Closed Bug 337679 Opened 15 years ago Closed 4 years ago

cck could allow settings to be set via windows group policy

Categories

(Other Applications :: CCK, enhancement)

x86
Windows XP
enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: webograph, Assigned: mkaply)

Details

Attachments

(2 files, 1 obsolete file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.3) Gecko/20060426 (CK-VereinLOK) Firefox/1.5.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.3) Gecko/20060426 (CK-VereinLOK) Firefox/1.5.0.3

as cck is used in corporate environments, users might wish to set config settings using group policies (our ourganisation wants to set different proxies for groups of users organized in active directory OUs, which enables distribution of policies via gpo).
this feature had been provided by firefoxadm and admxpi (also called adm-xpi for the sake of those looking for it), but this extension seems not to be maintained any more as it is not available for fx 1.5.0.1 and newer.

i'll include a patch ('bout 30 lines of code) which allows cck to read arbitrary preferences from the registry and lock them if desired. it uses the same structure and priorities as adm-xpi, thus, existing adm templates for admxpi can be used with this as well. there has been a discussion about the structure in #267888, and it looks as if the way adm-xpi uses is accepted.
for those not familiar with adm-xpi: HKC[UM]\Software\Policies\Firefox.XPI\Locked\ and HKC[UM]\Software\Policies\Firefox.XPI\ may contain entries having the name of the firefox preference to set and the appropriate value in string representation (!)

things to do before this could be possibly integrated into cck:
- check where it fails on other os. i have try-catch-wrapped the part that fails on windows if the registry keys don't exist, but i can't predict which part will fail in other os's (i don't want to wrap the whole structure as this will make debugging harder). could someone please try it out?
- provide an option to enable it in the wizard dialog (the Customize Preferences section seems appropriate to me). as i lack experience in xpi writing, it always uses the registry settings by now.

Reproducible: Always
i'm not too experienced with writing patches -- if you tell me how you need the patch, i'll provide it
Wow, this is great.

Do you see one button that says "read preferences from a group policy on Windows?" in order to activate this?
such a button is what i suggest; unfortunately i lack the experience to modify the xul.
as far as i understand the way cck works, the wizard could provide a line in the cck.properties; i would then add an `if(bundle.getStringFromName("UseWindowsPolicyPrefs")=="true") {...` to the appropriate part of the cckService.js.
I'm finally getting a chance to investigate this.

The path for the policy seems a little odd to me:

Software\Policies\Firefox.XPI

Shouldn't we use something like Software\Policies\Mozilla\Firefox similar to what frontmotion is using? I'm also thinking we should use preference names as the actual names in the policy.

Do you know much about the policy editor? When something is enabled vs. disabled, is that a statement of locking the function?
Status: UNCONFIRMED → NEW
Ever confirmed: true
sorry, I misread. You are doing the right thing - using the preference name - FrontMotion is not.
i agree -- Software\Policies\Mozilla\Firefox is the more logical choice.
Policies\Firefox.XPI originates from the fact that we used to use admxpi before, and none of us wanted to re-do our group policy (i can change the adm template by simple replacement, but changing the actual group policy requires manual clicking)

as far as the policy editor is concerned, i don't understand what that "disabled" means (i'm not a "windows server native", i just happen to have to use it this year), but i /think/ that it is used to undo general settings for a specific group of users.
in practice, i just enable a certain group policy and set the apropriate values.

i have quickly translated the adm-file we use and changed the registry paths to Mozilla\Firefox, i'll upload it immediately.

even claiming that my xul negligible would be an exaggeration, so i'm afraid i can't help with that -- is there any other way i can help?
You've done a great job hear, and I guess what I'm trying to figure out is if we should work to create a standard ADM interface (there are currently three for Firefox).

How were decisions made as to what to set in this ADM file? Where did the items come from?

It's interesting comparing this to the other two.

for instance http pipelining.

Also, I think more work would need to be done to grab the XPI whitelist stuff in cckService.

I'm trying to figure out the "right" way to do this.

should I create an admService.js that handles the adm stuff seperately?

Should we focus at first on just putting the existing CCK stuff in?

I'm also not sure how I feel about the way locking is done. I wish there was some way to just mark a pref as locked, as opposed to having a subfolder. I'm thinking :)


(In reply to comment #8)
> How were decisions made as to what to set in this ADM file? Where did the items
> come from?
well, the policy template was based on what we could possibly need i our organisation; it is neither meant to be complete/comprehensive not completely useful -- just an example.

> It's interesting comparing this to the other two.
> for instance http pipelining.
pipelining was basically added because we have a proxy of which i think it supports it, and i saw no reason to keep it disabled. as said, this template is kind of specific to us; other people might use other features. somewhere i've seen a template that was autamatically built from preferential, this is possible as well.

> Also, I think more work would need to be done to grab the XPI whitelist stuff
> in cckService.
> I'm trying to figure out the "right" way to do this.
we've thought about this internally as well and came up with something i'm inclined to call my worst hack evar -- we need a cleaner solution.
the problem is that some firefox settings are not set the usual about:config way (and i don't think this will change any time soon), thus we will need to find a way to set these special things separately.
> Should we focus at first on just putting the existing CCK stuff in?
i think we should. reading about:config preferences from the registry is quite straight forward; doing other stuff (the xpi whitelist won't be our only problem) is certainly much more complicated. i definitely consider it important, but for now, about:config-stuff is at least something to work with.

