X-Git-Url: https://git.p6c8.net/policy-templates.git/blobdiff_plain/8cb45e9bf6f5ed3c4de3f38a1d88d8942a4dcc95..9d157baef353ef8292667af13158dc0715a0a64d:/README.md?ds=sidebyside
diff --git a/README.md b/README.md
index 14c4f4d..91ce04b 100644
--- a/README.md
+++ b/README.md
@@ -11,7 +11,8 @@ Policies can be specified using the [Group Policy templates on Windows](https://
| **[`AppAutoUpdate`](#appautoupdate)** | Enable or disable automatic application update.
| **[`AppUpdateURL`](#appupdateurl)** | Change the URL for application update.
| **[`Authentication`](#authentication)** | Configure sites that support integrated authentication.
-| **[`BackgroundAppUpdate`](#backgroundappupdate)** | Enable or disable automatic application update in the background, when the application is not running.
+| **[`AutoLaunchProtocolsFromOrigins`](#autolaunchprotocolsfromorigins)** | Define a list of external protocols that can be used from listed origins without prompting the user.
+| **[`BackgroundAppUpdate`](#backgroundappupdate)** | Enable or disable the background updater (Windows only).
| **[`BlockAboutAddons`](#blockaboutaddons)** | Block access to the Add-ons Manager (about:addons).
| **[`BlockAboutConfig`](#blockaboutconfig)** | Block access to about:config.
| **[`BlockAboutProfiles`](#blockaboutprofiles)** | Block access to About Profiles (about:profiles).
@@ -101,6 +102,7 @@ Policies can be specified using the [Group Policy templates on Windows](https://
| **[`SupportMenu`](#supportmenu)** | Add a menuitem to the help menu for specifying support information.
| **[`UserMessaging`](#usermessaging)** | Don't show certain messages to the user.
| **[`WebsiteFilter`](#websitefilter)** | Block websites from being visited.
+| **[`WindowsSSO`](#windowssso)** | Allow Windows single sign-on for Microsoft, work, and school accounts.
### 3rdparty
@@ -118,7 +120,7 @@ If you have disabled updates via DisableAppUpdate, this policy has no effect.
**Compatibility:** Firefox 75, Firefox ESR 68.7\
**CCK2 Equivalent:** N/A\
-**Preferences Affected:** app.update.auto
+**Preferences Affected:** `app.update.auto`
#### Windows (GPO)
```
@@ -370,6 +372,98 @@ Value (string):
}
}
```
+### AutoLaunchProtocolsFromOrigins
+Define a list of external protocols that can be used from listed origins without prompting the user. The origin is the scheme plus the hostname.
+
+The syntax of this policy is exactly the same as the [Chrome AutoLaunchProtocolsFromOrigins policy](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=AutoLaunchProtocolsFromOrigins) except that you can only use valid origins (not just hostnames). This also means that you cannot specify an asterisk for all origins.
+
+The schema is:
+```
+{
+ "items": {
+ "properties": {
+ "allowed_origins": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "protocol": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "protocol",
+ "allowed_origins"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+}
+```
+**Compatibility:** Firefox 90, Firefox ESR 78.12\
+**CCK2 Equivalent:** N/A\
+**Preferences Affected:** N/A
+
+#### Windows (GPO)
+Software\Policies\Mozilla\Firefox\AutoLaunchProtocolsFromOrigins (REG_MULTI_SZ) =
+```
+[
+ {
+ "protocol": "zoommtg",
+ "allowed_origins": [
+ "https://somesite.zoom.us"
+ ]
+ }
+]
+```
+#### Windows (Intune)
+OMA-URI:
+```
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/AutoLaunchProtocolsFromOrigins
+```
+Value (string):
+```
+
+
+```
+#### macOS
+```
+
+ AutoLaunchProtocolsFromOrigins
+
+
+ protocol
+ zoommtg
+ allowed_origins
+
+ https://somesite.zoom.us
+
+
+
+
+```
+#### policies.json
+```
+{
+ "policies": {
+ "AutoLaunchProtocolsFromOrigins": [{
+ "protocol": "zoommtg",
+ "allowed_origins": [
+ "https://somesite.zoom.us"
+ ]
+ }]
+ }
+}
+```
### BackgroundAppUpdate
Enable or disable **automatic** application update **in the background**, when the application is not running.
