Don't activate enterprise policies if there are no valid policies
Categories
(Firefox :: Enterprise Policies, enhancement, P3)
Tracking
()
People
(Reporter: streetwolf52, Assigned: mkaply)
References
Details
Attachments
(3 files)
26.00 KB,
image/png
|
Details | |
47 bytes,
text/x-phabricator-request
|
lizzard
:
approval-mozilla-esr68+
|
Details | Review |
5.87 KB,
patch
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Steps to reproduce:
Go to about:support.
Look at the Enterprise Policies under Application Basics.
Actual results:
Enterprise Policies says Active.
Expected results:
Should say inactive as I am using the normal Nightly version of Fx not the Enterprise version.
Clicking on the Active link under Active it displays 'The Enterprise Policies service is active but there are no policies enabled.'
In addition I have a bunch of policies listed under Documentation.
Under Errors I get Unknown policy: -DisableAppUpdate
AFAIK Enterprise Policies should be Inactive. How do I get it to be inactive?
Reporter | ||
Updated•5 years ago
|
Reporter | ||
Comment 1•5 years ago
|
||
Perhaps the question is why do I have the ability to create Policies on non-Enterprise Fx and others do not?
Assignee | ||
Comment 2•5 years ago
|
||
It sounds like something in your system thinks policies are enabled.
Do you have a policies.json file in the distribution directory where Firefox is installed?
Updated•5 years ago
|
Assignee | ||
Comment 3•5 years ago
|
||
And to be clear:
Should say inactive as I am using the normal Nightly version of Fx not the Enterprise version.
There is no enterprise version. policies are in all versions.
Reporter | ||
Comment 4•5 years ago
|
||
I have no distribution folder in the Fx directory. I've asked other folks over at Mozillazine if they have Policies marked as active and they all said no. They are also on Nightly. If as you said it is not related to whether you have an Enterprise version of Fx or not then why are policies active for me and not others? At this point I'm just curious.
Assignee | ||
Comment 5•5 years ago
|
||
Can you check your windows registry using regedit?
Software\Policies\Mozilla\Firefox
in both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE
Thanks!
Assignee | ||
Updated•5 years ago
|
Reporter | ||
Comment 6•5 years ago
|
||
I'm currently away from my Windows machine. I'll have access to it on Thursday, I'll check the reg entry and report back here.
Reporter | ||
Comment 7•5 years ago
|
||
Only one of the two keys had anything Firefox related:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox]
"-DisableAppUpdate"=dword:00000001
This enables app updates because of the '-' in front of the key name. I have yet to find anything that would turn on policies either in the Registry or in a Fx file.
Assignee | ||
Comment 8•5 years ago
|
||
Did you add the -DisableAppUpdate policy manually).
The reason policies are active is because you have a policy (even though it is an invalid policy).
So this is working as expected.
I've been considering making policies inactive if there are no vald policies at all. Maybe we should do that.
Reporter | ||
Comment 9•5 years ago
|
||
I guess I must have added the key name myself at some point when I was investigating the problem. I probably put the minus sign in front of the name to basically disable it. I just deleted the key and still have automatic updates enabled in Options and the key in the Registry doesn't exist at all. Also I have no more policies that are in error. But I still have policies active. You stated this was not unique to enterprise additions of Fx. But again this begs the question why other folks on Nightly I spoke with say their policies are inactive. Also if it isn't unique to enterprise editions why use the name enterprise to label the policies?
Assignee | ||
Comment 10•5 years ago
|
||
You have to remove the entire Firefox subtree for us to show as inactive.
If we see a Firefox in the policies tree in the registry, we activate policies.
The word enterprise is used because the policies are intended for enterprises.
Reporter | ||
Comment 11•5 years ago
|
||
I removed the entire Fx subtree and Policies now show as inactive. I guess I added the DisableAppUpdate key myself at some point which made policies active. I guess this bug report can be closed unless you see other problems that need fixing.
Comment 12•5 years ago
|
||
The priority flag is not set for this bug.
:mkaply, could you have a look please?
For more information, please visit auto_nag documentation.
Assignee | ||
Updated•5 years ago
|
Comment 13•5 years ago
|
||
Some AVs apparently leave policy registry keys behind when uninstalled.
