Open Bug 1672923 Opened 4 years ago Updated 10 months ago

Add AllowInstall policy like Chrome

Product/Component: Firefox :: Enterprise Policies
Type: enhancement, Priority: P3
Platform: Desktop, Windows
Status: UNCONFIRMED
Reporter: mark, Assignee: Unassigned

Reopen: https://bugzilla.mozilla.org/show_bug.cgi?id=1588059

Sorry guys, I need to reopen this issue, because the Group Policy settings still do not behave the same as the JSON file. Your JSON works as expected. I tested on Firefox 81 and 82, so the current release, October 2020.

There are 2 issues. Tested in GPO/Computer Configuration: JSON works, GPO/Registry does not.

  1. Blacklist everything, allow/install only known Add-Ons.
    Mozilla/Firefox/Extensions/Extensions Management
    JSON: {"*": {"installation_mode":"blocked"},"{446900e4-71c2-419f-a6a7-df9c091e268b}": {"installation_mode": "force_installed","install_url":"https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi"}}
    -> Bitwarden will be installed, all others are blocked. That's the expected working result.

GPO:
Mozilla/Firefox/Add-ons/Add-On Installation = Disable
Mozilla/Firefox/Extensions/Extensions to install = https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi
-> All Add-Ons are blocked. That's it. "Extensions to install" creates no whitelist or exclusion; the kind of install option is missing in the policy as well.

  2. Auto Install Add-on, do not control a blacklist
    JSON: {"{446900e4-71c2-419f-a6a7-df9c091e268b}": {"installation_mode": "force_installed","install_url":"https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi"}}
    -> Bitwarden will be installed, none of the others are blocked. Just an AutoInstall of the extension. That's the expected working result.

GPO:
Mozilla/Firefox/Extensions/Extensions to install = https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi
-> Nothing will happen. No blocking active, no Autoinstall either.

My conclusion:

  1. Registry: Software\Policies\Mozilla\Firefox\InstallAddonsPermission\Default = 4 (Reg_Dword) = Disable in GPO, behaves like "*": {"installation_mode":"blocked"}, but it does not allow any whitelist. It is not built to be additive.
  2. Registry: Software\Policies\Mozilla\Firefox\Extensions\Install"count" = PATH to XPI, has no effect at all and it cannot differentiate between "allowed", "blocked", "normal_installed", "force_install".

Wish:
Create/Change 2 policies:

  1. "Disable all Add-Ons" = this is "*": {"installation_mode":"blocked"} from JSON
  2. "Add, remove or force install Add-On", that could be an ADMX where the LIST Box integrates "VALUENAME" and "VALUE".
    Valuename = Path to XPI
    Value = kind of installation
    When querying/processing this registry key, you can create the ruleset like in the JSON, all variables are there.

I'm planning to deprecate all of the old methods and encourage everyone to use the new mechanism (JSON) which works much better than everything we had before.

I don't want to change the way the old policies are implemented because I don't want to encourage people to use them.

Is there a reason you don't want to just use the new method?

FYI, Wish 2 won't work because I need the ID of the extension. That's what makes the new version work so much better. By having the ID, I can check the state of the extension as it is currently installed.

I find ADMX incredibly limiting and, as Chrome is doing, for more complex policies I will probably use JSON instead of trying to shoehorn them into ADMX.

Hi,

why are you not asking for help when it comes to policy? Probably there are a few people out there that know a lot about it ..?

I do not want to use a JSON because it needs to be a one-liner in the GPO, which completely breaks the structure and syntax view.
This is close to unmanageable. In a Microsoft Enterprise infrastructure, there is GPO. Firefox was for a long time not an option, because of the missing group policy functionality.

By the way: Thank you for your AMO Search Addin. That helps a lot.

Let's assume you would stay on Group Policy and I am using your AMO Plugin, I would need 4 policies (like Chromium), 1 for each install option.

  1. Blacklist (blocked)
  2. Whitelist (Allow_Install)
  3. Autoinstall without change (Force_Install)
  4. Autoinstall user can change (normal_install)

All of them are a listbox, and you need to change your listbox from:
<elements>
<list id="Extensions" key="Software\Policies\Mozilla\Firefox\Extensions\Install" valuePrefix="" expandable="true"/>
</elements>

to, by adding ---> explicitValue="true"
<elements>
<list id="Extensions" key="Software\Policies\Mozilla\Firefox\Extensions\Install" valuePrefix="" expandable="true" explicitValue="true"/>
</elements>

Now, you will get a listbox that contains VALUENAME and VALUE, which can be used by your ruleset.
Valuename = ID and Value = URL. With the "explicitValue" the Valuenames are no longer automatically/dynamically counted, they need to be entered "explicit". Now they are no longer 1,2,3,4,5 ... now you can use individual entries for the ruleset.

Sample:
<policy name="Autoinstall without change (Force_Install)" key="Software\Policies\Mozilla\Firefox\Extensions\Install" valueName="Force_Install">
  <enabledValue>
    <decimal value="1" />
  </enabledValue>
  <disabledValue>
    <decimal value="0" />
  </disabledValue>
  <elements>
    <list id="AllowInstall" key="Software\Policies\Mozilla\Firefox\Extensions\Install\AllowInstall" additive="true" explicitValue="true" />
  </elements>
</policy>

Now you can build your rule on:
"Software\Policies\Mozilla\Firefox\Extensions\Install" valueName="Force_Install"
and "Software\Policies\Mozilla\Firefox\Extensions\Install\AllowInstall" valueName="URL to latest xpi" (Valuename from listbox) and "ID" (Value from Valuename from Listbox)

All of the 3 variables you need.

(In reply to Mark Heitbrink from comment #3)

> Hi,
>
> why are you not asking for help when it comes to policy? Probably there are a few people out there that know a lot about it ..?

I've asked (and received) lots of help. And I always appreciate feedback on the policies. You can contribute patches to Firefox or to the ADMX templates.

> I do not want to use a JSON because it needs to be a one-liner in the GPO, which completely breaks the structure and syntax view.
> This is close to unmanageable. In a Microsoft Enterprise infrastructure, there is GPO. Firefox was for a long time not an option, because of the missing group policy functionality.

That is incorrect. I am using a MULTI_SZ for ExtensionSettings so that it is not one line as it is on Chrome. It's a multiline text field that maintains syntax.

What Google has discovered (as have we) is that there are a lot of complex concepts that don't map well to ADMX. Bookmarks are another good example. Our implementation is terrible because there's no way to do anything but simple name/value pairs, so we created individual policies and had to have 50 of them and they don't work well.

> By the way: Thank you for your AMO Search Addin. That helps a lot.
>
> Let's assume you would stay on Group Policy and I am using your AMO Plugin, I would need 4 policies (like Chromium), 1 for each install option.
>
>   1. Blacklist (blocked)
>   2. Whitelist (Allow_Install)
>   3. Autoinstall without change (Force_Install)
>   4. Autoinstall user can change (normal_install)
>
> All of them are a listbox, and you need to change your listbox from:
> <elements>
> <list id="Extensions" key="Software\Policies\Mozilla\Firefox\Extensions\Install" valuePrefix="" expandable="true"/>
> </elements>
>
> to, by adding ---> explicitValue="true"
> <elements>
> <list id="Extensions" key="Software\Policies\Mozilla\Firefox\Extensions\Install" valuePrefix="" expandable="true" explicitValue="true"/>
> </elements>
>
> Now, you will get a listbox that contains VALUENAME and VALUE, which can be used by your ruleset.
> Valuename = ID and Value = URL. With the "explicitValue" the Valuenames are no longer automatically/dynamically counted, they need to be entered "explicit". Now they are no longer 1,2,3,4,5 ... now you can use individual entries for the ruleset.
>
> Sample:
> <policy name="Autoinstall without change (Force_Install)" key="Software\Policies\Mozilla\Firefox\Extensions\Install" valueName="Force_Install">
>   <enabledValue>
>     <decimal value="1" />
>   </enabledValue>
>   <disabledValue>
>     <decimal value="0" />
>   </disabledValue>
>   <elements>
>     <list id="AllowInstall" key="Software\Policies\Mozilla\Firefox\Extensions\Install\AllowInstall" additive="true" explicitValue="true" />
>   </elements>
> </policy>
>
> Now you can build your rule on:
> "Software\Policies\Mozilla\Firefox\Extensions\Install" valueName="Force_Install"
> and "Software\Policies\Mozilla\Firefox\Extensions\Install\AllowInstall" valueName="URL to latest xpi" (Valuename from listbox) and "ID" (Value from Valuename from Listbox)
>
> All of the 3 variables you need.

We already have the function you have pointed out via the existing policy.

https://github.com/mozilla/policy-templates#extensions

If you add an Extension to the Install list and add the id to the Locked list, it will be force installed and can't be uninstalled.

If you add it to just the Install list, it will be normal installed.

The reason I couldn't make this policy as similar to Chrome is because all Chrome installs come from the store, so you only need to specify an ID.

I will investigate if we can match Chrome better in some cases.

(In reply to Mike Kaply [:mkaply] from comment #4)

> That is incorrect. I am using a MULTI_SZ for ExtensionSettings so that it is not one line as it is on Chrome. It's a multiline text field that maintains syntax.

That is new? Just tested it. It works.
It definitely didn't work in the past. Even if it was always a Reg_Multi_SZ, it needed to be a one-liner.

> We already have the function you have pointed out via the existing policy.

In your explanation of the policy "Install Addons", there is no hint that you need to combine it with the 2nd policy "Lock AddOns ..." to get it to work. A sentence in the explanation would be helpful. Or this is a candidate for "explicit Value"; then your 2 settings would be inside one policy.

OK, 1 policy missing :-)
Force_Install is a little bit crude because of the missing explanation; simple fix in the Explaintext.
Allow_Install could be a new policy similar to "Install Addon", but allow instead of force.

rename: Install Addon -> Force Install Addon
new: Allow install Addon

Great suggestions. I'll take a look.

As far as the MULTI_SZ thing goes, I swear it was like that from the beginning.

I opened a bug for Chrome to fix theirs :)

Chrome policies to copy:

https://www.chromium.org/administrators/policy-list-3#Extensions

In theory, I could use the info from these policies to generate ExtensionSettings on the fly
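
The idea in the comment above, generating ExtensionSettings from separate per-mode lists, sketched as an added example that is not part of the bug thread or of Firefox's code. The function names, the four parameters and the HTTPS-only check are assumptions of this example; the Bitwarden ID and URL are the ones quoted in the report.

```python
import json

# Bitwarden ID and download URL exactly as quoted in the bug report above.
BITWARDEN_ID = "{446900e4-71c2-419f-a6a7-df9c091e268b}"
BITWARDEN_URL = ("https://addons.mozilla.org/firefox/downloads/latest/"
                 "bitwarden-password-manager/latest.xpi")


def build_extension_settings(blocked=(), allowed=(), force_installed=None,
                             normal_installed=None):
    """Merge four per-mode lists (hypothetical inputs) into one dict.

    blocked / allowed: extension IDs; "*" is the default for all extensions.
    force_installed / normal_installed: dict of extension ID -> install URL,
    since Firefox needs the ID as well as the XPI location.
    """
    settings = {}

    def assign(ext_id, mode, url=None):
        # Refuse an ID that appears in two lists instead of silently picking one.
        if ext_id in settings:
            prev = settings[ext_id]["installation_mode"]
            raise ValueError(f"{ext_id} is both {prev} and {mode}")
        entry = {"installation_mode": mode}
        if url is not None:
            # Assumption of this example: only accept HTTPS download URLs.
            if not url.startswith("https://"):
                raise ValueError(f"{ext_id}: install_url is not https")
            entry["install_url"] = url
        settings[ext_id] = entry

    for ext_id in blocked:
        assign(ext_id, "blocked")
    for ext_id in allowed:
        assign(ext_id, "allowed")
    installs = (("force_installed", force_installed or {}),
                ("normal_installed", normal_installed or {}))
    for mode, mapping in installs:
        for ext_id, url in mapping.items():
            if ext_id == "*":
                raise ValueError("'*' has no XPI and cannot be installed")
            assign(ext_id, mode, url)
    return settings


def to_policy_text(settings):
    """Multi-line JSON for the multi-line ExtensionSettings policy field."""
    return json.dumps(settings, indent=2)
```

Calling `build_extension_settings(blocked=["*"], force_installed={BITWARDEN_ID: BITWARDEN_URL})` reproduces the reporter's first JSON case (block everything, force-install Bitwarden).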

The severity field is not set for this bug.
:mkaply, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(mozilla)
Severity: -- → N/A
Type: defect → enhancement
Flags: needinfo?(mozilla)
Priority: -- → P3
Summary: Group Policy Addon Control does not behave like JSON → Add AllowInstall policy like Chrome

I second this!