@@ -378,9 +472,9 @@ If set to true, application updates may be installed (without user approval) in
If set to false, the application will not try to install updates when the application is not running.
-If you have disabled updates via `DisableAppUpdate` or disabled automatic updates via `AppUpdateAuto`, this policy has no effect.
+If you have disabled updates via `DisableAppUpdate` or disabled automatic updates via `AppAutoUpdate`, this policy has no effect.
-**Compatibility:** Firefox 90\
+**Compatibility:** Firefox 90 (Windows only)\
**CCK2 Equivalent:** N/A\
**Preferences Affected:** `app.update.background.enabled`
@@ -792,7 +886,7 @@ Configure cookie preferences.
**Compatibility:** Firefox 60, Firefox ESR 60 (RejectTracker added in Firefox 63, AllowSession added in Firefox 79/78.1)\
**CCK2 Equivalent:** N/A\
-**Preferences Affected:** `network.cookie.cookieBehavior`,`network.cookie.lifetimePolicy`
+**Preferences Affected:** `network.cookie.cookieBehavior`, `network.cookie.lifetimePolicy`
#### Windows (GPO)
```
@@ -1408,7 +1502,7 @@ Turn off saving information on web forms and the search bar.
**Compatibility:** Firefox 60, Firefox ESR 60\
**CCK2 Equivalent:** `disableFormFill`\
-**Preferences Affected:** ` browser.formfill.enable`
+**Preferences Affected:** `browser.formfill.enable`
#### Windows (GPO)
```
@@ -1659,7 +1753,7 @@ Prevent the user from bypassing security in certain cases.
**Compatibility:** Firefox 60, Firefox ESR 60\
**CCK2 Equivalent:** N/A\
-**Preferences Affected:** `security.certerror.hideAddException`,`browser.safebrowsing.allowOverride`
+**Preferences Affected:** `security.certerror.hideAddException`, `browser.safebrowsing.allowOverride`
#### Windows (GPO)
```
@@ -1751,7 +1845,7 @@ Mozilla recommends that you do not disable telemetry. Information collected thro
**Compatibility:** Firefox 60, Firefox ESR 60\
**CCK2 Equivalent:** `disableTelemetry`\
-**Preferences Affected:** `datareporting.healthreport.uploadEnabled,datareporting.policy.dataSubmissionEnabled,toolkit.telemetry.archive.enabled`
+**Preferences Affected:** `datareporting.healthreport.uploadEnabled`, `datareporting.policy.dataSubmissionEnabled`, `toolkit.telemetry.archive.enabled`
#### Windows (GPO)
```
@@ -1899,7 +1993,7 @@ Configure DNS over HTTPS.
**Compatibility:** Firefox 63, Firefox ESR 68 (ExcludedDomains added in 75/68.7)\
**CCK2 Equivalent:** N/A\
-**Preferences Affected:** `network.trr.mode`,`network.trr.uri`
+**Preferences Affected:** `network.trr.mode`, `network.trr.uri`
#### Windows (GPO)
```
@@ -2016,7 +2110,7 @@ You can use ${home} for the native home directory.
**Compatibility:** Firefox 68, Firefox ESR 68\
**CCK2 Equivalent:** N/A\
-**Preferences Affected:** `browser.download.dir`,`browser.download.folderList`
+**Preferences Affected:** `browser.download.dir`, `browser.download.folderList`
#### Windows (GPO)
```
@@ -2060,7 +2154,7 @@ You can use ${home} for the native home directory.
**Compatibility:** Firefox 68, Firefox ESR 68\
**CCK2 Equivalent:** N/A\
-**Preferences Affected:** `browser.download.dir`,`browser.download.folderList`,`browser.download.useDownloadDir`
+**Preferences Affected:** `browser.download.dir`, `browser.download.folderList`, `browser.download.useDownloadDir`
#### Windows (GPO)
```
@@ -2114,7 +2208,7 @@ If `Fingerprinting` is set to true, fingerprinting scripts on websites are block
**Compatibility:** Firefox 60, Firefox ESR 60 (Cryptomining and Fingerprinting added in 70/68.2, Exceptions added in 73/68.5)\
**CCK2 Equivalent:** N/A\
-**Preferences Affected:** `privacy.trackingprotection.enabled`,`privacy.trackingprotection.pbmode.enabled`,`privacy.trackingprotection.cryptomining.enabled`,`privacy.trackingprotection.fingerprinting.enabled`
+**Preferences Affected:** `privacy.trackingprotection.enabled`, `privacy.trackingprotection.pbmode.enabled`, `privacy.trackingprotection.cryptomining.enabled`, `privacy.trackingprotection.fingerprinting.enabled`
#### Windows (GPO)
```
@@ -2780,7 +2874,7 @@ Customize the Firefox Home page.
