Firefox: Prevent Access to MarketPlace

To prevent your enterprise users from going to the MarketPlace in the latest versions of Firefox, use the following setting in mozilla.cfg:

// Disable Firefox MarketPlace
lockPref("browser.apps.URL", "\"\"");

Define WinHttp proxy for 32 & 64 bits applications

To define the “system” proxy on Windows, you can now use Netsh (instead of proxycfg, which was used in the past).

To set the proxy, you can use the following process:

Define the proxy within Internet Explorer.

Run the command:

Netsh winhttp import proxy source=ie

 

Alternatively you can set the proxy directly via

Netsh winhttp set proxy myproxy:portnumber <exceptions>

 

One thing to take into consideration is that there are two versions of Netsh: a 64-bit one under c:\windows\system32 (the native and default one from the command prompt) and a 32-bit one under the c:\Windows\Syswow64 folder.

The 64-bit version should normally be the one to use.

How to use Firefox to connect to ServiceNow with NTLM

In the previous post, I talked about how to use Firefox as default browser for Sccm Catalog access.

As I have encountered the same issue with an internal implementation of ServiceNow, I first thought that the workaround would be the same,

however, in our environment NTLM authentication is being used instead of Kerberos, so the entry is different:

Open about:config and confirm that you want to make changes.

Find the preference

network.automatic-ntlm-auth.trusted-uris

and enter the FQDN of your server (without protocol), for example

testserver.domain.com

You should now be able to connect directly to your ServiceNow instance without being prompted for a password.

How to use Firefox as default browser with SCCM Software Catalog

By default, if you use Firefox as default browser, open the Software Center and click on “Find Additional applications from the Software Catalog”, you will get an authentication prompt.

This is simply due to the fact that Firefox does not transmit the logged on user credentials by default, where Internet Explorer does.

 

In order to get the same functionality, add the following entry to your mozilla.cfg file:

lockPref("network.negotiate-auth.trusted-uris", "sccmserver.company.com");

Of course, replace the value with your Sccm server FQDN.

Next time you launch the software catalog, you won’t be prompted for credentials.

The only thing you have to do is enable Silverlight, and the functionality will be the same as with Internet Explorer.

 

Add Certificates to Firefox installation with Certutil

The Firefox certificates are stored in the user profile in the cert8.db database.

The file is copied to the user profile only at first launch of Firefox.
You can import certificates into the file, then deploy it as the default for new users by putting it in the folder core\browser\defaults\profile of the installation.

For more customization details, see this post: Customize Firefox ESR 31.

What happens when you want to add a new certificate to the user database?
You could add the certificate to cert8.db and redeploy it, but this would overwrite any changes made by the user.

The other way to proceed is to use Mozilla's certutil tool to add the certificate.
Do not try to use the default certutil that comes with Windows; it won't work.

First step, download the tool(s) needed by certutil

Download NSS 3.11 for windows
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_11_RTM/WINNT5.0_OPT.OBJ/

Download Nspr 4.6 for windows
http://ftp.mozilla.org/pub/nspr/releases/v4.6/WINNT5.0_OPT.OBJ/

Note that those are not the latest versions of the binaries, as the download folders for later versions do not contain Windows binaries.
You could try to “build” a later version of the tool, but this is not the purpose of this post.

Second Step, mix it all together

Unzip NSS to a folder
You should get the following folder structure

/bin (this is where you can find the certutil.exe utility, but it won’t work straight out of the box)
/include
/lib

copy the contents of the /lib folder to the /bin folder

Unzip NSPR

You should get the following folder structure (same as for NSS)

/bin
/include
/lib

copy the contents of the NSPR /lib folder to the NSS /bin folder

Copy the certificate you want to deploy to the same level.

You should get this structure:

/bin (now also contains libs from nss and nspr)
/include
/lib
mycert.cer

To import the certificate into the user's cert8.db, use the following command:

Certutil.exe -A -d <path to folder where cert8.db can be found> -i <certificate> -n <name of cert> -t <level of trust>

The directory is different for each user. To find it, look in the following file:
C:\Users\<UserName>\AppData\Roaming\Mozilla\Firefox\profiles.ini

Here is an example of a profiles.ini

[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=Profiles/hicgn0ja.default
Default=1

For the user testuser, the cert8.db file will be found in the folder C:\Users\testuser\AppData\Roaming\Mozilla\Firefox\Profiles\hicgn0ja.default

Here is the VBScript I use for deploying the cert: (no support will be provided, test before using it).

Const ForReading = 1
Set objNetwork = WScript.CreateObject("WScript.Network")
strUserName = objNetwork.UserName
Set fso = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("WScript.Shell")

' Folder the script runs from (it contains Bin\ and the certificate file)
mydir = Replace(WScript.ScriptFullName, WScript.ScriptName, "")
strProfileLocation = "C:\Users\" & strUserName & "\AppData\Roaming\Mozilla\Firefox\profiles.ini"

If fso.FileExists(strProfileLocation) Then
    strData = fso.OpenTextFile(strProfileLocation, ForReading).ReadAll
    arrLines = Split(strData, vbCrLf)

    ' Keep the folder name from the Path=Profiles/... line
    For Each strLine In arrLines
        If Left(strLine, 14) = "Path=Profiles/" Then
            strProfileName = Right(strLine, Len(strLine) - 14)
        End If
    Next

    strProfileFolder = "C:\Users\" & strUserName & "\AppData\Roaming\Mozilla\Firefox\Profiles\" & strProfileName

    If fso.FolderExists(strProfileFolder) Then
        ' Back up the existing database before modifying it
        myfile = strProfileFolder & "\cert8.db"
        oldfile = strProfileFolder & "\cert8.old"
        fso.CopyFile myfile, oldfile, True

        ' Paths are quoted so that folders containing spaces do not break the command line
        Certcmd = """" & mydir & "Bin\Certutil.exe"" -A -d """ & strProfileFolder & """ -i """ & mydir & "certname.cer"" -n certname -t ""CT,c,c"""

        objShell.Run Certcmd, 0, True
    End If
Else
    WScript.Quit
End If

I did not try yet to use other features of the Certutil tool or of other tools that come with the downloads.
more information can be found on Mozilla’s website developer.mozilla.org
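
The script above keeps whichever Path=Profiles/ line comes last in profiles.ini, which is the wrong folder when a user has more than one profile. The following is an added example in Python, not the author's script: it selects the profile marked Default=1, honours IsRelative, and builds the certutil arguments as a list so that paths with spaces need no quoting. The function names and the second profile in the sample are constructed for illustration.

```python
import configparser
from pathlib import PureWindowsPath

# profiles.ini from the post, plus a second, constructed profile listed after the default.
SAMPLE_INI = """\
[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=Profiles/hicgn0ja.default
Default=1

[Profile1]
Name=testing
IsRelative=1
Path=Profiles/a1b2c3d4.testing
"""


def default_profile_dir(ini_text, firefox_dir):
    """Resolve the folder of the profile marked Default=1 (else the first profile)."""
    parser = configparser.RawConfigParser(delimiters=("=",))
    parser.optionxform = str  # keep the key case used by Firefox (Path, IsRelative)
    parser.read_string(ini_text)
    profiles = [parser[s] for s in parser.sections() if s.startswith("Profile")]
    if not profiles:
        raise ValueError("profiles.ini contains no [ProfileN] section")
    chosen = next((p for p in profiles if p.get("Default") == "1"), profiles[0])
    path = PureWindowsPath(chosen["Path"])
    # IsRelative=1 means Path is relative to the folder that holds profiles.ini
    # (assumed to be the case when the key is absent).
    if chosen.get("IsRelative", "1") == "1":
        path = PureWindowsPath(firefox_dir) / path
    return path


def certutil_args(profile_dir, cert_file, nickname, trust="CT,c,c",
                  certutil=r"Bin\Certutil.exe"):
    """Build the import command as a list; trust defaults to the script's value."""
    return [certutil, "-A", "-d", str(profile_dir), "-i", str(cert_file),
            "-n", nickname, "-t", trust]


if __name__ == "__main__":
    folder = default_profile_dir(
        SAMPLE_INI, r"C:\Users\testuser\AppData\Roaming\Mozilla\Firefox")
    print(certutil_args(folder, "certname.cer", "certname"))
```

On the target machine the list can be passed directly to subprocess.run(..., check=True), which also surfaces a failed import instead of ignoring it.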

Sccm Reporting: list updates that are part of a Software Update Group

While Sccm provides a lot of standard reports, sometimes they do not give you the information you want.

Let’s take a simple example.

If I go to Software Library / Software Updates / Software Update Groups, I can select one of the groups and show its members to display the list of updates that are part of the group. Now let’s try to provide this list to another person… it should be simple, right ?

But wait, I can’t export this view, cannot print it… and there does not seem to be a report for this in the default report list.. ?

Let’s build one by ourselves… !


Step 1: Find what tables / views are being used by the console

If you are proficient in SQL, you could use SQL Server Management Studio to query the tables and views until you find the information you are looking for.

An easier alternative is to look at the queries the Sccm console itself runs to produce the results you are looking for. This can be done by looking at the Sccm log Smsprov.log. For each operation in the console, SQL queries are run in the background, and those appear in this log. (Note that this log is found on the server itself; you will not find it on a computer where the console is installed.)

Now open SQL Server Management Studio and validate that the information returned is what you are looking for.

For my part I chose to reduce the number of columns returned so that I can use them to create a report.

My SQL query looks like this:

select all upd.ArticleID, upd.BulletinID, upd.DatePosted, upd.DateRevised, upd.IsExpired, upd.IsSuperseded, upd.Description, upd.DisplayName, upd.CIInformativeURL
from vSMS_CIRelation as cr, fn_ListUpdateCIs(1033) as upd
where ((cr.FromCIID = 16832645 AND cr.RelationType = 1) AND upd.CI_ID = cr.ToCIID)
order by upd.DatePosted

Step 2: Let’s Create a Report based on our Query

Create a new Sccm SQL-Based Report, define the name and path, and the Report Builder will automatically open.

Select to create a new Table or Matrix, and in the Query Design window, simply click on Edit as Text and copy your query.

Select all fields and add them to the Values group.

There you are, resize the columns to get a report that looks a bit nicer.

Step 3: Make the report more user friendly

While the report provides us with the updates present in a software update group, this software update group is fixed by our query. Let’s make it work for all Software Update Groups…

In order to do this we need to get a list of Software update groups and their corresponding ID.

Here is a query that does just this:

select SMS_AuthorizationList.CI_ID,SMS_AuthorizationList.DisplayName from fn_ListAuthListCIs(1033) AS SMS_AuthorizationList

In order to be able to use this query, we need to create a second dataset based on it.

We then define a new parameter whose values are based on the second dataset.

We can now change the query of our first dataset to use the parameter:

select all upd.ArticleID, upd.BulletinID, upd.DatePosted, upd.DateRevised, upd.IsExpired, upd.IsSuperseded, upd.Description, upd.DisplayName, upd.CIInformativeURL
from vSMS_CIRelation as cr, fn_ListUpdateCIs(1033) as upd
where ((cr.FromCIID = @ReportParameter1 AND cr.RelationType = 1) AND upd.CI_ID = cr.ToCIID)
order by upd.ArticleID

We replace our fixed CI_ID with the parameter.

Now when we launch the report, we can choose which Software Update Group we want to target.

You can automatically update the report title by using a TextBox using the expression

=Parameters!ReportParameter1.Label

Finally I made the url clickable via the following change

[screenshot: smsprov.log9]

Now we have a report that we can export, print and provide as needed.

 

Firefox ESR 31 customized Install with Sccm

Deploying Firefox has never been very difficult

 

"Firefox Setup 31.0esr.exe" -ms would do the trick.

 

However, when you want to install a customized version of Firefox, things can get a little bit more difficult.

It just takes a couple of minutes browsing the internet in order to find various sources explaining which files to edit in order to change this or that setting.

As new versions get released, the information you find might be obsolete for the version you are trying to deploy.

 

A major change was introduced in Firefox 21, which now uses different paths for the configuration files:

defaults/preferences -> browser/defaults/preferences

defaults/profile -> browser/defaults/profile

extensions -> browser/extensions

searchplugins -> browser/searchplugins

plugins -> browser/plugins

(see Link for source)

 

This basically means that guidelines predating May 2013 are now potentially wrong if not updated.

 

So, how do I customize Firefox ?

One side note here. There are basically two ESR packages available: one from Mozilla, and one repackaged as an MSI by FrontMotion (they also created an add-on that allows the use of GPOs for management).

I use here the default Mozilla package, but used FrontMotion’s Msi and Adminstudio in the past for different customers and the principle is the same at the end…

 

1. Extract the files from the installer. (I used 7zip to do so)


 

2. Configuration.ini

This file contains settings linked to the installation itself.

Create the file and put it at the root, at the same level as the setup.exe and the Core folder

[Install]
InstallDirectoryName=Mozilla Firefox
QuickLaunchShortcut=false
DesktopShortcut=false
MaintenanceService=false

The settings are self explanatory, this is where you can disable installation of the Maintenance Service.

 

3. Local-settings.js

This file forces Firefox to look for configuration settings in the mozilla.cfg file.

Create the file and put it under core\browser\defaults\preferences (create missing folders if they do not exist)

pref("general.config.obscure_value", 0);
pref("general.config.filename", "mozilla.cfg");

 

4. Mozilla.cfg

This is the main config file.

Here you define your proxy settings, autoupdate options, etc.

Basically the settings that you can define here are a little bit like Policies and Preferences in Group Policies.

lockPref("toolkit.telemetry.enabled", false); will disable the telemetry, without letting the user change it back.

pref("browser.startup.homepage", "http://www.google.com/"); will set the default, allowing the user to change it.

All settings are visible if you type about:config in the browser address bar (this is also how you can check which settings have been set by your custom file).

Create the file and put it directly in the core folder

 

5. Override.ini

[XRE]
EnableProfileMigrator=false
[Crash Reporter]
Enabled=False

This is where you can disable crash reporter and Profile Migrator (at first launch)

Create the file and put it under Core/Browser folder

* Note that version 31.4 does not seem to support the Crash Reporter Override file anymore, but this can be set via the registry.

 

6. Certificates

One last thing I did was customize the default Certificate Trust Authorities list to add our Proxy Certificate.

In order to do this, create a new Firefox profile (by connecting with a new user or cleaning your appdata firefox files).

Import the certificates that you need. Do not forget to set the trust level (for an internal proxy, only check “This certificate can identify websites.”).

The changes will be stored in the cert8.db file under the user profile (C:\Users\%username%\AppData\Roaming\Mozilla\Firefox\Profiles\mozillaprofileID.default).

Copy the file in the Core/browser/defaults/profile folder and it will be used as default for all subsequent profile creations.

 

7. Deploy the application with the path to the INI file

The path to the configuration.ini file must be a full path, not relative.

In order to do so I chose to create a batch file that uses the %~dp0 variable.

setup.exe /INI=%~dp0configuration.ini

 

One advantage of this way of working is that you don’t need to install Firefox, then copy files to different directories: customized files are used directly. Also, you don’t have to uninstall the Maintenance Service, as it’s simply not installed at all.
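
A pre-deployment check for the package layout built in steps 2 to 5, as an added example in Python that is not part of the original post: it reports missing files, folders left in their pre-Firefox 21 location, a setting placed on the first line of mozilla.cfg (AutoConfig ignores that line), and typographic quotes of the kind a web page introduces into copied pref() lines. The function names and the sample tree are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Files from steps 2-5, relative to the extracted installer root.
EXPECTED = ["configuration.ini", "core/mozilla.cfg", "core/browser/override.ini",
            "core/browser/defaults/preferences/local-settings.js"]
# Folders that moved under browser/ in Firefox 21 (see the path list above).
LEGACY = ["defaults/preferences", "defaults/profile", "extensions",
          "searchplugins", "plugins"]
BAD_CHARS = "\u201c\u201d\u2018\u2019\ufffd"  # typographic quotes, undecodable bytes

def lint_package(root):
    """Return a list of findings for a staged Firefox ESR package tree."""
    root = Path(root)
    findings = [f"missing: {rel}" for rel in EXPECTED if not (root / rel).is_file()]
    findings += [f"pre-Firefox-21 path: core/{rel}" for rel in LEGACY
                 if (root / "core" / rel).exists()]
    for rel in EXPECTED:
        path = root / rel
        if path.suffix not in (".cfg", ".js") or not path.is_file():
            continue
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
        # AutoConfig ignores line 1 of the .cfg file, so a setting there is lost.
        if path.suffix == ".cfg" and lines and "pref(" in lines[0].lower():
            findings.append(f"setting on ignored first line: {rel}")
        for number, line in enumerate(lines, 1):
            if not line.lstrip().startswith("//") and any(c in line for c in BAD_CHARS):
                findings.append(f"typographic quote or bad byte: {rel}:{number}")
    return findings

def demo():
    """Lint a constructed tree with four planted defects (sample data, not real)."""
    files = {
        "configuration.ini": "[Install]\nMaintenanceService=false\n",
        "core/mozilla.cfg": 'lockPref("toolkit.telemetry.enabled", false);\n',
        "core/browser/defaults/preferences/local-settings.js":
            'pref("general.config.obscure_value", 0);\n'
            "pref(\u201cgeneral.config.filename\u201d, \u201cmozilla.cfg\u201d);\n",
        "core/defaults/preferences/old.js": "// left over from an older guide\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in files.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text, encoding="utf-8")
        return lint_package(tmp)

if __name__ == "__main__":
    print("\n".join(demo()))
```

Run lint_package() against the folder that holds setup.exe before importing the package into Sccm; an empty list means the checks passed.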

Nothing more ? CCK2 to the rescue

For configuring those settings and more, you can also use the tool from Mike Kaply, CCK2. http://mike.kaply.com/

The site is also a very good source of information about the new features of Firefox.

The tool is an Add-On to Firefox that allows you to fully configure Firefox and deploy the resulting config as an extension or an Autoconfig file.


The simple feature to be able to import and integrate certificates into your deployment is worth the download. If you need to go beyond basic config, this is the tool that you need. The tool itself is free, and you can buy support if your company does not like unsupported free tools.

 
