1560808 - Don't activate enterprise policies if there are no valid policies

Status: VERIFIED FIXED

(Firefox :: Enterprise Policies, enhancement, P3)

Description

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0

Steps to reproduce:

Go to about:support.

Look at the Enterprise Policies under Application Basics.

Actual results:

Enterprise Policies says Active.

Expected results:

Should say inactive as I am using the normal Nightly version of Fx not the Enterprise version.

Clicking on the Active link under Active it displays 'The Enterprise Policies service is active but there are no policies enabled.'

In addition I have a bunch of policies listed under Documentation.

Under Errors I get Unknown policy: -DisableAppUpdate

AFAIK Enterprise Policies should be Inactive. How do I get it to be inactive?

Comment 1

[Gary [:streetwolf52]]

Perhaps the question is why do I have the ability to create Policies on non-Enterprise Fx and others do not?

Comment 2

[Mike Kaply [:mkaply]]

It sounds like something in your system thinks policies are enabled.

Do you have a policies.json file in the distribution directory where Firefox is installed?

Comment 3

[Mike Kaply [:mkaply]]

And to be clear:

Should say inactive as I am using the normal Nightly version of Fx not the Enterprise version.

There is no enterprise version. policies are in all versions.

Comment 4

[Gary [:streetwolf52]]

I have no distribution folder in the Fx directory. I've asked other folks over at Mozillazine if they have Policies marked as active and they all said no. They are also on Nightly. If as you said it is not related to whether you have an Enterprise version of Fx or not then why are policies active for me and not others? At this point I'm just curious.

Comment 5

[Mike Kaply [:mkaply]]

Can you check your windows registry using regedit?

Software\Policies\Mozilla\Firefox

in both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE

Thanks!

Comment 6

[Gary [:streetwolf52]]

I'm currently away from my Windows machine. I'll have access to it on Thursday, I'll check the reg entry and report back here.

Comment 7

[Gary [:streetwolf52]]

Only one of the two keys had anything Firefox related:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox]
"-DisableAppUpdate"=dword:00000001

This enables app updates because of the '-' in front of the key name. I have yet to find anything that would turn on policies either in the Registry or in a Fx file.

Comment 8

[Mike Kaply [:mkaply]]

Did you add the -DisableAppUpdate policy manually).

The reason policies are active is because you have a policy (even though it is an invalid policy).

So this is working as expected.

I've been considering making policies inactive if there are no vald policies at all. Maybe we should do that.

Comment 9

[Gary [:streetwolf52]]

I guess I must have added the key name myself at some point when I was investigating the problem. I probably put the minus sign in front of the name to basically disable it. I just deleted the key and still have automatic updates enabled in Options and the key in the Registry doesn't exist at all. Also I have no more policies that are in error. But I still have policies active. You stated this was not unique to enterprise additions of Fx. But again this begs the question why other folks on Nightly I spoke with say their policies are inactive. Also if it isn't unique to enterprise editions why use the name enterprise to label the policies?

Comment 10

[Mike Kaply [:mkaply]]

You have to remove the entire Firefox subtree for us to show as inactive.

If we see a Firefox in the policies tree in the registry, we activate policies.

The word enterprise is used because the policies are intended for enterprises.

Comment 11

[Gary [:streetwolf52]]

I removed the entire Fx subtree and Policies now show as inactive. I guess I added the DisableAppUpdate key myself at some point which made policies active. I guess this bug report can be closed unless you see other problems that need fixing.

Comment 12

[BugBot [:suhaib / :marco/ :calixte]]

The priority flag is not set for this bug.
:mkaply, could you have a look please?

For more information, please visit auto_nag documentation.

Comment 13

[Kestrel]

Attachment: Notified about empty list of policies

Some AVs apparently leave policy registry keys behind when uninstalled.

Note: Uninstalling avast removes the policy only, but the key will be left in Registry and notice will still be shown in Firefox browser, it is mandatory to remove Mozilla registry key we mentioned above to see the message go away.

https://techdows.com/2019/06/fix-firefox-says-your-browser-is-being-managed-by-your-organization.html

If there is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\ then about:policies shows the message:

The Enterprise Policies service is active but there are no policies enabled.