**Compatibility:** Firefox 68, Firefox ESR 68\
**CCK2 Equivalent:** N/A\
-**Preferences Affected:** `browser.newtabpage.activity-stream.showSearch`,`browser.newtabpage.activity-stream.feeds.topsites`,`browser.newtabpage.activity-stream.feeds.section.highlights`,`browser.newtabpage.activity-stream.feeds.section.topstories`,`browser.newtabpage.activity-stream.feeds.snippets`
+**Preferences Affected:** `browser.newtabpage.activity-stream.showSearch`, `browser.newtabpage.activity-stream.feeds.topsites`, `browser.newtabpage.activity-stream.feeds.section.highlights`, `browser.newtabpage.activity-stream.feeds.section.topstories`, `browser.newtabpage.activity-stream.feeds.snippets`
#### Windows (GPO)
```
@@ -2891,7 +2985,7 @@ With Firefox 78, an additional option as added for `Startpage`, `homepage-locked
**Compatibility:** Firefox 60, Firefox ESR 60 (StartPage was added in Firefox 60, Firefox ESR 60.4, homepage-locked added in Firefox 78)\
**CCK2 Equivalent:** `homePage`,`lockHomePage`\
-**Preferences Affected:** `browser.startup.homepage`,`browser.startup.page`
+**Preferences Affected:** `browser.startup.homepage`, `browser.startup.page`
#### Windows (GPO)
```
@@ -3196,7 +3290,7 @@ Value (string):
toplevel_name
- My managed bookmarks folder
+ My managed bookmarks folder
url
example.com
@@ -3321,7 +3415,7 @@ Enable or disable network prediction (DNS prefetching).
**Compatibility:** Firefox 67, Firefox ESR 60.7\
**CCK2 Equivalent:** N/A\
-**Preferences Affected:** `network.dns.disablePrefetch`,`network.dns.disablePrefetchFromHTTPS`
+**Preferences Affected:** `network.dns.disablePrefetch`, `network.dns.disablePrefetchFromHTTPS`
#### Windows (GPO)
```
@@ -3611,7 +3705,7 @@ Note: DisableBuiltinPDFViewer has not been deprecated. You can either continue t
**Compatibility:** Firefox 77, Firefox ESR 68.9\
**CCK2 Equivalent:** N/A\
-**Preferences Affected:** `pdfjs.diabled`,`pdfjs.enablePermissions`
+**Preferences Affected:** `pdfjs.diabled`, `pdfjs.enablePermissions`
#### Windows (GPO)
```
@@ -3644,7 +3738,7 @@ Value (string):
```
{
"policies": {
- "PSFjs": {
+ "PDFjs": {
"Enabled": true | false,
"EnablePermissions": true | false
}
@@ -3666,7 +3760,7 @@ Set permissions associated with camera, microphone, location, notifications, aut
**Compatibility:** Firefox 62, Firefox ESR 60.2 (Autoplay added in Firefox 74, Firefox ESR 68.6, Autoplay Default/Locked added in Firefox 76, Firefox ESR 68.8, VirtualReality added in Firefox 80, Firefox ESR 78.2)\
**CCK2 Equivalent:** N/A\
-**Preferences Affected:** `permissions.default.camera`,`permissions.default.microphone`,`permissions.default.geo`,`permissions.default.desktop-notification`,`media.autoplay.default`.`permissions.default.xr`
+**Preferences Affected:** `permissions.default.camera`, `permissions.default.microphone`, `permissions.default.geo`, `permissions.default.desktop-notification`, `media.autoplay.default`, `permissions.default.xr`
#### Windows (GPO)
```
@@ -4102,10 +4196,12 @@ as well as the following security preferences:
| If true, client certificates are loaded from the operating system certificate store.
| security.ssl.errorReporting.enabled | boolean | true
| If false, SSL errors cannot be sent to Mozilla.
