Password manager GPO, unable to disable
Categories
(Firefox :: Enterprise Policies, defect, P3)
Tracking
()
People
(Reporter: hahnson, Assigned: mkaply)
Details
Attachments
(8 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Steps to reproduce:
Configure GPO (Computer side) using latest ADMX files 2.1 on Mozilla firefox 78.1.0 ESR. To disable save password, disable offer to save logins,
Actual results:
Firefox offers to save logins, RSOP repport shows offer to save logins disabled and also registry setting indicate that offer to save logins is disabled, other GPO settings works and are applied
Expected results:
User should not be able to save any logins, firefox should not offer to save any logins by my configuration, it works as it should in firefox 68.11.0 ESR
Comment 1•4 years ago
|
||
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
Assignee | ||
Comment 2•4 years ago
|
||
Can you give me a specific example of where it is offering to save password?
Does everything show disabled in about:policies?
Reporter | ||
Comment 3•4 years ago
|
||
Hi
It offers on any site, for example www.dn.se and the user can change the setting
I have done some additional testing on my testenvironment using same settings, i can not reproduce using msi installer, but if i use the .exe installers i can reproduce, (same GPO settings) we use the exe as we do a msi re-packageing )
Reporter | ||
Comment 4•4 years ago
|
||
Here is my about:policies from the customer, note i have changed the name to name :
Reporter | ||
Comment 5•4 years ago
|
||
Here is my about:policies from the customer, note i have changed the name to name :
Policynamn
Policyvärde
BlockAboutConfig
true
BlockAboutProfiles
true
BlockAboutAddons
true
DisableFirefoxAccounts
true
DisableProfileImport
true
DisableProfileRefresh
true
DisableAppUpdate
true
DontCheckDefaultBrowser
true
OverrideFirstRunPage
""
OverridePostUpdatePage
""
DisableFeedbackCommands
true
DisableTelemetry
true
SSLVersionMin
"tls1.2"
PasswordManagerEnabled
false
OfferToSaveLogins
false
OfferToSaveLoginsDefault
false
NewTabPage
false
DisablePasswordReveal
true
DisableSystemAddonUpdate
true
AppAutoUpdate
false
DisableMasterPasswordCreation
true
Authentication
Locked
true
AllowNonFQDN
NTLM
true
SPNEGO
true
NTLM
".name.name"
SPNEGO
".name.name"
Certificates
ImportEnterpriseRoots
true
DisableSecurityBypass
SafeBrowsing
true
InvalidCertificate
true
Homepage
StartPage
"homepage"
URL
Locked
true
InstallAddonsPermission
Default
false
Preferences
extensions.getAddons.showPane
false
Proxy
Locked
true
Mode
"system"
HTTPProxy
""
UseHTTPProxyForAllProtocols
true
SSLProxy
""
FTPProxy
""
SOCKSProxy
""
SOCKSVersion
5
Passthrough
""
AutoConfigURL
""
AutoLogin
false
UseProxyForDNS
false
UserMessaging
WhatsNew
false
ExtensionRecommendations
Reporter | ||
Comment 6•4 years ago
|
||
Strange, just installed MSI installer at customer machine, policy still not applied but about:cofig states it is (looks same as posted, ) but in lab it worked with msi, but not with exe install (two different machines) perhaps something gets tainted if exe was installed?
Assignee | ||
Comment 7•4 years ago
|
||
I am not able to recreate this.
This is controlled by
OfferToSaveLogins (if you set this, you don't need to set OfferToSaveLoginsDefault)
When I go to:
https://account.bonnier.news/bip/authenticate
If OfferToSaveLogins is set to true, I get the doorhanger popup asking to save passwords.
When I set it to false, I do not get that popup.
The preference specifically involved here is:
signon.rememberSignons
Can you go to about:config on the machine where you are seeing the popup and see what it is set to?
Also, can you post a screenshot of what you are seeing to make sure we are looking at the same thing?
Reporter | ||
Comment 8•4 years ago
|
||
Reporter | ||
Comment 9•4 years ago
|
||
Reporter | ||
Comment 10•4 years ago
|
||
Comment 11•4 years ago
|
||
The severity field is not set for this bug.
:mkaply, could you have a look please?
For more information, please visit auto_nag documentation.
Assignee | ||
Comment 12•4 years ago
|
||
I don't understand how sign.RememberSignons can be true here.