But if there is an empty Certificates key, then the list is completely empty with no explanation.

If there are no policies active then the notification in about:preferences, linking to an empty about:policies, is very confusing. The user only needs to be informed when policies are in effect.

Comment 14

[Mike Kaply [:mkaply]]

Attachment: Bug 1560808 - Don't activate policy engine if there are no policies.

Comment 15

[Mike Kaply [:mkaply]]

We still activate if there is a bad policy only (incorrect name).

But if there are no policies, we don't enable.

Comment 16

[Pulsebot]

Pushed by mozilla@kaply.com:
https://hg.mozilla.org/integration/autoland/rev/029511f2fefc
Don't activate policy engine if there are no policies. r=mconley

Comment 17

[Oana Pop-Rus]

Backed out for failing browser-chrome's browser_policies_notice_in_aboutpreferences.js and browser_policies_mistyped_json.js

Push with failure: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=superseded%2Ctestfailed%2Cbusted%2Cexception%2Crunnable&revision=029511f2fefc2ff0db4c750966cf563e0345aabc&selectedJob=268391065

Failure log for browser_policies_mistyped_json.js: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=268391065&repo=autoland&lineNumber=23452

Failure log for browser_policies_notice_in_aboutpreferences.js: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=268397383&repo=autoland&lineNumber=2548

Backout: https://hg.mozilla.org/integration/autoland/rev/22fe5053450804fb4c09ef372e4bf2d176c1a2b0

Comment 18

[Andreea Pavel [:apavel]]

This also caused xpcshell failures: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=268407623&repo=autoland&lineNumber=2043

[task 2019-09-25T18:26:31.851Z] 18:26:31 INFO - TEST-START | toolkit/components/enterprisepolicies/tests/xpcshell/test_empty.js
[task 2019-09-25T18:31:31.852Z] 18:31:31 WARNING - TEST-UNEXPECTED-TIMEOUT | toolkit/components/enterprisepolicies/tests/xpcshell/test_empty.js | Test timed out
[task 2019-09-25T18:31:31.852Z] 18:31:31 INFO - TEST-INFO took 300000ms
[task 2019-09-25T18:31:32.176Z] 18:31:32 INFO - xpcshell return code: 143
[task 2019-09-25T18:31:32.295Z] 18:31:32 WARNING - TEST-UNEXPECTED-FAIL | Received SIGINT (control-C), so stopped run. (Use --keep-going to keep running tests after killing one with SIGINT)
[task 2019-09-25T18:31:32.295Z] 18:31:32 INFO - INFO | Result summary:
[task 2019-09-25T18:31:32.295Z] 18:31:32 INFO - INFO | Passed: 229
[task 2019-09-25T18:31:32.295Z] 18:31:32 WARNING - INFO | Failed: 1
[task 2019-09-25T18:31:32.295Z] 18:31:32 WARNING - One or more unittests failed.
[task 2019-09-25T18:31:32.295Z] 18:31:32 INFO - INFO | Todo: 6
[task 2019-09-25T18:31:32.295Z] 18:31:32 INFO - INFO | Retried: 0
[task 2019-09-25T18:31:32.295Z] 18:31:32 INFO - SUITE-END | took 1234s
[task 2019-09-25T18:31:32.360Z] 18:31:32 ERROR - Return code: 1

Comment 19

[Mike Kaply [:mkaply]]

Needed to disable for android and update some other tests.

Comment 20

[Pulsebot]

Pushed by mozilla@kaply.com:
https://hg.mozilla.org/integration/autoland/rev/df1795d1a8ae
Don't activate policy engine if there are no policies. r=mconley

Comment 21

[Stefan Hindli [:stefan_hindli]]

https://hg.mozilla.org/mozilla-central/rev/df1795d1a8ae

Comment 22

[Mike Kaply [:mkaply]]

Comment on attachment 9094958 [details]
Bug 1560808 - Don't activate policy engine if there are no policies.

ESR Uplift Approval Request

• If this is not a sec:{high,crit} bug, please state case for ESR consideration: Policy related
• User impact if declined: Some antivirus remove policy but leave the empty key behind, so policies are activated even though they shouldn't be. This prevents that.
• Fix Landed on Version: 71
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): QA verified, automated test, policy only.
• String or UUID changes made by this patch:

Comment 23

[Vlad Lucaci, Desktop QA (:vlucaci)]

Hello,
Managed to reproduce this issue with 69.0a1 (buildID:20190623094201) on Windows 10x64 with Avast Free antivirus.