+| security.tls.enable_0rtt_data | boolean | true
+| If false, TLS early data is turned off (Firefox 93, Firefox 91.2, Firefox 78.15).
| security.tls.hello_downgrade_check | boolean | true
| If false, the TLS 1.3 downgrade check is disabled.
| security.tls.version.enable-deprecated | boolean | false
-| If true, browser will accept TLS 1.0. and TLS 1.1 (Firefox 86, Firefox 78.8)
+| If true, browser will accept TLS 1.0. and TLS 1.1 (Firefox 86, Firefox 78.8).
| security.warn_submit_secure_to_insecure | boolean | true
| If false, no warning is shown when submitting s form from https to http.
@@ -4445,7 +4541,7 @@ To specify ports, append them to the hostnames with a colon (:).
**Compatibility:** Firefox 60, Firefox ESR 60\
**CCK2 Equivalent:** `networkProxy*`\
-**Preferences Affected:** `network.proxy.type`,`network.proxy.autoconfig_url`,`network.proxy.socks_remote_dns`,`signon.autologin.proxy`,`network.proxy.socks_version`,`network.proxy.no_proxies_on`,`network.proxy.share_proxy_settings`,`network.proxy.http`,`network.proxy.http_port`,`network.proxy.ftp`,`network.proxy.ftp_port`,`network.proxy.ssl`,`network.proxy.ssl_port`,`network.proxy.socks`,`network.proxy.socks_port`
+**Preferences Affected:** `network.proxy.type`, `network.proxy.autoconfig_url`, `network.proxy.socks_remote_dns`, `signon.autologin.proxy`, `network.proxy.socks_version`, `network.proxy.no_proxies_on`, `network.proxy.share_proxy_settings`, `network.proxy.http`, `network.proxy.http_port`, `network.proxy.ftp`, `network.proxy.ftp_port`, `network.proxy.ssl`, `network.proxy.ssl_port`, `network.proxy.socks`, `network.proxy.socks_port`
#### Windows (GPO)
```
@@ -4606,7 +4702,7 @@ Previously, these values were always locked. Starting with Firefox 74 and Firefo
**Compatibility:** Firefox 68, Firefox ESR 68 (Locked added in 74/68.6)\
**CCK2 Equivalent:** N/A\
-**Preferences Affected:** `privacy.sanitize.sanitizeOnShutdown`,`privacy.clearOnShutdown.cache`,`privacy.clearOnShutdown.cookies`,`privacy.clearOnShutdown.downloads`,`privacy.clearOnShutdown.formdata`,`privacy.clearOnShutdown.history`,`privacy.clearOnShutdown.sessions`,`privacy.clearOnShutdown.siteSettings`,`privacy.clearOnShutdown.offlineApps`
+**Preferences Affected:** `privacy.sanitize.sanitizeOnShutdown`, `privacy.clearOnShutdown.cache`, `privacy.clearOnShutdown.cookies`, `privacy.clearOnShutdown.downloads`, `privacy.clearOnShutdown.formdata`, `privacy.clearOnShutdown.history`, `privacy.clearOnShutdown.sessions`, `privacy.clearOnShutdown.siteSettings`, `privacy.clearOnShutdown.offlineApps`
#### Windows (GPO)
```
Software\Policies\Mozilla\Firefox\SanitizeOnShutdown\Cache = 0x1 | 0x0
@@ -4741,7 +4837,7 @@ Clear all data on shutdown, including Browsing & Download History, Cookies, Acti
**Compatibility:** Firefox 60, Firefox ESR 60\
**CCK2 Equivalent:** N/A\
-**Preferences Affected:** `privacy.sanitize.sanitizeOnShutdown`,`privacy.clearOnShutdown.cache`,`privacy.clearOnShutdown.cookies`,`privacy.clearOnShutdown.downloads`,`privacy.clearOnShutdown.formdata`,`privacy.clearOnShutdown.history`,`privacy.clearOnShutdown.sessions`,`privacy.clearOnShutdown.siteSettings`,`privacy.clearOnShutdown.offlineApps`
+**Preferences Affected:** `privacy.sanitize.sanitizeOnShutdown`, `privacy.clearOnShutdown.cache`, `privacy.clearOnShutdown.cookies`, `privacy.clearOnShutdown.downloads`, `privacy.clearOnShutdown.formdata`, `privacy.clearOnShutdown.history`, `privacy.clearOnShutdown.sessions`, `privacy.clearOnShutdown.siteSettings`, `privacy.clearOnShutdown.offlineApps`
#### Windows (GPO)
```
Software\Policies\Mozilla\Firefox\SanitizeOnShutdown = 0x1 | 0x0
@@ -4790,7 +4886,7 @@ OMA-URI:
Value (string):
```
-
+
```
#### macOS
```
@@ -4958,7 +5054,9 @@ Add new search engines (up to five). This policy is only available on the ESR. `
`SuggestURLTemplate` is a search suggestions URL with {searchTerms} to substitute for the search term.
