Closed mcringbearer closed 5 years ago
mkaply
commented
5 years ago https://support.mozilla.org/en-US/kb/deploying-firefox-customizations-macos
The distribution directory is not removed when Firefox is updated.
Policies.json was a temporary solution anyway. We support configuration profiles on Mac now and this is the recommended thing to use:
mcringbearer
commented
5 years ago On Jan 1, 2019, at 8:17 AM, Michael Kaply notifications@github.com wrote:
It is very straightforward to remove the quarantine bit and we document it: Disabling the quarantine bit is a security risk. https://support.mozilla.org/en-US/kb/deploying-firefox-customizations-macos https://support.mozilla.org/en-US/kb/deploying-firefox-customizations-macos The distribution directory is not removed when Firefox is updated.
NOT true in the case if you update by copying a new Firefox.app file from the downloaded DMG, the entire folder structure is overwritten. From a sys admin point of view, there are times it is preferable to update by replacing the entire app rather than using the built in update mechanism.
Policies.json was a temporary solution anyway. We support configuration profiles on Mac now and this is the recommended thing to use: I learned about the support for policies because there was a link from a Firefox support page to https://github.com/mozilla/policy-templates/blob/master/README.md https://github.com/mozilla/policy-templates/blob/master/README.md The very first sentence in the readme says this is in active development and refers to JSON files. There is no mention that use of JSON files is a temporary solution or that config files are now supported. All of this info is spread across different links; it would be useful for system admins to have this in one place. Regards the support for Mac configuration profiles in org.mozilla.firefox.plist, I don’t see any mention whether this file is per user only and placed in Users/Username/Library/Preferences or if it can be enforced system wide for all users by adding to Root/Library/Preferences. If it is not supported in Root/Library/Preferencesm, then is there/will there be a mechanism to enforce this system wide for all users?
https://github.com/mozilla/policy-templates/tree/master/mac https://github.com/mozilla/policy-templates/tree/master/mac—
You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/mozilla/policy-templates/issues/321#issuecomment-450731515, or mute the thread https://github.com/notifications/unsubscribe-auth/AHYd58kAS8Fszfm8c0cyVX4Gj-PnCXgsks5u-23zgaJpZM4Zl06K.
mcringbearer
commented
5 years ago As a test, using Firefox 64.0.2, I edited the existing org.mozilla.firefox.plist file located in Users/Username/Library/Preferences and added the keys for disabling AppUpdate, Pocket, Telemetry and keys to set homepage. None of the options were observed or in effect after launching FF.
What am I doing wrong?
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
On Jan 12, 2019, at 12:48 PM, Michael Lilly mchinlilly@gmail.com wrote:
On Jan 1, 2019, at 8:17 AM, Michael Kaply <notifications@github.com mailto:notifications@github.com> wrote:
It is very straightforward to remove the quarantine bit and we document it: Disabling the quarantine bit is a security risk. https://support.mozilla.org/en-US/kb/deploying-firefox-customizations-macos https://support.mozilla.org/en-US/kb/deploying-firefox-customizations-macos The distribution directory is not removed when Firefox is updated.
NOT true in the case if you update by copying a new Firefox.app file from the downloaded DMG, the entire folder structure is overwritten. From a sys admin point of view, there are times it is preferable to update by replacing the entire app rather than using the built in update mechanism.
Policies.json was a temporary solution anyway. We support configuration profiles on Mac now and this is the recommended thing to use: I learned about the support for policies because there was a link from a Firefox support page to https://github.com/mozilla/policy-templates/blob/master/README.md https://github.com/mozilla/policy-templates/blob/master/README.md The very first sentence in the readme says this is in active development and refers to JSON files. There is no mention that use of JSON files is a temporary solution or that config files are now supported. All of this info is spread across different links; it would be useful for system admins to have this in one place. Regards the support for Mac configuration profiles in org.mozilla.firefox.plist, I don’t see any mention whether this file is per user only and placed in Users/Username/Library/Preferences or if it can be enforced system wide for all users by adding to Root/Library/Preferences. If it is not supported in Root/Library/Preferencesm, then is there/will there be a mechanism to enforce this system wide for all users?
https://github.com/mozilla/policy-templates/tree/master/mac https://github.com/mozilla/policy-templates/tree/master/mac—
You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/mozilla/policy-templates/issues/321#issuecomment-450731515, or mute the thread https://github.com/notifications/unsubscribe-auth/AHYd58kAS8Fszfm8c0cyVX4Gj-PnCXgsks5u-23zgaJpZM4Zl06K.
mkaply
commented
5 years ago You can't modify that plist file.
You need to use our plist file:
https://github.com/mozilla/policy-templates/blob/master/mac/org.mozilla.firefox.plist
Then use a tool like this:
https://github.com/timsutton/mcxToProfile
To convert it to a mobileconfig file and then load the mobileconfig.