Note: Uninstalling avast removes the policy only, but the key will be left in Registry and notice will still be shown in Firefox browser, it is mandatory to remove Mozilla registry key we mentioned above to see the message go away.
If there is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\
then about:policies
shows the message:
The Enterprise Policies service is active but there are no policies enabled.
But if there is an empty Certificates
key, then the list is completely empty with no explanation.
If there are no policies active then the notification in about:preferences
, linking to an empty about:policies
, is very confusing. The user only needs to be informed when policies are in effect.
Assignee | ||
Updated•5 years ago
|
Assignee | ||
Comment 14•5 years ago
|
||
Assignee | ||
Comment 15•5 years ago
|
||
We still activate if there is a bad policy only (incorrect name).
But if there are no policies, we don't enable.
Comment 16•5 years ago
|
||
Pushed by mozilla@kaply.com: https://hg.mozilla.org/integration/autoland/rev/029511f2fefc Don't activate policy engine if there are no policies. r=mconley
Comment 17•5 years ago
|
||
Backed out for failing browser-chrome's browser_policies_notice_in_aboutpreferences.js and browser_policies_mistyped_json.js
Failure log for browser_policies_mistyped_json.js: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=268391065&repo=autoland&lineNumber=23452
Failure log for browser_policies_notice_in_aboutpreferences.js: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=268397383&repo=autoland&lineNumber=2548
Backout: https://hg.mozilla.org/integration/autoland/rev/22fe5053450804fb4c09ef372e4bf2d176c1a2b0
Comment 18•5 years ago
|
||
This also caused xpcshell failures: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=268407623&repo=autoland&lineNumber=2043
[task 2019-09-25T18:26:31.851Z] 18:26:31 INFO - TEST-START | toolkit/components/enterprisepolicies/tests/xpcshell/test_empty.js
[task 2019-09-25T18:31:31.852Z] 18:31:31 WARNING - TEST-UNEXPECTED-TIMEOUT | toolkit/components/enterprisepolicies/tests/xpcshell/test_empty.js | Test timed out
[task 2019-09-25T18:31:31.852Z] 18:31:31 INFO - TEST-INFO took 300000ms
[task 2019-09-25T18:31:32.176Z] 18:31:32 INFO - xpcshell return code: 143
[task 2019-09-25T18:31:32.295Z] 18:31:32 WARNING - TEST-UNEXPECTED-FAIL | Received SIGINT (control-C), so stopped run. (Use --keep-going to keep running tests after killing one with SIGINT)
[task 2019-09-25T18:31:32.295Z] 18:31:32 INFO - INFO | Result summary:
[task 2019-09-25T18:31:32.295Z] 18:31:32 INFO - INFO | Passed: 229
[task 2019-09-25T18:31:32.295Z] 18:31:32 WARNING - INFO | Failed: 1
[task 2019-09-25T18:31:32.295Z] 18:31:32 WARNING - One or more unittests failed.
[task 2019-09-25T18:31:32.295Z] 18:31:32 INFO - INFO | Todo: 6
[task 2019-09-25T18:31:32.295Z] 18:31:32 INFO - INFO | Retried: 0
[task 2019-09-25T18:31:32.295Z] 18:31:32 INFO - SUITE-END | took 1234s
[task 2019-09-25T18:31:32.360Z] 18:31:32 ERROR - Return code: 1
Assignee | ||
Comment 19•5 years ago
|
||
Needed to disable for android and update some other tests.
Comment 20•5 years ago
|
||
Pushed by mozilla@kaply.com: https://hg.mozilla.org/integration/autoland/rev/df1795d1a8ae Don't activate policy engine if there are no policies. r=mconley
Comment 21•5 years ago
|
||
bugherder |
Updated•5 years ago
|
Assignee | ||
Comment 22•5 years ago
|
||
Comment on attachment 9094958 [details]
Bug 1560808 - Don't activate policy engine if there are no policies.
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Policy related
- User impact if declined: Some antivirus remove policy but leave the empty key behind, so policies are activated even though they shouldn't be. This prevents that.