Confirming this issue as verified fixed on 71.0b11(20191118154140) and 72.0a1(20191120215217) with Windows 10x64.

Comment 24

[Liz Henry (:lizzard) (relman/hg->git project)]

Comment on attachment 9094958 [details]
Bug 1560808 - Don't activate policy engine if there are no policies.

Fix for policy engine, verified in nightly/beta, let's uplift for 68.3esr.

Comment 25

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-esr68/rev/7be1e51ac6f6

Comment 26

[Cristina Coroiu [:ccoroiu]]

Backed out changeset 7be1e51ac6f6 (bug 1560808) for xpcshell failures at toolkit/components/enterprisepolicies/tests/xpcshell/test_empty.js

Backout: https://hg.mozilla.org/releases/mozilla-esr68/rev/426e37b06a7572bde09729af13f7967e89384abf

Failure push: https://treeherder.mozilla.org/#/jobs?repo=mozilla-esr68&revision=78764fc644ded50f7e681596608aa754ed90b0cc

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=277497177&repo=mozilla-esr68&lineNumber=3021

[task 2019-11-22T00:07:50.553Z] 00:07:50 INFO - TEST-START | toolkit/components/enterprisepolicies/tests/xpcshell/test_empty.js
[task 2019-11-22T00:12:50.553Z] 00:12:50 WARNING - TEST-UNEXPECTED-TIMEOUT | toolkit/components/enterprisepolicies/tests/xpcshell/test_empty.js | Test timed out
[task 2019-11-22T00:12:50.559Z] 00:12:50 INFO - TEST-INFO took 300000ms
[task 2019-11-22T00:12:50.559Z] 00:12:50 INFO - >>>>>>>
[task 2019-11-22T00:12:50.559Z] 00:12:50 INFO - PID 28981 | [28981, Main Thread] WARNING: Couldn't get the user appdata directory. Crash events may not be produced.: file /builds/worker/workspace/build/src/toolkit/crashreporter/nsExceptionHandler.cpp, line 2560
[task 2019-11-22T00:12:50.560Z] 00:12:50 INFO - PID 28981 | Couldn't convert chrome URL: chrome://branding/locale/brand.properties
[task 2019-11-22T00:12:50.561Z] 00:12:50 INFO - NS_ERROR_FILE_NOT_FOUND:
[task 2019-11-22T00:12:50.562Z] 00:12:50 INFO - @/builds/worker/workspace/build/tests/xpcshell/tests/toolkit/components/enterprisepolicies/tests/xpcshell/head.js:18:45
[task 2019-11-22T00:12:50.562Z] 00:12:50 INFO - load_file@/builds/worker/workspace/build/tests/xpcshell/head.js:681:7
[task 2019-11-22T00:12:50.563Z] 00:12:50 INFO - _load_files@/builds/worker/workspace/build/tests/xpcshell/head.js:693:10
[task 2019-11-22T00:12:50.564Z] 00:12:50 INFO - _execute_test@/builds/worker/workspace/build/tests/xpcshell/head.js:542:3
[task 2019-11-22T00:12:50.564Z] 00:12:50 INFO - @-e:1:1
[task 2019-11-22T00:12:50.564Z] 00:12:50 INFO - (xpcshell/head.js) | test MAIN run_test pending (1)
[task 2019-11-22T00:12:50.565Z] 00:12:50 INFO - (xpcshell/head.js) | test run_next_test 0 pending (2)
[task 2019-11-22T00:12:50.565Z] 00:12:50 INFO - (xpcshell/head.js) | test MAIN run_test finished (2)
[task 2019-11-22T00:12:50.566Z] 00:12:50 INFO - running event loop
[task 2019-11-22T00:12:50.566Z] 00:12:50 INFO - PID 28981 | [28981, Main Thread] WARNING: Could not get the program name for a cubeb stream.: 'NS_SUCCEEDED(rv)', file /builds/worker/workspace/build/src/dom/media/CubebUtils.cpp, line 388
[task 2019-11-22T00:12:50.567Z] 00:12:50 INFO - "CONSOLE_MESSAGE: (info) No chrome package registered for chrome://branding/locale/brand.properties"
