Closed Bug 1580753 Opened 6 years ago Closed 11 hours ago

SecurityDevices settings in policies.json don't take effect on Thunderbird

Categories: Thunderbird :: Preferences, enhancement
Points: 2
Tracking: thunderbird_esr140 affected
Status: RESOLVED FIXED (152 Branch)
People: Reporter: mozilla, Assigned: tobyp, NeedInfo
References: Blocks 2 open bugs
Whiteboard: [enterprise-request]
Attachments: 2 files

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0

Steps to reproduce:

Created policies.json file:

{
  "policies": {
    "DisableAppUpdate": true,
    "OverrideFirstRunPage": "",
    "OverridePostUpdatePage": "",
    "BlockAboutConfig": true,
    "DisableTelemetry": true,
    "SecurityDevices": {
      "DOD_CAC_Reader": "/usr/lib64/pkcs11/libcoolkeypk11.so"
    }
  }
}

Actual results:

Security device is not defined. About:config is not disabled.

DisableAppUpdate is turned off.

Expected results:

I expected that App Updates would be disabled when I view Help->About and they are. But I also expected Edit->Preferences->Advanced->General Config Editor to not bring up about:config and it did. As well I wanted to globally set a security device for DOD common access card use and it's not getting set. All these settings appear to function as desired in Firefox 69.0 using the same policies.json entries.

Component: Untriaged → Preferences

We know that disabling the config editor didn't work. That will be fixed in TB 68.1.1 or TB 68.2, see bug 1579019.

So the remaining issue is the

"SecurityDevices": {
  "DOD_CAC_Reader": "/usr/lib64/pkcs11/libcoolkeypk11.so"
}

Right?

Flags: needinfo?(geoff)
See Also: → 1579019
Summary: settings in policies.json not set → SecurityDevices settings in policies.json don't take effect

Yep, getting SecurityDevices set globally is probably the one I'm most concerned with. Fixing that would alleviate a good amount of admin headache.

Not sure how related this might be....

I'm trying to install multiple certificate authorities using policies.json also:

"Certificates": {
  "Install": [
    "/common/Certs/Certificates_PKCS7_v5.0u1_DoD_DoDRootCA2_withCAs_FirefoxChromeOS.der.p7b",
    "/common/Certs/DODCA_41.pem",
    "/common/Certs/DODCA_42.pem"
  ]
}

So far using that has not worked in Thunderbird or Firefox with this new policies.json file.

Thunderbird 68 doesn't have the SecurityDevices policy, so it's unsurprising that it doesn't do anything.

Type: defect → enhancement
Flags: needinfo?(geoff)
Severity: normal → S3

This bug still exists to this day with the new format. Tried adding opensc:

"SecurityDevices": {
    "Add": {
      "OpenSC PKCS#11 Module": "/usr/lib64/opensc-pkcs11.so"
    }
},

Seeing no change to the security devices list after loading this policy.

John or Kai, could you copy the relevant code from browser to mail? I think that's all it should take to get this working.

See Also: → 1956145
Summary: SecurityDevices settings in policies.json don't take effect → SecurityDevices settings in policies.json don't take effect on Thunderbird
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: spain

(In reply to Geoff Lankow (:darktrojan) from comment #6)
> John or Kai, could you copy the relevant code from browser to mail? I think that's all it should take to get this working.

Flags: needinfo?(john)

We also stumbled on this bug (more of a missing feature) at my company, and it's quite frustrating.

We recently decided to switch from installing two dozen private CAs with the Certificates policy in policies.json, to using p11-kit-trust.so, in order to avoid the need to update policies.json in both Firefox and Thunderbird each time we upgrade our certificates bundle (which is stored in the system SSL store, ca-certificates package on Debian).

This works perfectly in Firefox, but not on Thunderbird, and indeed, according to the documentation, it's not supported, neither in ESR [1], nor in the development version [2].

[1] https://thunderbird.github.io/policy-templates/templates/esr128
[2] https://thunderbird.github.io/policy-templates/templates/release

Could you please add this missing functionality in the next ESR version, or even better, if it's not too much of a change in terms of code, in a future minor release of 128 ESR?

Assignee: nobody → kaie
Status: NEW → ASSIGNED

(In reply to Wayne Mery (:wsmwk) from comment #7)
> (In reply to Geoff Lankow (:darktrojan) from comment #6)
> > John or Kai, could you copy the relevant code from browser to mail? I think that's all it should take to get this working.

Following your advice, I made a patch, but I haven't tested it.
I haven't used enterprise policies before.

How could we easily test this (manually) to ensure the patch has the intended effect?

I could create an experimental build, if the reporters of the bug wish to test it.

I don't know about other systems, but on Linux, create a file called policies.json in the directory /usr/lib/thunderbird/distribution with the following contents:

{
  "policies": {
    "SecurityDevices": {
      "Add": {
        "Some name of your choice": "/full/path/to/a/pkcs11/library.so"
      }
    }
  }
}

For example, on Debian, /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so (package p11-kit-modules). On next (or first) start, the module should appear (with the chosen name) in (translated from French) Preferences -> Privacy and security -> Security devices, and all the CA certificates in the system store (if ca-certificates is installed) should appear in Preferences -> Privacy and security -> Display certificates.

And I forgot, thanks for providing a patch so quickly :)
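A pre-deployment check for the policy described above, added here as an example (it is not part of the bug thread or of Thunderbird's code). A PKCS#11 module is a native library loaded into the mail client's process, so the check flags library paths that are missing, relative, or replaceable by unprivileged users. It assumes a Linux host; the function names, the sample policy and its placeholder path are constructed for illustration.

```python
import json
import os
import stat

# Constructed sample in the "Add" form; the library path is a placeholder.
SAMPLE_POLICY = """
{"policies": {"SecurityDevices": {"Add": {
    "Example module": "/nonexistent/pkcs11/example.so"
}}}}
"""

def extract_modules(policy_text):
    """Return {name: library path}; accepts the "Add" form and the flat form from this bug."""
    devices = json.loads(policy_text).get("policies", {}).get("SecurityDevices", {})
    if isinstance(devices.get("Add"), dict):
        devices = devices["Add"]
    # Keep only name -> path string pairs; any other keys are ignored.
    return {name: path for name, path in devices.items() if isinstance(path, str)}

def check_library(path, trusted_uids=(0,)):
    """List reasons why a PKCS#11 library path should not be trusted as-is."""
    problems = []
    if not os.path.isabs(path):
        problems.append("path is not absolute")
    try:
        info = os.stat(path)  # follows symlinks, so the real target is checked
    except OSError:
        return problems + ["library not found"]
    if not stat.S_ISREG(info.st_mode):
        problems.append("not a regular file")
    if info.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    if info.st_uid not in trusted_uids:
        problems.append("owner is not a trusted account")
    return problems

def audit(policy_text, trusted_uids=(0,)):
    """Map each configured device name to its list of problems (empty list = OK)."""
    return {name: check_library(path, trusted_uids)
            for name, path in extract_modules(policy_text).items()}

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_POLICY).items():
        print(name, "->", problems or "ok")
```

The same ownership and write-permission expectations apply to the distribution directory and to policies.json itself, which `check_library` can also be pointed at.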

Thanks for the quick example, and I'm confirming the patch works.

I copied the file to the "distribution" subdirectory of my locally built Thunderbird,
and for the "name/so" line, I used
"p11-kit-trust": "/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so"
on my Debian system.

After restarting, the module was shown as loaded in the security devices window.

I think this can be considered to be backported to ESR 140.

(In reply to Kai Engert [:KaiE:] from comment #14)
> I think this can be considered to be backported to ESR 140.

Thank you for working so quickly! This kind of functionality is really needed in the corporate world, and facilitates the work of admins to convince decision makers to see Thunderbird as a professional-grade e-mail client (and believe me, there is work to do...).

Is there a chance that it could also be backported to 128 ESR? We don't know when 140 will be pushed to Debian Stable (it's already in experimental, though), and it would greatly help us in our current case.

Or could you point me to a patch working in 128 ESR, that I could ask Debian to integrate in their package?

Thanks again :)

I couldn't make it work on Windows yet.
I've only done an artifact build, that should be sufficient, right?

Could you please review the attached screenshot?
Did I set the correct registry key?
Should this key alone be sufficient to trigger the action?

I'd appreciate help in pushing this forward on Windows.

Note, it worked when I added that device with that file path manually to security devices in Thunderbird, I could see the Yubikey device.
(And I removed it again manually for testing.)

(In reply to Raphaël Halimi from comment #15)
> Is there a chance that it could also be backported to 128 ESR? We don't know when 140 will be pushed to Debian Stable (it's already in experimental, though), and it would greatly help us in our current case.

It's too early to ask.
As a first step, we need to get this actually working on all platforms.
If it's working, we can consider backporting to 140. The patch seems to apply cleanly.
However, on 128 at least some of the files we're modifying aren't there.

(In reply to Kai Engert [:KaiE:] from comment #19)
> It's too early to ask.
> As a first step, we need to get this actually working on all platforms.
> If it's working, we can consider backporting to 140. The patch seems to apply cleanly.
> However, on 128 at least some of the files we're modifying aren't there.

I understand. Thanks for your efforts!

Tested on Windows with Thunderbird 145.0 (Released November 13, 2025) with:

{
  "policies": {
    "SecurityDevices": {
      "Add": {
        "OpenSC PKCS#11 Module": "C:\\Program Files\\OpenSC Project\\OpenSC\\pkcs11\\opensc-pkcs11.dll"
      }
    }
  }
}

Same issue: Enterprise Policies: Unknown policy: SecurityDevices EnterprisePoliciesParent.sys.mjs:175

I have also tried through regedit as suggested in Kai's screenshot. I am happy to test an experimental build if I can help to close this issue.

Assignee: kaie → toby
Points: --- → 2
Whiteboard: [enterprise-request]
Keywords: spaincheckin-needed-tb
Target Milestone: --- → 152 Branch

Pushed by toby@thunderbird.net:
https://hg.mozilla.org/comm-central/rev/467001b61a14
Enable SecurityDevices in enterprise policies. r=john.bieling

Status: ASSIGNED → RESOLVED
Closed: 11 hours ago
Resolution: --- → FIXED