X-Git-Url: https://git.p6c8.net/policy-templates.git/blobdiff_plain/2b2f74f676dc9123fa1aca040465eaa2af2c1cab..7b2ba00905c94c65b51a2ca8ca7ee4e3763668e1:/README.md diff --git a/README.md b/README.md index 7271582..90c901f 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,8 @@ **These policies are in active development and so might contain changes that do not work with current versions of Firefox.** -**You should use the officially released versions (https://github.com/mozilla/policy-templates/releases) if you are deploying changes.** +**You should use the [officially released versions](https://github.com/mozilla/policy-templates/releases) if you are deploying changes.** -Policies can be specified using the Group Policy templates on Windows (https://github.com/mozilla/policy-templates/tree/master/windows), configuration profiles on macOS (https://github.com/mozilla/policy-templates/tree/master/mac), or by creating a file called `policies.json`. On Windows, create a directory called `distribution` where the EXE is located and place the file there. On Mac, the file goes into `Firefox.app/Contents/Resources/distribution`. On Linux, the file goes into `firefox/distribution`, where `firefox` is the installation directory for firefox, which varies by distribution. +Policies can be specified using the [Group Policy templates on Windows](https://github.com/mozilla/policy-templates/tree/master/windows), [Intune on Windows](https://support.mozilla.org/kb/managing-firefox-intune), [configuration profiles on macOS](https://github.com/mozilla/policy-templates/tree/master/mac), or by creating a file called `policies.json`. On Windows, create a directory called `distribution` where the EXE is located and place the file there. On Mac, the file goes into `Firefox.app/Contents/Resources/distribution`. On Linux, the file goes into `firefox/distribution`, where `firefox` is the installation directory for firefox, which varies by distribution or you can specify system-wide policy by placing the file in `/etc/firefox/policies`. | Policy Name | Description | --- | --- | @@ -49,6 +49,7 @@ Policies can be specified using the Group Policy templates on Windows (https://g | **[`DefaultDownloadDirectory`](#defaultdownloaddirectory)** | Set the default download directory. | **[`DownloadDirectory`](#downloaddirectory)** | Set and lock the download directory. | **[`EnableTrackingProtection`](#enabletrackingprotection)** | Configure tracking protection. +| **[`EncryptedMediaExtensions`](#encryptedmediaextensions)** | Enable or disable Encrypted Media Extensions and optionally lock it. | **[`EnterprisePoliciesEnabled`](#enterprisepoliciesenabled)** | Enable policy support on macOS. | **[`Extensions`](#extensions)** | Control the installation, uninstallation and locking of extensions. | **[`ExtensionSettings`](#extensionsettings)** | Manage all aspects of extensions. @@ -68,6 +69,7 @@ Policies can be specified using the Group Policy templates on Windows (https://g | **[`OverrideFirstRunPage`](#overridefirstrunpage)** | Override the first run page. | **[`OverridePostUpdatePage`](#overridepostupdatepage)** | Override the upgrade page. | **[`PasswordManagerEnabled`](#passwordmanagerenabled)** | Remove (some) access to the password manager. +| **[`PDFjs`](#pdfjs)** | Disable or configure PDF.js, the built-in PDF viewer. | **[`Permissions`](#permissions)** | Set permissions associated with camera, microphone, location, and notifications. | **[`PopupBlocking`](#popupblocking)** | Configure the default pop-up window policy as well as origins for which pop-up windows are allowed. | **[`Preferences`](#preferences)** | Set and lock some preferences. @@ -175,9 +177,11 @@ Configure sites that support integrated authentication. See https://developer.mozilla.org/en-US/docs/Mozilla/Integrated_authentication for more information. -**Compatibility:** Firefox 60, Firefox ESR 60 (AllowNonFQDN added in 62/60.2, AllowProxies added in 70/68.2, Locked added in 71/68.3)\ +`PrivateBrowsing` enables integrated authentication in prviate browsing. + +**Compatibility:** Firefox 60, Firefox ESR 60 (AllowNonFQDN added in 62/60.2, AllowProxies added in 70/68.2, Locked