- Fix Landed on Version: 71
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): QA verified, automated test, policy only.
- String or UUID changes made by this patch:
Updated•5 years ago
|
Comment 23•5 years ago
|
||
Hello,
Managed to reproduce this issue with 69.0a1 (buildID:20190623094201) on Windows 10x64 with Avast Free antivirus.
Confirming this issue as verified fixed on 71.0b11(20191118154140) and 72.0a1(20191120215217) with Windows 10x64.
Updated•5 years ago
|
Comment 24•5 years ago
|
||
Comment on attachment 9094958 [details]
Bug 1560808 - Don't activate policy engine if there are no policies.
Fix for policy engine, verified in nightly/beta, let's uplift for 68.3esr.
Comment 25•5 years ago
|
||
bugherder uplift |
Comment 26•5 years ago
|
||
Backed out changeset 7be1e51ac6f6 (bug 1560808) for xpcshell failures at toolkit/components/enterprisepolicies/tests/xpcshell/test_empty.js
Backout: https://hg.mozilla.org/releases/mozilla-esr68/rev/426e37b06a7572bde09729af13f7967e89384abf
Failure push: https://treeherder.mozilla.org/#/jobs?repo=mozilla-esr68&revision=78764fc644ded50f7e681596608aa754ed90b0cc
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=277497177&repo=mozilla-esr68&lineNumber=3021
[task 2019-11-22T00:07:50.553Z] 00:07:50 INFO - TEST-START | toolkit/components/enterprisepolicies/tests/xpcshell/test_empty.js
[task 2019-11-22T00:12:50.553Z] 00:12:50 WARNING - TEST-UNEXPECTED-TIMEOUT | toolkit/components/enterprisepolicies/tests/xpcshell/test_empty.js | Test timed out
[task 2019-11-22T00:12:50.559Z] 00:12:50 INFO - TEST-INFO took 300000ms
[task 2019-11-22T00:12:50.559Z] 00:12:50 INFO - >>>>>>>
[task 2019-11-22T00:12:50.559Z] 00:12:50 INFO - PID 28981 | [28981, Main Thread] WARNING: Couldn't get the user appdata directory. Crash events may not be produced.: file /builds/worker/workspace/build/src/toolkit/crashreporter/nsExceptionHandler.cpp, line 2560
[task 2019-11-22T00:12:50.560Z] 00:12:50 INFO - PID 28981 | Couldn't convert chrome URL: chrome://branding/locale/brand.properties
[task 2019-11-22T00:12:50.561Z] 00:12:50 INFO - NS_ERROR_FILE_NOT_FOUND:
[task 2019-11-22T00:12:50.562Z] 00:12:50 INFO - @/builds/worker/workspace/build/tests/xpcshell/tests/toolkit/components/enterprisepolicies/tests/xpcshell/head.js:18:45
[task 2019-11-22T00:12:50.562Z] 00:12:50 INFO - load_file@/builds/worker/workspace/build/tests/xpcshell/head.js:681:7
[task 2019-11-22T00:12:50.563Z] 00:12:50 INFO - _load_files@/builds/worker/workspace/build/tests/xpcshell/head.js:693:10
[task 2019-11-22T00:12:50.564Z] 00:12:50 INFO - _execute_test@/builds/worker/workspace/build/tests/xpcshell/head.js:542:3
[task 2019-11-22T00:12:50.564Z] 00:12:50 INFO - @-e:1:1
[task 2019-11-22T00:12:50.564Z] 00:12:50 INFO - (xpcshell/head.js) | test MAIN run_test pending (1)
[task 2019-11-22T00:12:50.565Z] 00:12:50 INFO - (xpcshell/head.js) | test run_next_test 0 pending (2)
[task 2019-11-22T00:12:50.565Z] 00:12:50 INFO - (xpcshell/head.js) | test MAIN run_test finished (2)
[task 2019-11-22T00:12:50.566Z] 00:12:50 INFO - running event loop
[task 2019-11-22T00:12:50.566Z] 00:12:50 INFO - PID 28981 | [28981, Main Thread] WARNING: Could not get the program name for a cubeb stream.: 'NS_SUCCEEDED(rv)', file /builds/worker/workspace/build/src/dom/media/CubebUtils.cpp, line 388
