Closed Bug 1560808 Opened 4 months ago Closed 26 days ago

Don't activate enterprise policies if there are no valid policies

Categories

(Firefox :: Enterprise Policies, enhancement, P3)

69 Branch
enhancement

Tracking

()

RESOLVED FIXED
Firefox 71
Tracking Status
firefox71 --- fixed

People

(Reporter: streetwolf, Assigned: mkaply)

References

(Blocks 1 open bug)

Details

Attachments

(2 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0

Steps to reproduce:

Go to about:support.

Look at the Enterprise Policies under Application Basics.

Actual results:

Enterprise Policies says Active.

Expected results:

Should say inactive as I am using the normal Nightly version of Fx not the Enterprise version.

Clicking on the Active link under Active it displays 'The Enterprise Policies service is active but there are no policies enabled.'

In addition I have a bunch of policies listed under Documentation.

Under Errors I get Unknown policy: -DisableAppUpdate

AFAIK Enterprise Policies should be Inactive. How do I get it to be inactive?

Component: Untriaged → Enterprise Policies

Perhaps the question is why do I have the ability to create Policies on non-Enterprise Fx and others do not?

It sounds like something in your system thinks policies are enabled.

Do you have a policies.json file in the distribution directory where Firefox is installed?

Summary: Enterprise Policies → Enterprise Policies are marked as active in nightly

And to be clear:

Should say inactive as I am using the normal Nightly version of Fx not the Enterprise version.

There is no enterprise version. policies are in all versions.

Flags: needinfo?(garyshap)

I have no distribution folder in the Fx directory. I've asked other folks over at Mozillazine if they have Policies marked as active and they all said no. They are also on Nightly. If as you said it is not related to whether you have an Enterprise version of Fx or not then why are policies active for me and not others? At this point I'm just curious.

Flags: needinfo?(garyshap)

Can you check your windows registry using regedit?

Software\Policies\Mozilla\Firefox

in both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE

Thanks!

Flags: needinfo?(garyshap)

I'm currently away from my Windows machine. I'll have access to it on Thursday, I'll check the reg entry and report back here.

Flags: needinfo?(garyshap)

Only one of the two keys had anything Firefox related:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox]
"-DisableAppUpdate"=dword:00000001

This enables app updates because of the '-' in front of the key name. I have yet to find anything that would turn on policies either in the Registry or in a Fx file.

Did you add the -DisableAppUpdate policy manually).

The reason policies are active is because you have a policy (even though it is an invalid policy).

So this is working as expected.

I've been considering making policies inactive if there are no vald policies at all. Maybe we should do that.

I guess I must have added the key name myself at some point when I was investigating the problem. I probably put the minus sign in front of the name to basically disable it. I just deleted the key and still have automatic updates enabled in Options and the key in the Registry doesn't exist at all. Also I have no more policies that are in error. But I still have policies active. You stated this was not unique to enterprise additions of Fx. But again this begs the question why other folks on Nightly I spoke with say their policies are inactive. Also if it isn't unique to enterprise editions why use the name enterprise to label the policies?

You have to remove the entire Firefox subtree for us to show as inactive.

If we see a Firefox in the policies tree in the registry, we activate policies.

The word enterprise is used because the policies are intended for enterprises.

I removed the entire Fx subtree and Policies now show as inactive. I guess I added the DisableAppUpdate key myself at some point which made policies active. I guess this bug report can be closed unless you see other problems that need fixing.

The priority flag is not set for this bug.
:mkaply, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(mozilla)
Type: defect → enhancement
Flags: needinfo?(mozilla)
Priority: -- → P3
Summary: Enterprise Policies are marked as active in nightly → Don't activate enterprise policies if there are no valid policies

Some AVs apparently leave policy registry keys behind when uninstalled.

Note: Uninstalling avast removes the policy only, but the key will be left in Registry and notice will still be shown in Firefox browser, it is mandatory to remove Mozilla registry key we mentioned above to see the message go away.

https://techdows.com/2019/06/fix-firefox-says-your-browser-is-being-managed-by-your-organization.html

If there is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\ then about:policies shows the message:

The Enterprise Policies service is active but there are no policies enabled.

But if there is an empty Certificates key, then the list is completely empty with no explanation.

If there are no policies active then the notification in about:preferences, linking to an empty about:policies, is very confusing. The user only needs to be informed when policies are in effect.

Blocks: 1465942, 1552302
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: nobody → mozilla
Status: NEW → ASSIGNED

We still activate if there is a bad policy only (incorrect name).

But if there are no policies, we don't enable.

Pushed by mozilla@kaply.com:
https://hg.mozilla.org/integration/autoland/rev/029511f2fefc
Don't activate policy engine if there are no policies. r=mconley

This also caused xpcshell failures: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=268407623&repo=autoland&lineNumber=2043

[task 2019-09-25T18:26:31.851Z] 18:26:31 INFO - TEST-START | toolkit/components/enterprisepolicies/tests/xpcshell/test_empty.js
[task 2019-09-25T18:31:31.852Z] 18:31:31 WARNING - TEST-UNEXPECTED-TIMEOUT | toolkit/components/enterprisepolicies/tests/xpcshell/test_empty.js | Test timed out
[task 2019-09-25T18:31:31.852Z] 18:31:31 INFO - TEST-INFO took 300000ms
[task 2019-09-25T18:31:32.176Z] 18:31:32 INFO - xpcshell return code: 143
[task 2019-09-25T18:31:32.295Z] 18:31:32 WARNING - TEST-UNEXPECTED-FAIL | Received SIGINT (control-C), so stopped run. (Use --keep-going to keep running tests after killing one with SIGINT)
[task 2019-09-25T18:31:32.295Z] 18:31:32 INFO - INFO | Result summary:
[task 2019-09-25T18:31:32.295Z] 18:31:32 INFO - INFO | Passed: 229
[task 2019-09-25T18:31:32.295Z] 18:31:32 WARNING - INFO | Failed: 1
[task 2019-09-25T18:31:32.295Z] 18:31:32 WARNING - One or more unittests failed.
[task 2019-09-25T18:31:32.295Z] 18:31:32 INFO - INFO | Todo: 6
[task 2019-09-25T18:31:32.295Z] 18:31:32 INFO - INFO | Retried: 0
[task 2019-09-25T18:31:32.295Z] 18:31:32 INFO - SUITE-END | took 1234s
[task 2019-09-25T18:31:32.360Z] 18:31:32 ERROR - Return code: 1

Needed to disable for android and update some other tests.

Flags: needinfo?(mozilla)
Pushed by mozilla@kaply.com:
https://hg.mozilla.org/integration/autoland/rev/df1795d1a8ae
Don't activate policy engine if there are no policies. r=mconley
Status: ASSIGNED → RESOLVED
Closed: 26 days ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 71
You need to log in before you can comment on or make changes to this bug.