added in 71/68.3, PrivateBrowsing added in 77/68.9)\ **CCK2 Equivalent:** N/A\ -**Preferences Affected:** `network.negotiate-auth.trusted-uris`,`network.negotiate-auth.delegation-uris`,`network.automatic-ntlm-auth.trusted-uris`,`network.automatic-ntlm-auth.allow-non-fqdn`,`network.negotiate-auth.allow-non-fqdn`,`network.automatic-ntlm-auth.allow-proxies`,`network.negotiate-auth.allow-proxies` +**Preferences Affected:** `network.negotiate-auth.trusted-uris`,`network.negotiate-auth.delegation-uris`,`network.automatic-ntlm-auth.trusted-uris`,`network.automatic-ntlm-auth.allow-non-fqdn`,`network.negotiate-auth.allow-non-fqdn`,`network.automatic-ntlm-auth.allow-proxies`,`network.negotiate-auth.allow-proxies`,`network.auth.private-browsing-sso` #### Windows (GPO) ``` @@ -192,6 +196,7 @@ Software\Policies\Mozilla\Firefox\Authentication\AllowNonFQDN\NTLM = 0x1 | 0x0 Software\Policies\Mozilla\Firefox\Authentication\AllowProxies\SPNEGO = 0x1 | 0x0 Software\Policies\Mozilla\Firefox\Authentication\AllowProxies\NTLM = 0x1 | 0x0 Software\Policies\Mozilla\Firefox\Authentication\Locked = 0x1 | 0x0 +Software\Policies\Mozilla\Firefox\Authentication\PrivateBrowsing = 0x1 | 0x0 ``` #### Windows (Intune) OMA-URI: @@ -233,12 +238,19 @@ Value (string): ``` OMA-URI: ``` -./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Homepage/HomepageStartPage +./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Authentication/Authentication_Locked ``` Value (string): ``` - - + or +``` +OMA-URI: +``` +./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Authentication/Authentication_PrivateBrowsing +``` +Value (string): +``` + or ``` #### macOS ``` @@ -276,6 +288,8 @@ Value (string): Locked | + PrivateBrowsing + | ``` @@ -295,7 +309,8 @@ Value (string): "SPNEGO": true | false, "NTLM": true | false }, - "Locked": true | false + "Locked": true | false, + "PrivateBrowsing": true | false } } } @@ -1544,8 +1559,8 @@ Value (string): { "policies": { "DisableSecurityBypass": { - "InvalidCertificate": true false, - "SafeBrowsing": true false + "InvalidCertificate": true | false, + "SafeBrowsing": true | false } } } @@ -2003,14 +2018,62 @@ Value (string): { "policies": { "EnableTrackingProtection": { - "Value": [true, false], - "Locked": [true, false], - "Cryptomining": [true, false], - "Fingerprinting": [true, false], + "Value": true | false, + "Locked": true | false, + "Cryptomining": true | false, + "Fingerprinting": true | false, "Exceptions": ["https://example.com"] } } ``` +### EncryptedMediaExtensions +Enable or disable Encrypted Media Extensions and optionally lock it. + +If `Enabled` is set to false, encrypted media extensions (like Widevine) are not downloaded by Firefox unless the user consents to installing them. + +If `Locked` is set to true and `Enabled` is set to false, Firefox will not download encrypted media extensions (like Widevine) or ask the user to install them. + +**Compatibility:** Firefox 77, Firefox ESR 68.9\ +**CCK2 Equivalent:** N/A\ +**Preferences Affected:** `media.eme.enabled` + +#### Windows (GPO) +``` +Software\Policies\Mozilla\Firefox\EncryptedMediaExtensions\Enabled = 0x1 | 0x0 +Software\Policies\Mozilla\Firefox\EncryptedMediaExtensions\Locked = 0x1 | 0x0 +``` +#### Windows (Intune) +OMA-URI: +``` +./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~EncryptedMediaExtensions/EncryptedMediaExtensions_Enabled +./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~EncryptedMediaExtensions/EncryptedMediaExtensions_Locked +``` +Value (string): +``` +or +``` +#### macOS +``` + + EncryptedMediaExtensions + + Enabled + | + + | + + +``` +#### policies.json +``` +{ + "policies": { + "EncryptedMediaExtensions": { + "Enabled": true | false, + "Locked": true | false + } +} +``` ### EnterprisePoliciesEnabled Enable policy support on macOS. @@ -2416,7 +2479,9 @@ Configure the default homepage and how Firefox starts. `StartPage` is how Firefox starts. The choices are no homepage, the default homepage or the previous session. -**Compatibility:** Firefox 60, Firefox ESR 60 (StartPage was added in Firefox 60, Firefox ESR 60.4)\ +With Firefox 78, an additional option as added for `Startpage`, `homepage-locked`. This allows for