X-Git-Url: https://git.p6c8.net/policy-templates.git/blobdiff_plain/d6b123d7e0117cd2934ce4bff00f8c3f5efa61fe..97bb56283cf2030dcb8e62c3be7b53743b084ab0:/README.md diff --git a/README.md b/README.md index acf671d..b264068 100644 --- a/README.md +++ b/README.md @@ -65,6 +65,8 @@ Policies can be specified using the [Group Policy templates on Windows](https:// | **[`Homepage`](#homepage)** | Configure the default homepage and how Firefox starts. | **[`InstallAddonsPermission`](#installaddonspermission)** | Configure the default extension install policy as well as origins for extension installs are allowed. | **[`LegacyProfiles`](#legacyprofiles)** | Disable the feature enforcing a separate profile for each installation. +| **[`LegacySameSiteCookieBehaviorEnabled`](#legacysamesitecookiebehaviorenabled)** | Enable default legacy SameSite cookie behavior setting. +| **[`LegacySameSiteCookieBehaviorEnabledForDomainList`](#legacysamesitecookiebehaviorenabledfordomainlist)** | Revert to legacy SameSite behavior for cookies on specified sites. | **[`LocalFileLinks`](#localfilelinks)** | Enable linking to local files by origin. | **[`ManagedBookmarks`](#managedbookmarks)** | Configures a list of bookmarks managed by an administrator that cannot be changed by the user. | **[`ManualAppUpdateOnly`](#manualappupdateonly)** | Allow manual updates only and do not notify the user about updates.. @@ -90,10 +92,10 @@ Policies can be specified using the [Group Policy templates on Windows](https:// | **[`SanitizeOnShutdown` (Selective)](#sanitizeonshutdown-selective)** | Clear data on shutdown. | **[`SearchBar`](#searchbar)** | Set whether or not search bar is displayed. | **[`SearchEngines`](#searchengines-this-policy-is-only-available-on-the-esr)** | +| **[`SearchEngines -> Add`](#searchengines--add)** | Add new search engines. | **[`SearchEngines -> Default`](#searchengines--default)** | Set the default search engine. | **[`SearchEngines -> PreventInstalls`](#searchengines--preventinstalls)** | Prevent installing search engines from webpages. | **[`SearchEngines -> Remove`](#searchengines--remove)** | Hide built-in search engines. -| **[`SearchEngines -> Add`](#searchengines--add)** | Add new search engines. | **[`SearchSuggestEnabled`](#searchsuggestenabled)** | Enable search suggestions. | **[`SecurityDevices`](#securitydevices)** | Install PKCS #11 modules. | **[`ShowHomeButton`](#showhomebutton)** | Show the home button on the toolbar. @@ -108,86 +110,86 @@ Policies can be specified using the [Group Policy templates on Windows](https:// Allow WebExtensions to configure policy. For more information, see [Adding policy support to your extension](https://extensionworkshop.com/documentation/enterprise/adding-policy-support-to-your-extension/). -### AppAutoUpdate - -Enable or disable **automatic** application update. +### AllowedDomainsForApps -If set to true, application updates are installed without user approval within Firefox. The operating system might still require approval. +Define domains allowed to access Google Workspace. -If set to false, application updates are downloaded but the user can choose when to install the update. +This policy is based on the [Chrome policy](https://chromeenterprise.google/policies/#AllowedDomainsForApps) of the same name. -If you have disabled updates via `DisableAppUpdate`, this policy has no effect. +If this policy is enabled, users can only access Google Workspace using accounts from the specified domains. If you want to allow Gmail, you can add ```consumer_accounts``` to the list. -**Compatibility:** Firefox 75, Firefox ESR 68.7\ +**Compatibility:** Firefox 89, Firefox ESR 78.11\ **CCK2 Equivalent:** N/A\ -**Preferences Affected:** `app.update.auto` +**Preferences Affected:** N/A #### Windows (GPO) ``` -Software\Policies\Mozilla\Firefox\AppAutoUpdate = 0x1 | 0x0 +Software\Policies\Mozilla\Firefox\AllowedDomainsForApps = "managedfirefox.com,example.com" ``` #### Windows (Intune) OMA-URI: ``` -./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/AppAutoUpdate +./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/AllowedDomainsForApps ``` Value (string): ``` - or + + ``` #### macOS ``` - AppAutoUpdate - | + AllowedDomainsForApps + managedfirefox.com,example.com ``` #### policies.json ``` { "policies": { - "AppAutoUpdate": true | false + "AllowedDomainsForApps": "managedfirefox.com,example.com" } } ``` -### AllowedDomainsForApps +### AppAutoUpdate -Define domains allowed to access