We literally set it to false with both those OfferToSaveLogins options and the PasswordManager option.
https://searchfox.org/mozilla-central/rev/62f6cc5d9c829bc0c6f18e25f93203a98681ac97/browser/components/enterprisepolicies/Policies.jsm#1304
https://searchfox.org/mozilla-central/rev/62f6cc5d9c829bc0c6f18e25f93203a98681ac97/browser/components/enterprisepolicies/Policies.jsm#1310
https://searchfox.org/mozilla-central/rev/62f6cc5d9c829bc0c6f18e25f93203a98681ac97/browser/components/enterprisepolicies/Policies.jsm#1340
And there is no other policy that modifies it.
Are you possibly using Autoconfig or some other management tool?
Are there any errors on the about:policies page or on the javascript console? (Ctrl+Shift+J)
Reporter | ||
Comment 13•4 years ago
|
||
No , we do a repack at customer but then i installed the clean swedish 64bit msi directly from your site in my test environment on a clean client that has not had firefox installed before, just configured those settings and got the results as in my recent pictures,
I do get a few errors in that console please refer to 3.jpg
Reporter | ||
Comment 14•4 years ago
|
||
Reporter | ||
Comment 15•4 years ago
|
||
Reporter | ||
Comment 16•4 years ago
|
||
Comment 17•4 years ago
|
||
The severity field is not set for this bug.
:mkaply, could you have a look please?
For more information, please visit auto_nag documentation.
Assignee | ||
Comment 18•4 years ago
|
||
What you are showing in preferences doesn't correspond with what you posted in about:config.
The fact that Ask to save logins and passwords for website is disabled means the preference is locked, but the screenshot you posted of about:config shows it as unlocked.
Would it be possible to do some sort of screenshare on one of the machines with the problem so I can take a look?
Comment 19•4 years ago
|
||
The severity field is not set for this bug.
:mkaply, could you have a look please?
For more information, please visit auto_nag documentation.
Reporter | ||
Comment 20•4 years ago
|
||
Hi
Yes we could probably arrange that as it is in my testenvironment
No exactly my point, and it also sees to be a bit sporadic, right now it does not offer to save logins but the tickboxes are still checked as seen in my latest screenshots, but it did offer to save before i rebooted ,
I saw that ESR 78.2 is released so i will try that on my customer today and this time use the msi and on a clean machine to se what happens,
Reporter | ||
Comment 21•4 years ago
|
||
Ok now i got this behavior also on 68.12.0 at my customer, offered to save login despite disabled in GPO, in 68.11.0 this is not present,
Reporter | ||
Comment 22•4 years ago
|
||
Ok solved ast least on 68.12.0,
OfferToSaveLogins false
OfferToSaveLoginsDefault false
I i remove this
OfferToSaveLoginsDefault false
but keep
OfferToSaveLogins false
It behaves as expected, seems OfferToSaveLoginsDefault false somehow wins over OfferToSaveLogins false, new behaviour as we had it like above for a longer time, also as per GPO MS Standard the most restrictive GPO setting should win
Assignee | ||
Comment 23•4 years ago
|
||
Updated•4 years ago
|
Assignee | ||
Updated•4 years ago
|
Comment 24•4 years ago
|
||
There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:mkaply, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 25•4 years ago
|
||
Pushed by mozilla@kaply.com: https://hg.mozilla.org/integration/autoland/rev/9e6c111e6cf2 Ignore OfferToSaveLoginsDefault if OfferToSaveLogins is present. r=emalysz
Comment 26•4 years ago
|
||
bugherder |
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Comment 27•4 years ago
|
||
Comment on attachment 9172779 [details]
Bug 1658259 - Ignore OfferToSaveLoginsDefault if OfferToSaveLogins is present. r?emalysz!
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Policy only, parity with corresponding Firefox
- User impact if declined: Confusing for administrators of two different policies.
- Fix Landed on Version: 82
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): automated test, policy only.
- String or UUID changes made by this patch:
Updated•4 years ago
|
Comment 28•4 years ago
|
||
Comment on attachment 9172779 [details]
Bug 1658259 - Ignore OfferToSaveLoginsDefault if OfferToSaveLogins is present. r?emalysz!
Approved for 78.4esr.
Comment 29•4 years ago
|
||
bugherder uplift |
Description
•