Deploying and managing FireFox centrally

As an IT Professional you might get the question to deploy Mozilla's FireFox browser on the workstations of your users.

I must admin FireFox is a pretty good product and Mozilla does a good job building and promoting it. In fact: In my opinion it's the only company I know that effectively took on a Microsoft product and led Microsoft into updating its product to remain competitive.

 

Differences

Many people prefer Mozilla FireFox as their browser. The reasons for this are many, but most of the reasons are no longer valid. Mozilla FireFox isn't the only browser with tabbed browsing, easy search and anti-phishing filter. Microsoft's Internet Explorer 7.0 offers this as well. Mozilla FireFox and Internet Explorer both faced some awkward vulnerabilities and exploits lately and both have quirks in their rendering engine, which makes sense when you look at the basic browser rules: (directly from Wikipedia)

 

The browser wars encouraged two specific kinds of behavior among their combatants.

  • Adding new features instead of fixing bugs: A web browser had to have more new features than its competition, or else it would be considered to be "falling behind." But with limited manpower to put towards development, this often meant that quality assurance suffered and that the software was released with serious bugs.
  • Adding proprietary features instead of obeying standards: A web browser was expected to follow the standards set down by standards committees (for example, by adhering to the HTML specifications). But competition and innovation required that web browsers extend the standards with proprietary features (such as the HTML tags <font>, <marquee>, and <blink>) without waiting for committee approval. Sometimes these extensions led to useful techniques that were adopted by other browsers, such as the XMLHttpRequest technology that resulted in Ajax. More often than not, however, these extensions proved harmful.

 

There are still differences though. Internet Explorer 7.0 (and Windows Defender for that matter) can't be installed on Windows 2000 and previous versions of Windows. Mozilla FireFox can be installed on Windows 98 and above, which means you can have a safe and reliable browsing experience on these platforms… (just kidding)

 

Switching manually

Switching from the built-in Internet Explorer to Mozilla FireFox is easy. It only takes eight mouse clicks to install Mozilla FireFox to a PC. The first time you run it, it will even import your Internet Explorer settings (mainly Bookmarks) and it stores its settings within your (roaming) profile, so there's really no hassle. Since proxy server addresses won't change on a weekly basis changing these on several (thousands of) workstations won't be a problem in most environments as well.

Switching isn't everything

Implementing a product is just the first step. Most of the time however it's the only step administrators take. The consequence of this behavior is a temporarily safe browsing experience, but a severe security risk in the long run.

Keeping it up to date

In 2006 Mozilla released a new version of FireFox roughly every two months, most of them minor updates. For major updates in a locked down environment however the only way to check if a new version is available was through the mailing list. This is due to the way Mozilla FireFox handles the use of Least Administrative Privilege. (more on Aaron Margosis' blog) The logic is simple: Because most major updates require you're an administrator, you can't update it and you don't get notified.

The end result

Many environments I encounter that have Mozilla FireFox installed contain computers running old versions of Mozilla FireFox. Microsoft Windows, Microsoft Office and even Internet Explorer are kept strictly up-to-date with Windows Server Update Services (WSUS).

In my opinion these old versions of Mozilla FireFox (just like old versions of Internet Explorer) are a threat to the Internet, a risk to your information security strategy, a menace to society, a disgrace to the community, and are a sign of abysmal stupidity and the inability to comprehend that users don't care about security, but systems administrators must!

 

Switching centrally

Nobody forces you to be a Microsoft fanboy and you don't have to like Internet Explorer. Even if you love Internet Explorer, your boss might be devoted to the proliferation of Mozilla FireFox. One way or another you might have to or want to switch to FireFox. If you do please follow these guidelines:

Note:
I assume you will be running Active Directory and Windows Server on your network:  You're looking for a "labor-inexpensive, but safe and scalable" solution and according to IDC Research Active Directory is right up that alley!

Step 1: Deploying

Centrally deploying Mozilla FireFox isn't difficult since FrontMotion developed a MSI Package and administrative templates (*.adm files) for Mozilla FireFox. What you need is the free FrontMotion FireFox Community Edition. The MSI package can be easily deployed in many languages and through Group Policy Objects (GPO's). High level steps include:

 

