Increasingly in the corporate world we’re seeing not only the want but the need for our users to utilize different web browsers in the workplace. This, of course, poses several problems for us as administrators. With Internet Explorer we have the ability, out of the box, to customize and lock down the settings to protect end users and business interests. We’re not so lucky with other browsers.
Two of the most popular alternative browsers are Firefox and Chrome. They have slowly eaten away at the dominant IE market share practically since their inception. Some of the newer web sites and administrative interfaces are even requiring the Chrome Frame extension for Internet Explorer as it is much easier to develop web pages for Chrome and honestly anything but IE.
Fortunately there are some options to help us out in this predicament. Google offers their own administrative template files to help with GPO. Although Firefox does not support it natively, there is an open source ADM file called FirefoxADM that will allow us automatic configuration through GPO.
Group Policy support comparison
Before we get started, I’ll lay out a brief comparison chart of some of the more important settings so you can get an idea of what each of these administrative templates offers in comparison to Internet Explorer.
Internet Explorer - Firefox - Chrome - Group Policy comparison
It’s also important to keep in mind that these templates support browser-specific settings such as ActiveX for Internet Explorer and Google Cloud Print for Chrome.
Download the ADM files
You can download the latest files, including detailed documentation, at the following URLs:
Make sure you download these files somewhere you can locate them later.
Chrome administrative template
Installing the Chrome administrative template is the simpler and more straightforward process of the two, so I will cover that first.
Open the zip file (chrome_policy_templates.zip) and navigate to \windows\adm\en-US\ or whatever language you’d like to use and extract the chrome.adm file to a folder that you’ll remember.
Note: I’m using the ADM file. If your environment can utilize ADMX files, there’s a folder for those also.
Open Group Policy Management by going to Start>All Programs>Administrative Tools.
Right click on the group you would like to add this GPO to and click Create a GPO in this domain, and Link it here…
Group Policy Management
Enter a descriptive name for the Policy and click OK.
Right click on the newly created Policy and click Edit. This will open the Group Policy Management Editor. Expand User Configuration>Policies and right click on Administrative Templates. Select Add/Remove Templates…
The Add/Remove Templates: modal box will pop up. Click the Add… button and browse to where you extracted the chrome.adm file, select it, and click Open.
Current Policy Templates
Once the administrative template has been imported, click the Close button.
In the left panel tree view, navigate to User Configuration>Policies>Administrative Templates>Classic Administrative Templates. You will now see the new configuration settings for Google.
Group Policy settings Google Chrome
A really cool feature of this admin template is the ability to still allow users to control some aspects of the program. Take a look around and configure the settings to the requirements of your company.
Note: You’ll notice that the Google Chrome settings also show up under the Computer Configuration. Several admins, including myself, have had issues applying the configuration from there. It is best to use the User Configuration.
Firefox administrative template
Because Firefox does not natively support GPOs, there are a few extra steps that need to be done for us to get it working correctly.
Initially, you will follow the same instructions as with the Chrome admin template install. Extract all of the files, create a new Policy through Group Policy Management, right click the new Policy, and edit it.
New Firefox policy
Just as you did above, expand User Configuration>Policies and right click on Administrative Templates. Select Add/Remove Templates…, click Add… on the dialogue box, and then browse to where you extracted the FirefoxADM files.
This is where the differences start. You will notice that there is not just one ADM file, but two! The two files are firefoxdefaults.adm and firefoxlock.adm.
firefoxdefaults.adm and firefoxlock.adm
Select both of them, click Open, and then Close after the files have been imported.
Group Policy settings Firefox
You’ll notice that you have the Firefox settings not only under User Configuration>Policies>Administrative Templates>Classic Administrative Templates, but also under Computer Configuration>Policies>Administrative Templates>Classic Administrative Templates, and that they’re not the same.
As their locations in the tree suggest, the computer configuration will configure all defaults for Firefox on any machine in the group. The user configuration is user specific.
Now we’ll see how FirefoxADM overcomes the lack of native support. When you extracted the zip you should have noticed some extra VBS files; specifically firefox_login.vbs, firefox_logout.vbs, firefox_shutdown.vbs, and firefox_startup.vbs.
To make these configuration changes, FirefoxADM uses VB scripts that configure Firefox at login, logout, startup, and shutdown. These scripts should be imported to their correct locations inside the Policy.
In Group Policy Management Editor, navigate to Computer Configuration>Policies>Windows Settings and select Scripts (Startup/Shutdown).
Double click Startup in the right pane. A new modal box (Startup Properties) will pop up. Click the Add… button on the right.
Add Firefox startup script
A second dialogue box titled Add a Script will pop up. Click the Browse… button and locate the firefox_startup.vbs file you extracted earlier and double click it. Click OK to close the box.
Add a Script
Click the OK button again to close the Startup Properties modal box. Repeat the steps above for the Shutdown script.
Next, navigate to User Configuration>Policies>Windows Settings and select Scripts (Logon/Logoff). Then simply repeat the same steps as above, pairing Logon with firefox_login.vbs and Logoff with firefox_logout.vbs.
That’s it! You’ve just configured GPO for Firefox. Now those scripts will run when the computer is started and shut down and when a user logs on and logs off.
With Internet Explorer’s market share slowly creeping down to around 50%, we as system administrators need to look at managing the different browsers our users are utilizing. Armed with the information above and the downloadable administrative templates, you can configure Group Policy on your domain for the two most popular alternative browsers: Firefox and Google Chrome.
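Once both GPOs are linked, it helps to confirm on a client that the settings actually arrived. The following PowerShell is an added example, not part of the original article or of FirefoxADM: it lists the values under Chrome's policy registry keys and under the HKCU\Software\Policies\Firefox key named in the reader comments, and warns when Windows Script Host is disabled, since the FirefoxADM VBS scripts cannot run without it. The function names are illustrative.

```powershell
# Added example (not from the article or FirefoxADM): list the browser policy
# values that have reached this client. Function names are illustrative.
$PolicyKeys = [ordered]@{
    # Keys Chrome reads its Group Policy settings from.
    'Chrome (user)'     = 'HKCU:\Software\Policies\Google\Chrome'
    'Chrome (computer)' = 'HKLM:\Software\Policies\Google\Chrome'
    # Key the FirefoxADM logon script writes to, per the comment thread.
    'Firefox (user)'    = 'HKCU:\Software\Policies\Firefox'
}

function Get-BrowserPolicyValue {
    param([System.Collections.IDictionary]$Keys = $PolicyKeys)
    foreach ($scope in $Keys.Keys) {
        $root = $Keys[$scope]
        if (-not (Test-Path -Path $root)) {
            # GPO not applied to this user/computer, or no setting configured.
            [pscustomobject]@{ Scope = $scope; Key = $root; Setting = '(key missing)'; Value = $null }
            continue
        }
        # List-type policies are stored in subkeys, so walk the whole tree.
        $nodes = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse)
        foreach ($node in $nodes) {
            foreach ($name in $node.GetValueNames()) {
                [pscustomobject]@{
                    Scope   = $scope
                    Key     = $node.Name
                    Setting = $name
                    Value   = $node.GetValue($name)
                }
            }
        }
    }
}

function Test-WshDisabled {
    # Windows Script Host is off when Enabled is 0 under either hive.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $path  = "$hive\Software\Microsoft\Windows Script Host\Settings"
        $value = (Get-ItemProperty -Path $path -Name Enabled -ErrorAction SilentlyContinue).Enabled
        if ($null -ne $value -and "$value" -eq '0') { return $true }
    }
    return $false
}

Get-BrowserPolicyValue | Format-Table -AutoSize -Wrap
if (Test-WshDisabled) {
    Write-Warning 'Windows Script Host is disabled: the FirefoxADM .vbs scripts will not run.'
}
```

Run it in the session of the user the GPO targets, after a policy refresh; a "(key missing)" row for a scope means no setting from that GPO has been written for it.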
Dear Andrew Jacops,
Could you send me what the 4 VBS files do exactly?
I have a problem in the GPO too. I cannot disallow the users from installing extensions in Firefox.
Waiting for your reply.
Peter Danesch from Budapest, Hungary
Hi Peter. The VBS files are included in the Firefox ADM package located at http://sourceforge.net/projects/firefoxadm/. Thanks for reading!
Thank you for the breakdown on controlling Chrome and Firefox through GPO. Considering how complicated a large scale/enterprise deployment of Firefox turns out to be, this is a considerable timesaver.
One question though:
In our environment, we’ve disabled WSH due to the proliferation of a malicious USB/flash drive so the VBS files required for the Firefox GPO won’t run. So, I’m wondering if those VBS files are just adding registry elements that can be captured and distributed via GPO as well. Fortunately, we use a shared domain account on all computers as well as DeepFreeze for anti-tampering so I’m not concerned about settings being changed between restarts.
I sincerely appreciate your time and expertise!
The Art Institute of Las Vegas
Yes sir! That’s exactly what it’s doing. If you read through the logon and logoff VBS files, you’ll see that it creates a bunch of registry entries under the HKCU\Software\Policies\Firefox key. You’ll also notice that it creates a config file for Firefox under the logged on user’s AppData folder.
Thank you for this really helpful post.
This makes using Chrome or Firefox possible in an enterprise environment.
Unfortunately it seems the link for Chrome adm is broken.
Could you please have a look?
Thank you 🙂
The updated link is http://support.google.com/chrome/a/answer/187202?hl=en. Thanks for calling that to my attention.
I updated the link in the text. Thanks!
Does this apply to the current 32.x versions as well?
Yes this applies to all versions of Chrome.
Ah, works for Chrome but not Firefox if I’m correct then. Something about Firefox now storing preferences in prefs.js.
Thank you for this, it really helped me a lot, but Firefox can’t block sites. Is there any solution for that? Thank you.
There are many different ways to block sites. I would suggest just blocking them via the hosts file as a quick and easy way. However, there are several proxies, cloud services, and application filtering services out there. Google around to see which one fits your needs best. Thanks for reading!
Hi Andrew, question about the Firefox setup. I was able to get this to work in a limited form. Right now all I am trying to do is set up a list of company specific bookmarks to be pushed out to the users in FF. While it appears it works initially, as the first time I logged into the test machine with FF freshly installed and the new GPO applied the specific bookmarks appeared. What I noticed however was after deleting a couple of those bookmarks they did not reappear at next login.
I did this to test and see if the users deleted them if they would reappear or not, it appears that even though the script is set at logon and logoff it only runs once? With that will running the scripts to push bookmarks from a bookmark.html overwrite existing bookmarks for users who already have FF installed on their machine? I attempted to test this by adding a few custom bookmarks after the initial login, but since it doesn’t appear the script ran at any of the subsequent logins I am not sure what the reaction there will be.
Oh… second question, I forgot to ask. Is there a way to force the Bookmark Toolbar to be displayed in the GPO? I didn’t see anything that appeared to do that, but not sure if I was missing it.
The Firefox config doesn’t appear to work on Windows 2012 R2. Can someone confirm or maybe it’s just me…
How can I block extensions that a user has previously installed in the Firefox browser? I want to block the extensions, whatever they are using. Is it possible? Please send the way.
FJ: confirmed, not working on Win2012 🙁
Hi – thanks for this page – very helpful and clearly laid out. I’m wondering whether the settings available in either ADM will allow me to prevent the successful use of file://c:? in the browser address bar?
Hi, it is possible to hide and stop access to file://c etc. or any other drive through registry settings, which apply to browsers too.
Thanks for that Andrew. Was wondering why the Chrome settings turned up the same in computers and users. regards, Andrew
This was helpful to me. I was able to set the homepage for all users in Firefox. I’m still digging for a solution to getting the pop-up whitelist to work. The login vbscript points to a ‘hostperm.1’ file which Firefox 1 and 2 seemed to use. That file has been replaced by the ‘permissions.sqlite’ file. I’m still working on how to change the script to write to this db instead of a flat text file.
Has anyone else overcome this challenge?
Okay, I was able to get the pop-up whitelist to work. I was able to edit the firefox_login.vbs and put in the additional lines necessary to grab the values stored in the GPO ADM User Configuration and add them to the ‘permissions.sqlite’ database. The biggest challenge was how to get the SQLite3 ODBC driver out to all workstations in the organization. Without the ODBC driver the script would not run successfully and I couldn’t figure out how to wrap it in the VBScript. The driver only seems to be in an .exe format from what I could find. I extracted the x86 and x64 .dll files and used a GPO to roll them out to System32 and SysWOW64 respectively. I made the appropriate registry entries to point to them in the same GPO.
It’s kind of hacky but it’s possible. I hope this can help someone else. Hit me up at sgoslin at wfall dot org if you want my revised login script.
It doesn’t work for 2012 r2. Does anyone have the correct scripts for Firefox and chrome?
Hi. I’ve implemented this exactly as shown and for some reason this group policy is only working on Windows 8.1 machines and not Windows 7. Does anyone have any ideas? I’ve set the GPOs at top level so everything in the whole domain should get these, yet when I try to gpupdate /force it says Computer Policies failed to update restart required. I’ve tried restarting the server and no effect with the same message. Thoughts?
Update: I found out it was working for Chrome only but I hadn’t configured Chrome properly to display a certain page. Now Chrome’s GPO works just fine, with the exception of the “Getting Started” page displaying when users login, but I don’t think the Firefox GPO will work at all. It hasn’t been updated in two years and I’m not having much luck with it. I’m also not using 2012r2 so I know it isn’t that.