cck could allow settings to be set via windows group policy

RESOLVED WONTFIX

Status

enhancement
RESOLVED WONTFIX
13 years ago
3 years ago

People

(Reporter: webograph, Assigned: mkaply)

Tracking

Trunk
x86
Windows XP

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments, 1 obsolete attachment)

Reporter

Description

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.3) Gecko/20060426 (CK-VereinLOK) Firefox/1.5.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.3) Gecko/20060426 (CK-VereinLOK) Firefox/1.5.0.3

as cck is used in corporate environments, users might wish to set config settings using group policies (our ourganisation wants to set different proxies for groups of users organized in active directory OUs, which enables distribution of policies via gpo).
this feature had been provided by firefoxadm and admxpi (also called adm-xpi for the sake of those looking for it), but this extension seems not to be maintained any more as it is not available for fx 1.5.0.1 and newer.

i'll include a patch ('bout 30 lines of code) which allows cck to read arbitrary preferences from the registry and lock them if desired. it uses the same structure and priorities as adm-xpi, thus, existing adm templates for admxpi can be used with this as well. there has been a discussion about the structure in #267888, and it looks as if the way adm-xpi uses is accepted.
for those not familiar with adm-xpi: HKC[UM]\Software\Policies\Firefox.XPI\Locked\ and HKC[UM]\Software\Policies\Firefox.XPI\ may contain entries having the name of the firefox preference to set and the appropriate value in string representation (!)

things to do before this could be possibly integrated into cck:
- check where it fails on other os. i have try-catch-wrapped the part that fails on windows if the registry keys don't exist, but i can't predict which part will fail in other os's (i don't want to wrap the whole structure as this will make debugging harder). could someone please try it out?
- provide an option to enable it in the wizard dialog (the Customize Preferences section seems appropriate to me). as i lack experience in xpi writing, it always uses the registry settings by now.

Reproducible: Always
Reporter

Comment 1

13 years ago
i'm not too experienced with writing patches -- if you tell me how you need the patch, i'll provide it
Assignee

Comment 2

13 years ago
Wow, this is great.

Do you see one button that says "read preferences from a group policy on Windows?" in order to activate this?
Reporter

Comment 3

13 years ago
such a button is what i suggest; unfortunately i lack the experience to modify the xul.
as far as i understand the way cck works, the wizard could provide a line in the cck.properties; i would then add an `if(bundle.getStringFromName("UseWindowsPolicyPrefs")=="true") {...` to the appropriate part of the cckService.js.
Assignee

Comment 4

13 years ago
I'm finally getting a chance to investigate this.

The path for the policy seems a little odd to me:

Software\Policies\Firefox.XPI

Shouldn't we use something like Software\Policies\Mozilla\Firefox similar to what frontmotion is using? I'm also thinking we should use preference names as the actual names in the policy.

Do you know much about the policy editor? When something is enabled vs. disabled, is that a statement of locking the function?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee

Comment 5

13 years ago
sorry, I misread. You are doing the right thing - using the preference name - FrontMotion is not.
Reporter

Comment 6

13 years ago
i agree -- Software\Policies\Mozilla\Firefox is the more logical choice.
Policies\Firefox.XPI originates from the fact that we used to use admxpi before, and none of us wanted to re-do our group policy (i can change the adm template by simple replacement, but changing the actual group policy requires manual clicking)

as far as the policy editor is concerned, i don't understand what that "disabled" means (i'm not a "windows server native", i just happen to have to use it this year), but i /think/ that it is used to undo general settings for a specific group of users.
in practice, i just enable a certain group policy and set the apropriate values.

i have quickly translated the adm-file we use and changed the registry paths to Mozilla\Firefox, i'll upload it immediately.

even claiming that my xul negligible would be an exaggeration, so i'm afraid i can't help with that -- is there any other way i can help?
Assignee

Comment 8

13 years ago
You've done a great job hear, and I guess what I'm trying to figure out is if we should work to create a standard ADM interface (there are currently three for Firefox).

How were decisions made as to what to set in this ADM file? Where did the items come from?

It's interesting comparing this to the other two.

for instance http pipelining.

