The Mozilla Enterprise Policies for Firefox (and Thunderbird)

This feature is meant to help enterprise admins, who deploy Firefox as software package to computers in their organization.

Versions

Policies were first added in Firefox 60, and back then were purely optional.

In Firefox 68 some settings from autoconfig stopped working (for example the option to disable automatic updates), thus it became necessary to at least partially switch to policies.

Thunderbird started to implement policies in version 68, and at the same time also stopped respecting some of the autoconfig options.

Overview

The Enterprise Policy feature provides two new ways to configure Firefox (besides the old autoconfig aka mozilla.cfg):

• Windows Group Policy Objects (GPO)
• A config file named policies.json

Requirements:

• Firefox version 60 or later.
• Thunderbird version 68 or later.
• In Windows some policies work only if you have either Firefox ESR or domain-joined PCs.
  (It is currently unclear how Firefox detects the domain membership, and whether it must be an Active Directory domain)

Interactions:

• If autoconfig (old) and policies (new) provide conflicting settings, policies win.
• If policies are set with both GPO and a json file, they are combined, with GPO taking precedence when there are conflicts. This has changed. Before Firefox 87 the json file was ignored if any policies were set with GPO.

Howto use the admx templates (for GPO)

Firefox

1. Copy firefox.admx to C:\Windows\PolicyDefinitions
2. Copy firefox.adml to C:\Windows\PolicyDefinitions\en-US
3. Run gpedit.msc or RSAT (Remote Server Administration Tools), and open Computer Configuration, Administrative Templates, Firefox.

More Info: https://github.com/mozilla/policy-templates/.

Thunderbird

Some of the Firefox policies also work in Thunderbird.

Now the official admx-templates on https://github.com/thundernest/policy-templates have been fixed (they were just a clone of the templates for Firefox, and thus did not have an effect on Thunderbird). Now they are correct and more recent than the other ones. Do not use the inofficial templates any more from https://github.com/drlellinger/thunderbird-policies. They were announced here, and were the only working ones for quite a while.

1. Copy thunderbird.admx to C:\Windows\PolicyDefinitions
2. Copy thunderbird.adml to C:\Windows\PolicyDefinitions\en-US
3. Run gpedit.msc or RSAT (Remote Server Administration Tools), and open Computer Configuration, Administrative Templates, Thunderbird.

Alternative download of the whole repository (contains all versions and languages):
https://github.com/thundernest/policy-templates/archive/refs/heads/master.zip

You can also copy registry keys from Firefox and rename them. For example this one works:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Thunderbird]
"DisableAppUpdate"=dword:00000001

Update: The official place (see above) now seems to be fixed, and more current than the inofficial one. If so the above download links fr ADMX and ADML files are outdated.

Howto use create the json file (alternative for GPO)

The currently supported policies are listed here. New policies are added with every version, and so far all new policies are available both in the latest RR (Rapid Release), and in the latest ESR (Extended Service Release).

Multiple policies must be separated with commas. Multiple options to one policy must be placed in curly brackets, and separated with commas.

A Generator addon was published (german). More info.

The json file must be placed in a subdirectory named distribution in the program directory. In Windows the path will be something like
C:\Program Files\Mozilla Firefox\distribution\policies.json
This directory does usually not yet exist, you must create it.

Sample file:

{
 "policies": {
    "DisableAppUpdate": true,
    "DisableBuiltinPDFViewer": true,
    "DisableFirefoxAccounts": true,
    "DisableFirefoxStudies": true,
    "DisablePocket": true,
    "DisableProfileRefresh": true,
    "DisableTelemetry": true,
    "DontCheckDefaultBrowser": true,
    "EnableTrackingProtection": { "Value": true, "Locked": false },
    "Proxy": { "Mode": "none", "Locked": false },
    "SearchBar": "separate"
  }
}

Errors in the file are reported on the page "about:policies", but this feature needs at least Firefox version 63. This is the typical way how Mozilla develops new feature: publish it long before its ready.

Howto not document a feature

Mozilla has created this labyrinth:

• https://wiki.mozilla.org/Firefox/EnterprisePolicies
• https://support.mozilla.org/en-US/products/firefox-enterprise/policies-customization-enterprise/policies-overview-enterprise
• https://developer.mozilla.org/Firefox/Enterprise_deployment
• https://support.mozilla.org/products/firefox-enterprise
• https://support.mozilla.org/products/firefox-enterprise/policies-customization-enterprise
• https://support.mozilla.org/kb/customizing-firefox-using-policiesjson
• https://github.com/mozilla/policy-templates/blob/master/README.md

It seems that Github is now the official place for documentation. But even there a lot of info is missing. For example that this is supposed to replace autoconfig. And that in Windows several of these options only work if either the ESR version is used, or the PCs are members of a Windows Domain. Also how do the two methods relate to each other and to autoconfig: which one does take precedence?

Lets hope that eventually Mozilla will write some decent documentation for this new feature.

No, I'm not gonna read the source to extract infos from there.

---