Google Workspace. +Enable or disable **automatic** application update. -This policy is based on the [Chrome policy](https://chromeenterprise.google/policies/#AllowedDomainsForApps) of the same name. +If set to true, application updates are installed without user approval within Firefox. The operating system might still require approval. -If this policy is enabled, users can only access Google Workspace using accounts from the specified domains. If you want to allow Gmail, you can add ```consumer_accounts``` to the list. +If set to false, application updates are downloaded but the user can choose when to install the update. -**Compatibility:** Firefox 89, Firefox ESR 78.11\ +If you have disabled updates via `DisableAppUpdate`, this policy has no effect. + +**Compatibility:** Firefox 75, Firefox ESR 68.7\ **CCK2 Equivalent:** N/A\ -**Preferences Affected:** N/A +**Preferences Affected:** `app.update.auto` #### Windows (GPO) ``` -Software\Policies\Mozilla\Firefox\AllowedDomainsForApps = "managedfirefox.com,example.com" +Software\Policies\Mozilla\Firefox\AppAutoUpdate = 0x1 | 0x0 ``` #### Windows (Intune) OMA-URI: ``` -./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/AllowedDomainsForApps +./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/AppAutoUpdate ``` Value (string): ``` - - + or ``` #### macOS ``` - AllowedDomainsForApps - managedfirefox.com,example.com + AppAutoUpdate + | ``` #### policies.json ``` { "policies": { - "AllowedDomainsForApps": "managedfirefox.com,example.com" + "AppAutoUpdate": true | false } } ``` @@ -1260,9 +1262,29 @@ Value (string): } ``` ### DisabledCiphers -Disable specific cryptographic ciphers. - -**Preferences Affected:** `security.ssl3.dhe_rsa_aes_128_sha`, `security.ssl3.dhe_rsa_aes_256_sha`, `security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256`, `security.ssl3.ecdhe_rsa_aes_128_gcm_sha256`, `security.ssl3.ecdhe_rsa_aes_128_sha`, `security.ssl3.ecdhe_rsa_aes_256_sha`, `security.ssl3.rsa_aes_128_gcm_sha256`, `security.ssl3.rsa_aes_128_sha`, `security.ssl3.rsa_aes_256_gcm_sha384`, `security.ssl3.rsa_aes_256_sha`, `security.ssl3.rsa_des_ede3_sha` +Disable specific cryptographic ciphers, listed below. + +``` +TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 +TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 +TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 +TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 +TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 +TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 +TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA +TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA +TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA +TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA +TLS_DHE_RSA_WITH_AES_128_CBC_SHA +TLS_DHE_RSA_WITH_AES_256_CBC_SHA +TLS_RSA_WITH_AES_128_GCM_SHA256 +TLS_RSA_WITH_AES_256_GCM_SHA384 +TLS_RSA_WITH_AES_128_CBC_SHA +TLS_RSA_WITH_AES_256_CBC_SHA +TLS_RSA_WITH_3DES_EDE_CBC_SHA +``` + +**Preferences Affected:** `security.ssl3.ecdhe_rsa_aes_128_gcm_sha256`, `security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256`, `security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256`, `security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256`, `security.ssl3.ecdhe_ecdsa_aes_256_gcm_sha384`, `security.ssl3.ecdhe_rsa_aes_256_gcm_sha384`, `security.ssl3.ecdhe_rsa_aes_128_sha`, `security.ssl3.ecdhe_ecdsa_aes_128_sha`, `security.ssl3.ecdhe_rsa_aes_256_sha`, `security.ssl3.ecdhe_ecdsa_aes_256_sha`, `security.ssl3.dhe_rsa_aes_128_sha`, `security.ssl3.dhe_rsa_aes_256_sha`, `security.ssl3.rsa_aes_128_gcm_sha256`, `security.ssl3.rsa_aes_256_gcm_sha384`, `security.ssl3.rsa_aes_128_sha`, `security.ssl3.rsa_aes_256_sha`, `security.ssl3.deprecated.rsa_des_ede3_sha` --- **Note:** @@ -1270,38 +1292,19 @@ Disable specific cryptographic ciphers. This policy was updated in Firefox 78 to allow enabling ciphers as well. Setting the value to true disables the cipher, setting the value to false enables the cipher. Previously setting the value to true or false disabled the cipher. --- -**Compatibility:** Firefox 76, Firefox ESR 68.8 (TLS_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_256_GCM_SHA384 were added in Firefox 78)\ +**Compatibility:** Firefox 76, Firefox ESR 68.8 (TLS_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_256_GCM_SHA384 were added in Firefox 78, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, and TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 