X-Git-Url: https://git.p6c8.net/policy-templates.git/blobdiff_plain/88ca0c4977fa3052fa154d9e1db715d532f0c3c1..7efaff0bd4d48e963adb67a252ec164631afbb1e:/README.md diff --git a/README.md b/README.md index 712a26e..b894da4 100644 --- a/README.md +++ b/README.md @@ -38,7 +38,8 @@ Policies can be specified using the Group Policy templates on Windows (https://g | **[`DisableSystemAddonUpdate`](#disablesystemaddonupdate)** | Prevent system add-ons from being installed or update. | **[`DisableTelemetry`](#disabletelemetry)** | DisableTelemetry | **[`DisplayBookmarksToolbar`](#displaybookmarkstoolbar)** | Set the initial state of the bookmarks toolbar. -| **[`DisplayMenuBar`](#displaymenubar)** | Set the initial state of the menubar. +| **[`DisplayMenuBar (Deprecated)`](#displaymenubar-deprecated)** | Set the initial state of the menubar. +| **[`DisplayMenuBar`](#displaymenubar)** | Set the state of the menubar. | **[`DNSOverHTTPS`](#dnsoverhttps)** | Configure DNS over HTTPS. | **[`DontCheckDefaultBrowser`](#dontcheckdefaultbrowser)** | Don't check if Firefox is the default browser at startup. | **[`DefaultDownloadDirectory`](#defaultdownloaddirectory)** | Set the default download directory. @@ -117,7 +118,7 @@ Configure sites that support integrated authentication. See https://developer.mozilla.org/en-US/docs/Mozilla/Integrated_authentication for more information. -**Compatibility:** Firefox 60, Firefox ESR 60 (AllowNonFQDN added in 62/60.2, AllowProxies added in 70/68.2)\ +**Compatibility:** Firefox 60, Firefox ESR 60 (AllowNonFQDN added in 62/60.2, AllowProxies added in 70/68.2, Locked added in 71/68.3)\ **CCK2 Equivalent:** N/A\ **Preferences Affected:** `network.negotiate-auth.trusted-uris`,`network.negotiate-auth.delegation-uris`,`network.automatic-ntlm-auth.trusted-uris`,`network.automatic-ntlm-auth.allow-non-fqdn`,`network.negotiate-auth.allow-non-fqdn`,`network.automatic-ntlm-auth.allow-proxies`,`network.negotiate-auth.allow-proxies` @@ -133,6 +134,7 @@ Software\Policies\Mozilla\Firefox\Authentication\AllowNonFQDN\SPNEGO = 0x1 | 0x0 Software\Policies\Mozilla\Firefox\Authentication\AllowNonFQDN\NTLM = 0x1 | 0x0 Software\Policies\Mozilla\Firefox\Authentication\AllowProxies\SPNEGO = 0x1 | 0x0 Software\Policies\Mozilla\Firefox\Authentication\AllowProxies\NTLM = 0x1 | 0x0 +Software\Policies\Mozilla\Firefox\Authentication\Locked = 0x1 | 0x0 ``` #### macOS ``` @@ -168,6 +170,8 @@ Software\Policies\Mozilla\Firefox\Authentication\AllowProxies\NTLM = 0x1 | 0x0 NTLM | + Locked + | ``` @@ -186,7 +190,8 @@ Software\Policies\Mozilla\Firefox\Authentication\AllowProxies\NTLM = 0x1 | 0x0 "AllowProxies": { "SPNEGO": true | false, "NTLM": true | false - } + }, + "Locked": true | false } } } @@ -533,7 +538,7 @@ Software\Policies\Mozilla\Firefox\Cookies\Locked = 0x1 | 0x0 "Allow": ["http://example.org/"], "Block": ["http://example.edu/"], "Default": true | false, - "AcceptThirdParty": "always" | "never" | "from-visited"], + "AcceptThirdParty": "always" | "never" | "from-visited", "ExpireAtSessionEnd": true | false, "RejectTracker": true | false, "Locked": true | false @@ -831,6 +836,33 @@ Software\Policies\Mozilla\Firefox\DisableFormHistory = 0x1 | 0x0 } } ``` +### DisablePasswordReveal +Do not allow passwords to be shown in saved logins + +**Compatibility:** Firefox 71, Firefox ESR 68.3\ +**CCK2 Equivalent:** N/A +**Preferences Affected:** N/A + +#### Windows (GPO) +``` +Software\Policies\Mozilla\Firefox\DisablePasswordReveal = 0x1 | 0x0 +``` + +#### macOS +``` + + DisablePasswordReveal + | + +``` +#### policies.json +``` +{ + "policies": { + "DisablePasswordReveal": true | false + } +} +``` ### DisablePocket Remove Pocket in the Firefox UI. It does not remove it from the new tab page. @@ -1081,7 +1113,7 @@ Software\Policies\Mozilla\Firefox\DisplayBookmarksToolbar = 0x1 | 0x0 } } ``` -### DisplayMenuBar +### DisplayMenuBar (Deprecated) Set the initial state of the menubar. A user can still hide it and it will stay hidden. **Compatibility:** Firefox 60, Firefox ESR 60 (Windows, some Linux)\ @@ -1107,6 +1139,40 @@ Software\Policies\Mozilla\Firefox\DisplayMenuBar = 0x1 | 0x0 } } ``` +### DisplayMenuBar +Set the state of the menubar. + +`always` means the menubar is shown and cannot be hidden. + +`never` means the menubar is hidden and cannot be shown. + +`default-on` means the menubar is on by default but can be hidden. + +`default-off` means the menubar is off by default but can be shown. + +**Compatibility:** Firefox 73, Firefox ESR 68.5 (Windows, some Linux)\ +**CCK2 Equivalent:** `displayMenuBar`\ +**Preferences Affected:** N/A + +#### Windows (GPO) +``` +Software\Policies\Mozilla\Firefox\DisplayMenuBar = "always", "never", "default-on", "default-off" +``` +#### macOS +``` + + DisplayMenuBar + always | never | default-on | default-off + +``` +#### policies.json +``` +{ + "policies": { + "DisplayMenuBar": "always", "never", "default-on", "default-off" + } +} +``` ### DNSOverHTTPS Configure DNS over HTTPS. @@ -1259,8 +1325,10 @@ If `Cryptomining` is set to true, cryptomining scripts on websites are blocked. If `Fingerprinting` is set to true, fingerprinting scripts on websites are blocked. -**Compatibility:** Firefox 60, Firefox ESR 60 (Cryptomining and Fingerprinting added in 70/68.2)\ -**CCK2 Equivalent:** `dontCheckDefaultBrowser`\ +`Exceptions` are origins for which tracking protection is not enabled. + +**Compatibility:** Firefox 60, Firefox ESR 60 (Cryptomining and Fingerprinting added in 70/68.2, Exceptions added in 73/68.5)\ +**CCK2 Equivalent:** N/A\ **Preferences Affected:** `privacy.trackingprotection.enabled`,`privacy.trackingprotection.pbmode.enabled`,`privacy.trackingprotection.cryptomining.enabled`,`privacy.trackingprotection.fingerprinting.enabled` #### Windows (GPO) @@ -1269,6 +1337,7 @@ Software\Policies\Mozilla\Firefox\EnableTrackingProtection\Value = 0x1 | 0x0 Software\Policies\Mozilla\Firefox\EnableTrackingProtection\Locked = 0x1 | 0x0 Software\Policies\Mozilla\Firefox\EnableTrackingProtection\Cryptomining = 0x1 | 0x0 Software\Policies\Mozilla\Firefox\EnableTrackingProtection\Fingerprinting = 0x1 | 0x0 +Software\Policies\Mozilla\Firefox\EnableTrackingProtection\Exceptions\1 = "https://example.com" ``` #### macOS ``` @@ -1277,12 +1346,16 @@ Software\Policies\Mozilla\Firefox\EnableTrackingProtection\Fingerprinting = 0x1 Value | - + | - + | - + | + Exceptions + + https://example.com + ``` @@ -1294,7 +1367,8 @@ Software\Policies\Mozilla\Firefox\EnableTrackingProtection\Fingerprinting = 0x1 "Value": [true, false], "Locked": [true, false], "Cryptomining": [true, false], - "Fingerprinting": [true, false] + "Fingerprinting": [true, false], + "Exceptions": ["https://example.com"] } } ``` @@ -1397,7 +1471,8 @@ Software\Policies\Mozilla\Firefox\ExtensionSettings (REG_MULTI_SZ) = "*": { "blocked_install_message": "Custom error