-**Compatibility:** Firefox ESR 60 (POST support in Firefox ESR 68)\
+`Encoding` is the query charset for the engine. It defaults to UTF-8.
+
+**Compatibility:** Firefox ESR 60 (POST support in Firefox ESR 68, Encoding support in Firefox 91)\
**CCK2 Equivalent:** `searchplugins`\
**Preferences Affected:** N/A
@@ -5046,7 +5144,7 @@ Enable search suggestions.
**Compatibility:** Firefox 68, Firefox ESR 68\
**CCK2 Equivalent:** N/A\
-**Preferences Affected:** `browser.urlbar.suggest.searches`,`browser.search.suggest.enabled`
+**Preferences Affected:** `browser.urlbar.suggest.searches`, `browser.search.suggest.enabled`
#### Windows (GPO)
```
@@ -5299,7 +5397,7 @@ Prevent Firefox from messaging the user in certain situations.
**Compatibility:** Firefox 75, Firefox ESR 68.7\
**CCK2 Equivalent:** N/A\
-**Preferences Affected:** `browser.messaging-system.whatsNewPanel.enabled`,`browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons`,`browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features`,`browser.aboutwelcome.enabled`
+**Preferences Affected:** `browser.messaging-system.whatsNewPanel.enabled`, `browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons`, `browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features`, `browser.aboutwelcome.enabled`
#### Windows (GPO)
```
@@ -5312,11 +5410,11 @@ Software\Policies\Mozilla\Firefox\UserMessaging\SkipOnboarding = 0x1 | 0x0
#### Windows (Intune)
OMA-URI:
```
-./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/UserMessaging_WhatsNew
-./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/UserMessaging_ExtensionRecommendations
-./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/UserMessaging_FeatureRecommendations
-./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/UserMessaging_UrlbarInterventions
-./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/UserMessaging_SkipOnboarding
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~UserMessaging/UserMessaging_WhatsNew
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~UserMessaging/UserMessaging_ExtensionRecommendations
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~UserMessaging/UserMessaging_FeatureRecommendations
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~UserMessaging/UserMessaging_UrlbarInterventions
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~UserMessaging/UserMessaging_SkipOnboarding
```
Value (string):
```
@@ -5358,6 +5456,10 @@ Value (string):
Block websites from being visited. The parameters take an array of Match Patterns, as documented in https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Match_patterns.
The arrays are limited to 1000 entries each.
+If you want to block all URLs, you can use `` or `*://*/*`. You can't have just a `*` on the right side.
+
+For specific protocols, use `https://*/*` or `http://*/*`.
+
As of Firefox 83 and Firefox ESR 78.5, file URLs are supported.
**Compatibility:** Firefox 60, Firefox ESR 60\
@@ -5376,8 +5478,7 @@ OMA-URI:
```
Value (string):
```
-
-
+
```
OMA-URI:
```
@@ -5416,3 +5517,33 @@ Value (string):
}
}
```
+### WindowsSSO
+Allow Windows single sign-on for Microsoft, work, and school accounts.
+
+If this policy is set to true, Firefox will use credentials stored in Windows to sign in to Microsoft, work, and school accounts.
+
+**Compatibility:** Firefox 91\
+**CCK2 Equivalent:** N/A\
+**Preferences Affected:** `network.http.windows-sso.enabled`
+
+#### Windows (GPO)
+```
+Software\Policies\Mozilla\Firefox\WindowsSSO = 0x1 | 0x0
+```
+#### Windows (Intune)
+OMA-URI:
+```
+./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/WindowsSSO
+```
+Value (string):
+```
+ or
+```
+#### policies.json
+```
+{
+ "policies": {
+ "WindowsSSO": true | false
+ }
+}
+```