Manage Mozilla Firefox settings with Microsoft Intune

Over the last couple of weeks I wrote a lot of blog posts related to managing the new Microsoft Edge browser with Microsoft Intune. And in the past I wrote articles about managing Internet Explorer and Google Chrome. It's now time to show how the other popular web browser, Mozilla Firefox, can be managed using Microsoft Intune.

Like Google Chrome, Firefox can also be managed using a Custom configuration profile for Windows 10. The policy consists of two parts. The first part is used to deploy the Firefox ADMX file to the Intune managed device. The second part of the policy is used to manage the settings of choice.

Deploy the Firefox ADMX file

The Firefox ADMX file can be downloaded from GitHub. After downloading the file, locate the ADMX file and open the file with a text editor.

Now open a browser to sign-in to the Microsoft Endpoint Manager (Intune) portal.

  • Sign-in to the Device Management Portal
  • Browse to Devices – Windows
  • On the Configuration Profiles tab click Create profile
  • Give the configuration profile a Name
  • Enter a Description (optional)
  • Choose Windows 10 as Platform
  • Choose Custom as Profile type
  • Click the Settings tab
  • Click Add

With this row we deploy the ADMX file to the Windows 10 device. As you can see, the OMA-URI contains ADMXInstall.
More information on how the OMA-URI is built up, along with additional information about ADMX-backed policies, can be found in this article on Microsoft Docs.

Enter the information below in the policy:
Name: Firefox ADMX Ingestion
OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Firefox/Policy/FirefoxAdmx
Data Type: String
Value: Copy the entire content of the ADMX file into the value field

Click OK twice and click Create.

The policy to deploy the ADMX file is ready. In the next steps we add the settings we manage with Intune to the same policy.

How to build up the OMA-URI

As with deploying the ADMX file, we also need to know the OMA-URI for each setting we want to manage. But the OMA-URI for managing the settings consists of some information we need to collect ourselves from the Firefox ADMX file.

This is, for example, the OMA-URI to manage the Homepage URL:
./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Homepage/HomepageURL
Let's split up the OMA-URI into separate parts.
This is the default for managing applications using an ADMX file:
./Device/Vendor/MSFT/Policy/Config/

The part that comes next is not always the same; we need to follow some rules:
Firefox~Policy~firefox~Homepage
It starts with Firefox (the ADMX file name), like in the ADMXInstall URI, followed by Policy. Between every part we have the ~ sign.
After Policy we see the names of two categories. These categories can be found in the Firefox ADMX file.
When we open the ADMX file in a text editor, we can see there are several categories. The first category we find in the ADMX file is the top category and, as we can see, that is firefox (name). We put this in the OMA-URI after Policy.

If we search for the actual policy we want to control, in this case HomepageURL, we also find there is a category mentioned for that policy. It is the parentcategory of HomepageURL, Homepage.
So Homepage is the next part of our OMA-URI.

The last part of our OMA-URI is the actual policy displayname, in this case HomepageURL. If we put all this information together, we have our OMA-URI.
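The rules above can be applied mechanically to every policy in an ADMX file. The following is an added example, not part of the original post: the ADMX excerpt is constructed to mirror the structure described here, and the function name oma_uris is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed ADMX excerpt with the structure described above (not the real file).
SAMPLE_ADMX = """<policyDefinitions revision="1.0" schemaVersion="1.0">
  <categories>
    <category name="firefox"/>
    <category name="Homepage">
      <parentCategory ref="firefox"/>
    </category>
  </categories>
  <policies>
    <policy name="HomepageURL" class="Both">
      <parentCategory ref="Homepage"/>
    </policy>
    <policy name="BlockAboutConfig" class="Both">
      <parentCategory ref="firefox"/>
    </policy>
  </policies>
</policyDefinitions>"""


def _local(tag):
    """Element name without an XML namespace prefix, if the file declares one."""
    return tag.rsplit("}", 1)[-1]


def oma_uris(admx_text, app="Firefox", scope="Device"):
    """Map each policy name to its OMA-URI; app must match the ADMXInstall URI."""
    parents, policies = {}, {}
    for el in ET.fromstring(admx_text).iter():
        kind = _local(el.tag)
        if kind in ("category", "policy"):
            ref = next((c.get("ref") for c in el
                        if _local(c.tag) == "parentCategory"), None)
            (parents if kind == "category" else policies)[el.get("name")] = ref
    uris = {}
    for name, cat in policies.items():
        chain = []
        # Walk up to the top category; stop at a ref this file does not define.
        while cat in parents and cat not in chain:
            chain.append(cat)
            cat = parents[cat]
        area = "~".join([app, "Policy", *reversed(chain)])
        uris[name] = f"./{scope}/Vendor/MSFT/Policy/Config/{area}/{name}"
    return uris
```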

Manage Homepage settings

We start with managing the settings from the Homepage category. These are settings like the Homepage URL and Startpage.

We have already seen how to build the OMA-URI for the policy HomepageURL, so let's start with that one. The Data type for these settings is always String. Then we only need to know what our Value is.

The value starts with <enabled/> (or <disabled/> if you would like to disable a setting).
If we have a setting which can only be set to enabled or disabled, then that's the whole value.

But for HomepageURL, we need to set the actual homepage URL. In this case <enabled/> is followed by a data id. The data id is found again in the ADMX file; in the example below it is the text id, HomepageURL. Finally, we need to set a value, the valuename, which is the URL of your website of choice.
This policy also contains a second, optional setting with which we can lock the homepage. To enable this setting we also start with <enabled/>, followed by a boolean id as data id (HomepageLocked). For the value, two choices are mentioned: trueValue and disabledValue.

Switch over to the Intune portal.

  • Open your existing custom policy or create a new policy
  • On the settings tab click Add
  • Give the Row a Name
  • Fill in the OMA-URI:
    ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Homepage/HomepageURL
  • Data type: String
  • Value:
    <enabled/>
    <data id="HomepageURL" value="https://www.inthecloud247.com"/>
    <data id="HomepageLocked" value="true"/>
  • Click OK

That's all it takes to manage our first Mozilla Firefox setting using Microsoft Intune!

The next example is the Homepage Startpage. Open the ADMX file and search for the corresponding policy. With the information found in the ADMX file we can create the OMA-URI.
The parentcategory is Homepage, the setting itself is HomepageStartPage.
The data id in this setting is enum id=StartPage.
For this setting we have three options we can set as value: none, homepage and previous-session. I choose homepage in this example.

  • Open the Intune portal
  • Give the Row a Name
  • OMA-URI:
    ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Homepage/HomepageStartPage
  • Data type: String
  • Value:
    <enabled/>
    <data id="StartPage" value="homepage"/>
  • Click OK

If you'd like to configure additional homepage URLs, you can use the setting HomepageAdditional for that. In the ADMX file we find the ID to be used in the value field, but not much further info.
We can add multiple URLs to the setting. Every URL needs to be separated with the (encoded) unicode character &#xF000; and because we need to number the URLs, the unicode character is also used between the number and the URL.

  • Open the Intune portal
  • Give the Row a Name
  • OMA-URI:
    ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Homepage/HomepageAdditional
  • Data type: String
  • Value:
    <enabled/>
    <data id="HomepageAdditional" value="1&#xF000;http://www.microsoft.com&#xF000;2&#xF000;http://www.mempowered.eu"/>
  • Click OK
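Building the value by hand is error-prone, especially the numbered list with its separator. The following is an added example, not part of the original post, that generates the value strings shown above and checks a pasted value for copy/paste damage; the function names are hypothetical, and escaping & and " inside URLs is a precaution assumed from the value being XML.

```python
import re
from xml.sax.saxutils import escape

SEP = "&#xF000;"  # encoded U+F000, the list separator described above


def data(data_id, value):
    """One <data/> element; a list becomes 1<sep>item<sep>2<sep>item..."""
    if isinstance(value, (list, tuple)):
        cells = []
        for number, item in enumerate(value, 1):
            # Escape each item on its own so the separator itself stays intact.
            cells += [str(number), escape(item, {'"': "&quot;"})]
        text = SEP.join(cells)
    else:
        text = escape(str(value), {'"': "&quot;"})
    return f'<data id="{data_id}" value="{text}"/>'


def enabled(*elements):
    """Full policy value: <enabled/> followed by the data elements."""
    return "\n".join(["<enabled/>", *elements])


def lint(value):
    """Return a list of problems found in a value pasted from a web page."""
    problems = []
    if re.search("[\u201c\u201d\u2018\u2019]", value):
        problems.append("typographic quotes")
    # A character reference such as &#xF000 must end with a semicolon.
    if re.search(r"&#x[0-9A-Fa-f]+(?![0-9A-Fa-f;])", value):
        problems.append("unterminated character reference")
    return problems


if __name__ == "__main__":
    print(enabled(data("HomepageAdditional",
                       ["http://www.microsoft.com", "http://www.mempowered.eu"])))
```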

With these settings we have configured a homepage URL, made sure a user cannot change it and set the startpage to the homepage.

Manage Block About settings

The next example is a setting to block access to the about:config page. As you can see in the ADMX file, this policy setting isn't located under a subcategory, but directly under the top category, firefox.
Another difference from the previous policies is that there is no id mentioned. This policy can only be set to <enabled/> or <disabled/>.

  • Open the Intune portal
  • Add a new row
  • Give the Row a Name
  • OMA-URI:
    ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/BlockAboutConfig
  • Data type: String
  • Value:
    <enabled/>
  • Click OK

Let's move on to the next example.

Manage Tracking Protection settings

Firefox contains a feature called Tracking Protection, like we have seen in the new Edge browser. This feature can be managed with a couple of settings.
With the first setting we enable Tracking Protection.
Open the ADMX file and search for TrackingProtection.
With the setting A_TrackingProtection_Value we enable the feature.

  • Open the Intune portal
  • Add a new row
  • Give the Row a Name
  • OMA-URI:
    ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~TrackingProtection/A_TrackingProtection_Value
  • Data type: String
  • Value:
    <enabled/>
  • Click OK

I want to make sure Tracking Protection isn't switched off by the user, which is done with the setting E_TrackingProtection_Locked.

  • Open the Intune portal
  • Add a new row
  • Give the Row a Name
  • OMA-URI:
    ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~TrackingProtection/E_TrackingProtection_Locked
  • Data type: String
  • Value:
    <enabled/>
  • Click OK

With this last example I make sure cryptominers are blocked, which can be done with the setting B_TrackingProtection_Cryptomining.

  • Open the Intune portal
  • Add a new row
  • Give the Row a Name
  • OMA-URI:
    ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~TrackingProtection/B_TrackingProtection_Cryptomining
  • Data type: String
  • Value:
    <enabled/>
  • Click OK

When you're done adding the ADMX file and all the settings, make sure to assign the policy to a security group.

End-user experience

Let's have a look at the end-user experience.
Make sure the policy is applied to an Intune managed device with Mozilla Firefox.

When we now start Firefox, the homepage which we set with the policy is shown.
If you also configured the HomepageAdditional setting, multiple tabs with websites are opened.

If we open Settings, we see the homepage settings section is greyed out. We also see a message at the top of the page: Your browser is being managed by your organization.

When you click on that message the about:policies page is opened which shows all managed settings.

Switching back to Settings, on the Privacy & Security tab we see Enhanced Tracking Protection is also managed. Tracking Protection is set to custom, and Tracking content and Cryptominers are checked.

That's it for this blog post. I hope you find it informative and if you have any questions, let me know in the comments!

To see how you can manage bookmarks using Intune, read the follow-up post!

NB: Don't just copy/paste the policy values into your own custom policies. Unfortunately, WordPress converts the double quotes, so please replace the quotes from the article before deploying the settings.




23 Comments

    • Are you sure about that, David? I'm only aware that we can do this by using setting HomepageAdditional.
      I added that to the article, to show how that works.

      Regards,

      Peter

  1. Hello Peter (Klapwijk),

    I am trying to add a list of sites that are automatically authenticated via the Firefox option > network.automatic-ntlm-auth.trusted-uris
    I tried the following, and it is not working

    Name: some_name
    Description: some_description
    OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Authentication/Authentication_NTLM
    Data type: String
    Value:

    Could you tell me how I can do this using a OMA-URI in Intune?

    Best regards,

    Peter (de Vries)

  2. Hi Peter,

    Not tried that particular setting, but have you tried to separate the URLs with the unicode character as described above? You probably also need to number the URLs, so you should also keep that in mind.
    This is also used for HomepageAdditional which you can use as an example, just replace data id and the URLs.
    I suggest to first test the policy with only one URL, to make sure the policy itself is working as expected. If that works fine, try to add additional URLs.

    • Just got it to work and replied to my own first comment with an example of how I did it. See above

      Could you maybe remove my other comment with the server names in it? That was not supposed to happen. Thanks in advance

  3. Hello Peter,
    I’ve followed your instruction, it’s great, one thing I can’t get my head around, not sure you have tried, is setting Browser Bookmarks, so that all deployed firefox browsers have some default bookmarks.
    I’ve tried with various combinations of the below, and no joy.
    ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Bookmarks/Bookmark01
    string

    • Maybe it's related to this bug: Due to a bug, you must select the location.
      I've used the GitHub example from Firefox to test this setting, without luck. I'm not able to help at this moment.

      • I did get the bookmarks to work in bookmarks bar, which also allows in bookmarks menu. So it does work.

        • Bookmarks is the last piece for me. Anyway you can ping me on twitter? Twitter Handle is BruceSaaaa

          • I spent some more time on the Bookmarks and it now is clear why my setting failed 🙂
            All 5 settings are required for Bookmarks and as I left out the BookmarkFavicon it failed on that, but I missed that event error. Also important is to start the URL with http or https. If it doesn't start with that (but for example with www), the policy might show success, but no Bookmark is shown.

  4. Hello Peter,
    It seems the proxy configuration doesn’t work. I want to use ConnectionType=system.
    ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/Proxy
    \data id=”ConnectionType” value=”system”//
    I have an unknown error.

      • It seems that, like with the Bookmark policy, all settings need to be configured to get the proxy configured.
        That means setting ConnectionType to system and also configuring all those settings:

        data id=”ProxyLocked
        data id=”ConnectionType
        data id=”HTTPProxy
        data id=”UseHTTPProxyForAllProtocols
        data id=”SSLProxy
        data id=”FTPProxy
        data id=”SOCKSProxy
        data id=”SOCKSVersion
        data id=”AutoConfigURL
        data id=”Passthrough
        data id=”AutoLogin
        data id=”UseProxyForDNS

        Settings which can be left blank, like AutoConfigURL, can be left blank.
        Where you need to make a choice between true or false, make a choice etc. That's the only way to get this configured at this moment.

  5. Anyone seeing a successful ingest of ADMX, but the OMA URI fails with infamous error code 0x87d1fde8 (Event ID 404/The system cannot find the file specified)? From what I see, all the registry values are present in HKLM\[…]\PolicyManager\AdmxInstalled and HKLM\[…]\PolicyManager\AdmxDefault. I’ve checked syntax, spelling, trailing spaces, can’t find any differences.

    Same method works fine for Chrome. 🙁

    • Yes! I followed the guide in the Firefox Documentation and have the same problem. The ingest ‘works’ but there are no policy Folders for Firefox listed under ADMXdefault. Which is why we get errors for missing policies when applying them. Is it still broke for you?