message.", "install_sources": ["https://addons.mozilla.org/"], - "installation_mode": "blocked" + "installation_mode": "blocked", + "allowed_types": ["extension"] }, "uBlock0@raymondhill.net": { "installation_mode": "force_installed", @@ -1420,6 +1495,10 @@ Software\Policies\Mozilla\Firefox\ExtensionSettings (REG_MULTI_SZ) = installation_mode blocked + allowed_types + + extension + uBlock0@raymondhill.net @@ -1439,7 +1518,8 @@ Software\Policies\Mozilla\Firefox\ExtensionSettings (REG_MULTI_SZ) = "*": { "blocked_install_message": "Custom error message.", "install_sources": ["https://addons.mozilla.org/"], - "installation_mode": "blocked" + "installation_mode": "blocked", + "allowed_types": ["extension"] }, "uBlock0@raymondhill.net": { "installation_mode": "force_installed", @@ -1962,7 +2042,7 @@ Software\Policies\Mozilla\Firefox\PasswordManagerEnabled = 0x1 | 0x0 } ``` ### Permissions -Set permissions associated with camera, microphone, location, and notifications +Set permissions associated with camera, microphone, location, and notifications. Because these are origins, not domains, entries with unique ports must be specified separately. See examples below. `Allow` is a list of origins where the feature is allowed. @@ -1979,6 +2059,7 @@ Set permissions associated with camera, microphone, location, and notifications #### Windows (GPO) ``` Software\Policies\Mozilla\Firefox\Permissions\Camera\Allow\1 = "https://example.org" +Software\Policies\Mozilla\Firefox\Permissions\Camera\Allow\2 = "https://example.org:1234" Software\Policies\Mozilla\Firefox\Permissions\Camera\Block\1 = "https://example.edu" Software\Policies\Mozilla\Firefox\Permissions\Camera\BlockNewRequests = 0x1 | 0x0 Software\Policies\Mozilla\Firefox\Permissions\Camera\Locked = 0x1 | 0x0 @@ -2005,6 +2086,7 @@ Software\Policies\Mozilla\Firefox\Permissions\Notifications\Locked = 0x1 | 0x0 Allow https://example.org + https://example.org:1234 Block @@ -2069,7 +2151,7 @@ Software\Policies\Mozilla\Firefox\Permissions\Notifications\Locked = 0x1 | 0x0 "policies": { "Permissions": { "Camera": { - "Allow": ["https://example.org"], + "Allow": ["https://example.org","https://example.org:1234"], "Block": ["https://example.edu"], "BlockNewRequests": true | false, "Locked": true | false @@ -2163,27 +2245,29 @@ Set and lock certain preferences. |     If true, bookmarks are exported on shutdown. | browser.bookmarks.file | string | Firefox 70, Firefox ESR 68.2 | N/A |     If set, the name of the file where bookmarks are exported and imported. -| browser.bookmarks.restore_default_bookmarks | string | Firefox 70, Firefox ESR 68.2 | N/A +| browser.bookmarks.restore_default_bookmarks | boolean | Firefox 70, Firefox ESR 68.2 | N/A |     If true, bookmarks are restored to their defaults. | browser.cache.disk.enable | boolean | Firefox 68, Firefox ESR 68 | true |     If false, don't store cache on the hard drive. -| browser.cache.disk.parent_directory | string | Firefox 68, Firefox ESR 68 | Profile temporary directory -|     If set, changes the location of the disk cache. +| ~browser.cache.disk.parent_directory~ | string | Firefox 68, Firefox ESR 68 | Profile temporary directory +|     ~If set, changes the location of the disk cache.