X-Git-Url: https://git.p6c8.net/policy-templates.git/blobdiff_plain/cee2d8c33d058d8a72fe5b06d04ad3970e2bc402..10994ad4dd35d60d01114e0db206de01dfc6a320:/README.md diff --git a/README.md b/README.md index b9de695..e0af1d4 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,24 @@ **You should use the [officially released versions](https://github.com/mozilla/policy-templates/releases) if you are deploying changes.** -Policies can be specified using the [Group Policy templates on Windows](https://github.com/mozilla/policy-templates/tree/master/windows), [Intune on Windows](https://support.mozilla.org/kb/managing-firefox-intune), [configuration profiles on macOS](https://github.com/mozilla/policy-templates/tree/master/mac), or by creating a file called `policies.json`. On Windows, create a directory called `distribution` where the EXE is located and place the file there. On Mac, the file goes into `Firefox.app/Contents/Resources/distribution`. On Linux, the file goes into `firefox/distribution`, where `firefox` is the installation directory for firefox, which varies by distribution or you can specify system-wide policy by placing the file in `/etc/firefox/policies`. +Official policy documentation has been moved to https://mozilla.github.io/policy-templates/. + +I'm maintaining things in the README.md until we can update links in Firefox. + +Firefox policies can be specified using the [Group Policy templates on Windows](https://github.com/mozilla/policy-templates/tree/master/windows), [Intune on Windows](https://support.mozilla.org/kb/managing-firefox-intune), [configuration profiles on macOS](https://github.com/mozilla/policy-templates/tree/master/mac), or by creating a file called `policies.json`. On Windows, create a directory called `distribution` where the EXE is located and place the file there. On Mac, the file goes into `Firefox.app/Contents/Resources/distribution`. On Linux, the file goes into `firefox/distribution`, where `firefox` is the installation directory for firefox, which varies by distribution or you can specify system-wide policy by placing the file in `/etc/firefox/policies`. + +Unfortunately, JSON files do not support comments, but you can add extra entries to the JSON to use as comments. 
You will see an error in about:policies, but the policies will still work properly. For example: + +``` +{ + "policies": { + "Authentication": { + "SPNEGO": ["mydomain.com", "https://myotherdomain.com"] + } + "Authentication_Comment": "These domains are required for us" + } +} +``` | Policy Name | Description | --- | --- | @@ -23,6 +40,7 @@ Policies can be specified using the [Group Policy templates on Windows](https:// | **[`Certificates`](#certificates)** | | **[`Certificates -> ImportEnterpriseRoots`](#certificates--importenterpriseroots)** | Trust certificates that have been added to the operating system certificate store by a user or administrator. | **[`Certificates -> Install`](#certificates--install)** | Install certificates into the Firefox certificate store. +| **[`Containers`](#containers)** | Set policies related to [containers](https://addons.mozilla.org/firefox/addon/multi-account-containers/). | **[`Cookies`](#cookies)** | Configure cookie preferences. | **[`DefaultDownloadDirectory`](#defaultdownloaddirectory)** | Set the default download directory. | **[`DisableAppUpdate`](#disableappupdate)** | Turn off application updates. 
@@ -47,6 +65,7 @@ Policies can be specified using the [Group Policy templates on Windows](https:// | **[`DisableSetDesktopBackground`](#disablesetdesktopbackground)** | Remove the "Set As Desktop Background..." menuitem when right clicking on an image. | **[`DisableSystemAddonUpdate`](#disablesystemaddonupdate)** | Prevent system add-ons from being installed or updated. | **[`DisableTelemetry`](#disabletelemetry)** | DisableTelemetry +| **[`DisableThirdPartyModuleBlocking`](#disablethirdpartymoduleblocking)** | Do not allow blocking third-party modules. | **[`DisplayBookmarksToolbar`](#displaybookmarkstoolbar)** | Set the initial state of the bookmarks toolbar. | **[`DisplayBookmarksToolbar (Deprecated)`](#displaybookmarkstoolbar-deprecated)** | Set the initial state of the bookmarks toolbar. | **[`DisplayMenuBar`](#displaymenubar)** | Set the state of the menubar. @@ -62,7 +81,6 @@ Policies can be specified using the [Group Policy templates on Windows](https:// | **[`ExtensionSettings`](#extensionsettings)** | Manage all aspects of extensions. | **[`ExtensionUpdate`](#extensionupdate)** | Control extension updates. | **[`FirefoxHome`](#firefoxhome)** | Customize the Firefox Home page. -| **[`FlashPlugin (Deprecated)`](#flashplugin-deprecated)** | Configure the default Flash plugin policy as well as origins for which Flash is allowed. | **[`GoToIntranetSiteForSingleWordEntryInAddressBar`](#gotointranetsiteforsinglewordentryinaddressbar)** | Force direct intranet site navigation instead of searching when typing single word entries in the address bar. | **[`Handlers`](#handlers)** | Configure default application handlers. | **[`HardwareAcceleration`](#hardwareacceleration)** | Control hardware acceleration. 
@@ -986,6 +1004,91 @@ Value (string): } } ``` +### Containers +Set policies related to [containers](https://addons.mozilla.org/firefox/addon/multi-account-containers/). + +Currently you can set the initial set of containers. + +For each container, you can specify the name, icon, and color. + +| Name | Description | +| --- | --- | +| `name`| Name of container +| `icon` | Can be `fingerprint`, `briefcase`, `dollar`, `cart`, `vacation`, `gift`, `food`, `fruit`, `pet`, `tree`, `chill`, `circle`, `fence` +| `color` | Can be `blue`, `turquoise`, `green`, `yellow`, `orange`, `red`, `pink`, `purple`, `toolbar` + +**Compatibility:** Firefox 113\ +**CCK2 Equivalent:** N/A\ +**Preferences Affected:** N/A + +#### Windows (GPO) +Software\Policies\Mozilla\Firefox\Containers (REG_MULTI_SZ) = +``` +{ + "Default": [ + { + "name": "My container", + "icon": "pet", + "color": "turquoise" + } + ] +} +``` +#### Windows (Intune) +OMA-URI: +``` +./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/Containers +``` +Value (string): +``` + + +``` +#### macOS +``` + + Default + + Containers + + + name + My container + icon + pet + color + turquoise + + + + +``` +#### policies.json +``` +{ + "policies": { + "Containers": { + "Default": [ + { + "name": "My container", + "icon": "pet", + "color": "turquoise" + } + ] + } + } +} +``` ### Cookies Configure cookie preferences. @@ -1000,7 +1103,7 @@ Configure cookie preferences. `BehaviorPrivateBrowsing` sets the default behavior for cookies in private browsing based on the values below. | Value | Description -| --- | --- +| --- | --- | | accept | Accept all cookies | reject-foreign | Reject third party cookies | reject | Reject all cookies 
@@ -2052,6 +2155,28 @@ Value (string): } } ``` +### DisableThirdPartyModuleBlocking +Do not allow blocking third-party modules from the `about:third-party` page. + +This policy only works on Windows through GPO (not policies.json). + +**Compatibility:** Firefox 110 (Windows only, GPO only)\ +**CCK2 Equivalent:** N/A\ +**Preferences Affected:** N/A + +#### Windows (GPO) +``` +Software\Policies\Mozilla\Firefox\DisableThirdPartyModuleBlocking = = 0x1 | 0x0 +``` +#### Windows (Intune) +OMA-URI: +``` +./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/DisableThirdPartyModuleBlocking +``` +Value (string): +``` + or +``` ### DisplayBookmarksToolbar Set the initial state of the bookmarks toolbar. A user can still change how it is displayed. @@ -2379,6 +2504,8 @@ If `Cryptomining` is set to true, cryptomining scripts on websites are blocked. If `Fingerprinting` is set to true, fingerprinting scripts on websites are blocked. +If `EmailTracking` is set to true, hidden email tracking pixels and scripts on websites are blocked. (Firefox 112) + `Exceptions` are origins for which tracking protection is not enabled. **Compatibility:** Firefox 60, Firefox ESR 60 (Cryptomining and Fingerprinting added in 70/68.2, Exceptions added in 73/68.5)\ 
@@ -2920,87 +3047,6 @@ Value (string): } } ``` -### FlashPlugin (Deprecated) -Configure the default Flash plugin policy as well as origins for which Flash is allowed. - -`Allow` is a list of origins where Flash are allowed. - -`Block` is a list of origins where Flash is not allowed. - -`Default` determines whether or not Flash is allowed by default. - -`Locked` prevents the user from changing Flash preferences. - -**Compatibility:** Firefox 60, Firefox ESR 60\ -**CCK2 Equivalent:** `permissions.plugin`\ -**Preferences Affected:** `plugin.state.flash` - -#### Windows (GPO) -``` -Software\Policies\Mozilla\Firefox\FlashPlugin\Allow\1 = "https://example.org" -Software\Policies\Mozilla\Firefox\FlashPlugin\Block\1 = "https://example.edu" -Software\Policies\Mozilla\Firefox\FlashPlugin\Default = 0x1 | 0x0 -Software\Policies\Mozilla\Firefox\FlashPlugin\Locked = 0x1 | 0x0 -``` -#### Windows (Intune) -OMA-URI: -``` -./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Flash/FlashPlugin_Allow -``` -Value (string): -``` - - -``` -OMA-URI: -``` -./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Flash/FlashPlugin_Locked -``` -Value (string): -``` - or -``` -OMA-URI: -``` -./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Flash/FlashPlugin_Default -``` -Value (string): -``` - or -``` -#### macOS -``` - - FlashPlugin - - Allow - - http://example.org - - Block - - http://example.edu - - Default - | - Locked - | - - -``` -#### policies.json -``` -{ - "policies": { - "FlashPlugin": { - "Allow": ["http://example.org/"], - "Block": ["http://example.edu/"], - "Default": true | false, - "Locked": true | false - } - } -} -``` ### GoToIntranetSiteForSingleWordEntryInAddressBar Whether to always go through the DNS server before sending a single word search string to a search engine. 
@@ -4557,22 +4603,30 @@ spellchecker. (Firefox 84, Firefox ESR 78.6) toolkit.legacyUserProfileCustomizations.stylesheets (Firefox 95, Firefox ESR 91.4) ui. widget. +xpinstall.signatures.required (Firefox ESR 102.10, Firefox ESR only) ``` as well as the following security preferences: + | Preference | Type | Default -| --- | --- | --- +| --- | --- | --- | | security.default_personal_cert | string | Ask Every Time |     If set to Select Automatically, Firefox automatically chooses the default personal certificate. | security.insecure_connection_text.enabled | bool | false |     If set to true, adds the words "Not Secure" for insecure sites. | security.insecure_connection_text.pbmode.enabled | bool | false |     If set to true, adds the words "Not Secure" for insecure sites in private browsing. -| security.insecure_field_warning.contextual.enabled | bool | true -|     If set to false, remove the warning for inscure login fields. | security.mixed_content.block_active_content | boolean | true |     If false, mixed active content (HTTP and HTTPS) is not blocked. | security.osclientcerts.autoload | boolean | false |     If true, client certificates are loaded from the operating system certificate store. +| security.OCSP.enabled | integer | 1 +|     If 0, do not fetch OCSP. If 1, fetch OCSP for DV and EV certificates. If 2, fetch OCSP only for EV certificates +| security.OCSP.require | boolean | false +|      If true, if an OCSP request times out, the connection fails. +| security.osclientcerts.assume_rsa_pss_support | boolean | true +|      If false, we don't assume an RSA key can do RSA-PSS (Firefox 114, Firefox ESR 102.12). +| security.ssl.enable_ocsp_stapling | boolean | true +|      If false, OCSP stapling is not enabled. | security.ssl.errorReporting.enabled | boolean | true |     If false, SSL errors cannot be sent to Mozilla. | security.tls.enable_0rtt_data | boolean | true 
@@ -4583,7 +4637,6 @@ as well as the following security preferences: |     If true, browser will accept TLS 1.0. and TLS 1.1 (Firefox 86, Firefox 78.8). | security.warn_submit_secure_to_insecure | boolean | true |     If false, no warning is shown when submitting a form from https to http. -  Using the preference as the key, set the `Value` to the corresponding preference value. @@ -4707,7 +4760,7 @@ Set and lock certain preferences. **Preferences Affected:** See below | Preference | Type | Compatibility | Default -| --- | --- | --- | --- +| --- | --- | --- | --- | | accessibility.force_disabled | integer | Firefox 70, Firefox ESR 68.2 | 0 |     If set to 1, platform accessibility is disabled. | app.update.auto (Deprecated - Switch to AppAutoUpdate policy) | boolean | Firefox 68, Firefox ESR 68 | true @@ -4810,6 +4863,7 @@ disabled |     If false, the Alt key doesn't show the menubar on Windows. | widget.content.gtk-theme-override | string | Firefox 72, Firefox ESR 68.4 (Linux only) | N/A |     If set, overrides the GTK theme for widgets. + #### Windows (GPO) ``` Software\Policies\Mozilla\Firefox\Preferences\boolean_preference_name = 0x1 | 0x0 
@@ -4980,8 +5034,98 @@ Software\Policies\Mozilla\Firefox\Proxy\AutoLogin = 0x1 | 0x0 Software\Policies\Mozilla\Firefox\Proxy\UseProxyForDNS = 0x1 | 0x0 ``` #### Windows (Intune) +**Note** +These setttings were moved to a category to make them easier to configure via Intune. + +OMA-URI: +``` +./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~ProxySettings/Proxy_Locked +``` +Value (string): +``` + or +``` +OMA-URI: +``` +./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~ProxySettings/Proxy_ConnectionType +``` +Value (string): +``` + + +``` +OMA-URI: +``` +./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~ProxySettings/Proxy_HTTPProxy +``` +Value (string): +``` + + +``` +OMA-URI: +``` +./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~ProxySettings/Proxy_UseHTTPProxyForAllProtocols +``` +Value (string): +``` + or +``` +OMA-URI: +``` +./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~ProxySettings/Proxy_SSLProxy +``` +Value (string): +``` + + +``` +OMA-URI: +``` +./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~ProxySettings/Proxy_SOCKSProxy +``` +Value (string): +``` + + + +``` +OMA-URI: +``` +./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~ProxySettings/Proxy_AutoConfigURL +``` +Value (string): +``` + + +``` +OMA-URI: +``` +./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~ProxySettings/Proxy_Passthrough +``` +Value (string): +``` + + +``` OMA-URI: ``` +./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~ProxySettings/Proxy_AutoLogin +``` +Value (string): +``` + or +``` +OMA-URI: +``` +./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~ProxySettings/Proxy_UseProxyForDNS +``` +Value (string): +``` + or +``` +OMA-URI (Old way): +``` ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/Proxy ``` Value (string): @@ -4989,11 +5133,11 @@ Value (string): - + - - - + + + 
@@ -5599,6 +5743,68 @@ Value (string): ``` ### SecurityDevices +Add or delete PKCS #11 modules. + +**Compatibility:** Firefox 114, Firefox ESR 112.12\ +**CCK2 Equivalent:** N/A\ +**Preferences Affected:** N/A + +#### Windows (GPO) +``` +Software\Policies\Mozilla\Firefox\SecurityDevices\Add\NAME_OF_DEVICE_TO_ADD = PATH_TO_LIBRARY_FOR_DEVICE +Software\Policies\Mozilla\Firefox\SecurityDevices\Remove\1 = NAME_OF_DEVICE_TO_REMOVE +``` +#### Windows (Intune) +OMA-URI: +``` +./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/SecurityDevices/SecurityDevices_Add +``` +Value (string): +``` + + +``` +OMA-URI: +``` +./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/SecurityDevices/SecurityDevices_Delete +``` +Value (string): +``` + + +``` +#### macOS +``` + + SecurityDevices + + Add + + NAME_OF_DEVICE_TO_ADD + PATH_TO_LIBRARY_FOR_DEVICE + + Delete + + NAME_OF_DEVICE_TO_DELETE + + + +``` +#### policies.json +``` +{ + "policies": { + "SecurityDevices": { + "Add": { + "NAME_OF_DEVICE_TO_ADD": "PATH_TO_LIBRARY_FOR_DEVICE" + }, + "Delete": ["NAME_OF_DEVICE_TO_DELETE"] + } + } +} +``` +### SecurityDevices (Deprecated) + Install PKCS #11 modules. **Compatibility:** Firefox 64, Firefox ESR 60.4\ @@ -5629,7 +5835,6 @@ Value (string): ``` - #### policies.json ``` { @@ -5854,6 +6059,8 @@ Prevent Firefox from messaging the user in certain situations. `MoreFromMozilla` If false, don't show the "More from Mozilla" section in Preferences. (Firefox 98) +`Locked` prevents the user from changing user messaging preferences. + **Compatibility:** Firefox 75, Firefox ESR 68.7\ **CCK2 Equivalent:** N/A\ **Preferences Affected:** `browser.messaging-system.whatsNewPanel.enabled`, `browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons`, `browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features`, `browser.aboutwelcome.enabled`, `browser.preferences.moreFromMozilla` 
@@ -5866,6 +6073,7 @@ Software\Policies\Mozilla\Firefox\UserMessaging\FeatureRecommendations = 0x1 | 0 Software\Policies\Mozilla\Firefox\UserMessaging\UrlbarInterventions = 0x1 | 0x0 Software\Policies\Mozilla\Firefox\UserMessaging\SkipOnboarding = 0x1 | 0x0 Software\Policies\Mozilla\Firefox\UserMessaging\MoreFromMozilla = 0x1 | 0x0 +Software\Policies\Mozilla\Firefox\UserMessaging\Locked = 0x1 | 0x0 ``` #### Windows (Intune) OMA-URI: @@ -5876,6 +6084,7 @@ OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~UserMessaging/UserMessaging_UrlbarInterventions ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~UserMessaging/UserMessaging_SkipOnboarding ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~UserMessaging/UserMessaging_MoreFromMozilla +./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~UserMessaging/UserMessaging_Locked ``` Value (string): ``` @@ -5898,6 +6107,8 @@ Value (string): | MoreFromMozilla | + Locked + | ``` @@ -5911,7 +6122,8 @@ Value (string): "FeatureRecommendations": true | false, "UrlbarInterventions": true | false, "SkipOnboarding": true | false, - "MoreFromMozilla": true | false + "MoreFromMozilla": true | false, + "Locked": true | false } } } @@ -6046,3 +6258,4 @@ Value (string): } } ``` +
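Review bot: The `policies.json` comment example added in the README intro hunk (`@@ -2,7 +2,24 @@`) is not valid JSON: there is no comma between the closing `}` of `"Authentication"` and the `"Authentication_Comment"` entry. Add the comma after that `}` so the sample parses. As written, anyone who copies it gets a file that fails to parse, not the harmless about:policies error the paragraph describes.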
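Review bot: In the `### Containers` hunk (`@@ -986,6 +1004,91 @@`), the macOS example lists the `Default` key before `Containers`, the reverse of the nesting in the policies.json example of the same hunk, where `Containers` holds `Default`. Please make the plist key order match the JSON structure so both examples describe the same policy shape.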
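Review bot: The GPO line in the `### DisableThirdPartyModuleBlocking` hunk (`@@ -2052,6 +2155,28 @@`) has a doubled equals sign: `DisableThirdPartyModuleBlocking = = 0x1 | 0x0`. Every other GPO example in this README uses a single `=`, so drop the extra one. The section also states the policy works through GPO only, yet includes a Windows (Intune) block; a sentence saying whether Intune counts as GPO here would remove the ambiguity.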
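Review bot: The `EmailTracking` sentence added in hunk `@@ -2379,6 +2504,8 @@` puts its version inline as `(Firefox 112)`, but the Compatibility line just below still lists only Cryptomining, Fingerprinting and Exceptions. Add EmailTracking to that parenthetical as well, since that is where the other sub-options record the release that introduced them.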
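Review bot: The rows added to the security preferences table in hunk `@@ -4557,22 +4603,30 @@` break the table's alphabetical order: `security.OCSP.enabled`, `security.OCSP.require` and `security.osclientcerts.assume_rsa_pss_support` are inserted after `security.osclientcerts.autoload`. Move the two OCSP rows ahead of the `osclientcerts` rows and put `assume_rsa_pss_support` before `autoload`. The `security.OCSP.enabled` description is also missing its final period.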
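Review bot: `setttings` in the note added under `#### Windows (Intune)` in the Proxy hunk (`@@ -4980,8 +5034,98 @@`) is misspelled and should read `settings`. The `OMA-URI (Old way)` label would also be clearer if it said whether the single `Firefox~Policy~firefox/Proxy` URI is still honoured alongside the new `ProxySettings` entries or is deprecated.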
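Review bot: The new `### SecurityDevices` section (hunk `@@ -5599,6 +5743,68 @@`) names the removal list inconsistently: the GPO example uses `SecurityDevices\Remove\1` while the Intune URI ends in `SecurityDevices_Delete` and the macOS and policies.json examples use `Delete`. Pick the key the policy actually reads and use it in all four examples. Two further points in the same hunk: the Compatibility line says `Firefox ESR 112.12`, whereas the `security.osclientcerts.assume_rsa_pss_support` row in this patch pairs Firefox 114 with ESR 102.12, so this looks like a typo; and the Intune URIs use `Firefox~Policy~firefox/SecurityDevices/...` where the other categories in this patch use the `Firefox~Policy~firefox~Category/...` form.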
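Review bot: The `Locked` description added in the UserMessaging hunk (`@@ -5854,6 +6059,8 @@`) gives no Firefox version, while the `MoreFromMozilla` line directly above it carries `(Firefox 98)` and the Compatibility line still reads Firefox 75, Firefox ESR 68.7. State the release that introduced `Locked` so administrators on older ESR builds know the key is not yet recognized there.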