Locking down Firefox with CCK 2
Firstly, Firefox has changed a little from version 24 to the (at time of writing) current version 30. Secondly, the excellent Mike Kaply has released a ‘new-proved’ (that’s new and improved) CCK, version 2, which offers a better system to maintain the lockdowns through Firefox updates.
Previously, you’d have to manually modify each newly updated Firefox bundle to keep your restrictions in place. With the new method, you can re-push / deploy the specific settings files, back into the newly updated (or replaced) application bundle.
I’d also like to take this chance to apologise to Mike for not having a chance to play and write this up sooner. CCK 2 was released back in November 2013.
One final thing… I apologise in advance for the length of this post!
Right, let’s get to it.
Firefox Version: 30.0.0
CCK Version: 2.0.4
This blog post is split into four main sections:
- Obtaining and installing the CCK Wizard
- Configuring a CCK lock-down ‘auto-config’ package
- Installing the package into your Firefox bundle
- Using the new package when updating Firefox.
I suggest you use a new user account that hasn’t launched Firefox of any version to build your deployment copy.
Phase 1: Obtaining and installing the CCK Wizard
1. Navigate to the Firefox website and download the latest copy of Firefox.
2. Drag your new copy of Firefox to the desktop so you can work on it.
3. Launch Firefox and dismiss all of the first launch popups and messages.
4. Once you have got your copy of Firefox fully open, launch the Add-on manager by going to the “Tools” menu item, then “Add-ons”.
5. In the “Search all add-ons” box, type in “cck” and hit return.
6. This should show the 2 CCK Wizard add-on installers. Click “Install” on the CCK Wizard 2.0.4 and once complete, close this tab.
7. Once Firefox has installed the plugin, you should see the below screen. This means that the CCK Wizard add-on is installed. This completes Phase 1.
Phase 2: Configuring a CCK lock-down ‘auto-config’ package
8. As directed by the ‘Thanks for installing…’ screen, click the new icon in the top right corner.
9. This will launch the CCK Wizard 2 editor. Click “New” to create a new configuration. You can import previous CCK Wizard creations but sometimes it’s good to start from scratch to clear out the fluff.
10. Enter a name and a unique identifier for your lockdown profile. For this example, I have used “Amsys-Example-Lockdown-2014” and “email@example.com”. Click “OK”.
11. The entire plugin will now move to a new screen, with the sections on the left and the settings on the right. On the “About” page, set a description and give the configuration a version number. Use the “Choose…” option to select the location where the work-in-progress files will be stored. In this example I have used the desktop of my test user account. Once complete, click “Next”.
Please Note: You can also navigate directly to each section using the titles in the left hand window.
12. The next section is “Web Pages”. This will allow you to set a homepage, lock the homepage, set a ‘new user’ welcome page and not to display it, and finally set a ‘Firefox has been upgraded’ page and not to display it. In my default ‘education lockdown’ I will set the Homepage, tick the ‘lock down’ box, leave the Welcome and Upgrade page URLs blank, but tick both “Do not display…” options. Once complete, click “Next”.
13. Next is the “User Interface”, providing general options for the UI of the browser. Typically, I would only select / tick the “Remove the Web Developer menu”, “Remove the ‘Set As Desktop Background’ menuitem” and “Remove the ‘Restart with Add-ons disabled’ menuitem” options. The last option isn’t really that relevant with the new UI style of Firefox v30. Once complete, click “Next”.
14. The next section is “Help Menu” and allows you to modify some aspects of the Help system. Generally speaking, it’s not something I make use of but feel free to play (and test)! Click “Next”.
15. This section is the “Hidden UI” section. It allows you to hide whole sections of the Firefox UI. Again, generally speaking, it’s not something I make use of, but might be ideal for you. Once complete, click “Next”.
16. The next section “Permissions” allows you to set default site preferences such as block/allow Popups, Installs, Cookies and Plugins. For this example I have used a (hopefully) fake site called “http://www.popsite.com” and blocked all. Clicking the “Add…” option, filling in the boxes, and then clicking “OK” added this. Repeat as required. Click “Next” once you’re done.
17. The “Add-ons” page. You can use the main section to load in the pre-downloaded extension files to include. Typically, I’d rarely use this feature but I heavily use the lower section. This allows the disabling of “Discovering Add-ons in the Add-ons Manager”, the Add-ons manager itself and the installing of Add-ons. I typically will tick all three. Click “Next”.
18. “Search Engines”. As the name suggests, this allows you to customise the Search Engines that Firefox uses. By default Firefox uses Google so typically, I’ll leave this as is. Click “Next”.
19. “Plugins”, the section for your web plugins such as Flash, Java, Adobe Reader etc. Generally, I’d be deploying Flash and Java to the system as standard, so I don’t typically use this section. Click “Next”.
20. “Bookmarks”. This section can be used to set some options relating to the bookmark items and view settings. I typically select all three options (“Display the Bookmarks toolbar by default”, “Remove Smart Bookmarks…” and “Remove Default Bookmarks…”). Click “Next”.
21. “Toolbar” and “Menu”. These two sections allow you to add bookmarks, separators and folders to the bookmarks toolbar and menu item respectively. Adding these is simply a case of clicking the relevant “Add [XXXX]…” button and filling in the popup box. Once complete, click “Next” on each section.
22. “Preferences”. This section is very similar to the one in CCK 1.x. Again, these are the same options available in the about:config menu and also very similar to those we’ve added in my previous Firefox deployment blogs.
23. To add a preference, click the “Add…” option.
24. In the “Preference Name” box, start typing the preference you want to set. The CCK will try and offer the preferences you are looking for. Once you find the one you want, click it.
25. In the lower box, select the value you want. Click “OK”. Previously, this is also where you’d set to either ‘lock’ the preference (stopping it from being changed) or just to set it (as an initial setting, but changeable by each user).
26. Once you’ve clicked “OK” you will be taken back to the previous page and shown the preference you have set. Consult my last blog for my personal favourites. To enable the ‘lock’ setting on the preference, set the preference, right click it and select “Lock”.
27. The final option here is a tick box to block access to the “about:config” page of Firefox. This is a local page displaying all of the set and possible options for Firefox. Typically I would have this selected. Click “Next”.
28. “General”. This section provides you with three tick boxes that do, like much in the CCK, exactly as they say. I will usually set the middle option, “Don’t check if Firefox is the default browser at startup”. Click “Next”.
29. “Privacy”. This section allows you to disable private browsing and to not remember search and form history. I tick the “Disable Private Browsing” option usually. Click “Next”.
30. “Security”. This gives you the option to not remember passwords and to disable the creation of a master password to encrypt the stored passwords. This might be a good option for Kiosk style Macs but I don’t normally require this setting. Click “Next”.
31. “Sync”. This single tick box allows the Firefox Sync feature to be turned off. Generally I tick this option. Click “Next”.
32. “Data Choices”. This section provides three options to “Disable the crash reporter”, “Disable telemetry” and “Disable Firefox Health Report upload”. I would normally tick all three options to reduce end user popups and undesirable behaviour. Click “Next”.
33. “Update”. This section has the sole option of disabling Firefox Updates. In a controlled environment I would always select this option to allow the site administrators to control the version of Firefox available to end-users. Click “Next”.
34. “Windows Registry”. This section allows the adding of entries to the Windows Registry relating to Firefox. Being a Mac tech, I skip this section. Click “Next”.
35. “Certificates”. This section has three tabs; “Authorities”, “Servers” and “Overrides”. The first tab allows you to add CA certificates directly into the Firefox application. The second tab allows you to add individual server certificates and the Overrides section controls which domains are allowed to provide self signed certificates. I typically push out certificates using packages or MDM profiles as this will add them to the System Keychain and make them accessible to all applications, therefore I don’t make use of this section personally. Click “Next”.
36. “Network”. This section has two options; a drop down box to pick the setting and a tick box to stop users changing it. The default for Firefox is to use the System Proxy settings, which is normally the best option. I tend to forcibly set this and use the tick box to stop this being changed. Click “Next”.
37. “Miscellaneous”. This is where the ‘everything else’ settings live. I would certainly advise ticking the first three options as these minimise the pop ups and stop users resetting Firefox. Click “Next”.
38. “AutoConfig Only”. As the name implies, this section only works for those of us that are going to deploy the setup using the “AutoConfig” method described in this blog. Those who want to use the extension method (as described previously but for CCK 1.x) should skip these two steps.
40. “Extension Only”. Same as above, only fill in this section if you are going to use the Extension method to apply the configuration.
41. “Finish”. The last section! If you want to use the Extension method, click “Create an Extension” and save the result to your desktop. Then use my previous blog, section 3, to deploy this. If you want to use the new “AutoConfig” method, then click “Use Auto Extension method to apply the configuration.
42. This completes the settings configuration.
Phase 3: Installing the package into your Firefox bundle
43. The next steps involve getting the new settings into the Firefox bundle itself. Navigate to the location you saved your final file in. This should end with the extension .zip.
44. Double click this file to unzip the contents.
45. We need to get these files and folder into the Firefox Application, into “./Firefox.app/Contents/MacOS” but without replacing the folders already in place!
46. Keep the autoconfig window open and to one side. Go back to your build version of Firefox, right click and select “Show Package Contents”.
If you are using Firefox 35 please follow these instructions.
47. Navigate to the “Contents” > “MacOS” folder within this bundle. This area will be familiar to those who’ve followed my many previous posts about Firefox deployment configuration.
48. Copy the “distribution” folder, from your autoconfig folder into this location.
./autoconfig/distribution -> ./Firefox.app/Contents/MacOS/
49. Within your Firefox.app folder structure, open up the “browser” folder (“./Firefox.app/Contents/MacOS/browser”) and open up the “browser” folder in your ‘autoconfig’ folder (“./autoconfig/browser”).
50. Copy the contents of the autoconfig folder into the Firefox “browser” folder.
./autoconfig/browser/* -> ./Firefox.app/Contents/MacOS/browser/
51. Last one! Within your Firefox.app folder structure, open up the “defaults” then “pref” folder (“./Firefox.app/Contents/MacOS/defaults/pref”) and open up the “defaults” then “pref” folder in your ‘autoconfig’ folder (“./autoconfig/defaults/pref”).
52. Copy the contents of the pref folder into the Firefox “pref” folder.
./autoconfig/defaults/pref/* -> ./Firefox.app/Contents/MacOS/defaults/pref/
53. Firefox should now have its tweaks complete and stored within its application bundle. When a new user launches Firefox, it will silently use the lock-down configuration and apply the settings. To test, I would recommend copying the final product into the Applications folder, then creating and using a new User account, verifying the behaviour is as expected. Also remember, to ‘reset’ a user so you can keep testing Firefox as a new user, just remove these two directories:
~/Library/Application Support/Mozilla
~/Library/Application Support/Firefox
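Steps 48 to 52 as a script, added here as an example and not part of the original post or of CCK 2: it merges the unzipped export into the bundle without replacing the folders already in place, then confirms each file arrived intact. The function name and its two arguments are assumptions; pass the folder that applies to your Firefox version as the target.

```shell
#!/bin/sh
# Added example (not from the original post): merge a CCK 2 AutoConfig
# export into a Firefox bundle.
#
# install_autoconfig AUTOCONFIG_DIR TARGET_DIR   (hypothetical helper)
#   AUTOCONFIG_DIR  unzipped export holding distribution/, browser/
#                   and defaults/pref/
#   TARGET_DIR      e.g. ./Firefox.app/Contents/MacOS
install_autoconfig() {
    src=$1
    dst=$2
    [ -d "$src" ] || { echo "no autoconfig folder: $src" >&2; return 1; }
    [ -d "$dst" ] || { echo "no target folder: $dst" >&2; return 1; }

    # Step 48 copies distribution; steps 50 and 52 copy the contents of
    # browser/ and defaults/pref/ into folders Firefox already ships.
    for rel in distribution browser defaults/pref; do
        [ -d "$src/$rel" ] || { echo "export lacks $rel" >&2; return 1; }
        mkdir -p "$dst/$rel" || return 1
        # "dir/." copies into the existing folder: files already there
        # stay, same-named files are overwritten by the export.
        cp -R "$src/$rel/." "$dst/$rel/" || return 1
    done

    # Confirm every exported file arrived byte for byte.
    ( cd "$src" && find distribution browser defaults/pref -type f ) | (
        while IFS= read -r f; do
            cmp -s "$src/$f" "$dst/$f" || { echo "mismatch: $f" >&2; exit 1; }
        done
    )
}
```
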
Phase 4: Using the new package when updating Firefox
Wow, sorry about the length of that. Mike’s done a great job of splitting up the sections neatly; it just doesn’t make for an easy blog!
As promised, let’s have a brief chat about why I would recommend this change. The current easiest (and arguably most popular) method for updating Firefox is to push out the new .app bundle. I can’t disagree with this as it also ensures that any issues within the Application bundle are fixed when the whole lot is replaced. However, this causes the problem that for each new version, you need to re-apply your configurations inside the application before you can push it out.
With the new method, you can simply package those files we copied (steps 48, 50 and 52) in their final locations. You then just redeploy this package after every Firefox update to ensure that your restrictions are applied.
Running Munki? Even easier! Add this package into your installs array and add the files into the pkgsinfo file’s installs array and watch, as Munki will automatically fix Firefox, each time it’s updated.
Running Casper? A little trickier, but how about using a custom Extension Attribute that checks for the existence of these files and, if they are not present, adding the Macs to a Smart Group and using a scoped policy to reinstall them?
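One way to write the check behind such an Extension Attribute, added here as an example and not taken from the original post, Casper or Munki: it goes beyond a bare existence test by also comparing each file against a manifest recorded from the autoconfig folder. The function names and the manifest format are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): report whether the lockdown
# files are still inside the Firefox bundle.

# make_manifest AUTOCONFIG_DIR   (hypothetical helper)
# Run on the build Mac. Prints "CRC SIZE ./relative/path" for every file
# in the unzipped export; ship the output with the lockdown package.
make_manifest() {
    ( cd "$1" && find . -type f -exec cksum {} + | sort -k 3 )
}

# check_lockdown MANIFEST TARGET_DIR   (hypothetical helper)
# TARGET_DIR is the folder the files were copied into, e.g.
# /Applications/Firefox.app/Contents/MacOS. Prints an Extension Attribute
# <result> line; returns 0 when intact, 1 on drift, 2 on error.
check_lockdown() {
    manifest=$1
    target=$2
    if [ ! -r "$manifest" ] || [ ! -s "$manifest" ]; then
        echo "<result>Unknown: manifest missing or empty</result>"
        return 2
    fi
    missing=0
    altered=0
    while read -r crc size rel; do
        if [ ! -f "$target/$rel" ]; then
            missing=$((missing + 1))   # e.g. bundle replaced by an update
            continue
        fi
        # cksum is a CRC: enough to spot a swapped or truncated file, not
        # a cryptographic check. Use a SHA-256 tool where tampering matters.
        now=$(cksum < "$target/$rel" | awk '{print $1, $2}')
        [ "$now" = "$crc $size" ] || altered=$((altered + 1))
    done < "$manifest"
    if [ "$missing" -eq 0 ] && [ "$altered" -eq 0 ]; then
        echo "<result>Locked down</result>"
        return 0
    fi
    echo "<result>Not locked down: $missing missing, $altered altered</result>"
    return 1
}
```

A Smart Group can then match on any result other than “Locked down” and scope the reinstall policy to it.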
Thanks for sticking it out this far and apologies again for the long post. Hopefully that will help some of you with a better method, or even just an (another) alternative method of configuring Firefox for your deployments.
As always, if you have any questions, queries or comments, let us know below and I’ll try to respond to and delve into as many as I can.