Also, I think more work would need to be done to grab the XPI whitelist stuff in cckService.

I'm trying to figure out the "right" way to do this.

should I create an admService.js that handles the adm stuff seperately?

Should we focus at first on just putting the existing CCK stuff in?

I'm also not sure how I feel about the way locking is done. I wish there was some way to just mark a pref as locked, as opposed to having a subfolder. I'm thinking :)


Reporter

Comment 9

13 years ago
(In reply to comment #8)
> How were decisions made as to what to set in this ADM file? Where did the items
> come from?
well, the policy template was based on what we could possibly need i our organisation; it is neither meant to be complete/comprehensive not completely useful -- just an example.

> It's interesting comparing this to the other two.
> for instance http pipelining.
pipelining was basically added because we have a proxy of which i think it supports it, and i saw no reason to keep it disabled. as said, this template is kind of specific to us; other people might use other features. somewhere i've seen a template that was autamatically built from preferential, this is possible as well.

> Also, I think more work would need to be done to grab the XPI whitelist stuff
> in cckService.
> I'm trying to figure out the "right" way to do this.
we've thought about this internally as well and came up with something i'm inclined to call my worst hack evar -- we need a cleaner solution.
the problem is that some firefox settings are not set the usual about:config way (and i don't think this will change any time soon), thus we will need to find a way to set these special things separately.
> Should we focus at first on just putting the existing CCK stuff in?
i think we should. reading about:config preferences from the registry is quite straight forward; doing other stuff (the xpi whitelist won't be our only problem) is certainly much more complicated. i definitely consider it important, but for now, about:config-stuff is at least something to work with.

> should I create an admService.js that handles the adm stuff seperately?
phew ... i'm not an extension developer and didn't even get the large picture of the extension. (to be honest, i considered it, but couldn't figure out how to simply include() another js file)

> I'm also not sure how I feel about the way locking is done. I wish there was
> some way to just mark a pref as locked, as opposed to having a subfolder. I'm
> thinking :)
how do other people (you mentioned frontmotion) solve this problem?
Assignee

Comment 10

13 years ago
webograph:

Just curious, are you affiliated with either the Frontmotion work or the FirefoxADM work?

Was this work you just did on your own?

I'm trying to consolidate all the work and I'm trying to figure out who the players are.

Thanks!
Reporter

Comment 11

13 years ago
i'm not affilated with anyone involved here, i'm just an austrian doing his alternate service between school and university who was lucky enough to get a job in the IT department of a non profit organisation.

the functions i submitted are based on the admxpi package, but completely rewritten (i had a look at the functions and methods they use, checked what is already provided in your package (registry stuff from another part of cckService.js) and wrote the script; afair they used a different approach with less loops and sans switch)

> I'm trying to consolidate all the work and I'm trying to figure out who the
> players are.
great idea -- we've been trying out several packages, but cck seems to be the most promising. firefox needs something like this in order to succeed in company environments with more than just a couple of users.
Assignee

Comment 12

13 years ago
You actually have quite a bit more settings than the other ADM solutions.

You did a nice job.

Did your rollout require all of these settings to be changed?
Reporter

Comment 13

13 years ago
thanks!

i'm not completely sure (no connection to the server right now), but i think we only actually set about half of them. in our setup, everything but proxy settings is kind of self-imposed (nice, but not a requirement); the actual reaon why we wanted about:config settings in active directory is that we have different user groups in different organizational units which have different proxy settings, and since some users from different groups share a common workstation, we can't filter ip based, so we now employ a port based proxy filter (group A gets proxy port 3128, group B gets 3129 and so on)
Reporter

Comment 14

13 years ago
i just once again had a look at bug 267888, which seems to deal with quite the same problems as this bug.
the attached (attachment 228129 [details]) is the one off which i based my own script, and the adm-templates seem to be basically compatible but for
- the paths (trivial to adapt)
- bool handling (i'm not too sure, maybe it even works. i use "1" to represent true, and i've seen "true" somewhere over there)
- locking (attachment 228138 [details] uses one switch to lock the whole policy; from my own experience, this is not desirable)
Reporter

