Closed Bug 1658259 Opened 4 years ago Closed 4 years ago

Password manager GPO, unable to disable

Categories

(Firefox :: Enterprise Policies, defect, P3)

78 Branch
defect

Tracking

()

RESOLVED FIXED
82 Branch
Tracking Status
firefox-esr78 82+ fixed
firefox82 --- fixed

People

(Reporter: hahnson, Assigned: mkaply)

Details

Attachments

(8 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36

Steps to reproduce:

Configure GPO (Computer side) using latest ADMX files 2.1 on Mozilla Firefox 78.1.0 ESR. To disable save password, disable offer to save logins.

Actual results:

Firefox offers to save logins. The RSOP report shows offer to save logins disabled, and the registry setting also indicates that offer to save logins is disabled. Other GPO settings work and are applied.

Expected results:

User should not be able to save any logins. Firefox should not offer to save any logins by my configuration. It works as it should in Firefox 68.11.0 ESR.

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Enterprise Policies

Can you give me a specific example of where it is offering to save password?

Does everything show disabled in about:policies?

Flags: needinfo?(hahnson)

Hi

It offers on any site, for example www.dn.se, and the user can change the setting.

I have done some additional testing in my test environment using the same settings. I cannot reproduce using the MSI installer, but if I use the .exe installers I can reproduce (same GPO settings). We use the exe as we do an MSI re-packaging.

Flags: needinfo?(hahnson)
Attached file about policy
Here is my about:policies from the customer; note I have changed the name to name:

Policy Name                          Policy Value

BlockAboutConfig                     true
BlockAboutProfiles                   true
BlockAboutAddons                     true
DisableFirefoxAccounts               true
DisableProfileImport                 true
DisableProfileRefresh                true
DisableAppUpdate                     true
DontCheckDefaultBrowser              true
OverrideFirstRunPage                 ""
OverridePostUpdatePage               ""
DisableFeedbackCommands              true
DisableTelemetry                     true
SSLVersionMin                        "tls1.2"
PasswordManagerEnabled               false
OfferToSaveLogins                    false
OfferToSaveLoginsDefault             false
NewTabPage                           false
DisablePasswordReveal                true
DisableSystemAddonUpdate             true
AppAutoUpdate                        false
DisableMasterPasswordCreation        true
Authentication
  Locked                             true
  AllowNonFQDN
    NTLM                             true
    SPNEGO                           true
  NTLM                               ".name.name"
  SPNEGO                             ".name.name"
Certificates
  ImportEnterpriseRoots              true
DisableSecurityBypass
  SafeBrowsing                       true
  InvalidCertificate                 true
Homepage
  StartPage                          "homepage"
  URL                                "https://name/"
  Locked                             true
InstallAddonsPermission
  Default                            false
Preferences
  extensions.getAddons.showPane      false
Proxy
  Locked                             true
  Mode                               "system"
  HTTPProxy                          ""
  UseHTTPProxyForAllProtocols        true
  SSLProxy                           ""
  FTPProxy                           ""
  SOCKSProxy                         ""
  SOCKSVersion                       5
  Passthrough                        ""
  AutoConfigURL                      ""
  AutoLogin                          false
  UseProxyForDNS                     false
UserMessaging
  WhatsNew                           false
  ExtensionRecommendations

Strange, I just installed the MSI installer on the customer machine; the policy is still not applied, but about:config states it is (looks the same as posted). In the lab it worked with the MSI, but not with the exe install (two different machines). Perhaps something gets tainted if the exe was installed?

I am not able to recreate this.

This is controlled by

OfferToSaveLogins (if you set this, you don't need to set OfferToSaveLoginsDefault)

When I go to:

https://account.bonnier.news/bip/authenticate

If OfferToSaveLogins is set to true, I get the doorhanger popup asking to save passwords.

When I set it to false, I do not get that popup.

The preference specifically involved here is:

signon.rememberSignons

Can you go to about:config on the machine where you are seeing the popup and see what it is set to?

Also, can you post a screenshot of what you are seeing to make sure we are looking at the same thing?

Attached image signon settings
Attached file About:Policies

The severity field is not set for this bug.
:mkaply, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(mozilla)

I don't understand how signon.rememberSignons can be true here.

We literally set it to false with both those OfferToSaveLogins options and the PasswordManager option.

https://searchfox.org/mozilla-central/rev/62f6cc5d9c829bc0c6f18e25f93203a98681ac97/browser/components/enterprisepolicies/Policies.jsm#1304
https://searchfox.org/mozilla-central/rev/62f6cc5d9c829bc0c6f18e25f93203a98681ac97/browser/components/enterprisepolicies/Policies.jsm#1310
https://searchfox.org/mozilla-central/rev/62f6cc5d9c829bc0c6f18e25f93203a98681ac97/browser/components/enterprisepolicies/Policies.jsm#1340

And there is no other policy that modifies it.

Are you possibly using Autoconfig or some other management tool?

Are there any errors on the about:policies page or in the JavaScript console? (Ctrl+Shift+J)

Flags: needinfo?(mozilla)

No, we do a repack at the customer, but then I installed the clean Swedish 64-bit MSI directly from your site in my test environment, on a clean client that has not had Firefox installed before. I just configured those settings and got the results as in my recent pictures.

I do get a few errors in that console; please refer to 3.jpg.

Attached image Console errors


What you are showing in preferences doesn't correspond with what you posted in about:config.

The fact that Ask to save logins and passwords for website is disabled means the preference is locked, but the screenshot you posted of about:config shows it as unlocked.

Would it be possible to do some sort of screenshare on one of the machines with the problem so I can take a look?

Flags: needinfo?(mozilla)


Hi

Yes, we could probably arrange that, as it is in my test environment.

No, exactly my point, and it also seems to be a bit sporadic. Right now it does not offer to save logins, but the tickboxes are still checked as seen in my latest screenshots, but it did offer to save before I rebooted.

I saw that ESR 78.2 is released, so I will try that on my customer today, and this time use the MSI and on a clean machine to see what happens.

OK, now I got this behavior also on 68.12.0 at my customer: it offered to save login despite being disabled in GPO. In 68.11.0 this is not present.

OK, solved at least on 68.12.0.

OfferToSaveLogins false
OfferToSaveLoginsDefault false

If I remove this

OfferToSaveLoginsDefault false

but keep

OfferToSaveLogins false

it behaves as expected. It seems OfferToSaveLoginsDefault false somehow wins over OfferToSaveLogins false. This is new behaviour, as we had it like above for a longer time. Also, as per GPO MS Standard, the most restrictive GPO setting should win.

Assignee: nobody → mozilla
Severity: -- → S3
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(mozilla)
Priority: -- → P3

There's a r+ patch which didn't land and no activity in this bug for 2 weeks.
:mkaply, could you have a look please?
For more information, please visit auto_nag documentation.

Flags: needinfo?(mozilla)
Pushed by mozilla@kaply.com:
https://hg.mozilla.org/integration/autoland/rev/9e6c111e6cf2
Ignore OfferToSaveLoginsDefault if OfferToSaveLogins is present. r=emalysz
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 82 Branch
Flags: needinfo?(mozilla)
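
For administrators checking endpoints for the conflict discussed in this bug, here is an added example (not code from the bug, the patch, or Firefox). It assumes that OfferToSaveLogins and PasswordManagerEnabled=false lock signon.rememberSignons while OfferToSaveLoginsDefault only sets an unlocked default; the function names are hypothetical.

```javascript
// Added example, not Firefox source. Assumed semantics: OfferToSaveLogins and
// PasswordManagerEnabled=false lock the pref; OfferToSaveLoginsDefault only
// sets an unlocked default.
const PREF = "signon.rememberSignons";

// Derive the pref state the policies should produce, plus config findings.
function auditLoginPolicies(policies) {
  const has = (k) => Object.prototype.hasOwnProperty.call(policies, k);
  const findings = [];
  let expected = null;

  if (has("OfferToSaveLoginsDefault")) {
    expected = { value: policies.OfferToSaveLoginsDefault === true,
                 locked: false, source: "OfferToSaveLoginsDefault" };
  }
  if (has("OfferToSaveLogins")) {
    if (has("OfferToSaveLoginsDefault")) {
      findings.push("OfferToSaveLoginsDefault is set together with " +
        "OfferToSaveLogins; remove it so only the locking policy applies");
    }
    expected = { value: policies.OfferToSaveLogins === true,
                 locked: true, source: "OfferToSaveLogins" };
  }
  if (policies.PasswordManagerEnabled === false) {
    expected = { value: false, locked: true, source: "PasswordManagerEnabled" };
  }
  return { expected, findings };
}

// Compare the expectation with what about:config shows on the endpoint.
function checkObserved(expected, observed) {
  const problems = [];
  if (!expected) return problems;
  if (observed.value !== expected.value) {
    problems.push(`${PREF} is ${observed.value}, but policy ` +
      `${expected.source} requires ${expected.value}`);
  }
  if (expected.locked && !observed.locked) {
    problems.push(`${PREF} is not locked; users can change it`);
  }
  return problems;
}

// Constructed sample: the three login policies from the reporter's
// about:policies and the about:config state described in the thread.
const reported = { PasswordManagerEnabled: false, OfferToSaveLogins: false,
                   OfferToSaveLoginsDefault: false };
const audit = auditLoginPolicies(reported);
const problems = checkObserved(audit.expected, { value: true, locked: false });
console.log(audit.findings, problems);
```
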

Comment on attachment 9172779 [details]
Bug 1658259 - Ignore OfferToSaveLoginsDefault if OfferToSaveLogins is present. r?emalysz!

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Policy only, parity with corresponding Firefox
  • User impact if declined: Confusing for administrators of two different policies.
  • Fix Landed on Version: 82
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): automated test, policy only.
  • String or UUID changes made by this patch:
Attachment #9172779 - Flags: approval-mozilla-esr78?
Flags: in-testsuite+

Comment on attachment 9172779 [details]
Bug 1658259 - Ignore OfferToSaveLoginsDefault if OfferToSaveLogins is present. r?emalysz!

Approved for 78.4esr.

Attachment #9172779 - Flags: approval-mozilla-esr78? → approval-mozilla-esr78+