admin adventure

the ongoing struggle: man vs machine

Firefox ESR 31 Deployment via Group Policy and Powershell

If you have found this blog through searching for tips on how to deploy Firefox in the enterprise, you are likely in one of two camps.

  1. Your luck was high today and this was the first link you clicked on in the search results.
  2. Your a generally lucky person, but today your Google-foo search skills seem to be lacking. You are encountering numerous websites that make it seem like deploying Firefox and customising some simple settings is a very difficult process.

I myself have been in the second scenario, and eventually realised that everyone was overcomplicating this issue. I suspect that most people have some very simple requirements when deploying Firefox. What follows is a the process I used to install Firefox ESR 31.2 in my Windows 7/Windows Server 2008 environment, using nothing but native windows tools, and the Firefox install bundle.

Goals

  • Install Firefox using Group Policy to my Fleet of Windows 7 PCs.
  • Customise the homepage URL.
  • Disable the “Know your rights” website that can display on first run.
  • Configure several internal domain names to be trusted for NTLM authentication purposes. This enables things like SharePoint to automatically login with the current windows user account.
  • Updates will be handled via the in-built Firefox updating mechanism. This is performed by the Mozilla Maintenance Service, which is installed alongside Firefox. Firefox will be automatically updated when a new ESR version is released, without the user requiring administrative rights over their local PC.

Task 1 – Install Firefox

This seems to be the area where many people come unstuck. Mozilla do not provide an .msi installer for Firefox, despite this being requested for several years. Fortunately Firefox can be silently installed from the command line with some switches. We can utilise Powershell to execute the install on startup, after performing some initial checks to make sure that Firefox is not already installed.

  1. Download the appropriate version of Firefox ESR from https://www.mozilla.org/en-US/firefox/organizations/faq/
  2. Create a deployment share on a server that has read permissions to the everyone group. This will be your deployment share.
  3. Copy the Firefox installer to a folder within the deployment share.
  4. Open up the Powershell ISE. It is likely in your windows 7 start menu.
    image
  5. Now we need to get started on the script. Note that the complete script is available for download at the end of this blog entry. Here I will work through the script in parts so that you are able to customise it for your requirements. Due to how various web browsers will display this script, download the copy in the zip file rather than copy and paste from the script boxes.
  6. Firstly, we need to define some variables that we will reference later. We will create the config files later. For the moment just add them to the script with their intended file names.

$InstalledFilePath = “C:\Program Files (x86)\Mozilla Firefox\Firefox.exe”

$ConfigFile1Source = “\\servername\sharename\Firefox\v31\autoconfig.js
$ConfigFile2Source = “\\servername\sharename\Firefox\v31\Firefox.cfg”

$ConfigFile1Destination = “C:\Program Files (x86)\Mozilla Firefox\defaults\pref”
$ConfigFile2Destination = “C:\Program Files (x86)\Mozilla Firefox”

7. Next, we need to check if Firefox is already installed. This command uses the previously defined variable to check if Firefox.exe is present.

#Test to see if any edition of Firefox is installed.
IF (!(Test-Path -path $InstalledFilePath -pathType leaf))

8. If Firefox is not found, we will install Firefox silently and then configure our install options in the file config.ini. The install silently switch is –ms.

{

#Install if file not found.
Invoke-Expression “cmd.exe /c \\servername\sharename\Firefox\v31\FirefoxSetup31.2.0esr.exe -ms /INI=\\servername\sharename\Firefox\v31\config.ini”


Copy-Item $ConfigFile1Source $ConfigFile1Destination
Copy-Item $ConfigFile2Source $ConfigFile2Destination

}

9. If Firefox was found, we may still need to install the new version and copy the config files. This will overwrite any manual installs of Firefox with our deployed version.

ELSE
{
$InstalledProductVersion = (Get-Command $InstalledFilePath).FileVersionInfo.ProductVersion
IF ($InstalledProductVersion -lt 31.2)
{
#Install if version is less
Invoke-Expression “cmd.exe /c \\servername\sharename\Firefox\v31\FirefoxSetup31.2.0esr.exe -ms /INI=\\servername\sharename\Firefox\v31\config.ini”

Copy-Item $ConfigFile1Source $ConfigFile1Destination
Copy-Item $ConfigFile2Source $ConfigFile2Destination
}

10. If Firefox was found to be a higher version than is installed by this script, it is possible that the automatic update function has updated to the latest version. In this case, we don’t need to install Firefox, but we still want our customised configuration copied.

    }
ELSE
{
Copy-Item $ConfigFile1Source $ConfigFile1Destination
Copy-Item $ConfigFile2Source $ConfigFile2Destination

}

}

A limitation of this script is that the configuration files will be copied on every boot of the computer (whilst they are very small, this is still undesirable). I will leave it up to you to solve this  within the script, but how you solve this needs to take into account how you will handle configuration changes (e.g. your homepage address changes).

Save the script to your deployment share. We will now move onto creating our supporting files.

You can download a complete copy of the script, and other resources here.

