Closed Bug 1461730 Opened 6 years ago Closed 6 years ago

Figure out a way to enable "enterprise only" policies on Rapid Release

Categories

(Firefox :: Enterprise Policies, enhancement, P1)

60 Branch
enhancement

RESOLVED DUPLICATE of bug 1463895

People

(Reporter: mkaply, Assigned: mkaply)

Details

We have certain policies that are marked "enterprise only." We did this because policies are just registry keys on Windows and it would be really easy for adware/malware to take advantage of this to change Firefox's behavior.

When we created these policies, the goal was to have a solution to enable them on rapid release as well, but we didn't have time for Firefox 60.

As a result, these policies are ESR only on all platforms.

We should enable these policies in Mac and Linux with no restrictions and we should come up with some way to identify users for which these policies can be enabled on Windows.

On Chrome, they only enable certain policies when connected to an Active Directory server. I originally was going to do this on Firefox, but as I think about this solution more, I think it's too specialized, especially in a world where more and more workers are remote and not necessarily connected to AD. I know of one large company that uses Local GPO and even Microsoft provides tools for managing LGPO when you aren't connected to AD - https://www.microsoft.com/en-us/download/details.aspx?id=55319.

So this bug is about trying to come up with a good solution ASAP. This is a Windows only solution since that's where the hijacking problem exists.

Again, these are rapid release only. ESR will not change.

My first thoughts are:

1. Only allow policies if connected to an Active Directory server (same as Chrome).

2. Only allow policies for machines that are marked as Professional or Enterprise based on:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EditionID

3. Only allow policies that are in HKEY_LOCAL_MACHINE.

I'd love some other ideas from folks.

I'd like to have a very constructive discussion about this. Anything off topic or not constructive will be hidden.
See Also: → 1461586
Summary: Figure out a way to enable "enterprise only" policies on Raid Release → Figure out a way to enable "enterprise only" policies on Rapid Release
Being in charge of network-wide GPOs for over 3500 clients, here are my 2 cents on this topic:

First, let's get the ones out of the way where the "this is for security reasons" argument simply does not apply:
- DisableTelemetry (ESR only)
- SearchBar (ESR only)

There needs to be a way to turn telemetry off, period. Especially with all the GDPR stuff going around recently. I get why Mozilla wants this turned on, but no matter how anonymized the data is, it is my data, not yours.
And whether the search bar is displayed alongside the URL field or integrated into it seems more like an optical preference than a security concern.

------

For the remaining options:

Determining which Windows SKU is running will probably bite you in the ass. I'm not 100% certain but I believe they might be localized. You really don't want to maintain a list for that, especially with Microsoft introducing new product names with every new major update.

Applying only HKLM policies is a possible way to go. Other software does that too. But for this route I'd advise to just kill off (even in ESR) the options that would only be available through the HKLM keys in RR.
There is no real need to maintain all policies in both HKCU and HKLM. Personally I'd prefer them to be available in both but if you decide that some policies will only work in ESR it will save a lot of people a lot of headaches if the policy templates are very clear on what is available regardless of the version of Firefox.
I personally would like the idea of options 1 and 3 being allowed. Allow computer and/or user policy if joined to a domain, only allow computer policy if not. 
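The following PowerShell script is an added example, not code from this bug or from Mozilla. It audits where Firefox policy values are stored on a Windows machine and shows how each of the three gating rules proposed above (Active Directory membership, Windows EditionID, HKLM-only) would treat every value found, flagging values that exist only in HKCU, since those are writable without admin rights and are the place a hijacker would use. It assumes the policy key path SOFTWARE\Policies\Mozilla\Firefox (the key used by the Firefox policy templates) and matches option 2's "Professional or Enterprise" by EditionID prefix; both are assumptions and are marked in the code.

```powershell
# Added example, not code from this bug or from Mozilla. Audits where Firefox
# policy values are stored and shows how the three proposed gating rules would
# treat each one. Assumption: policies live under SOFTWARE\Policies\Mozilla\Firefox
# in HKLM and HKCU (the key used by the Firefox policy templates).
$PolicyRelativePath = 'SOFTWARE\Policies\Mozilla\Firefox'

function Get-FirefoxPolicyValues {
    param([Parameter(Mandatory)][ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $root = "${Hive}:\$PolicyRelativePath"
    if (-not (Test-Path -Path $root)) { return }
    # The root key plus every subkey (e.g. Homepage, Bookmarks\1)
    $keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse)
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key.PSPath
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider bookkeeping properties PowerShell adds
            if ($p.Name -in @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')) { continue }
            [pscustomobject]@{
                Hive        = $Hive
                # Key path without the hive prefix, so HKLM and HKCU entries compare
                RelativeKey = $key.Name.Substring($key.Name.IndexOf('\') + 1)
                Name        = $p.Name
                Value       = $p.Value
            }
        }
    }
}

function Get-MachineContext {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $nt = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        PartOfDomain = [bool]$cs.PartOfDomain   # rule 1: Active Directory membership
        Domain       = $cs.Domain
        EditionID    = [string]$nt.EditionID    # rule 2: Windows SKU
    }
}

function Get-FirefoxPolicyAudit {
    $ctx  = Get-MachineContext
    $hklm = @(Get-FirefoxPolicyValues -Hive HKLM)
    $hkcu = @(Get-FirefoxPolicyValues -Hive HKCU)
    # Assumption: option 2's "Professional or Enterprise" is matched by these
    # EditionID prefixes; as the thread notes, such a list is fragile.
    $businessSku = ($ctx.EditionID -like 'Professional*') -or ($ctx.EditionID -like 'Enterprise*')
    $machineScoped = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($e in $hklm) { [void]$machineScoped.Add("$($e.RelativeKey)\$($e.Name)") }

    foreach ($e in ($hklm + $hkcu)) {
        $id = "$($e.RelativeKey)\$($e.Name)"
        [pscustomobject]@{
            Hive                  = $e.Hive
            Key                   = $e.RelativeKey
            Name                  = $e.Name
            Value                 = $e.Value
            # Present only in the user hive: writable without admin rights, so
            # the first thing to review on a machine that is not centrally managed
            UserScopeOnly         = ($e.Hive -eq 'HKCU') -and -not $machineScoped.Contains($id)
            # Rule 1 (Chrome-style): honoured only when the machine is domain-joined
            AllowedIfDomainJoined = $ctx.PartOfDomain
            # Rule 2: honoured only on Professional/Enterprise SKUs
            AllowedByEditionID    = $businessSku
            # Rule 3: honoured only when set in HKLM
            AllowedIfHklmOnly     = ($e.Hive -eq 'HKLM')
        }
    }
}

# Usage: reading both hives needs no elevation; sort UserScopeOnly first to review
Get-FirefoxPolicyAudit | Sort-Object UserScopeOnly -Descending | Format-Table -AutoSize
```

On a domain-joined machine every row shows AllowedIfDomainJoined as true regardless of hive, which is the weakness of rule 1 for Local GPO users mentioned above; rule 3 is the only one of the three whose answer depends on where the value was written rather than on what kind of machine it is.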

There are plenty of machines that are Professional or Educational editions that should be treated like typical home machines--watch out, Windows 10 has an Education edition also which is basically almost exactly like the Enterprise edition. People who purchased Windows 10 via our University get the Windows 10 Education edition. Of course, there are probably a lot of Enterprise edition ones that are pirated that are home machines also.

Tools to fix browser hijacking will quickly adapt to searching these new policy keys for Firefox.
Priority: -- → P1
We're going with the machine method for now. I'm still investigating the Active Directory piece.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE