This repo contains the Firefox policy to be used when managing Firefox browsers within the org. A complete list of all possible Firefox policies can be found here: https://github.com/mozilla/policy-templates.
Below is a list of policies that are either included, might be useful, or need clarification. In order for the Firefox policy file to take effect, it needs to be placed in the `Firefox.app/Contents/Resources/distribution` directory as the file `policies.json`. Once Firefox has been restarted, `about:policies` lists every policy it picked up from the file, which is the quickest way to confirm it is active. Given users have sudo privileges on their machines, they may be able to abuse this (editing the file, or simply deleting it, removes every policy), thus agent carter's file watcher functionality will assist in detecting such events.
AppAutoUpdate
- Set to true so application updates are installed without user approval within Firefox, no more worrying about chromepots!
- However, if we want more granular control of this, we can use `AppUpdatePin`.
BackgroundAppUpdate
- Enables automatic application updates in the background, when the application is not running.
- This needs the above policy (`AppAutoUpdate`) to not be disabled in order to work.
- I think this would be good to pair with `AppUpdatePin` to ensure that Firefox is always patched while we keep the option to hold a specific version back.
Cookies
- Configures cookie preferences. Currently all cookies are allowed and set to expire at the end of the session, thus avoiding issues like the gsuite long-term cookie.
- The user is prevented from changing the cookie settings via the `Locked` attribute (unless they disable this by editing the policy file).
- Tracking cookies are rejected in normal and private browsing.
DisableFirefoxAccounts
- Disables Firefox Accounts integration (Sync). Added as we don't want people sharing data outside of bugcrowd via syncing.
DisableSystemAddonUpdate
- Prevents system add-ons from being installed or updated. This was added as we don't use any of the Firefox system add-ons like Pocket, and any other add-on should be going through security approval.
- Caveat: the system add-on update channel is also one of the ways Mozilla ships out-of-band fixes between releases, so with it disabled those fixes only arrive with the next full Firefox update.
EnableTrackingProtection
- Configures tracking protection. Most of this is handled by the `Cookies` policy, however this also allows us to block cryptomining and fingerprinting scripts on sites. `Exceptions` are origins for which tracking protection is not enabled.
- Not sure how effective this is, but might as well use it if it's there.
EncryptedMediaExtensions
- If `Locked` is set to true and `Enabled` is set to false, Firefox will not download encrypted media extensions (like Widevine) or ask the user to install them.
- Might as well add this, we don't have a use case for this kind of stuff.
ExtensionSettings
- Manages all aspects of extensions. This policy is based heavily on the Chrome policy of the same name.
- To obtain an extension ID, install the extension and go to about:support. You will see the ID in the Extensions section.
- By default, all extensions are blocked with the `*` wildcard, however the following are set to be installed by default:
  - 1password (`{d634138d-c276-4fc8-924b-40a0ea21d284}`)
  - okta plugin (`[email protected]`)
  - Zoom scheduler (`{bf855ead-d7c3-4c7b-9f88-9a7e75c0efdf}`)
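As an added illustration (this is not the repo's own policy file), the shape the above takes in `policies.json`: `*` blocked with a message pointing users at the approval process, and the three extensions force-installed so the user can neither remove nor disable them. The `install_url` values are assumed (AMO's "latest" download endpoint, which a force-installed entry requires); the okta ID is carried over exactly as printed above and must be the real ID from about:support before this is deployed.

```json
{
  "policies": {
    "ExtensionSettings": {
      "*": {
        "installation_mode": "blocked",
        "blocked_install_message": "Extensions must go through security approval before they can be installed."
      },
      "{d634138d-c276-4fc8-924b-40a0ea21d284}": {
        "installation_mode": "force_installed",
        "install_url": "https://addons.mozilla.org/firefox/downloads/latest/{d634138d-c276-4fc8-924b-40a0ea21d284}/latest.xpi"
      },
      "[email protected]": {
        "installation_mode": "force_installed",
        "install_url": "https://addons.mozilla.org/firefox/downloads/latest/[email protected]/latest.xpi"
      },
      "{bf855ead-d7c3-4c7b-9f88-9a7e75c0efdf}": {
        "installation_mode": "force_installed",
        "install_url": "https://addons.mozilla.org/firefox/downloads/latest/{bf855ead-d7c3-4c7b-9f88-9a7e75c0efdf}/latest.xpi"
      }
    }
  }
}
```

`force_installed` also means the extension comes back on the next startup if someone removes it; use `normal_installed` instead for anything the user should be allowed to uninstall.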
ManagedBookmarks
- Configures a list of bookmarks managed by an administrator that cannot be changed by the user.
- This is good for us as the support desk links can be built right into the browser, which means IT and security don't have to constantly provide the link to make tickets.
- Currently, this has okta, the Jira help center, and the specific links to the cybersecurity and IT service desks in it.
OfferToSaveLogins
- Controls whether or not Firefox offers to save passwords. This was added so that it could be set to `false`, thus not prompting users or having them click on it by accident.
PasswordManagerEnabled
- Set to false, which removes access to the password manager via preferences and blocks about:logins.
SanitizeOnShutdown (Selective)
- Clears data on shutdown. Choose from Cache, Cookies, Download History, Form & Search History, Browsing History, Active Logins, Site Preferences and Offline Website Data.
- This is really good for security: no more reminding people to clear their cache, this does it automatically.
SSLVersionMin
- Sets and locks the minimum version of TLS; this policy sets it to TLS 1.3 (`tls1.3`).
- This is good to mitigate TLS downgrade attacks, and if a new version is released tomorrow the user can use that too since this only restricts the minimum. The trade-off is that any site or internal appliance that only speaks TLS 1.2 will fail to connect, and because the setting is locked the user cannot override it, so internal services should be checked before this is rolled out.
WebsiteFilter
- Blocks websites from being visited. The parameters take an array of Match Patterns, as documented in https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Match_patterns.
- This just allows us to block things at the browser level, but it requires the name of the site (a scheme/host/path pattern), rather than a category.
- Right now it's just set to XSS Hunter.
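Because the block list is a set of match patterns and not hostnames, it is easy to write an entry that silently covers less (or more) than intended: a bare host does not cover its subdomains, a missing scheme is not a valid pattern at all, and an entry in `Exceptions` wins over `Block`. The checker below is an added example (not the repo's code) that applies the match-pattern rules from the MDN page above to a constructed filter so a list can be sanity-checked before it ships; the hostnames in it are placeholders, not the repo's real entries.

```javascript
// Added example, not part of the repo's policies.json: applies WebExtension
// match patterns the way WebsiteFilter's Block and Exceptions lists do.
// Rules follow MDN's Match_patterns page (WebsiteFilter only filters http/https):
// scheme "*" means http or https, host "*.example.com" covers example.com and
// every subdomain, a bare host is exact, and "*" in the path matches any run of
// characters (query string included, fragment ignored). Exceptions beat Block.

const reEscape = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Compile one match pattern into an anchored RegExp; throws on a malformed one
// (a common mistake is writing a bare hostname with no scheme or path).
function patternToRegExp(pattern) {
  if (pattern === "<all_urls>") return /^https?:\/\//;
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^\/*]+)(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`invalid match pattern: ${pattern}`);
  const [, scheme, host, path] = m;
  const schemeRe = scheme === "*" ? "https?" : scheme;
  let hostRe;
  if (host === "*") hostRe = "[^/]+";
  else if (host.startsWith("*.")) hostRe = "(?:[^/]+\\.)?" + reEscape(host.slice(2));
  else hostRe = reEscape(host);
  const pathRe = path.split("*").map(reEscape).join(".*");
  // Patterns carry no port, but URLs may; the host is compared without it.
  return new RegExp(`^${schemeRe}://${hostRe}(?::\\d+)?${pathRe}$`);
}

// Entries of a list that are not valid match patterns (and would never match).
function invalidPatterns(list) {
  return list.filter((p) => {
    try { patternToRegExp(p); return false; } catch { return true; }
  });
}

// Would WebsiteFilter block this URL? Exceptions take precedence over Block.
function isBlocked(url, { Block = [], Exceptions = [] }) {
  const u = new URL(url);
  // Normalise as the matcher sees it: lowercase scheme and host, no fragment.
  const target = `${u.protocol}//${u.host}${u.pathname}${u.search}`;
  const hit = (list) => list.some((p) => patternToRegExp(p).test(target));
  return !hit(Exceptions) && hit(Block);
}

// Constructed filter in the same shape as the policy's WebsiteFilter object.
const filter = {
  Block: ["*://*.evil-example.com/*", "https://paste-example.com/raw/*"],
  Exceptions: ["https://docs.evil-example.com/*"],
};

// Each case is one edge people tend to get wrong; `expected` documents the rule.
function demo() {
  return [
    ["https://evil-example.com/", true],             // "*.host" also covers the apex
    ["http://cdn.evil-example.com/x?y=1", true],     // subdomain, either scheme, query kept
    ["https://docs.evil-example.com/guide", false],  // Exceptions override Block
    ["https://paste-example.com/raw/abc", true],     // path prefix matches
    ["https://paste-example.com/about", false],      // other path on same host: allowed
    ["https://notevil-example.com/", false],         // host match is anchored, not substring
    ["https://evil-example.com:8443/admin", true],   // port is ignored
  ].map(([url, expected]) => ({ url, expected, blocked: isBlocked(url, filter) }));
}

console.log("invalid:", invalidPatterns(["xsshunter.example", "*://*.xsshunter.example/*"]));
console.table(demo());
```

Run it with `node` against the real `Block` and `Exceptions` arrays from the policy file; anything `invalidPatterns` reports is an entry Firefox will never act on.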
3rdParty
- TL;DR: Firefox extensions that use the `storage.managed` API read admin-provided settings from here; whatever is set under the extension's ID in this policy is what `browser.storage.managed.get()` returns to it (the same data can also be shipped as managed storage JSON manifests on disk).
- Doesn't really help us since we don't have many extensions.
- It would be something we can look into for things like Tampermonkey, to ensure that we are the ones who set that configuration, not the user.
- Will need a file watcher via MDM for alerting however.
Example (the key under `Extensions` is the extension's ID):
```json
{
  "policies": {
    "3rdparty": {
      "Extensions": {
        "[email protected]": {
          "adminSettings": {
            "selectedFilterLists": [
              "ublock-privacy",
              "ublock-badware",
              "ublock-filters",
              "user-filters"
            ]
          }
        }
      }
    }
  }
}
```
AllowedDomainsForApps
- TL;DR: only the domains you put in here will be allowed to sign in to Google Workspace (Gmail, Drive, etc.). Firefox sends the list to Google in the `X-GoogApps-Allowed-Domains` header, so it only affects Google's own sites; it does not stop someone using a personal account in another browser.
- This might be good to ensure that only bugcrowd domains can access Google Workspace on the machine.
```json
{
  "policies": {
    "AllowedDomainsForApps": "managedfirefox.com,example.com"
  }
}
```
AppUpdatePin
- Prevents Firefox from being updated beyond the specified version. You should specify a version that exists or is guaranteed to exist. If you specify a version that doesn't end up existing, Firefox will update beyond that version.
- We can pin the major or minor version with `xx.` and `xx.xx` respectively.
- This way it auto-updates, but if there is ever a vuln in a newer version, we can hold the updates. Note this only holds back versions not yet installed; it does not downgrade machines that already took the newer one.
DisableTelemetry
- Prevents the upload of telemetry data.
- I know all browsers do this, but if we can turn this off, then we might as well turn it off.
DNSOverHTTPS
- Configures DNS over HTTPS.
- This seems like a good thing, wondering if this will cause any issues at all. The main one to expect: with DoH enabled, Firefox resolves names through `ProviderURL` instead of the OS resolver, so split-horizon or internal-only hostnames stop resolving unless they are listed in `ExcludedDomains` (or the provider is an internal DoH server). Template from the policy docs, pick one of each `true | false`:
```json
{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled": true | false,
      "ProviderURL": "URL_TO_ALTERNATE_PROVIDER",
      "Locked": true | false,
      "ExcludedDomains": ["example.com"]
    }
  }
}
```
SupportMenu
- Adds a menu item to the Help menu for specifying support information.
- This is cool, but I don't see a use case for it if we use `ManagedBookmarks`.
BlockAboutConfig, BlockAboutProfiles, BlockAboutSupport, BlockAboutAddons
- Blocks access to about:config, about:profiles, about:support, and about:addons.
- I don't know if we want to block users on this, devs and secops might get angry (assuming they use this kind of thing). Note that `BlockAboutSupport` would also take away the about:support page used above to look up extension IDs.
DisableSecurityBypass
- Prevents the user from bypassing security in certain cases. `InvalidCertificate` prevents adding an exception when an invalid certificate is shown. `SafeBrowsing` prevents selecting "ignore the risk" and visiting a harmful site anyway.
- This might be something to add, but there are times where this might be a blocker, like when using Burp with FoxyProxy. For that case the cleaner route is to trust Burp's CA certificate via the `Certificates` policy (`Install`, or `ImportEnterpriseRoots` if it is already in the macOS keychain) rather than rely on per-site exceptions.