Task 2 – Creating config.ini

Config.ini is referenced in the Powershell script to provide a way to set some options that would normally be selected through the installation GUI.

1. Copy the following text into notepad, and save to the deployment share as config.ini

[Install]
;
; Remove the semicolon (;) to un-comment a line.
;
; The name of the directory where the application will be installed in the
; system’s program files directory. The security
; context the installer is running in must have write access to the
; installation directory. Also, the directory must not exist or if it exists
; it must be a directory and not a file. If any of these conditions are not met
; the installer will abort the installation with an error level of 2. If this
; value is specified then InstallDirectoryPath will be ignored.
; InstallDirectoryName=Mozilla Firefox

; The full path to the directory to install the application. The security
; context the installer is running in must have write access to the
; installation directory. Also, the directory must not exist or if it exists
; it must be a directory and not a file. If any of these conditions are not met
; the installer will abort the installation with an error level of 2.
; InstallDirectoryPath=c:\Firefox\

; By default all of the following shortcuts are created. To prevent the
; creation of a shortcut specify false for the shortcut you don’t want created.

; Create a shortcut for the application in the current user’s QuickLaunch
; directory.
; QuickLaunchShortcut=false

; Create a shortcut for the application on the desktop. This will create the
; shortcut in the All Users Desktop directory and if that fails this will
; attempt to create the shortcuts in the current user’s Start Menu directory.
; DesktopShortcut=false

; Create shortcuts for the application in the Start Menu. This will create the
; shortcuts in the All Users Start Menu directory and if that fails this will
; attempt to create the shortcuts in the current user’s Start Menu directory.
; StartMenuShortcuts=false

; The directory name to use for the StartMenu folder (not available with
; Firefox 4.0 and above – see note below).
; note: if StartMenuShortcuts=false is specified then this will be ignored.
; StartMenuDirectoryName=Mozilla Firefox

; The MozillaMaintenance service is used for silent updates and may be used
; for other maintenance related tasks.  It is an optional component.
; This option can be used in Firefox 16 or later to skip installing the service.
; MaintenanceService=false

;

2. Uncomment any line that you need to customise.

Task 3 – Create autoconfig.js and Firefox.cfg

autoconfig.js and Firefox.cfg work hand in hand to provide a means to configure Firefox options.

Copy the following into notepad and save as autoconfig.js on the deployment share.

pref(“general.config.filename”, “Firefox.cfg”);
pref(“general.config.obscure_value”, 0);

These settings tell Firefox that the configuration file is named Firefox.cfg, and that the configuration file is not bit-shifted to hide the contents. Note that if you intend to set passwords in the config file, this would be a security risk as the file is effectively plain text. For our simple purpose this is acceptable.

Note that this file will be placed on the client PC via our powershell deployment script at C:\Program Files (x86)\Mozilla Firefox\defaults\pref”

Now we will make Firefox.cfg. This file will be where we set the options for the web browser. There are many hundreds of options available to set. I am demonstrating only a couple. Many of the options revealed by typing about:config into the Firefox address bar are usable.

image

Copy the following into notepad and save as Firefox.cfg to the deployment share.

//Don’t show ‘know your rights’ on first run
pref(“browser.rights.3.shown”, true);
pref(“browser.startup.homepage”, “http://homepage.com”);
pref(“network.automatic-ntlm-auth.trusted-uris”, “internalsite1.local, internalsite2.local”);

Tip: Line 1 must always be a comment, as denoted by //. If you place a setting on line 1, your config will not work.

Note that this file will be placed on the client PC via our powershell deployment script at C:\Program Files (x86)\Mozilla Firefox\”

Task 4 – Bringing it all together

We now have several elements to bring together via a group policy to implement our configuration. I would recommend implementing this in a testing scenario before you deploy into production, but this is up to you.

  1. Log onto a domain controller and open up the Group Policy Management Console.
  2. Create a new policy with a descriptive name. Pick a name that will mean something to you after 6 months when you have forgotten all about this project.
  3. Edit the new policy and navigate to Computer Configuration>Policies>Windows Settings>Scripts>Startup
    image
  4. Double-click on the startup and select show files. This will open up the folder for this group policy object, which will have an impossibly long GUID in the folder name which you will have no hope of remembering.
  5. Make a new text file within this folder and write the following command to run your powershell script.

@echo off

powershell.exe \\servername\sharename\firefox\v31\InstallFirefox.ps1

exit

6. Save the file and rename the file extension from .txt to .bat to make it a batch file.

7. Close the folder, then click the add button. Add the script you just made to the startup properties window.
image

And your done.

Summary

After following the above guide, and obviously customising the file and path locations within the scripts, you should have:

Group policy which executes a powershell script.

Powershell script which checks for Firefox, the version of Firefox, and either installs Firefox and copies two configuration files, or just copies the configuration files.

A Firefox install, and two configuration files that end up on the client PC.

Resources

Script and configuration files

https://etherpad.mozilla.org/r3eYJXEyhp

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: