Increasingly in the corporate world we’re seeing not only the want but the need for our users to utilize different web browsers in the workplace. This, of course, poses several problems for us as administrators. With Internet Explorer we have the ability, out of the box, to customize and lock down the settings to protect end users and business interests. We’re not so lucky with other browsers.
Two of the most popular alternative browsers are Firefox and Chrome. They have slowly eaten away at the dominant IE market share practically since their inception. Some of the newer web sites and administrative interfaces are even requiring the Chrome Frame extension for Internet Explorer as it is much easier to develop web pages for Chrome and honestly anything but IE.
Fortunately there are some options to help us out in this predicament. Google offers their own administrative template files to help with GPO. Although Firefox does not support it natively, there is an open source ADM file called FirefoxADM that will allow us automatic configuration through GPO.
Group Policy support comparison
Before we get started, I’ll lay out a brief comparison chart of some of the more important settings so you can get an idea of what each of these administrative templates offers in comparison to Internet Explorer.
Internet Explorer - Firefox - Chrome - Group Policy comparison
Keep in mind that these templates also support browser-specific settings, such as ActiveX for Internet Explorer and Google Cloud Print for Chrome.
Download the ADM files
You can download the latest files, including detailed documentation, at the following URLs:
Ensure you download these files somewhere we can locate them later.
Chrome administrative template
Installing the Chrome administrative template is the simpler and more straightforward process of the two, so I will cover that first.
Open the zip file (chrome_policy_templates.zip) and navigate to \windows\adm\en-US\ or whatever language you’d like to use and extract the chrome.adm file to a folder that you’ll remember.
Note: I’m using the ADM file. If your environment can utilize ADMX files, there’s a folder for those also.
Open Group Policy Management by going to Start>All Programs>Administrative Tools.
Right click on the group you would like to add this GPO to and click Create a GPO in this domain, and Link it here…
Group Policy Management
Enter a descriptive name for the Policy and click OK.
Right click on the newly created Policy and click Edit. This will open the Group Policy Management Editor. Expand User Configuration>Policies and right click on Administrative Templates. Select Add/Remove Templates…
The Add/Remove Templates: modal box will pop up. Click the Add… button and browse to where you extracted the chrome.adm file, select it, and click Open.
Current Policy Templates
Once the administrative template has been imported, click the Close button.
In the left panel tree view, navigate to User Configuration>Policies>Administrative Templates>Classic Administrative Templates. You will now see the new configuration settings for Google.
Group Policy settings Google Chrome
A really cool feature of this admin template is the ability to still allow users to control some aspects of the program. Take a look around and configure the settings to the requirements of your company.
Note: You’ll notice that the Google Chrome settings also show up under the Computer Configuration. Several admins, including myself, have had issues applying the configuration from there. It is best to use the User Configuration.
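To check on a client which scope the Chrome settings actually arrived in, the values can be read straight from the policy registry keys. This is an added example, not part of the original article; the function name Get-ChromePolicyValue is hypothetical, and it assumes Chrome policy values are written under Software\Policies\Google\Chrome in HKLM (Computer Configuration) and HKCU (User Configuration).

```powershell
# Added example: list the Chrome policy values Group Policy has written on this client.
# Run "gpupdate /force" first, then run this as the affected user.

# Assumed locations of Chrome policy values for each GPO scope.
$policyKeys = [ordered]@{
    'Computer Configuration' = 'HKLM:\Software\Policies\Google\Chrome'
    'User Configuration'     = 'HKCU:\Software\Policies\Google\Chrome'
}

# Hypothetical helper: returns one object per policy value found under a key.
function Get-ChromePolicyValue {
    param(
        [Parameter(Mandatory)] [string] $Scope,
        [Parameter(Mandatory)] [string] $KeyPath
    )

    if (-not (Test-Path -Path $KeyPath)) { return }

    # List-type policies are stored as numbered values in subkeys, so walk the whole tree.
    $keys = @(Get-Item -Path $KeyPath) +
            @(Get-ChildItem -Path $KeyPath -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Scope = $Scope
                Key   = $key.Name
                Name  = $name
                Value = $key.GetValue($name)
            }
        }
    }
}

$found = foreach ($scope in $policyKeys.Keys) {
    Get-ChromePolicyValue -Scope $scope -KeyPath $policyKeys[$scope]
}

if ($found) {
    $found | Format-Table -AutoSize -Wrap
} else {
    Write-Warning 'No Chrome policy values found in either scope; the GPO has not applied to this client.'
}
```

Comparing the output with the chrome://policy page in Chrome shows whether the browser is picking up what the GPO delivered.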
Firefox administrative template
Because Firefox does not natively support GPOs, there are a few extra steps that need to be done for us to get it working correctly.
Initially, you will follow the same instructions as with the Chrome admin template install. Extract all of the files, create a new Policy through Group Policy Management, right click the new Policy, and edit it.
New Firefox policy
Just as you did above, expand User Configuration>Policies and right click on Administrative Templates. Select Add/Remove Templates…, click Add… on the dialogue box, and then browse to where you extracted the FirefoxADM files.
This is where the differences start. You will notice that there is not just one ADM file, but two! The two files are firefoxdefaults.adm and firefoxlock.adm.
firefoxdefaults.adm and firefoxlock.adm
Select both of them, click Open, and then Close after the files have been imported.
Group Policy settings Firefox
You’ll notice that not only do you have the Firefox settings under User Configuration>Policies>Administrative Templates>Classic Administrative Templates, but also under Computer Configuration>Policies>Administrative Templates>Classic Administrative Templates, and that they’re not the same.
As their locations in the tree suggest, the computer configuration will configure all defaults for Firefox on any machine in the group. The user configuration is user specific.
Now we’ll see how FirefoxADM overcomes the lack of native support. When you extracted the zip you should have noticed some extra VBS files, specifically firefox_login.vbs, firefox_logout.vbs, firefox_shutdown.vbs, and firefox_startup.vbs.
To make these configuration changes, VB scripts are used to configure Firefox during login/logout/startup/shutdown. These scripts should be imported to their correct locations inside the Policy.
In Group Policy Management Editor, navigate to Computer Configuration>Policies>Windows Settings and select Scripts (Startup/Shutdown).
Double click Startup in the right pane. A new modal box (Startup Properties) will pop up. Click the Add… button on the right.
Add Firefox startup script
A second dialogue box titled Add a Script will pop up. Click the Browse… button and locate the firefox_startup.vbs file you extracted earlier and double click it. Click OK to close the box.
Add a Script
Click the OK button again to close the Startup Properties modal box. Repeat the steps above for the Shutdown script.
Next, navigate to User Configuration>Policies>Windows Settings and select Scripts (Logon/Logoff). Then repeat the same steps as above, pairing Logon with firefox_login.vbs and Logoff with firefox_logout.vbs.
That’s it! You’ve just configured GPO for Firefox. Now those scripts will run when the computer is started and shut down and when a user logs on and logs off.
With Internet Explorer’s market share slowly creeping down to around 50%, we as system administrators need to look at managing the different browsers our users are utilizing. Armed with the information above and the downloadable administrative templates, you can configure Group Policy on your domain for the two most popular alternative browsers: Firefox and Google Chrome.