[task 2019-11-22T00:12:50.567Z] 00:12:50 INFO - "CONSOLE_MESSAGE: (info) No chrome package registered for chrome://branding/locale/brand.properties"
[task 2019-11-22T00:12:50.567Z] 00:12:50 INFO - toolkit/components/enterprisepolicies/tests/xpcshell/test_empty.js | Starting test_app_update_URL
[task 2019-11-22T00:12:50.568Z] 00:12:50 INFO - (xpcshell/head.js) | test test_app_update_URL pending (2)
[task 2019-11-22T00:12:50.569Z] 00:12:50 INFO - TEST-PASS | toolkit/components/enterprisepolicies/tests/xpcshell/test_empty.js | test_app_update_URL - [test_app_update_URL : 50] Sanity check the temporary file doesn't exist. - true == true
[task 2019-11-22T00:12:50.569Z] 00:12:50 INFO - (xpcshell/head.js) | test run_next_test 0 finished (2)
[task 2019-11-22T00:12:50.570Z] 00:12:50 INFO - <<<<<<<
[task 2019-11-22T00:12:50.570Z] 00:12:50 INFO - xpcshell return code: None
[task 2019-11-22T00:12:50.571Z] 00:12:50 INFO - toolkit/components/enterprisepolicies/tests/xpcshell/test_empty.js | Process still running after test!
[task 2019-11-22T00:12:50.571Z] 00:12:50 INFO - >>>>>>>
[task 2019-11-22T00:12:50.572Z] 00:12:50 INFO - PID 28981 | ExceptionHandler::GenerateDump cloned child 28995
[task 2019-11-22T00:12:50.572Z] 00:12:50 INFO - PID 28981 | ExceptionHandler::SendContinueSignalToChild sent continue signal to child
[task 2019-11-22T00:12:50.573Z] 00:12:50 INFO - <<<<<<<
[task 2019-11-22T00:12:50.573Z] 00:12:50 INFO - INFO | Result summary:
[task 2019-11-22T00:12:50.574Z] 00:12:50 INFO - INFO | Passed: 645
[task 2019-11-22T00:12:50.574Z] 00:12:50 WARNING - INFO | Failed: 1
[task 2019-11-22T00:12:50.575Z] 00:12:50 WARNING - One or more unittests failed.
[task 2019-11-22T00:12:50.576Z] 00:12:50 INFO - INFO | Todo: 4
[task 2019-11-22T00:12:50.576Z] 00:12:50 INFO - INFO | Retried: 1
[task 2019-11-22T00:12:50.577Z] 00:12:50 INFO - SUITE-END | took 1604s
[task 2019-11-22T00:12:50.577Z] 00:12:50 INFO - Node moz-http2 server shutting down ...
[task 2019-11-22T00:12:50.578Z] 00:12:50 INFO - Process stderr
[task 2019-11-22T00:12:50.579Z] 00:12:50 INFO - (node:1030) ExperimentalWarning: The http2 module is an experimental API.
[task 2019-11-22T00:12:50.637Z] 00:12:50 ERROR - Return code: 1
Updated•5 years ago
|
Comment 27•5 years ago
|
||
This missed the ESR 68.3 build, but could make the 68.4 release or potentially a 68.3 dot release if we have one.
Comment 28•5 years ago
|
||
[Tracking Requested - why for this release]:
Assignee | ||
Comment 29•5 years ago
|
||
ESR patch build and tested.
Problem was that a file (PermissionTestUtils) didn't exist in 68 and we were including it.
Assignee | ||
Comment 30•5 years ago
|
||
This missed the ESR 68.3 build, but could make the 68.4 release or potentially a 68.3 dot release if we have one.
No problem. This was more of a problem on regular release anyway..
Comment 31•4 years ago
|
||
bugherder uplift |
Comment 32•4 years ago
|
||
Hello,
Verified this issue with AVAST free antivirus and 68.4.0 (id: 20191202154004) on Windows 10x64.
However, like in issue 1600007, I still managed to reproduce the faulty behavior 3 out of 5 attempts. I will close this one and continue addressing the issue there instead.
Description
•