were added in Firefox 97 and Firefox 91.6)\ **CCK2 Equivalent:** N/A\ **Preferences Affected:** N/A #### Windows (GPO) ``` -Software\Policies\Mozilla\Firefox\DisabledCiphers\TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x1 | 0x0 -Software\Policies\Mozilla\Firefox\DisabledCiphers\TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x1 | 0x0 -Software\Policies\Mozilla\Firefox\DisabledCiphers\TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0x1 | 0x0 -Software\Policies\Mozilla\Firefox\DisabledCiphers\TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0x1 | 0x0 -Software\Policies\Mozilla\Firefox\DisabledCiphers\TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0x1 | 0x0 -Software\Policies\Mozilla\Firefox\DisabledCiphers\TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0x1 | 0x0 -Software\Policies\Mozilla\Firefox\DisabledCiphers\TLS_RSA_WITH_AES_128_CBC_SHA = 0x1 | 0x0 -Software\Policies\Mozilla\Firefox\DisabledCiphers\TLS_RSA_WITH_AES_256_CBC_SHA = 0x1 | 0x0 -Software\Policies\Mozilla\Firefox\DisabledCiphers\TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x1 | 0x0 -Software\Policies\Mozilla\Firefox\DisabledCiphers\TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x1 | 0x0 -Software\Policies\Mozilla\Firefox\DisabledCiphers\TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x1 | 0x0 +Software\Policies\Mozilla\Firefox\DisabledCiphers\CIPHER_NAME = 0x1 | 0x0 ``` #### Windows (Intune) OMA-URI: ``` -./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~DisabledCiphers/DisabledCiphers_TLS_DHE_RSA_WITH_AES_128_CBC_SHA -./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~DisabledCiphers/DisabledCiphers_TLS_DHE_RSA_WITH_AES_256_CBC_SHA -./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~DisabledCiphers/DisabledCiphers_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA -./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~DisabledCiphers/DisabledCiphers_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA -./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~DisabledCiphers/DisabledCiphers_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~DisabledCiphers/DisabledCiphers_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 -./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~DisabledCiphers/DisabledCiphers_TLS_RSA_WITH_AES_128_CBC_SHA -./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~DisabledCiphers/DisabledCiphers_TLS_RSA_WITH_AES_256_CBC_SHA -./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~DisabledCiphers/DisabledCiphers_TLS_RSA_WITH_3DES_EDE_CBC_SHA -./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~DisabledCiphers/DisabledCiphers_TLS_RSA_WITH_AES_128_GCM_SHA256 -./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~DisabledCiphers/DisabledCiphers_TLS_RSA_WITH_AES_256_GCM_SHA384 +./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~DisabledCiphers/DisabledCiphers_CIPHER_NAME + ``` Value (string): ``` @@ -1312,27 +1315,7 @@ Value (string): DisabledCiphers - TLS_DHE_RSA_WITH_AES_128_CBC_SHA - | - TLS_DHE_RSA_WITH_AES_256_CBC_SHA - | - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - | - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - | - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - | - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - | - TLS_RSA_WITH_AES_128_CBC_SHA - | - TLS_RSA_WITH_AES_256_CBC_SHA - | - TLS_RSA_WITH_3DES_EDE_CBC_SHA - | - TLS_RSA_WITH_AES_128_GCM_SHA256 - | - TLS_RSA_WITH_AES_256_GCM_SHA384 + CIPHER_NAME | @@ -1342,17 +1325,7 @@ Value (string): { "policies": { "DisabledCiphers": { - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": true | false, - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": true | false, - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": true | false, - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": true | false, - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": true | false, - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": true | false, - "TLS_RSA_WITH_AES_128_CBC_SHA": true | false, - "TLS_RSA_WITH_AES_256_CBC_SHA": true | false, - "TLS_RSA_WITH_3DES_EDE_CBC_SHA": true | false, - "TLS_RSA_WITH_AES_128_GCM_SHA256": true | false, - "TLS_RSA_WITH_AES_256_GCM_SHA384": true | false + "CIPHER_NAME": true | false, } } } @@ -3211,6 +3184,85 @@ Value (string): ``` or ``` +### LegacySameSiteCookieBehaviorEnabled +Enable default legacy SameSite cookie behavior setting. + +If this policy is set to true, it reverts all cookies to legacy SameSite behavior which means that cookies that don't explicitly specify a ```SameSite``` attribute are treated as if they were ```SameSite=None```. + +**Compatibility:** Firefox 96\ +**CCK2 Equivalent:** N/A\ +**Preferences Affected:** `network.cookie.sameSite.laxByDefault` + +#### Windows (GPO) +``` +Software\Policies\Mozilla\Firefox\LegacySameSiteCookieBehaviorEnabled = = 0x1 | 0x0 +``` +#### Windows (Intune) +OMA-URI: +``` +./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/LegacySameSiteCookieBehaviorEnabled +``` +Value (string): +``` + or +``` +#### macOS +``` + + LegacySameSiteCookieBehaviorEnabled + | + +``` +#### policies.json +``` +{ + "policies": { + "LegacySameSiteCookieBehaviorEnabled": true | false +} +``` +### LegacySameSiteCookieBehaviorEnabledForDomainList +Revert to legacy SameSite behavior for cookies on specified sites. + +If this policy is set to true, cookies set for domains in this list will revert to legacy SameSite behavior which means that cookies that don't explicitly specify a ```SameSite``` attribute are treated as if they were ```SameSite=None```. + +**Compatibility:** Firefox 96\ +**CCK2 Equivalent:** N/A\ +**Preferences Affected:** `network.cookie.sameSite.laxByDefault.disabledHosts` + +#### Windows (GPO) +``` +Software\Policies\Mozilla\Firefox\LegacySameSiteCookieBehaviorEnabledForDomainList\1 = "example.org" +Software\Policies\Mozilla\Firefox\LegacySameSiteCookieBehaviorEnabledForDomainList\2 = "example.edu" +``` +#### Windows (Intune) +OMA-URI: +``` +./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/LegacySameSiteCookieBehaviorEnabledForDomainList +``` +Value (string): +``` + + +``` +#### macOS +``` + + LegacySameSiteCookieBehaviorEnabledForDomainList + + example.org + example.edu + + +``` +#### policies.json +``` +{ + "policies": { + "LegacySameSiteCookieBehaviorEnabledForDomainList": ["example.org", + "example.edu"] + } +} +``` ### LocalFileLinks Enable linking to local files by origin. @@ -4229,7 +4281,7 @@ as well as the following security preferences: | security.tls.version.enable-deprecated | boolean | false |     If true, browser will accept TLS 1.0. and TLS 1.1 (Firefox 86, Firefox 78.8). | security.warn_submit_secure_to_insecure | boolean | true -|     If false, no warning is shown when submitting s form from https to http. +|     If false, no warning is shown when submitting a form from https to http.   Using the preference as the key, set the `Value` to the corresponding preference value. @@ -4240,7 +4292,7 @@ Default preferences can be modified by the user. If a value is locked, it is also set as the default. -User preferences persist across invocations of Firefox. It is the equivalent of a user setting the preference. They are most useful when a preference is needed very early in startup so it can't be set as default by policy. +User preferences persist across invocations of Firefox. It is the equivalent of a user setting the preference. They are most useful when a preference is needed very early in startup so it can't be set as default by policy. An example of this is ```toolkit.legacyUserProfileCustomizations.stylesheets```. User preferences persist even if the policy is removed, so if you need to remove them, you should use the clear policy. @@ -4974,7 +5026,9 @@ Value (string): ### SearchEngines | Add -Add new search engines (up to five). This policy is only available on the ESR. `Name` and `URLTemplate` are required. +Add new search engines. Although there are only five engines available in the ADMX template, there is no limit. To add more in the ADMX template, you can duplicate the XML. + +This policy is only available on the ESR. `Name` and `URLTemplate` are required. `Name` is the name of the search engine. @@ -5298,7 +5352,7 @@ Software\Policies\Mozilla\Firefox\ShowHomeButton = 0x1 | 0x0 #### Windows (Intune) OMA-URI: ``` -./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/ShowHomeButton +./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Homepage/Homepage_ShowHomeButton ``` Value (string): ``` @@ -5454,7 +5508,7 @@ Prevent Firefox from messaging the user in certain situations. `ExtensionRecommendations` If false, don't recommend extensions while the user is visiting web pages. -`FeatureRecommendations` IF false, don't recommend browser features. +`FeatureRecommendations` If false, don't recommend browser features. `UrlbarInterventions` If false, Don't offer Firefox specific suggestions in the URL bar.