> should I create an admService.js that handles the adm stuff seperately?
phew ... i'm not an extension developer and didn't even get the large picture of the extension. (to be honest, i considered it, but couldn't figure out how to simply include() another js file)

> I'm also not sure how I feel about the way locking is done. I wish there was
> some way to just mark a pref as locked, as opposed to having a subfolder. I'm
> thinking :)
how do other people (you mentioned frontmotion) solve this problem?
webograph:

Just curious, are you affiliated with either the Frontmotion work or the FirefoxADM work?

Was this work you just did on your own?

I'm trying to consolidate all the work and I'm trying to figure out who the players are.

Thanks!
i'm not affilated with anyone involved here, i'm just an austrian doing his alternate service between school and university who was lucky enough to get a job in the IT department of a non profit organisation.

the functions i submitted are based on the admxpi package, but completely rewritten (i had a look at the functions and methods they use, checked what is already provided in your package (registry stuff from another part of cckService.js) and wrote the script; afair they used a different approach with less loops and sans switch)

> I'm trying to consolidate all the work and I'm trying to figure out who the
> players are.
great idea -- we've been trying out several packages, but cck seems to be the most promising. firefox needs something like this in order to succeed in company environments with more than just a couple of users.
You actually have quite a bit more settings than the other ADM solutions.

You did a nice job.

Did your rollout require all of these settings to be changed?
thanks!

i'm not completely sure (no connection to the server right now), but i think we only actually set about half of them. in our setup, everything but proxy settings is kind of self-imposed (nice, but not a requirement); the actual reaon why we wanted about:config settings in active directory is that we have different user groups in different organizational units which have different proxy settings, and since some users from different groups share a common workstation, we can't filter ip based, so we now employ a port based proxy filter (group A gets proxy port 3128, group B gets 3129 and so on)
i just once again had a look at bug 267888, which seems to deal with quite the same problems as this bug.
the attached (attachment 228129 [details]) is the one off which i based my own script, and the adm-templates seem to be basically compatible but for
- the paths (trivial to adapt)
- bool handling (i'm not too sure, maybe it even works. i use "1" to represent true, and i've seen "true" somewhere over there)
- locking (attachment 228138 [details] uses one switch to lock the whole policy; from my own experience, this is not desirable)
patch from 1.0.3. does not yet incorporate new registry paths and other changes.
Attachment #221797 - Attachment is obsolete: true
i'm going to leave the organization i work for in about two weeks and won't have access to a windows domain or clients i can do testing with any more; i don't know if my successor will continue my engagement with this bug.

if there is any way i can help in getting this useable for regular cck users, please let me know so i can finish this.
Looking at some ADM stuff now. I definitely don't like the style this patch is using for policies. Other thing we tossed around were:

SOFTWARE\Policies\Mozilla\Firefox\browser.startup.homepage

and

SOFTWARE\Policies\Mozilla\Firefox\browser.startup.homepage.locked

We definitely don't want the Firefox.XPI in there.

Looking at IE for instance, there doesn't seem to be a concept of "locking" per say, so what we are implementing here is something that doesn't exist there.

Although, isn't that basically the difference between machine and user policy? Wouldn't machine policy be "locked" and user policy be "default but can be changed?"
Locking is handled in a separate "Restrictions" section at least for IE 5 and 6.

See:

http://www.pctools.com/guides/registry/detail/442/

For IE7, it appears it is handled a little differently. Here's the new IE info:

http://ie7triage.spaces.live.com/Blog/cns!3B6634EF5458F389!174.entry

I think we should try to follow the IE model.
I found this Excel spreadsheet that explains EVERY policy option in Vista for IE

http://download.microsoft.com/download/c/3/8/c3815ed7-aee7-4435-802b-8e855d549154/GroupPolicySettingsforWindowsVista.xls

Man they have a lot of policy options.
(In reply to comment #19)
> I found this Excel spreadsheet that explains EVERY policy option in Vista for
> IE
> 

It doesn't look like they are all IE, just rows 368 through 1548 ;)
(In reply to comment #18)
> Locking is handled in a separate "Restrictions" section at least for IE 5 and
> 6.

In the spreadsheet attached to comment #19, there is a Locked-Down and Restricted section. Anyone know what the difference might be?
Doc from microsoft on implementing group policy in your app

http://technet.microsoft.com/en-us/library/bb742499.aspx
Good resource on IE policies
http://www.kaply.com/work/IEGroupPolicySettingsforWindowsVista.xls

This list has been narrowed down to show the unique policies.

I removed everything but IE (inetres.adm).
I removed user/computer duplicates.
I removed duplicates across different security zones.

So in reality there are about 300 unique settings.

Of these, quite a few are IE specific. That's my next pass.

Status: NEW → ASSIGNED
(In reply to comment #17)
> Although, isn't that basically the difference between machine and
> user policy? Wouldn't machine policy be "locked" and user policy be
> "default but can be changed?"

this would definitely be too narrow -- in the setup i used in 2006, we needed both locked machine policies and locked user policies, as well as default settings (didn't matter where we put them)
In studying the IE Group Policy stuff, it appears that basically the only concept of "locking" in IE is that you removed access to the UI that changed something.

Is that what you have seen?


In terms of computer/user, it looks like this:

If computer is set, it is always used (overrides user setting). User setting is only used if there is no computer setting.


What I'm really trying to figure out in this exercise is are we spending too much time trying to expose every preference in Firefox via an ADM file, when the problem that we're trying to solve should be "have more group policy like IE" which does not seem to be mainly about preferences.

Did you only make ADM stuff available you needed?
Here's another interesting page:

http://support.microsoft.com/kb/823057

NoPrinting is documented here (and in other places) but is for some reason not in the big spreadsheet.
The CCK is not a Mozilla project so this bug doesn't belong here anyway.
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.