
 **Compatibility:** Firefox 64, Firefox ESR 60.4\
@@ -5584,7 +5917,6 @@ Value (string):
   </dict>
 </dict>
 ```
-
 #### policies.json
 ```
 {
@@ -5809,6 +6141,8 @@ Prevent Firefox from messaging the user in certain situations.
 
 `MoreFromMozilla` If false, don't show the "More from Mozilla" section in Preferences. (Firefox 98)
 
+`Locked` prevents the user from changing user messaging preferences.
+
 **Compatibility:** Firefox 75, Firefox ESR 68.7\
 **CCK2 Equivalent:** N/A\
 **Preferences Affected:** `browser.messaging-system.whatsNewPanel.enabled`, `browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons`, `browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features`, `browser.aboutwelcome.enabled`, `browser.preferences.moreFromMozilla`
@@ -5821,6 +6155,7 @@ Software\Policies\Mozilla\Firefox\UserMessaging\FeatureRecommendations = 0x1 | 0
 Software\Policies\Mozilla\Firefox\UserMessaging\UrlbarInterventions = 0x1 | 0x0
 Software\Policies\Mozilla\Firefox\UserMessaging\SkipOnboarding = 0x1 | 0x0
 Software\Policies\Mozilla\Firefox\UserMessaging\MoreFromMozilla = 0x1 | 0x0
+Software\Policies\Mozilla\Firefox\UserMessaging\Locked = 0x1 | 0x0
 ```
 #### Windows (Intune)
 OMA-URI:
@@ -5831,6 +6166,7 @@ OMA-URI:
 ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~UserMessaging/UserMessaging_UrlbarInterventions
 ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~UserMessaging/UserMessaging_SkipOnboarding
 ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~UserMessaging/UserMessaging_MoreFromMozilla
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~UserMessaging/UserMessaging_Locked
 ```
 Value (string):
 ```
@@ -5853,6 +6189,8 @@ Value (string):
     <true/> | <false/>
     <key>MoreFromMozilla</key>
     <true/> | <false/>
+    <key>Locked</key>
+    <true/> | <false/>
   </dict>
 </dict>
 ```
@@ -5866,7 +6204,8 @@ Value (string):
       "FeatureRecommendations": true | false,
       "UrlbarInterventions": true | false,
       "SkipOnboarding": true | false,
-      "MoreFromMozilla": true | false
+      "MoreFromMozilla": true | false,
+      "Locked": true | false
     }
   }
 }
@@ -6001,3 +6340,4 @@ Value (string):
   }
 }
 ```
+

patrick-canterino.de