~ This policy doesn't work. It's being worked on. | browser.fixup.dns_first_for_single_words | boolean | Firefox 68, Firefox ESR 68 | false |     If true, single words are sent to DNS, not directly to search. -| browser.places.importBookmarksHTML | string | Firefox 70, Firefox ESR 68.2 +| browser.newtabpage.activity-stream.default.sites | string | Firefox 72, ESR 68.4 | Locale dependent +|     If set, a list of URLs to use as the default top sites on the new tab page. +| browser.places.importBookmarksHTML | boolean | Firefox 70, Firefox ESR 68.2 |     If true, bookmarks are always imported on startup. -| browser.safebrowsing.phishing.enabled | string | Firefox 70, Firefox ESR 68.2 | true +| browser.safebrowsing.phishing.enabled | boolean | Firefox 70, Firefox ESR 68.2 | true |     If false, phishing protection is not enabled (Not recommended) -| browser.safebrowsing.malware.enabled | string | Firefox 70, Firefox ESR 68.2 | true -|     IF false, malware protection is not enabled (Not recommended) +| browser.safebrowsing.malware.enabled | boolean | Firefox 70, Firefox ESR 68.2 | true +|     If false, malware protection is not enabled (Not recommended) | browser.search.update | boolean | Firefox 68, Firefox ESR 68 | true |     If false, updates for search engines are not checked. -| browser.slowStartup.notificationDisabled | string | Firefox 70, Firefox ESR 68.2 | false +| browser.slowStartup.notificationDisabled | boolean | Firefox 70, Firefox ESR 68.2 | false |     If true, a notification isn't shown if startup is slow. | browser.tabs.warnOnClose | boolean | Firefox 68, Firefox ESR 68 | true |     If false, there is no warning when the browser is closed. -| browser.taskbar.previews.enable | string | Firefox 70, Firefox ESR 68.2 (Windows only) | false +| browser.taskbar.previews.enable | boolean | Firefox 70, Firefox ESR 68.2 (Windows only) | false |     If true, tab previews are shown in the Windows taskbar. | browser.urlbar.suggest.bookmark | boolean | Firefox 68, Firefox ESR 68 | true |     If false, bookmarks aren't suggested when typing in the URL bar. @@ -2193,7 +2277,7 @@ Set and lock certain preferences. |     If false, open tabs aren't suggested when typing in the URL bar. | datareporting.policy.dataSubmissionPolicyBypassNotification | boolean | Firefox 68, Firefox ESR 68 | false |     If true, don't show the privacy policy tab on first run. -| dom.allow_scripts_to_close_windows | string | Firefox 70, Firefox ESR 68.2 | false +| dom.allow_scripts_to_close_windows | boolean | Firefox 70, Firefox ESR 68.2 | false |     If false, web page can close windows. | dom.disable_window_flip | boolean | Firefox 68, Firefox ESR 68 | true |     If false, web pages can focus and activate windows. @@ -2205,36 +2289,53 @@ Set and lock certain preferences. |     See https://support.mozilla.org/en-US/kb/dom-events-changes-introduced-firefox-66 | dom.keyboardevent.keypress.hack.use_legacy_keycode_and_charcode.addl | string | Firefox 68, Firefox ESR 68 | N/A |     See https://support.mozilla.org/en-US/kb/dom-events-changes-introduced-firefox-66 -| extensions.blocklist.enabled | string | Firefox 70, Firefox ESR 68.2 | true +| dom.xmldocument.load.enabled | boolean | Firefox ESR 68.5 | true. +|     If false, XMLDocument.load is not available +| dom.xmldocument.async.enabled | boolean | Firefox ESR 68.5 | true +|     If false, XMLDocument.async is not available. +| extensions.blocklist.enabled | boolean | Firefox 70, Firefox ESR 68.2 | true |     If false, the extensions blocklist is not used (Not recommended) | extensions.getAddons.showPane | boolean | Firefox 68, Firefox ESR 68 | N/A |     If false, the Recommendations tab is not