How to use the amazing CCK 2 tool to lock down Firefox



Darren Wallace, Amsys' Senior Apple Consultant, talks you through using Mike Kaply's amazing tool, CCK 2, to lock down Firefox.


Locking down Firefox with CCK 2

amsys.co.uk/2014/blog/locking-firefox-cck-2/

Posted by: Darren Wallace on Tuesday, August 26th, 2014

Hello again. Yes it’s another Firefox lockdown blog, and a second CCK one, but I have good reasons! I promise!

Firstly, Firefox has changed a little from version 24 to the (at time of writing) current version 30. Secondly, the excellent Mike Kaply has released a ‘new-proved’ (that’s new and improved) CCK, version 2, which offers a better system to maintain the lockdowns through Firefox updates.

Previously, you’d have to manually modify each newly updated Firefox bundle to keep your restrictions in place. With the new method, you can re-push / deploy the specific settings files, back into the newly updated (or replaced) application bundle.

I’d also like to take this chance to apologise to Mike for not having a chance to play and write this up sooner. CCK 2 was released back in November 2013.

One final thing…. I apologise in advance for the length of this post!

Right, let’s get to it.

Introduction

Firefox Version: 30.0.0

CCK Version: 2.0.4

This blog post is split into four main sections:

1. Obtaining and installing the CCK Wizard

2. Configuring a CCK lock-down ‘auto-config’ package

3. Installing the package into your Firefox bundle

4. Using the new package when updating Firefox.

I suggest you use a new user account that hasn’t launched Firefox of any version to build your deployment copy.

Phase 1: Obtaining and installing the CCK Wizard

1. Navigate to the Firefox website and download the latest copy of Firefox.

2. Drag your new copy of Firefox to the desktop so you can work on it.

3. Launch Firefox and dismiss all of the first launch popups and messages.

4. Once you have got your copy of Firefox fully open, launch the Add-on manager by going to the “Tools” menu item, then “Add-ons”.


5. In the “Search all add-ons” box, type in “cck” and hit return.

6. This should show the 2 CCK Wizard add-on installers. Click “Install” on the CCK Wizard 2.0.4 and once complete, close this tab.

7. Once Firefox has installed the plugin, you should see the below screen. This means that the CCK Wizard add-on is installed. This completes Phase 1.

Phase 2: Configuring a CCK lock-down ‘auto-config’ package

8. As directed by the ‘Thanks for installing…’ screen, click the new icon in the top right corner.

9. This will launch the CCK Wizard 2 editor. Click “New” to create a new configuration. You can import previous CCK Wizard creations but sometimes it’s good to start from scratch to clear out the fluff.


10. Enter a name and a unique identifier for your lockdown profile. For this example, I have used “Amsys-Example-Lockdown-2014” and “[email protected]”. Click “OK”.

11. The entire plugin will now move to a new screen, with the sections on the left and the settings on the right. On the “About” page, set a description and give the configuration a version number. Use the “Choose…” option to select the location that the work in progress files will be stored. In this example I have used the desktop of my test user account. Once complete, click “Next”. Please note: You can also navigate directly to each section using the titles in the left hand window.


12. The next section is “Web Pages”. This will allow you to set a homepage, lock the homepage, set a ‘new user’ welcome page and not to display it, and finally set a ‘Firefox has been upgraded’ page and not to display it. In my default ‘education lockdown’ I will set the Homepage, tick the ‘lock down’ box, leave the Welcome and Upgrade page URLs blank, but tick both “Do not display…” options. Once complete, click “Next”.


13. Next is the “User Interface”, providing general options for the UI of the browser. Typically, I would only select / tick the “Remove the Web Developer menu”, “Remove the ‘Set As Desktop Background’ menuitem” and “Remove the ‘Restart with Add-ons disabled’ menuitem” options. The last option isn’t really that relevant with the new UI style of Firefox v30. Once complete, click “Next”.


14. The next section is “Help Menu” and allows you to modify some aspects of the Help system. Generally speaking, it’s not something I make use of but feel free to play (and test)! Click “Next”.

15. This section is the “Hidden UI” section. It allows you to hide whole sections of the Firefox UI. Again, generally speaking, it’s not something I make use of, but might be ideal for you. Once complete, click “Next”.

16. The next section “Permissions” allows you to set default site preferences such as block/allow Popups, Installs, Cookies and Plugins. For this example I have used a (hopefully) fake site called “http://www.popsite.com” and blocked all. Clicking the “Add…” option, filling in the boxes, and then clicking “OK” added this. Repeat as required. Click “Next” once you’re done.


17. The “Add-ons” page. You can use the main section to load in the pre-downloaded extension files to include. Typically, I’d rarely use this feature but I heavily use the lower section. This allows the disabling of “Discovering Add-ons in the Add-ons Manager”, the Add-ons manager itself and the installing of Add-ons. I typically will tick all three. Click “Next”.


18. “Search Engines”. As the name suggests, this allows you to customise the Search Engines that Firefox uses. By default Firefox uses Google so typically, I’ll leave this as is. Click “Next”.


19. “Plugins”, the section for your web plugins such as Flash, Java, Adobe Reader etc. Generally, I’d be deploying Flash and Java to the system as standard, so I don’t typically use this section. Click “Next”.

20. “Bookmarks”. This section can be used to set some options relating to the bookmark items and view settings. I typically select all three options (“Display the Bookmarks toolbar by default”, “Remove Smart Bookmarks…” and “Remove Default Bookmarks…”). Click “Next”.


21. “Toolbar” and “Menu”. These two sections allow you to add bookmarks, separators and folders to the bookmarks toolbar and menu item respectively. Adding these is simply a case of clicking the relevant “Add [XXXX]…” button and filling in the popup box. Once complete, click “Next” on each section.

22. “Preferences”. This section is very similar to the one in CCK 1.x. Again, these are the same options available in the about:config menu and also very similar to those we’ve added in my previous Firefox deployment blogs.

23. To add a preference, click the “Add…” option.

24. In the “Preference Name” box, start typing the preference you want to set. The CCK will try and offer the preferences you are looking for. Once you find the one you want, click it.

25. In the lower box, select the value you want. Click “OK”. Previously, this is also where you’d set to either ‘lock’ the preference (stopping it from being changed) or just to set it (as an initial setting, but changeable by each user).


26. Once you’ve clicked “OK” you will be taken back to the previous page and shown the preference you have set. Consult my last blog for my personal favourites. To enable the ‘lock’ setting on the preference, set the preference, right click it and select “Lock”.

27. The final option here is a tick box to block access to the “about:config” page of Firefox. This is a local page displaying all of the set and possible options for Firefox. Typically I would have this selected. Click “Next”.


28. “General”. This section provides you with three tick boxes that do, like much in the CCK, exactly as they say. I will usually set the middle option, “Don’t check if Firefox is the default browser at startup”. Click “Next”.

29. “Privacy”. This section allows you to disable private browsing and to not remember search and form history. I tick the “Disable Private Browsing” option usually. Click “Next”.


30. “Security”. This gives you the option to not remember passwords and to disable the creation of a master password to encrypt the stored passwords. This might be a good option for Kiosk style Macs but I don’t normally require this setting. Click “Next”.

31. “Sync”. This single tick box allows the Firefox Sync feature to be turned off. Generally I tick this option. Click “Next”.

32. “Data Choices”. This section provides three options to “Disable the crash reporter”, “Disable telemetry” and “Disable Firefox Health Report upload”. I would normally tick all three options to reduce end user popups and undesirable behaviour. Click “Next”.

33. “Update”. This section has the sole option of disabling Firefox Updates. In a controlled environment I would always select this option to allow the site administrators to control the version of Firefox available to end-users. Click “Next”.


34. “Windows Registry”. This section allows the adding of entries to the Windows Registry relating to Firefox. Being a Mac tech, I skip this section. Click “Next”.

35. “Certificates”. This section has three tabs; “Authorities”, “Servers” and “Overrides”. The first tab allows you to add CA certificates directly into the Firefox application. The second tab allows you to add individual server certificates and the Overrides section controls which domains are allowed to provide self signed certificates. I typically push out certificates using packages or MDM profiles as this will add them to the System Keychain and make them accessible to all applications, therefore I don’t make use of this section personally. Click “Next”.

36. “Network”. This section has two options; a drop down box to pick the setting and a tick box to stop users changing it. The default for Firefox is to use the System Proxy settings, which is normally the best option. I tend to forcibly set this and use the tick box to stop this being changed. Click “Next”.


37. “Miscellaneous”. This is where the ‘everything else’ settings live. I advise to certainly tick the first three options as these minimise the pop ups and stop users resetting Firefox. Click “Next”.

38. “AutoConfig Only”. As the name implies, this section only works for those of us that are going to deploy the setup using the “AutoConfig” method described in this blog. Those who want to use the extension method (as described previously but for CCK 1.x) should skip these two steps.

39. This section allows you to disable “Safe Mode”, to prevent the migration of Profiles and to set some JavaScript code to run before and after the CCK2 settings. The only option I’ve actively set and used is the “Don’t Migrate Profiles” option that I understand blocks the use of existing Firefox settings (as stored in ~/Library/Application Support/Mozilla). Click “Next”.

40. “Extension Only”. Same as above, only fill in this section if you are going to use the Extension method to apply the configuration.

41. “Finish”. The last section! If you want to use the Extension method, click “Create an Extension” and save the result to your desktop. Then use my previous blog, section 3, to deploy this. If you want to use the new “AutoConfig” method, then click “Use Auto Extension method to apply the configuration.

42. This completes the settings configuration.

Phase 3: Installing the package into your Firefox bundle

43. The next steps involve getting the new settings into the Firefox bundle itself. Navigate to the location you saved your final file in. This should end with the extension .zip


44. Double click this file to unzip the contents.

45. We need to get these files and folder into the Firefox Application, into “./Firefox.app/Contents/MacOS” but without replacing the folders already in place!

46. Keep the autoconfig window open and to one side. Go back to your build version of Firefox, right click and select “Show Package Contents”.

47. Navigate to the “Contents” > “MacOS” folder within this bundle. This area will be familiar to those who’ve followed my many previous posts about Firefox deployment configuration.


48. Copy the “distribution” folder, from your autoconfig folder into this location.

./autoconfig/distribution -> ./Firefox.app/Contents/MacOS/


49. Within your Firefox.app folder structure, open up the “browser” folder (“./Firefox.app/Contents/MacOS/browser”) and open up the “browser” folder in your ‘autoconfig’ folder (“./autoconfig/browser”).

50. Copy the contents of the autoconfig folder into the Firefox “browser” folder.

./autoconfig/browser/* -> ./Firefox.app/Contents/MacOS/browser/


51. Last one! Within your Firefox.app folder structure, open up the “defaults” then “pref” folder (“./Firefox.app/Contents/MacOS/defaults/pref”) and open up the “defaults” then “pref” folder in your ‘autoconfig’ folder (“./autoconfig/defaults/pref”).

52. Copy the contents of the pref folder into the Firefox “pref” folder.

./autoconfig/defaults/pref/* -> ./Firefox.app/Contents/MacOS/defaults/pref/


53. Firefox should now have its tweaks complete and stored within its application bundle. When a new user launches Firefox, it will silently use the lock-down configuration and apply the settings. To test I would recommend copying the final product into the Applications folder, then creating and using a new User account, verifying the behaviour is as expected. Also remember, to ‘reset’ a user to continually test the use of Firefox as a new user, just remove these two directories:

~/Library/Application\ Support/Mozilla

~/Library/Application\ Support/Firefox

Phase 4: Using the new package when updating Firefox

Wow, sorry about the length of that. Mike’s done a great job of splitting up the sections neatly; it just doesn’t make for an easy blog!

As promised, let’s have a brief chat about why I would recommend this change. The current easiest (and arguably most popular) method for updating Firefox is to push out the new .app bundle. I can’t disagree with this as it also ensures that any issues within the Application bundle are fixed when the whole lot is replaced. However, this causes the problem that for each new version, you need to re-apply your configurations inside the application before you can push it out.

With the new method, you can simply package those files we copied (steps 48, 50 and 52) in their final locations. With this new package, you can simply ensure to redeploy this after every Firefox update to ensure that your restrictions are applied.

Running Munki? Even easier! Add this package into your installs array and add the files into the pkgsinfo file’s installs array and watch, as Munki will automatically fix Firefox, each time it’s updated.

Running Casper? A little trickier but how about using a custom Extension Attribute that checks for the existence of these files, and if not present, add the Macs to a Smart group and use a scoped policy to reinstall them.
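
The check-and-redeploy loop described above, for the files copied in steps 48, 50 and 52, as an added example that is not part of the original post. The function names (lockdown_missing, lockdown_status, merge_autoconfig) are hypothetical, and the script assumes the unzipped autoconfig folder is kept as the reference copy.

```shell
#!/bin/sh
# Added example, not from the original post. Folder names follow steps 48, 50, 52.
LOCKDOWN_DIRS="distribution browser defaults/pref"

# lockdown_missing SRC APP
# List every file under SRC (the unzipped autoconfig folder) that is absent
# from, or differs from, its copy in APP/Contents/MacOS. No output = intact.
lockdown_missing() {
    src=$1
    dest=$2/Contents/MacOS
    for sub in $LOCKDOWN_DIRS; do
        [ -d "$src/$sub" ] || continue
        ( cd "$src" && find "$sub" -type f ) | while IFS= read -r rel; do
            cmp -s "$src/$rel" "$dest/$rel" || printf '%s\n' "$rel"
        done
    done | sort
}

# lockdown_status SRC APP
# One-word state; a Casper Extension Attribute would print it inside
# <result>...</result> so a Smart Group can match on "Unlocked".
lockdown_status() {
    # Without the reference folder nothing can be compared: say so.
    [ -d "$1" ] || { echo "Unknown"; return 0; }
    if [ -z "$(lockdown_missing "$1" "$2")" ]; then
        echo "Locked"
    else
        echo "Unlocked"
    fi
}

# merge_autoconfig SRC APP
# Re-apply the lockdown: copy the contents of the three folders into the
# bundle, merging into the folders Firefox ships rather than replacing them.
merge_autoconfig() {
    src=$1
    dest=$2/Contents/MacOS
    [ -d "$dest" ] || { echo "not a Firefox bundle: $2" >&2; return 1; }
    for sub in $LOCKDOWN_DIRS; do
        [ -d "$src/$sub" ] || continue
        mkdir -p "$dest/$sub" || return 1
        # "dir/." means "what is inside dir"; files already in the target stay.
        cp -R "$src/$sub/." "$dest/$sub/" || return 1
    done
}

# Run directly: ./relock.sh /path/to/autoconfig /Applications/Firefox.app
if [ "$#" -eq 2 ]; then
    if [ "$(lockdown_status "$1" "$2")" = "Unlocked" ]; then
        merge_autoconfig "$1" "$2" && lockdown_status "$1" "$2"
    fi
fi
```

Because the comparison is by content, a settings file that was edited in place is reported as well as one that a Firefox update removed.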

Summary

Thanks for sticking it out this far and apologies again for the long post. Hopefully that will help some of you with a better method, or even just an (another) alternative method of configuring Firefox for your deployments.

As always, if you have any questions, queries or comments, let us know below and I’ll try to respond to and delve into as many as I can.

Disclaimer:

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. Amsys will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.