  1. Download FireFox.adm from the FrontMotion website.
  2. Download the latest MSI package from the FrontMotion website and save it to a shared network location where computer accounts have read and execute rights.
  3. Log on as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group and create a Group Policy Object (GPO) on an Organizational Unit with computer accounts on which you want to install Mozilla FireFox.
    Note: you can't deploy GPOs on the default "Computers" OU
  4. Edit the Group Policy Object (GPO) to install the package by browsing to 'Computer Configuration', next 'Software Settings' and eventually to 'Software installation' and assign the package there by right clicking on 'Software installation' on the left side of the snap-in and selecting 'New' and then 'Package'. KnowledgeBase article 816102 provides more information if you need it.
  5. Add the FireFox Administrative Template (FireFox.adm) to the Computer Configuration part of the Group Policy Object you just created. KnowledgeBase article 816662 provides more information and recommendations for this step.
  6. Configure settings for Mozilla FireFox within the Group Policy Object. You find these settings under 'Administrative Templates' and then 'FireFox'. You can find common configurations here.
  7. Close the Group Policy Object (GPO)

 

Step 2: Gathering information

This is the easy step. Since everyone will be running Mozilla FireFox as a standard user no-one will receive the update notifications. Mozilla hosts a whole list of forums and mailinglists. Subscribing to the Mozilla Announce mailinglist with two e-mailaddresses (one within and one outside your organization) will keep you informed of new versions of Mozilla FireFox. Subscribe to this mailinglist by filling out this form.

Step 3: Maintaining

My experience with these guys is they work pretty fast and respond well to new releases of FireFox. No more than a day gets between a new release from Mozilla Corporation and FrontMotion. Furthermore you can just reinstall a new version of the FrontMotion MSI package over an old FrontMotion MSI package. Here's how to upgrade Mozilla FireFox within your organization:

 

  1. Log on as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.
  2. Open the Group Policy Object (GPO) you created earlier.
  3. Browse to to 'Computer Configuration', next 'Software Settings' and eventually to 'Software installation'.
  4. Right click 'Software installation' on the left hand side of the snap-in and select 'New' and then 'Package'.
  5. Click the Windows Installer package that will serve as the upgrade package, and then click 'Open'.
  6. In 'Deploy Software', click 'Assigned'.
  7. In the details pane, right-click the Windows Installer package that will function as the upgrade (not the package to be upgraded).
  8. Click 'Properties', and then open the 'Upgrades' tab.
  9. Click 'Add' to create or add to the list of packages that are to be upgraded by the current package.
  10. Under 'Choose a package from', click 'Current Group Policy object (GPO)'.
  11. Review the list of packages under 'Package to upgrade', which lists all of the other packages that are assigned or published within the selected Group Policy object.
  12. Click the package that you want to upgrade, and then click 'Package can upgrade over the existing package'.
  13. Close the Group Policy Object (GPO)

 

Microsoft TechNet has some more information on Deploying and upgrading software through Group Policy Objects (GPOs)

Step 4: Getting rid of it

At some moment in time you might want to get rid of all used Mozilla FireFox installations. When you installed FireFox with Group Policy Objects (GPOs) uninstalling it is as simple as the following six steps:

 

  1. Log on as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.
  2. Open the Group Policy Object (GPO) you created earlier.
  3. Expand the 'Software Settings' container that contains the Mozilla FireFox MSI Package(s).
  4. Click the software installation container that contains the package.
  5. In the right pane of the 'Group Policy' window, right-click the program, point to 'All Tasks', and then click 'Remove'.
  6. Click 'Immediately uninstall the software from users and computers', and then click OK.
  7. Quit the Group Policy snap-in and then click 'OK'.

 

Concluding

If you're planning on deploying Mozilla FireFox in your environment make sure you do it the safe and easy way! Apparently the Mozilla corporation doesn't care that you can't use their product in a safe way when you run a Least Administrative Privilege based environment, so you'll have to be smart.

Although this post assumes you run Active Directory the steps and tools described above are usable when you use Novells eDirectory and Novell Zenworks, because these products also know how to work *.msi and *.adm files.

More Information

Easily deploy FireFox on the enterprise for free!
FireFox MSI installers and ADM files for group policy
Deploy and manage Firefox with…Active Directory Group Policy?
Two Options for Deploying and managing Firefox using Active Directory
Microsoft's Internet Explorer global usage share is 85.81 percent
Top 10 reasons to switch from Internet Explorer 6.0 to Mozilla FireFox
Wikipedia on Mozilla, Mozilla FireFox, Browser Wars and Comparison of web browsers
IDC paper on Identity Management & Active Directory
816102 How to use Group Policy to remotely install software in Windows Server 2003
816662 Recommendations for managing Group Policy administrative template (.adm) files
TechNet on Deploying and upgrading software
Firefox goes 'mainstream' with revamped add-ons

Posted on February 15, 2007 by Sander Berkouwer in Active Directory [Old], Best practices [Old], Systems Administration [Old]

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.