admin adventure

the ongoing struggle: man vs machine

Monthly Archives: October 2014

Firefox ESR 31 Deployment via Group Policy and Powershell

If you have found this blog through searching for tips on how to deploy Firefox in the enterprise, you are likely in one of two camps.

  1. Your luck was high today and this was the first link you clicked on in the search results.
  2. You're a generally lucky person, but today your Google-fu search skills seem to be lacking. You are encountering numerous websites that make it seem like deploying Firefox and customising some simple settings is a very difficult process.

I myself have been in the second scenario, and eventually realised that everyone was overcomplicating this issue. I suspect that most people have some very simple requirements when deploying Firefox. What follows is the process I used to install Firefox ESR 31.2 in my Windows 7/Windows Server 2008 environment, using nothing but native Windows tools and the Firefox install bundle.

Goals

  • Install Firefox using Group Policy to my Fleet of Windows 7 PCs.
  • Customise the homepage URL.
  • Disable the “Know your rights” website that can display on first run.
  • Configure several internal domain names to be trusted for NTLM authentication purposes. This enables things like SharePoint to automatically login with the current windows user account.
  • Updates will be handled via the in-built Firefox updating mechanism. This is performed by the Mozilla Maintenance Service, which is installed alongside Firefox. Firefox will be automatically updated when a new ESR version is released, without the user requiring administrative rights over their local PC.

Task 1 – Install Firefox

This seems to be the area where many people come unstuck. Mozilla do not provide an .msi installer for Firefox, despite this being requested for several years. Fortunately Firefox can be silently installed from the command line with some switches. We can utilise Powershell to execute the install on startup, after performing some initial checks to make sure that Firefox is not already installed.

  1. Download the appropriate version of Firefox ESR from https://www.mozilla.org/en-US/firefox/organizations/faq/
  2. Create a deployment share on a server that has read permissions to the everyone group. This will be your deployment share.
  3. Copy the Firefox installer to a folder within the deployment share.
  4. Open up the PowerShell ISE. It is likely in your Windows 7 start menu.
  5. Now we need to get started on the script. Note that the complete script is available for download at the end of this blog entry. Here I will work through the script in parts so that you are able to customise it for your requirements. Due to how various web browsers will display this script, download the copy in the zip file rather than copy and paste from the script boxes.
  6. Firstly, we need to define some variables that we will reference later. We will create the config files later. For the moment just add them to the script with their intended file names.

# Path used to detect an existing Firefox install.
$InstalledFilePath = "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"

# Configuration files on the deployment share.
$ConfigFile1Source = "\\servername\sharename\Firefox\v31\autoconfig.js"
$ConfigFile2Source = "\\servername\sharename\Firefox\v31\Firefox.cfg"

# Folders on the client PC that the configuration files are copied to.
$ConfigFile1Destination = "C:\Program Files (x86)\Mozilla Firefox\defaults\pref"
$ConfigFile2Destination = "C:\Program Files (x86)\Mozilla Firefox"

7. Next, we need to check if Firefox is already installed. This command uses the previously defined variable to check if Firefox.exe is present.

#Test to see if any edition of Firefox is installed.
IF (!(Test-Path -path $InstalledFilePath -pathType leaf))

8. If Firefox is not found, we will install Firefox silently, with our install options taken from the file config.ini. The silent install switch is -ms.

{

#Install if file not found.
Invoke-Expression "cmd.exe /c \\servername\sharename\Firefox\v31\FirefoxSetup31.2.0esr.exe -ms /INI=\\servername\sharename\Firefox\v31\config.ini"

#Copy the two configuration files into the new install.
Copy-Item $ConfigFile1Source $ConfigFile1Destination
Copy-Item $ConfigFile2Source $ConfigFile2Destination

}

9. If Firefox was found, we may still need to install the new version and copy the config files. This will overwrite any manual installs of Firefox with our deployed version.

ELSE
{
#Compare as version objects; a string comparison would rank "31.10" below "31.2".
$InstalledProductVersion = [version](Get-Command $InstalledFilePath).FileVersionInfo.ProductVersion
IF ($InstalledProductVersion -lt [version]"31.2")
{
#Install if version is less
Invoke-Expression "cmd.exe /c \\servername\sharename\Firefox\v31\FirefoxSetup31.2.0esr.exe -ms /INI=\\servername\sharename\Firefox\v31\config.ini"

Copy-Item $ConfigFile1Source $ConfigFile1Destination
Copy-Item $ConfigFile2Source $ConfigFile2Destination
}

10. If Firefox was found to be a higher version than is installed by this script, it is possible that the automatic update function has updated to the latest version. In this case, we don’t need to install Firefox, but we still want our customised configuration copied.

ELSE
{
#Installed version is current or newer: only refresh the configuration files.
Copy-Item $ConfigFile1Source $ConfigFile1Destination
Copy-Item $ConfigFile2Source $ConfigFile2Destination

}

}
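
A computer startup script runs as Local System, so the installer on the share is executed with full privileges on every PC. As an added example (not part of the original script), this check confirms the installer carries a valid Authenticode signature from the expected publisher before it is run; the function name and the publisher string 'Mozilla Corporation' are assumptions to confirm against a known-good download.

```powershell
# Added example - not part of the original script.
# The UNC paths are the article's placeholders; $ExpectedPublisher is an assumed value.
$Installer         = '\\servername\sharename\Firefox\v31\FirefoxSetup31.2.0esr.exe'
$InstallerIni      = '\\servername\sharename\Firefox\v31\config.ini'
$ExpectedPublisher = 'Mozilla Corporation'

function Test-InstallerSignature {
    param(
        [string]$Path,
        [string]$Publisher
    )
    if (!(Test-Path -Path $Path -PathType Leaf)) {
        Write-Warning "Installer not found: $Path"
        return $false
    }
    # Checks the embedded Authenticode signature and its certificate chain.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($sig.Status)' for $Path"
        return $false
    }
    # A valid signature from an unexpected signer is still a failure.
    $signer = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
    if ($signer -ne $Publisher) {
        Write-Warning "Unexpected signer '$signer' for $Path"
        return $false
    }
    return $true
}

if (Test-InstallerSignature -Path $Installer -Publisher $ExpectedPublisher) {
    # Same silent install command as in the article's script.
    Invoke-Expression "cmd.exe /c $Installer -ms /INI=$InstallerIni"
}
else {
    Write-Warning 'Firefox installer failed the signature check; install skipped.'
}
```

The signature covers only the installer; autoconfig.js, Firefox.cfg and config.ini are protected only by the write permissions on the share.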

A limitation of this script is that the configuration files will be copied on every boot of the computer (whilst they are very small, this is still undesirable). I will leave it up to you to solve this within the script, but how you solve this needs to take into account how you will handle configuration changes (e.g. your homepage address changes).
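
One way to address this limitation, as an added example that is not part of the original script: compare SHA-256 hashes and copy a configuration file only when the copy on the share differs from the one on the client, so a changed homepage is picked up on the next boot and a locally edited file is put back. The function names are hypothetical, and the .NET hashing classes are used so that it also runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example - not part of the original script. Function names are hypothetical.
function Get-Sha256Hex {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        return [System.BitConverter]::ToString($sha.ComputeHash($stream))
    }
    finally {
        $stream.Close()
        $sha.Clear()
    }
}

function Sync-ConfigFile {
    param(
        [string]$Source,
        [string]$DestinationFolder
    )
    $target = Join-Path $DestinationFolder (Split-Path $Source -Leaf)
    if (!(Test-Path -Path $Source -PathType Leaf)) {
        # Share unreachable or file missing: keep whatever the client already has.
        Write-Warning "Source missing, client copy left untouched: $Source"
        return $false
    }
    if ((Test-Path -Path $target -PathType Leaf) -and
        ((Get-Sha256Hex $Source) -eq (Get-Sha256Hex $target))) {
        return $false   # identical content, nothing to copy
    }
    Copy-Item -Path $Source -Destination $target -Force
    return $true
}

# Same variables as defined at the top of the article's script.
$ConfigFile1Source      = "\\servername\sharename\Firefox\v31\autoconfig.js"
$ConfigFile2Source      = "\\servername\sharename\Firefox\v31\Firefox.cfg"
$ConfigFile1Destination = "C:\Program Files (x86)\Mozilla Firefox\defaults\pref"
$ConfigFile2Destination = "C:\Program Files (x86)\Mozilla Firefox"

# Use these two lines in place of each pair of Copy-Item calls.
Sync-ConfigFile $ConfigFile1Source $ConfigFile1Destination | Out-Null
Sync-ConfigFile $ConfigFile2Source $ConfigFile2Destination | Out-Null
```

The files on the share are still read on every boot to compute the hash, but nothing is written to the client unless the content has changed.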

Save the script to your deployment share. We will now move onto creating our supporting files.

You can download a complete copy of the script, and other resources here.

Task 2 – Creating config.ini

Config.ini is referenced in the Powershell script to provide a way to set some options that would normally be selected through the installation GUI.

1. Copy the following text into notepad, and save to the deployment share as config.ini

[Install]
;
; Remove the semicolon (;) to un-comment a line.
;
; The name of the directory where the application will be installed in the
; system’s program files directory. The security
; context the installer is running in must have write access to the
; installation directory. Also, the directory must not exist or if it exists
; it must be a directory and not a file. If any of these conditions are not met
; the installer will abort the installation with an error level of 2. If this
; value is specified then InstallDirectoryPath will be ignored.
; InstallDirectoryName=Mozilla Firefox

; The full path to the directory to install the application. The security
; context the installer is running in must have write access to the
; installation directory. Also, the directory must not exist or if it exists
; it must be a directory and not a file. If any of these conditions are not met
; the installer will abort the installation with an error level of 2.
; InstallDirectoryPath=c:\Firefox\

; By default all of the following shortcuts are created. To prevent the
; creation of a shortcut specify false for the shortcut you don’t want created.

; Create a shortcut for the application in the current user’s QuickLaunch
; directory.
; QuickLaunchShortcut=false

; Create a shortcut for the application on the desktop. This will create the
; shortcut in the All Users Desktop directory and if that fails this will
; attempt to create the shortcuts in the current user’s Start Menu directory.
; DesktopShortcut=false

; Create shortcuts for the application in the Start Menu. This will create the
; shortcuts in the All Users Start Menu directory and if that fails this will
; attempt to create the shortcuts in the current user’s Start Menu directory.
; StartMenuShortcuts=false

; The directory name to use for the StartMenu folder (not available with
; Firefox 4.0 and above – see note below).
; note: if StartMenuShortcuts=false is specified then this will be ignored.
; StartMenuDirectoryName=Mozilla Firefox

; The MozillaMaintenance service is used for silent updates and may be used
; for other maintenance related tasks.  It is an optional component.
; This option can be used in Firefox 16 or later to skip installing the service.
; MaintenanceService=false

;

2. Uncomment any line that you need to customise.

Task 3 – Create autoconfig.js and Firefox.cfg

autoconfig.js and Firefox.cfg work hand in hand to provide a means to configure Firefox options.

Copy the following into notepad and save as autoconfig.js on the deployment share.

pref("general.config.filename", "Firefox.cfg");
pref("general.config.obscure_value", 0);

These settings tell Firefox that the configuration file is named Firefox.cfg, and that the configuration file is not bit-shifted to hide the contents. Note that if you intend to set passwords in the config file, this would be a security risk as the file is effectively plain text. For our simple purpose this is acceptable.

Note that this file will be placed on the client PC via our PowerShell deployment script at C:\Program Files (x86)\Mozilla Firefox\defaults\pref

Now we will make Firefox.cfg. This file will be where we set the options for the web browser. There are many hundreds of options available to set. I am demonstrating only a couple. Many of the options revealed by typing about:config into the Firefox address bar are usable.


Copy the following into notepad and save as Firefox.cfg to the deployment share.

//Don't show 'know your rights' on first run
pref("browser.rights.3.shown", true);
pref("browser.startup.homepage", "http://homepage.com");
pref("network.automatic-ntlm-auth.trusted-uris", "internalsite1.local, internalsite2.local");

Tip: Line 1 must always be a comment, as denoted by //. If you place a setting on line 1, your config will not work.

Note that this file will be placed on the client PC via our PowerShell deployment script at C:\Program Files (x86)\Mozilla Firefox\

Task 4 – Bringing it all together

We now have several elements to bring together via a group policy to implement our configuration. I would recommend implementing this in a testing scenario before you deploy into production, but this is up to you.

  1. Log onto a domain controller and open up the Group Policy Management Console.
  2. Create a new policy with a descriptive name. Pick a name that will mean something to you after 6 months when you have forgotten all about this project.
  3. Edit the new policy and navigate to Computer Configuration>Policies>Windows Settings>Scripts>Startup
  4. Double-click on the startup and select show files. This will open up the folder for this group policy object, which will have an impossibly long GUID in the folder name which you will have no hope of remembering.
  5. Make a new text file within this folder and write the following command to run your powershell script.

@echo off

powershell.exe \\servername\sharename\firefox\v31\InstallFirefox.ps1

exit

6. Save the file and rename the file extension from .txt to .bat to make it a batch file.

7. Close the folder, then click the add button. Add the script you just made to the startup properties window.

And you're done.

Summary

After following the above guide, and obviously customising the file and path locations within the scripts, you should have:

Group policy which executes a powershell script.

Powershell script which checks for Firefox, the version of Firefox, and either installs Firefox and copies two configuration files, or just copies the configuration files.

A Firefox install, and two configuration files that end up on the client PC.

Resources

Script and configuration files

https://etherpad.mozilla.org/r3eYJXEyhp


Deploy and Customise Google Chrome

This guide will lead you through the basic steps to deploy Google Chrome with group policy. It is based on v38, which at the time of writing is the current release. To follow this guide, you should already be familiar with Group Policy in general.

As with any task, first clearly define the objectives you want to achieve before starting. Your objectives will no doubt be different, so this guide should be a general reference only.

Objectives

1. Install Google Chrome 64bit edition for all users of selected Windows 7 PCs. For our purpose the computers are all in the active directory organisational unit “Computers – Windows 7”.

2. Set home page to a specific address.

3. Reduce automatic update frequency.

Task 1 – Obtain the appropriate Files

  1. Download the 64-bit msi package of the enterprise Google Chrome that Google helpfully provide. It can be located at https://www.google.com/intl/en/chrome/business/browser/admin/
  2. Download the adm and admx group policy templates from https://support.google.com/chrome/a/answer/187202
  3. Download the Google Update adm group policy template from https://support.google.com/installer/answer/146164

 

Task 2 – Copy MSI file to the deployment share.

  1. Copy the downloaded .msi file to a deployment share that client computers have read access to.

 

Task 3 – Create a new GPO to deploy the software and settings.

  1. Open group policy management console on a domain controller, and create a new policy. Give it a descriptive name that will still retain some meaning to you and your colleagues in 6 months time.
  2. Edit the newly created policy (Right-click>Edit) and navigate to the Computer Configuration>Policies>Software Settings>Software Installation node.
  3. In the right-hand pane, right click and select New>Package
  4. Navigate to the package file you earlier placed in the deployment share, and click ok.
  5. Select Advanced for the deployment method and click Ok.
  6. Enter a name for the package. I like to put both the architecture and version number in the package name, but it is up to you really. Note that this is the name that will appear in the installed program list on the client computers. I like to put the word “Deployed” in the name to distinguish the group policy installs from the manual installs.
  7. No further options are required to be set, however depending on your environment, you may wish to set some further options. I always set “Ignore language when deploying this package” which is under Deployment>advanced. Once done, click ok.
  8. The package will now install to any PCs that are covered by the policy you created. If you are testing, you may wish to run the command “gpupdate /force /boot” on your test PC to force an immediate deployment.
  9. Close the Group Policy Management Editor before continuing.

 

Task 4 – Customise via Group Policy

Configure Homepage

In my case I need to import the .admx template files into my Windows 2008 R2 central store. Your group policy setup may be different. The below paths are for my environment, and your environment will be different.

  1. Extract the policy templates archive.
  2. Copy Chrome.admx to D:\ADDS\Sysvol\sysvol\xxxxxx\Policies\PolicyDefinitions\
  3. Copy the language specific adml files for your required languages to the central store. i.e. the EN-GB files to D:\ADDS\Sysvol\sysvol\xxxxxx\Policies\PolicyDefinitions\EN-GB\
  4. Open Group Policy Management Editor and edit the policy you created earlier. When you expand Policies>Administrative Templates>Google in both computer configuration and User Configuration, you will see the new settings that can be applied.
  5. In our case, we want to change the default home page, and not allow the user to override this. Navigate to the “Computer Configuration>Policies>Administrative Templates>Google>Google Chrome>Home page” node and set the “Configure Home Page URL” setting.
    Note that if we had wanted users to have the ability to override this, and only wanted to set a default, we could have configured the same setting under the “Google Chrome – Default Settings (users can override)” node.
  6. I will also set the “Use New Tab Page as Homepage” option to disabled, to prevent users from changing the homepage behaviour.
  7. This will now load the homepage you have just configured when the home button is clicked. The default startup action for Chrome 38 doesn’t open the homepage, but a new tab. Navigate to Google Chrome>Startup pages and change both the action on startup (Open a list of URLs) and URLs to open on startup settings.

 

Configure Update Frequency

Chrome will be updated via the Google Update software that is installed alongside Chrome, even for users without admin rights. To manage this software, we need to use the Google update adm template that we downloaded earlier.

  1. Copy the Google update adm template file to a location on the domain controller.
  2. Within the GPME, right-click the administrative templates node, and select add/remove templates.
  3. Add in the Google update adm template, and click close.
  4. You now have the ability to manage Google update.
  5. Navigate to the “Google update>preferences” node, and set the auto-update check period override to the desired setting. I have set the number of minutes to 10080 to enable a weekly update.

Now you should have a working setup. I would recommend you review the documents located below in the resources section, and the other available group policy settings to identify further opportunities to set default settings as appropriate.
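
To confirm on a test PC that the settings above actually arrived, the following added example (not from the original post) reads the values that the Chrome and Google Update templates write under HKLM:\SOFTWARE\Policies\Google after a gpupdate. The registry value names are not given in the post and the function names are hypothetical.

```powershell
# Added example - not from the original post. Run on a test client after gpupdate.
function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null   # value not set by any policy
}

function Get-ChromePolicyReport {
    $chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    $update = 'HKLM:\SOFTWARE\Policies\Google\Update'
    $report = New-Object PSObject -Property @{
        HomepageLocation     = Get-PolicyValue $chrome 'HomepageLocation'
        HomepageIsNewTabPage = Get-PolicyValue $chrome 'HomepageIsNewTabPage'
        RestoreOnStartup     = Get-PolicyValue $chrome 'RestoreOnStartup'
        StartupUrls          = @()
        UpdateCheckMinutes   = Get-PolicyValue $update 'AutoUpdateCheckPeriodMinutes'
    }
    # List policies are stored as numbered values under a subkey.
    $urlsKey = Join-Path $chrome 'RestoreOnStartupURLs'
    if (Test-Path $urlsKey) {
        $key = Get-Item $urlsKey
        $report.StartupUrls = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    }
    return $report
}

$r = Get-ChromePolicyReport
$r | Format-List

if (!$r.HomepageLocation) {
    Write-Warning 'Home page URL policy is not applied.'
}
if ($r.HomepageIsNewTabPage -ne 0) {
    Write-Warning 'Use New Tab Page as Homepage is not set to disabled.'
}
if ($r.RestoreOnStartup -ne 4) {
    Write-Warning 'Action on startup is not 4 (open a list of URLs).'
}
if ($null -eq $r.UpdateCheckMinutes) {
    Write-Warning 'No update check period policy found; Google Update uses its default.'
}
elseif ($r.UpdateCheckMinutes -eq 0) {
    Write-Warning 'Update check period is 0: periodic update checks are disabled.'
}
```

With the settings from this guide the report should show the configured home page, RestoreOnStartup 4, the startup URLs, and an update check period of 10080.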

 

Resources

Chrome for Work
https://www.google.com/intl/en/chrome/business/browser/admin/

Set up Chrome for Work
https://support.google.com/chrome/a/answer/188446?hl=en

Set chrome policies for devices
https://support.google.com/chrome/a/answer/187202

Control Auto-updates
https://support.google.com/chrome/a/answer/187207

Google Update for Enterprise
https://support.google.com/installer/answer/146164