displayed in the Add-ons Manager. -| geo.enabled | string | Firefox 70, Firefox ESR 68.2 | true +| extensions.htmlaboutaddons.recommendations.enabled | boolean | Firefox 72, Firefox ESR 68.4 | true +|     If false, recommendations are not shown on the Extensions tab in the Add-ons Manager. +| geo.enabled | boolean | Firefox 70, Firefox ESR 68.2 | true |     If false, the geolocation API is disabled. | Language dependent | intl.accept_languages | string | Firefox 70, Firefox ESR 68.2 |     If set, preferred language for web pages. -| media.eme.enabled | string | Firefox 70, Firefox ESR 68.2 | true +| media.eme.enabled | boolean | Firefox 70, Firefox ESR 68.2 | true |     If false, Encrypted Media Extensions are not enabled. | media.gmp-gmpopenh264.enabled | boolean | Firefox 68, Firefox ESR 68 | true |     If false, the OpenH264 plugin is not downloaded. | media.gmp-widevinecdm.enabled | boolean | Firefox 68, Firefox ESR 68 | true |     If false, the Widevine plugin is not downloaded. +| media.peerconnection.enabled | boolean | Firefox 72, Firefox ESR 68.4 | true +|     If false, WebRTC is disabled +| media.peerconnection.ice.obfuscate_host_addresses.whitelist | string | Firefox 72, Firefox ESR 68.4 | N/A +|     If set, a list of domains for which mDNS hostname obfuscation is +disabled | network.dns.disableIPv6 | boolean | Firefox 68, Firefox ESR 68 | false |     If true, IPv6 DNS lokoups are disabled. | network.IDN_show_punycode | boolean | Firefox 68, Firefox ESR 68 | false |     If true, display the punycode version of internationalized domain names. | places.history.enabled | boolean | Firefox 68, Firefox ESR 68 | true |     If false, history is not enabled. -| print.save_print_settings | string | Firefox 70, Firefox ESR 68.2 | true +| print.save_print_settings | boolean | Firefox 70, Firefox ESR 68.2 | true |     If false, print settings are not saved between jobs. | security.default_personal_cert | string | Firefox 68, Firefox ESR 68 | Ask Every Time |     If set to Select Automatically, Firefox automatically chooses the default personal certificate. -| security.mixed_content.block_active_content | string | Firefox 70, Firefox ESR 68.2 | true +| security.mixed_content.block_active_content | boolean | Firefox 70, Firefox ESR 68.2 | true |     If false, mixed active content (HTTP and HTTPS) is not blocked. +| security.osclientcerts.autoload | boolean | Firefox 72, Firefox ESR 68.4 (Windows only) | false +|     If true, client certificates are loaded from the operating system certificate store. | security.ssl.errorReporting.enabled | boolean | Firefox 68, Firefox ESR 68 | true |     If false, SSL errors cannot be sent to Mozilla. +| security.tls.hello_downgrade_check | boolean | Firefox 72, Firefox ESR 68.4 | true +|     If false, the TLS 1.3 downgrade check is disabled. | ui.key.menuAccessKeyFocuses | boolean | Firefox 68, Firefox ESR 68 | true |     If false, the Alt key doesn't show the menubar on Windows. +| widget.content.gtk-theme-override | string | Firefox 72, Firefox ESR 68.4 (Linux only) | N/A +|     If set, overrides the GTK theme for widgets. #### Windows (GPO) ``` Software\Policies\Mozilla\Firefox\Preferences\boolean_preference_name = 0x1 | 0x0 @@ -2342,7 +2443,7 @@ Software\Policies\Mozilla\Firefox\Proxy\UseProxyForDNS = 0x1 | 0x0 Proxy Mode - none | system | manual | autoDetect| autoConfig + none | system | manual | autoDetect | autoConfig Locked | HTTPProxy