Comment 15

13 years ago
patch from 1.0.3. does not yet incorporate new registry paths and other changes.
Attachment #221797 - Attachment is obsolete: true
Reporter

Comment 16

13 years ago
i'm going to leave the organization i work for in about two weeks and won't have access to a windows domain or clients i can do testing with any more; i don't know if my successor will continue my engagement with this bug.

if there is any way i can help in getting this useable for regular cck users, please let me know so i can finish this.
Assignee

Comment 17

12 years ago
Looking at some ADM stuff now. I definitely don't like the style this patch is using for policies. Other thing we tossed around were:

SOFTWARE\Policies\Mozilla\Firefox\browser.startup.homepage

and

SOFTWARE\Policies\Mozilla\Firefox\browser.startup.homepage.locked

We definitely don't want the Firefox.XPI in there.

Looking at IE for instance, there doesn't seem to be a concept of "locking" per say, so what we are implementing here is something that doesn't exist there.

Although, isn't that basically the difference between machine and user policy? Wouldn't machine policy be "locked" and user policy be "default but can be changed?"
Assignee

Comment 18

12 years ago
Locking is handled in a separate "Restrictions" section at least for IE 5 and 6.

See:

http://www.pctools.com/guides/registry/detail/442/

For IE7, it appears it is handled a little differently. Here's the new IE info:

http://ie7triage.spaces.live.com/Blog/cns!3B6634EF5458F389!174.entry

I think we should try to follow the IE model.
Assignee

Comment 19

12 years ago
I found this Excel spreadsheet that explains EVERY policy option in Vista for IE

http://download.microsoft.com/download/c/3/8/c3815ed7-aee7-4435-802b-8e855d549154/GroupPolicySettingsforWindowsVista.xls

Man they have a lot of policy options.
(In reply to comment #19)
> I found this Excel spreadsheet that explains EVERY policy option in Vista for
> IE
> 

It doesn't look like they are all IE, just rows 368 through 1548 ;)
(In reply to comment #18)
> Locking is handled in a separate "Restrictions" section at least for IE 5 and
> 6.

In the spreadsheet attached to comment #19, there is a Locked-Down and Restricted section. Anyone know what the difference might be?
Assignee

Comment 22

12 years ago
Doc from microsoft on implementing group policy in your app

http://technet.microsoft.com/en-us/library/bb742499.aspx
Assignee

Comment 23

12 years ago
Good resource on IE policies
Assignee

Comment 25

12 years ago
http://www.kaply.com/work/IEGroupPolicySettingsforWindowsVista.xls

This list has been narrowed down to show the unique policies.

I removed everything but IE (inetres.adm).
I removed user/computer duplicates.
I removed duplicates across different security zones.

So in reality there are about 300 unique settings.

Of these, quite a few are IE specific. That's my next pass.

Status: NEW → ASSIGNED
Reporter

Comment 26

12 years ago
(In reply to comment #17)
> Although, isn't that basically the difference between machine and
> user policy? Wouldn't machine policy be "locked" and user policy be
> "default but can be changed?"

this would definitely be too narrow -- in the setup i used in 2006, we needed both locked machine policies and locked user policies, as well as default settings (didn't matter where we put them)
Assignee

Comment 27

12 years ago
In studying the IE Group Policy stuff, it appears that basically the only concept of "locking" in IE is that you removed access to the UI that changed something.

Is that what you have seen?


In terms of computer/user, it looks like this:

If computer is set, it is always used (overrides user setting). User setting is only used if there is no computer setting.


What I'm really trying to figure out in this exercise is are we spending too much time trying to expose every preference in Firefox via an ADM file, when the problem that we're trying to solve should be "have more group policy like IE" which does not seem to be mainly about preferences.

Did you only make ADM stuff available you needed?
Assignee

Comment 28

12 years ago
Here's another interesting page:

http://support.microsoft.com/kb/823057

NoPrinting is documented here (and in other places) but is for some reason not in the big spreadsheet.
Assignee

Comment 29

3 years ago
The CCK is not a Mozilla project so this bug doesn't belong here anyway.
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.