[task 2019-11-22T00:12:50.567Z] 00:12:50 INFO - toolkit/components/enterprisepolicies/tests/xpcshell/test_empty.js | Starting test_app_update_URL
[task 2019-11-22T00:12:50.568Z] 00:12:50 INFO - (xpcshell/head.js) | test test_app_update_URL pending (2)
[task 2019-11-22T00:12:50.569Z] 00:12:50 INFO - TEST-PASS | toolkit/components/enterprisepolicies/tests/xpcshell/test_empty.js | test_app_update_URL - [test_app_update_URL : 50] Sanity check the temporary file doesn't exist. - true == true
[task 2019-11-22T00:12:50.569Z] 00:12:50 INFO - (xpcshell/head.js) | test run_next_test 0 finished (2)
[task 2019-11-22T00:12:50.570Z] 00:12:50 INFO - <<<<<<<
[task 2019-11-22T00:12:50.570Z] 00:12:50 INFO - xpcshell return code: None
[task 2019-11-22T00:12:50.571Z] 00:12:50 INFO - toolkit/components/enterprisepolicies/tests/xpcshell/test_empty.js | Process still running after test!
[task 2019-11-22T00:12:50.571Z] 00:12:50 INFO - >>>>>>>
[task 2019-11-22T00:12:50.572Z] 00:12:50 INFO - PID 28981 | ExceptionHandler::GenerateDump cloned child 28995
[task 2019-11-22T00:12:50.572Z] 00:12:50 INFO - PID 28981 | ExceptionHandler::SendContinueSignalToChild sent continue signal to child
[task 2019-11-22T00:12:50.573Z] 00:12:50 INFO - <<<<<<<
[task 2019-11-22T00:12:50.573Z] 00:12:50 INFO - INFO | Result summary:
[task 2019-11-22T00:12:50.574Z] 00:12:50 INFO - INFO | Passed: 645
[task 2019-11-22T00:12:50.574Z] 00:12:50 WARNING - INFO | Failed: 1
[task 2019-11-22T00:12:50.575Z] 00:12:50 WARNING - One or more unittests failed.
[task 2019-11-22T00:12:50.576Z] 00:12:50 INFO - INFO | Todo: 4
[task 2019-11-22T00:12:50.576Z] 00:12:50 INFO - INFO | Retried: 1
[task 2019-11-22T00:12:50.577Z] 00:12:50 INFO - SUITE-END | took 1604s
[task 2019-11-22T00:12:50.577Z] 00:12:50 INFO - Node moz-http2 server shutting down ...
[task 2019-11-22T00:12:50.578Z] 00:12:50 INFO - Process stderr
[task 2019-11-22T00:12:50.579Z] 00:12:50 INFO - (node:1030) ExperimentalWarning: The http2 module is an experimental API.
[task 2019-11-22T00:12:50.637Z] 00:12:50 ERROR - Return code: 1

Comment 27

[Liz Henry (:lizzard) (relman/hg->git project)]

This missed the ESR 68.3 build, but could make the 68.4 release or potentially a 68.3 dot release if we have one.

Comment 28

[Liz Henry (:lizzard) (relman/hg->git project)]

[Tracking Requested - why for this release]:

Comment 29

[Mike Kaply [:mkaply]]

Attachment: 1560808-esr.diff

ESR patch build and tested.

Problem was that a file (PermissionTestUtils) didn't exist in 68 and we were including it.

Comment 30

[Mike Kaply [:mkaply]]

This missed the ESR 68.3 build, but could make the 68.4 release or potentially a 68.3 dot release if we have one.

No problem. This was more of a problem on regular release anyway..

Comment 31

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/releases/mozilla-esr68/rev/0da507919679

Comment 32

[Vlad Lucaci, Desktop QA (:vlucaci)]

Hello,

Verified this issue with AVAST free antivirus and 68.4.0 (id: 20191202154004) on Windows 10x64.

However, like in issue 1600007, I still managed to reproduce the faulty behavior 3 out of 5 attempts. I will close this one and continue addressing the issue there instead.