
GPOFirefox – Gpo Plugin for Firefox extended

Paul (nickname Killerx) did a great job developing the GPO add-on for Firefox called GPOFirefox.
There are a couple of extensions out there that handle the interface between Firefox and the registry. In that case, that is all you need if you add some of these admx files for managing Firefox through GPO. Since Paul stopped developing the GPOFirefox add-on with version 5 of Firefox, there are some things that this add-on can’t handle.

First of all, there are some differences between this add-on and other add-ons, for example the one from Frontmotion, which isn’t really an add-on. It’s kind of built into the so-called Community Edition of Frontmotion Firefox. The Frontmotion add-on falls short when you need to change more settings than just the defaults, like the browser startup homepage or proxy settings. If you only need these few defaults, I would recommend using Frontmotion’s version instead of any other, because Frontmotion comes with a customized admx file for all default settings in Firefox. This is no longer enough when you want to change the settings of an extension, for example: Frontmotion’s admx file doesn’t support custom settings, so you can’t handle this.

Let’s explain how these GPO add-ons work.
Frontmotion offers an admx template that can be imported into your Active Directory GPO manager to change all default settings. In the background, everything is done by writing some strings to the registry. Firefox reads these values and changes them locally in your running Firefox (about:config). That’s it. So, to test these add-ons, all you need to do is open your registry editor and go to \HKLM|HKCU\software\policies\mozilla\defaultpref|pref|lockedpref (depending on the kind of GPO add-on you are using). Here comes the gap.
Frontmotion doesn’t support any values other than the default settings of Firefox. This is a really long list, but you are not able to control any setting that doesn’t belong to the default set of Firefox. Even if you set custom settings in your registry, they aren’t noticed! GPOFirefox does support these custom values, but falls short at some points as well. For example, if you want to use xmarks with your own server, you can set extensions.xmarks.useOwnServer to true.
After putting it into the registry, it looks like this:

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Policies\Mozilla\defaultpref]
"extensions.xmarks.useOwnServer"="true"

This setting only applies to your Firefox (about:config) if it already exists in your about:config list. Otherwise it is dropped, and you can spend hours checking your settings until you notice that setting values that don’t exist yet is not supported. Why is that? GPOFirefox reads all of your values without any limitation. After reading, the add-on tries to change these values in Firefox. Because Firefox has different types of variables (string, integer, boolean), it first reads the variable type (in your about:config list) in order to set the correct variable type and its value. That means that if the add-on tries to set a value that doesn’t already exist in Firefox, it can’t determine the variable type and won’t write your setting to Firefox. Pretty uncool.
After extracting Paul’s add-on, I extended it with the ability to write a setting to Firefox even if it doesn’t exist. This is done by checking whether the value exists (like before), and if it doesn’t exist, the add-on tries to detect what type the value is. If your setting extensions.xmarks.useOwnServer doesn’t exist, my code extension checks the value (in this case the value is „true“) and writes a Boolean preference to Firefox.
I stumbled across another problem, which is a bug in the add-on. If you try to set a Boolean value that is „false“, e.g. to turn off the telemetry stuff in Firefox, the add-on sets this value to true. I think this happens because the function used to create bool settings in Firefox needs a bool parameter and not a string parameter like the add-on uses. Maybe the setter function checks whether the passed parameter is Boolean by checking it like „if (parameter) { write true } else { write false }“.
In this case every string is interpreted as Boolean true, which leads to this wrong behavior!
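The type handling and the „false“ bug described above, as an added JavaScript example; this is not code from GPOFirefox. A Map stands in for the Firefox preference store, all function names are hypothetical, and the rule that digit-only strings become integers for a new preference is an assumption.

```javascript
// Added illustration, not GPOFirefox source. A Map stands in for the Firefox
// preference store; every function name here is hypothetical.

// The suspected bug: the registry string itself is used as the truth value.
function buggyToBool(raw) {
  return raw ? true : false; // "false" is a non-empty string, so this is true
}

// Parse the string explicitly; null means "not a boolean literal".
function parseBool(raw) {
  const v = String(raw).trim().toLowerCase();
  return v === "true" ? true : v === "false" ? false : null;
}

// Used only when the preference does not exist yet.
// Assumption: digit-only strings become integers, never booleans.
function inferType(raw) {
  if (parseBool(raw) !== null) return "boolean";
  return /^-?\d+$/.test(String(raw).trim()) ? "number" : "string";
}

// existingType is typeof the current pref value, or undefined for a new pref.
function coercePolicyValue(raw, existingType) {
  const type = existingType || inferType(raw);
  if (type === "boolean") {
    const b = parseBool(raw);
    if (b === null) throw new TypeError("not a boolean: " + raw);
    return b;
  }
  if (type === "number") {
    if (inferType(raw) !== "number") throw new TypeError("not an integer: " + raw);
    return parseInt(raw, 10);
  }
  return String(raw);
}

function applyPolicy(prefs, entries) {
  for (const [name, raw] of Object.entries(entries)) {
    const existing = prefs.has(name) ? typeof prefs.get(name) : undefined;
    prefs.set(name, coercePolicyValue(raw, existing));
  }
  return prefs;
}

// Constructed sample: telemetry pref already exists, the others are new.
const result = applyPolicy(new Map([["toolkit.telemetry.enabled", true]]), {
  "toolkit.telemetry.enabled": "false",
  "extensions.xmarks.useOwnServer": "true",
  "toolkit.telemetry.prompted": "2",
});
```

A value that does not match the type of an existing preference raises an error instead of being written, so a mistyped policy string cannot silently switch a setting such as telemetry back on.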

Because I don’t want to infringe any copyrights and want to respect Paul’s great work, I only publish some instructions on how to extend the add-on yourself.

First of all you need three things:
– 7-Zip
– Firefox (my version is 24)
– The gpofirefox add-on (https://add-ons.mozilla.org/de/firefox/add-on/gpo-for-firefox/)

1. Use 7-Zip to extract the XPI file
2. Go to the extracted folder and open the chrome folder
3. Use 7-Zip to extract the gpofirefox.jar
4. Delete gpofirefox.jar
5. Modify the file gpofirefox.js in <extracted-extension-folder>\chrome\gpofirefox\content\ (difference between original and modified)
6. Modify <extracted-extension-folder>\chrome.manifest (difference between original and modified)
7. Go to <extracted-extension-folder>, select „chrome“, „defaults“, „chrome.manifest“ and „install.rdf“, and use 7-Zip -> Add new archive (zip)
8. Rename the created zip file to gpofirefox@extensions.org.xpi
9. Install your add-on (or copy it to the extensions folder)

Renaming and modifying the internal add-on structure is meant to simplify the add-on for further changes.

Please leave me a comment. I’m actually thinking about creating an add-on like this with some further functionality, like the ability to write to SQLite databases (popup blocking), replace / update files in the profile and so on. Everything controlled by the registry via group policy AD things.
For testing purposes you can use a registry file like the one below.

Keep in mind that these settings are only for the CURRENT_USER. If you want to set everything machine-wide, you have to rewrite the reg file to use HKEY_LOCAL_MACHINE instead of HKEY_CURRENT_USER.


Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Policies\Mozilla]
[HKEY_CURRENT_USER\Software\Policies\Mozilla\defaultpref]
"browser.startup.homepage"="intranet"
"browser.search.suggest.enabled"="false"
"browser.shell.checkDefaultBrowser"="true"
"browser.tabs.warnOnClose"="false"
"extensions.zotero.firstRun2"="false"
"signon.rememberSignons"="false"
"startup.homepage_override_url"="intranet"
"extensions.pendingOperations"="true"
"extensions.xmarks.username"="marco"
"extensions.xmarks.sync-tabs"="true"
"extensions.xmarks.syncOnShutdown"="1"
"add-on.disable_full_page_add-on_for_types"=""

[HKEY_CURRENT_USER\Software\Policies\Mozilla\lockPref]
"datareporting.healthreport.uploadEnabled"="false"
"toolkit.telemetry.enabled"="false"
"toolkit.telemetry.prompted"="2"
"toolkit.telemetry.rejected"="true"
"privacy.donottrackheader.enabled"="true"
"extensions.update.notifyUser"="false"
"browser.search.update"="false"
"browser.rights.3.shown"="true"
"extensions.blocklist.enabled"="false"
"extensions.autoDisableScopes"="0"
"extensions.zotero.firstRunGuidanceShown.saveIcon"="true"

If you want to add your settings to a GPO, open the Group Policy Management and edit your current GPO object or create a new one. Now you have to choose whether you want to create registry entries for the user (user configuration) or the computer (computer configuration). Afterwards choose [ Settings -> Windows Settings -> Registry ]. We decided to create two subfolders, one for locked pref and one for default pref, as shown here:

GPO Firefox Registry Settings

Next step: create a new registry element on the right side. It could look like this:

GPO Firefox Registry Settings

How about an ADM/ADMX file?
– If you want to use an ADMX file, you have to create it from scratch.
– There are so many settings available in Firefox itself that it would take too long to create it.
– It’s not flexible enough, because every add-on has its own settings.
– If you add another add-on or update Firefox, you may have to extend your own ADMX file.

These are the reasons why I prefer adding everything „raw“ to the registry. To deactivate some Firefox features you have to Google once, or check the changes in the prefs.js file.

These bugs are fixed with version 0.9.3 –


19 comments

  1. Tim Koehler

    Would be awesome if you built one upon Paul’s, with the ability to support admx. Could you please write some info on how to include new reg settings, for example telemetry off? Thanks a lot

  2. Hi Tim,

    Thanks for your comment. I’ll extend this post with the information on how you can add the registry information via GPO this evening.

    Kind regards
    Marco

  3. Tim Koehler

    PERFECT Thanks a lot. I did it via adm file and never came up with the idea to do it raw, but it is much more flexible as you see. Regards

  4. I talked to Paul and it looks like I will be the second developer of GPOFirefox. So there will be updates in the future, yay :).
    Stay tuned while I dive into the plugin code and set up a documentation website and a forum for upcoming features and bugs ( :/ )

  5. Daniel

    Hello Marco,

    in the meantime I have seen that you published version 0.94; it works great. But I have one single problem: the setting browser.startup.homepage simply does not work when I let the plugin set it. As soon as I enter this setting manually in about:config, it takes effect immediately and the correct start page is loaded. If I set the setting via the plugin/GPO, the value is shown in about:config, but about:home is loaded as the start page. Any idea about this?

    Daniel

  6. Hello Daniel,

    I have observed something similar. After 1-2 browser restarts it was applied after all, though. I will have another look this evening to see whether this can be fixed.
    Thanks a lot for your feedback.
    Marco

  7. Daniel

    Hi Marco,

    thanks, I will test that again as well.

    Daniel

  8. Lukas

    Hi Marco,

    first of all, many thanks for developing the add-on further. However, on the clients here I have the problem that the local admin recognizes the add-on and also applies it, i.e. takes the corresponding registry keys over into about:config, but the domain users do not.
    When I set the settings via the .adm file, I can only set „gpofirefox“ to Enabled if I activate the option „hide […]“ at the same time, because otherwise the setting is set to Disabled. The clients pull the corresponding GPO, and the registry keys are set as well, but they are not taken over into about:config. It seems as if the clients cannot access the add-on. It cannot be a permissions problem regarding access to the edited .xpi file; domain users have the appropriate rights on the folder and on the file.
    Do you have an idea what the cause might be?

  9. Hello Lukas,
    Thanks for your comment.

    Which plugin version are you using?
    I have since had to remove the option to hide the plugin, because Mozilla’s add-on policy forbids it, so I am surprised that you have to set it for the plugin to work.

    Have you looked into the registry as a normal user to check whether you can see all the keys there? How do you set the key, as locked or not?

    I am currently in the final stages of moving house, but I will soon release a new version that offers more options for troubleshooting, so that errors of your kind can be analyzed relatively easily.

    Best regards, Marco

  10. Lukas

    Hello Marco,

    I have 0.9.4. But the problem has already been resolved. With the ESR update from FF17 to FF24, the extensions folder was changed from „…\Mozilla Firefox\extentions“ to „…\Mozilla Forefox\browser\extensions“. Settings are now recognized *thumbs up*

    Why I have to activate both in the GPMC is a mystery to me; in any case it is not „hidden“ on the client. Is there any other way to prevent the user from disabling it? And did you have another look at browser.startup.homepage? I have the same problem here as Daniel, except that here it is not changed after 1-2 browser restarts 🙁

  11. The hiding will no longer exist in this form. Mozilla forbids it, and the add-on reviewers were already wondering how it could have been waved through at all in earlier versions.

    The only way to prevent disabling is to put the plugin into the Firefox installation folder and not give the user admin rights.
    I will look at the other problem with the start page when I have Wi-Fi in the new apartment and extend the plugin. So far I have only observed the phenomenon, but not analyzed it yet.

  12. ukanoldai

    Hello,
    thanks for the extension, I’m looking to deploy and maintain Firefox in an environment of 2000 computers.
    I tried to use the .adm that is on the GPO for Firefox site but had trouble using it.

    Actually I found what was causing the issue: in your version you modified the test for the boolean to only test the string value, while most of the parameters in the .adm use numeric values for booleans.

    So I added the test to the condition on lines 61 and 102:
    if ( value == "false" || value == 0){

  13. Hey Ukanoldai,

    thank you for your comment.
    In that case, this was a thing I didn’t check before. I’ll implement it in the next version of GPOFirefox.
    One big step in the future will be to get away from the admx file, or create a new, flexible one. As we can see, there is an issue with boolean and integer variable types. For existing values your fix is perfect, but for creating new keys it won’t work, because the plugin can’t decide if the value „0“ is meant to be boolean or integer.
    Once again, thank you for your support!

    Kind regards
    Marco

  14. Daniel

    Hi Marco!

    How can I hide the GPO proxy add-on in the extensions list, so that the user does not uninstall or disable the extension and then change the proxy settings?

    I tested the preferences listed below and none of them work:
    "extensions.blocklist.enabled"="false"
    "extensions.autoDisableScopes"="0"
    "extensions.pendingOperations"="true"
    "extensions.xmarks.username"="marco"
    "extensions.xmarks.sync-tabs"="true"
    "extensions.xmarks.syncOnShutdown"="1"

    Tks!!

  15. It is not possible and not wanted (by mozilla) that you hide an extension. The early versions had this feature, but it was forbidden after some further progress.

  16. Dniel

    It’s a shame Mozilla do this 🙁

    Is there any option in „about: config“ that locks the button „network“ or „advanced“ in menu „tools/options/advanced/network“?

    Tks!

    using something like:

    I used a social engineering by changing the add-on name to something like „Adobe Reader Plugin“ to see if the mistake users.

    Great job !! Marco

    tks!

  17. Hey, no, it’s not possible.
    The only way of avoiding any deletion of the plugin is putting it into the program files directory. Normal users with admin rights can’t delete the plugin.
    Adding your proxy config as a locked pref avoids any changes, maybe via the advanced tab as well.

  18. Daniel

    Hi!

    I managed to solve my problem and lock the proxy per user profile in a simple way, without add-ons and without the Firefox administrative template (ADM).

    Simply create a VBS script that calls a WinRAR self-extractor, extracting localsettings.js and mozilla.cfg, where in mozilla.cfg I set the option „network.proxy.type“ to 5, which corresponds to „use network settings from system“.

    So what determines whether the user has access to the internet through the proxy or not is the Internet Explorer GPO, which by default already applies per user profile, and I will no longer have the problem I had before, where a user who did not have internet access gained it after a user who did have internet logged on to the machine, because „mozilla.cfg“ works for any user of the computer and not per profile.

  19. Daniel

    Hi,
    I managed to solve my problem and block the proxy per user profile in a simple way, without add-ons and without the Firefox administrative template (ADM).

    Simply create a VBS script calling a WinRAR self-extractor, extracting localsettings.js and mozilla.cfg, where mozilla.cfg has „network.proxy.type“ set to 5, which relates to „use network settings from system“.

    So what defines whether the user has access to the internet through the proxy or not is the Internet Explorer GPO, which by default already applies per user profile, and I will not have the problem I had before, where a user who did not have internet access gained access after a user who had internet logged on to the machine, as „mozilla.cfg“ works for any computer user and not per profile.