Or you can use the commandline parameters documented here:
https://github.com/mozilla/policy-templates/blob/master/mac/README.md
mkaply
commented
5 years ago On Jan 1, 2019, at 8:17 AM, Michael Kaply @.***> wrote: It is very straightforward to remove the quarantine bit and we document it: Disabling the quarantine bit is a security risk.
In this case, you're removing it on a none thing you downloaded.
https://support.mozilla.org/en-US/kb/deploying-firefox-customizations-macos https://support.mozilla.org/en-US/kb/deploying-firefox-customizations-macos The distribution directory is not removed when Firefox is updated. NOT true in the case if you update by copying a new Firefox.app file from the downloaded DMG, the entire folder structure is overwritten. From a sys admin point of view, there are times it is preferable to update by replacing the entire app rather than using the built in update mechanism.
That's not a typical scenario. Most people use an update tool or use Firefox updates.
I'll update the readme.
mcringbearer
commented
5 years ago That's not a typical scenario. Most people use an update tool or use Firefox updates.
As an admin, I’ve disabled updating from the app UI to prevent users from running update (using the tools / config file we’ve been discussing). So I’ve written scripts that update each installation by copying and replacing the Firefox.app file. Is there another update tool available that can manage this more effectively? I’m coming from a Windows background and still learning the Mac platform, on Windows I would push updates from a server, but I don’t see comparable tools for Mozilla on the Mac side for automated push mechanisms. Welcome any input you can give me.
On Jan 18, 2019, at 1:37 PM, Michael Kaply notifications@github.com wrote:
On Jan 1, 2019, at 8:17 AM, Michael Kaply @.***> wrote: It is very straightforward to remove the quarantine bit and we document it: Disabling the quarantine bit is a security risk.
In this case, you're removing it on a none thing you downloaded.
https://support.mozilla.org/en-US/kb/deploying-firefox-customizations-macos https://support.mozilla.org/en-US/kb/deploying-firefox-customizations-macos https://support.mozilla.org/en-US/kb/deploying-firefox-customizations-macos https://support.mozilla.org/en-US/kb/deploying-firefox-customizations-macos The distribution directory is not removed when Firefox is updated. NOT true in the case if you update by copying a new Firefox.app file from the downloaded DMG, the entire folder structure is overwritten. From a sys admin point of view, there are times it is preferable to update by replacing the entire app rather than using the built in update mechanism.
That's not a typical scenario. Most people use an update tool or use Firefox updates.
I'll update the readme.
— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/mozilla/policy-templates/issues/321#issuecomment-455663466, or mute the thread https://github.com/notifications/unsubscribe-auth/AHYd56dHyrcEuq7kFBj-tN54dTtn-Sexks5vEiKLgaJpZM4Zl06K.
mkaply
commented
5 years ago FYI, there's a really great community of Mac Admins here on Slack:
https://macadmins.herokuapp.com/
I would highly recommend plugging in.
On a Mac, to implement Policies, the Distribution folder is copied to Firefox.app/Contents/Resources/distribution. Modifying the Contents folder of any mac app is comparable to modifying an EXE file on Windows; it breaks code signing validation of the app. macOS performs a code signing check the first time a new app is run (this includes after each update, since a Firefox update replaces the entire Firefox.app folder.) If the contents have been modified prior to launching the app the first time, the hash validation will fail and the user is issued a warning that the app is corrupted and to trash it (see screen capture attached). If Firefox is launched at least once time (after an update), AND THEN the Distribution folder is copied, then Firefox will launch without a warning because the initial validation check has already been done.
The choice of the location to copy Distribution folder directly into the app Contents, is unacceptable especially for system administrators. First, the Distribution folder is not persistent, it is erased every time the app is updated. Second, to avoid code signing error, It means after every Firefox update, an administrator must launch Firefox at least once on every updated system, PRIOR to copying the Distribution folder.
Although this can be custom scripted, the long term solution involves two changes: 1) choosing new location for the Distribution folder that persists even after app updates. On a Mac, if this is done per user, then it should be in the Profiles folder or the Users/Username/Library/Application Support folder. If this needs to persist globally for all users, the Distribution folder should be located in \HARDDRIVE\Library\Application Support\Firefox. NOTE, this is the root Library folder, not the Users\"Username"\LIbrary folder. The root Library location is protected and would require an actual Installer that prompts for administrator credentials. 2) If you want to maintain the current process of updating the app by just copying Firefox.app into the Applications folder, then for Administrators provide an installer tool to install and manage the Distribution folder into \HARDDRIVE\Library\Application Support\Firefox
I suspect the Mozilla developers for Mac have not experienced this code signing error perhaps because Gatekeeper, SIP (System Integrity Protection) and code validation has been disabled on their Mac systems, which is common for Mac developers for convenience so as to not be hassled every time a change is made. However, the majority of Firefox endusers will have the default setting that these protections will be enabled.
screen shot