How to Block or Allow Firefox Extensions using Group Policy

by Danny

In this guide, I’m going to show you how to create a Firefox browser Group Policy (GPO) in Active Directory. This will allow you to set corporate browser policies for all Firefox Enterprise browser users, such as allowing, blocking, or whitelisting certain extensions.

If you’ve configured Chrome Enterprise or Edge Enterprise in a corporate environment, then the procedure is pretty similar. Download the ADMX & ADML files, add to the PolicyDefinitions folder on your domain controller, create a GPO, and apply it to a target computer.

However, configuring the ability to block all extensions (except for approved extensions) is a lot more difficult. You can’t simply paste the extension ID into the settings like you can with Chrome/Edge; you have to paste a correctly formatted JSON block into the policy settings, and a single syntax error means the policy silently does nothing.

I couldn’t find any step-by-step or how to guides on how to do this correctly, so I decided to write one myself as I set this up.

Hopefully it helps, and let’s get started!


Setting Up Your Test Environment

Before we get started, you should first create an Organizational Unit in AD specifically for testing these new policies. Otherwise, you might apply some unwanted changes to your existing employees’ browsers.

  1. Log into your domain controller.
  2. Open Active Directory Users and Computers.
  3. Right-click an existing folder > New Organizational Unit and give it a name.

You will then want to move your computer object (or a test computer) into that OU. That way, when you create the Firefox Settings GPO, it gets applied to only that one computer. Once testing is complete, you can link the group policy to your primary computers’ OU and move the test computer object back into its respective OU.

For this guide, my OU is called Browser GPO. Once the computer object is moved into the OU, open CMD on the test computer and run:

gpupdate /force

Step 1: Install Firefox Enterprise

Before you can apply any enterprise-level policies on a Mozilla Firefox browser, you must install Firefox Enterprise. It’s free and can be downloaded from here.

Click Download and choose the version.

After installing, reboot your computer. A restart is required, otherwise you will bang your head against a wall trying to figure out why the policies aren’t applying (ask me how I know…)


Step 2: Download Firefox ADMX and ADML Files

Next, we need to download the .admx/.adml files from here: https://github.com/mozilla/policy-templates/releases

Under the latest release, download the policy_templates_XXX.zip. Extract it once complete.

Copy the extracted files to the desktop of your Domain Controller. Expand the subfolder Windows.


Step 3: Copy files to PolicyDefinitions Folder

Part 1: Copy the firefox.admx

Locate the firefox.admx file. Then, browse to C:\Windows\PolicyDefinitions on the domain controller and drag the file into it.

Part 2: Expand Language

In the same extracted policy_definitions_4.XX folder, open the subfolder En-US. Copy the firefox.adml and paste it into C:\Windows\PolicyDefinitions\en-US. If you are using a different language, browse to that language’s folder instead.


Step 4: Open Group Policy Editor to test

If all has gone well so far, you should be able to open Group Policy Management from the DC, right click any existing policy to Edit, and expand:

Policies > Administrative Templates > Firefox

You should now see a bunch of new policies that can be applied to any computers that have Firefox Enterprise installed.


Install Query AMO Addon

Like I mentioned at the beginning, whitelisting/blacklisting or allowing & blocking extensions (called Addons in Firefox) is much more difficult with Firefox than Edge or Chrome. But, here’s the process to do it.

Before you block or allow, you need two bits of information: the extension ID and the email address/unique identifier (not sure if that’s the proper name for it or not). You won’t find this information on the extension homepage, so the only way to get it is by installing a Firefox addon called Query AMO (AMO stands for addons.mozilla.org).

From your test computer, open Firefox Enterprise and go here: https://github.com/mkaply/queryamoid/releases/

Under the latest release, click the query_amo_addon link to install it.

Search for an addon

Once added, you can go to the Mozilla add-ons store and search for an extension. I’m going to use Bitwarden for this example.

On the Bitwarden “Download” page, click the Query AMO addon. It should display the two bits of information you need for the next step:


Creating Firefox Browser GPOs

For this step, open Group Policy Management on your domain controller. Browse to the test OU you created in Step 1 (mine was called Browser GPO).

Right-click the OU > “Create a GPO in this domain and Link it here…”. Give it a name like Firefox Browser Settings. Then, expand Policies > Administrative Templates > Firefox > Extensions.

After each policy change or edit, you will need to run gpupdate /force on the test computer and close/reopen Firefox.

Block All Extensions

Under Extension Management, add this:

{
  "*": {
    "blocked_install_message": "Please email XYZ@domain.com if you think an extension should be unblocked.",
    "install_sources": ["about:addons","https://addons.mozilla.org/"],
    "installation_mode": "blocked",
    "allowed_types": ["extension"]
  }
}

Block All Extensions – Allow Certain

If you’d like to block users from installing any extensions, except IT-approved ones, here’s what you’d do. This will let users download and install the extension themselves.

Enable the Extension Management policy. Under options, paste this (This will block all, but will allow users to download Bitwarden.)

{
  "*": {
    "blocked_install_message": "Please email xyz@domain.com if you think an extension should be unblocked.",
    "install_sources": ["about:addons","https://addons.mozilla.org/"],
    "installation_mode": "blocked",
    "allowed_types": ["extension"]
  },
  "{446900e4-71c2-419f-a6a7-df9c091e268b}": {
    "installation_mode": "allowed",
    "install_url": "https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi"
  }
}

Block All Extensions + Force Install Select Extensions

If you’d like to force-install select ones, replace “allowed” with “force_installed” in the code above.

Force Install – No Blocking

Note: You can’t use the code above to block all extensions, and then use the “Extensions to Allow” policy below at the same time. You must specify the allowed extensions in the code above, which makes the “Extensions to Install” policy void.

If you’d like to force-install approved extensions without blocking any other extensions, enable the “Extensions to Install” policy and disable the Extension Management policy if you created one.

Then, simply paste in the .xpi path:

Mix and Match

If you’d like to force-install some extensions but allow others to be downloaded by the end user, then here’s what you’d use. This example is for Bitwarden, uBlock Origin, LastPass, and Privacy Badger.

Note that the curly braces are only part of GUID-style extension IDs (such as Bitwarden’s); when the ID is in the email-address form, the braces had to be removed.

{
  "*": {
    "blocked_install_message": "Please email xyz@domain.com if you think an extension should be unblocked.",
    "install_sources": ["about:addons","https://addons.mozilla.org/"],
    "installation_mode": "blocked",
    "allowed_types": ["extension"]
  },
  "{446900e4-71c2-419f-a6a7-df9c091e268b}": {
    "installation_mode": "allowed",
    "install_url": "https://addons.mozilla.org/firefox/downloads/latest/bitwarden-password-manager/latest.xpi"
  },
  "uBlock0@raymondhill.net": {
    "installation_mode": "force_installed",
    "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
  },
  "support@lastpass.com": {
    "installation_mode": "force_installed",
    "install_url": "https://addons.mozilla.org/firefox/downloads/latest/lastpass-password-manager/latest.xpi"
  },
  "jid1-MnnxcxisBPnSXQ@jetpack": {
    "installation_mode": "allowed",
    "install_url": "https://addons.mozilla.org/firefox/downloads/latest/privacy-badger17/latest.xpi"
  }
}
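Because a malformed ExtensionSettings block is simply ignored, it is worth checking the JSON before pasting it into the Extension Management policy. The following Python example was written for this guide (it is not Mozilla’s or Firefox’s own code): it validates the JSON, flags IDs with the wrong brace style or a force_installed entry that lacks its install_url, and shows which installation_mode an extension ends up with when the “*” default and a specific entry are combined. SAMPLE_POLICY is constructed from this guide’s own entries.

```python
import json
import re

# Values Firefox accepts for installation_mode in the ExtensionSettings policy.
MODES = {"allowed", "blocked", "force_installed", "normal_installed"}
# GUID-style IDs keep their curly braces; email-style IDs must not have them.
GUID_ID = re.compile(r"^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")
EMAIL_ID = re.compile(r"^[^\s{}@]+@[^\s{}@]+$")

def check_policy(text: str) -> list[str]:
    """Return problems found in ExtensionSettings text; an empty list means it is safe to paste."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    if not isinstance(policy, dict):
        return ["top level must be an object keyed by extension ID or '*'"]
    problems = []
    for ext_id, settings in policy.items():
        if not isinstance(settings, dict):
            problems.append(f"{ext_id}: value must be an object")
            continue
        if ext_id != "*" and not (GUID_ID.match(ext_id) or EMAIL_ID.match(ext_id)):
            problems.append(f"{ext_id}: ID must be a braced GUID or an email-style ID")
        mode = settings.get("installation_mode")
        if mode not in MODES:
            problems.append(f"{ext_id}: unknown installation_mode {mode!r}")
        elif mode in ("force_installed", "normal_installed") and "install_url" not in settings:
            problems.append(f"{ext_id}: {mode} requires install_url")
    return problems

def effective_mode(policy: dict, ext_id: str) -> str:
    """Mode Firefox applies to ext_id: its own entry wins, else the '*' default, else allowed."""
    if ext_id in policy:
        return policy[ext_id].get("installation_mode", "allowed")
    return policy.get("*", {}).get("installation_mode", "allowed")

# Constructed sample built from the guide's own block-all-except entries.
SAMPLE_POLICY = """{
  "*": {"installation_mode": "blocked", "allowed_types": ["extension"]},
  "{446900e4-71c2-419f-a6a7-df9c091e268b}": {"installation_mode": "allowed"},
  "uBlock0@raymondhill.net": {"installation_mode": "force_installed",
    "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"}
}"""

if __name__ == "__main__":
    print(check_policy(SAMPLE_POLICY))  # [] means it is safe to paste
    print(effective_mode(json.loads(SAMPLE_POLICY), "support@lastpass.com"))  # blocked
```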

Things to Note

I recommend adding ALL extensions that you want to approve/deny all at once.

Why?

Because when you block all extensions except allowed ones, the Query AMO addon won’t work and will state that it’s blocked. This means it will be very difficult to get the info you need to allow, block, or force install future extensions. I haven’t figured out how to allow the Query AMO addon yet.

A workaround for this would be to install Firefox on a separate computer that won’t receive this policy to get the extension ID and email/unique identifier.


Wrapping Up

Hopefully you found this guide useful! Like I said, I was sort of surprised that I couldn’t find a helpful guide that walked me through how to do this in a corporate environment, so I hope this tutorial ends up on the first page of Google to save you some time.

The next step would be to configure the rest of the Firefox Enterprise policies – such as disabling syncing, autofill, and saving to Firefox password vault. Then, using whatever deployment tool you use, you can create an “Install Firefox Enterprise” package. Don’t forget to reboot the endpoint computers after installing it everywhere.

Feel free to let me know if you have any questions in the comments below, or let me know if you’ve figured out a way to allow the Query AMO addon.