locking the homepage, but still allowing the user to choose whether or not they want to restore their session. + +**Compatibility:** Firefox 60, Firefox ESR 60 (StartPage was added in Firefox 60, Firefox ESR 60.4, homepage-locked added in Firefox 78)\ **CCK2 Equivalent:** `homePage`,`lockHomePage`\ **Preferences Affected:** `browser.startup.homepage`,`browser.startup.page` @@ -2426,7 +2491,7 @@ Software\Policies\Mozilla\Firefox\Homepage\URL = "https://example.com" Software\Policies\Mozilla\Firefox\Homepage\Locked = 0x1 | 0x0 Software\Policies\Mozilla\Firefox\Homepage\Additional\1 = "https://example.org" Software\Policies\Mozilla\Firefox\Homepage\Additional\2 = "https://example.edu" -Software\Policies\Mozilla\Firefox\Homepage\StartPage = "none" | "homepage" | "previous-session" +Software\Policies\Mozilla\Firefox\Homepage\StartPage = "none" | "homepage" | "previous-session" | "homepage-locked" ``` #### Windows (Intune) OMA-URI: @@ -2475,7 +2540,7 @@ Value (string): http://example.edu StartPage - none | homepage | previous-session + none | homepage | previous-session | homepage-locked ``` @@ -2488,7 +2553,7 @@ Value (string): "Locked": true | false, "Additional": ["http://example.org/", "http://example.edu/"], - "StartPage": "none" | "homepage" | "previous-session" + "StartPage": "none" | "homepage" | "previous-session" | "homepage-locked" } } } @@ -2902,6 +2967,56 @@ Value (string): } } ``` +### PDFjs +Disable or configure PDF.js, the built-in PDF viewer. + +If `Enabled` is set to false, the built-in PDF viewer is disabled. + +If `EnablePermissions` is set to true, the built-in PDF viewer will honor document permissions like preventing the copying of text. + +Note: DisableBuiltinPDFViewer has not been deprecated. You can either continue to use it, or switch to using PDFjs->Enabled to disable the built-in PDF viewer. This new permission was added because we needed a place for PDFjs->EnabledPermissions. + +**Compatibility:** Firefox 77, Firefox ESR 68.9\ +**CCK2 Equivalent:** N/A\ +**Preferences Affected:** `pdfjs.diabled`,`pdfjs.enablePermissions` + +#### Windows (GPO) +``` +Software\Policies\Mozilla\Firefox\PDFjs\Enabled = 0x1 | 0x0 +Software\Policies\Mozilla\Firefox\PDFjs\EnablePermissions = 0x1 | 0x0 +``` +#### Windows (Intune) +OMA-URI: +``` +./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~PDFjs/PDFjs_Enabled +./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~PDFjs/PDFjs_EnablePermissions +``` +Value (string): +``` +or +``` +#### macOS +``` + + PDFjs + + Enabled + | + + | + + +``` +#### policies.json +``` +{ + "policies": { + "PSFjs": { + "Enabled": true | false, + "EnablePermissions": true | false + } +} +``` ### Permissions Set permissions associated with camera, microphone, location, notifications, and autoplay. Because these are origins, not domains, entries with unique ports must be specified separately. See examples below. @@ -3019,6 +3134,7 @@ OMA-URI: Value (string): ``` or +``` #### macOS ``` @@ -3293,7 +3409,7 @@ Set and lock certain preferences. |     If false, the geolocation API is disabled. | Language dependent | intl.accept_languages | string | Firefox 70, Firefox ESR 68.2 |     If set, preferred language for web pages. -| media.eme.enabled | boolean | Firefox 70, Firefox ESR 68.2 | true +| media.eme.enabled (Deprecated - Switch to EncryptedMediaExtensions policy) | boolean | Firefox 70, Firefox ESR 68.2 | true |     If false, Encrypted Media Extensions are not enabled. | media.gmp-gmpopenh264.enabled | boolean | Firefox 68, Firefox ESR 68 | true |     If false, the OpenH264 plugin is not downloaded. @@ -3504,17 +3620,17 @@ Value (string): "policies": { "Proxy": { "Mode": "none", "system", "manual", "autoDetect", "autoConfig", - "Locked": [true, false], + "Locked": true | false, "HTTPProxy": "hostname", - "UseHTTPProxyForAllProtocols": [true, false], + "UseHTTPProxyForAllProtocols": true | false, "SSLProxy": "hostname", "FTPProxy": "hostname", "SOCKSProxy": "hostname", "SOCKSVersion": 4 | 5 "Passthrough": "", "AutoConfigURL": "URL_TO_AUTOCONFIG", - "AutoLogin": [true, false], - "UseProxyForDNS": [true, false] + "AutoLogin": true | false, + "UseProxyForDNS": true | false } } }