jpa wrote:
Got it. Third and final option for those who can't wait for DraconPern to fulfill this request (which may never come). Add a modified mozilla.cfg file to the deploy using a transform.

Put the following code into a text file named addmozcfg.vbs (very slightly modified from original located here)
Code: Select all
Option Explicit

Const MY_CONFIG = "mozilla.cfg"
Const CAB_FILE = "mozillacfg.cab"
Const MSI = "Firefox-13.0-en-US.msi"

Dim filesys : Set filesys=CreateObject("Scripting.FileSystemObject")
If filesys.FileExists("temp.tmp") Then filesys.DeleteFile("temp.tmp")
filesys.CopyFile MSI, "temp.tmp"

Dim installer, database, database2, view
Set installer = CreateObject("WindowsInstaller.Installer")
Set database = installer.OpenDatabase ("temp.tmp", 1)
Set database2 = installer.OpenDatabase (MSI, 1)

If Not filesys.FileExists(MY_CONFIG) Then WScript.Quit 2 ' No config file, abort!

Dim objFile, size, result, seq, objCab

' MakeCab object has been deprecated so we fall back to makecab.exe with Windows 7
On Error Resume Next ' Disable error handling, for a moment
Set objCab = CreateObject("MakeCab.MakeCab.1")
On Error Goto 0 ' Turn error handling back on
If IsObject(objCab) Then ' Object creation successful - use XP method
    objCab.CreateCab CAB_FILE, False, False, False
    objCab.AddFile MY_CONFIG, filesys.GetFileName(MY_CONFIG)
    objCab.CloseCab
    Set objCab = Nothing
Else ' object creation failed - try Windows 7 method
    Dim WshShell, oExec
    Set WshShell = CreateObject("WScript.Shell")
    Set oExec = WshShell.Exec("makecab " & filesys.GetFileName(MY_CONFIG) & " " & CAB_FILE)
End If

Set objFile = filesys.GetFile(MY_CONFIG)
size = objFile.Size

Set view = database.OpenView ("SELECT LastSequence FROM Media WHERE DiskId = 1")
view.Execute
Set result = view.Fetch
seq = result.StringData(1) + 1 ' Sequence for new configuration file

Set view = database.OpenView ("INSERT INTO Media (DiskId, LastSequence, Cabinet) VALUES ('2', '" & seq & "', '" & CAB_FILE & "')")
view.Execute

Set view = database.OpenView ("UPDATE File SET FileSize = " & size & ", Sequence = " & seq & ", FileName = 'mozilla.cfg' WHERE File = '" & MY_CONFIG & "'")
view.Execute

database.GenerateTransform database2, "CustomConfig.mst"
database.CreateTransformSummaryInfo database2, "CustomConfig.mst", 0, 0
'filesys.DeleteFile("temp.tmp")

Set view = nothing
Set installer = nothing
Set database = nothing
Set database2 = nothing
Set filesys = Nothing
WScript.Quit 0

Create a custom mozilla.cfg with the following suggested contents:
Code: Select all
//
try {
    lockPref("app.update.enabled", true);
    lockPref("app.update.autoUpdateEnabled", true);
    lockPref("extensions.update.enabled", true);
    lockPref("extensions.update.autoUpdateEnabled", true);
    lockPref("extensions.shownSelectionUI", true);
    lockPref("extensions.autoDisableScopes", 0);
    lockPref("browser.rights.3.shown", true);
    lockPref("toolkit.telemetry.prompted", 2);
    lockPref("toolkit.telemetry.rejected", true);
    lockPref("toolkit.telemetry.enabled", false);
} catch(e) {
    displayError("lockedPref", e);
}

Start a cmd prompt in the directory with the FF MSI, custom mozilla.cfg and modmozcfg.vbs files.
Run the following at the cmd prompt: "cscript modmozcfg.vbs"
You should get two new files: mozillacfg.cab and CustomConfig.mst (and temp.tmp which you can delete)
Make sure your install location contains the FF MSI, CustomConfig.mst and mozillacfg.cab files.
Install with GPO, making sure to add the CustomConfig.mst to the Modifications tab
Or install with "msiexec /I FM<ver>.msi TRANSFORMS=CustomConfig.mst"

Awesome, I'll give this a go and report back. Many thanks for the work that you have put into this.
Firefox 13 question
Re: Firefox 13 question
Hi there,
The above didn't seem to work. I was expecting that I would be updated to 13.0.1, is there some kind of delay on when the software updates itself?
- DraconPern
- Site Admin
- Posts:1218
- Joined:Thu Oct 30, 2003 11:47 pm
- Location:Texas
- Contact:
Re: Firefox 13 question
I really need to test out what the effects of turning this on will be. Especially on the interaction between the MSI installer system and Firefox's auto update. I think though for most of my users, people are pushing the MSI through some managed system like SCCM. The auto update kind of is in the middle where you are no longer in control of what gets installed...
FrontMotion Lead Developer
Re: Firefox 13 question
Rick-PS wrote:
is there some kind of delay on when the software updates itself?

Yes? Go to Help -> About and it should update automatically rather than saying updates are managed by the Administrator.
Make sure to check the mozilla.cfg file in the Firefox install directory has the proper entries. I think the default app.update.interval is 86400 seconds which would mean it probably only checks once a day. I don't know the logic behind when it decides to check the first time.
I also don't know if the update service stuff gets installed by the MSI. Need to test.
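An added example, not part of jpa's post or the FrontMotion package: a PowerShell check that a deployed mozilla.cfg still carries the update-related locked prefs suggested earlier in the thread. The function names, the expected-value table and the sample file contents are constructed for illustration.

```powershell
# Added example. Expected values are taken from the mozilla.cfg suggested in the thread.
$Expected = [ordered]@{
    'app.update.enabled'                  = 'true'
    'app.update.autoUpdateEnabled'        = 'true'
    'extensions.update.enabled'           = 'true'
    'extensions.update.autoUpdateEnabled' = 'true'
    'toolkit.telemetry.enabled'           = 'false'
}

function Get-LockedPref {
    # Returns a hashtable of pref name -> raw value for every lockPref() call.
    param([Parameter(Mandatory)][string]$Text)
    $prefs = @{}
    $rx = 'lockPref\(\s*"([^"]+)"\s*,\s*([^)]+?)\s*\)\s*;'
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*//') { continue }             # commented-out line
        foreach ($m in [regex]::Matches($line, $rx)) {
            $prefs[$m.Groups[1].Value] = $m.Groups[2].Value # last call wins
        }
    }
    return $prefs
}

function Test-MozillaCfg {
    # Emits one row per expected pref with Status OK, Mismatch or Missing.
    param([Parameter(Mandatory)][string]$Text, [Parameter(Mandatory)]$Expected)
    $found = Get-LockedPref -Text $Text
    foreach ($name in $Expected.Keys) {
        $status = 'OK'
        if (-not $found.ContainsKey($name)) { $status = 'Missing' }
        elseif ($found[$name] -ne $Expected[$name]) { $status = 'Mismatch' }
        [pscustomobject]@{ Pref = $name; Expected = $Expected[$name]; Found = $found[$name]; Status = $status }
    }
}

# Constructed sample: one pref flipped, one commented out, the telemetry pref absent.
$sample = @'
//
try {
lockPref("app.update.enabled", false);
// lockPref("app.update.autoUpdateEnabled", true);
lockPref("extensions.update.enabled", true);
lockPref("extensions.update.autoUpdateEnabled", true);
} catch(e) { displayError("lockedPref", e); }
'@
Test-MozillaCfg -Text $sample -Expected $Expected | Format-Table -AutoSize
# On a workstation, pass the real file instead (the install path is an assumption):
#   Test-MozillaCfg -Text (Get-Content -Raw "$env:ProgramFiles\Mozilla Firefox\mozilla.cfg") -Expected $Expected
```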
Re: Firefox 13 question
Tested a bit and I think you're out of luck. My changes will enable app update by a user with admin privileges but the FM MSI doesn't install the update service to keep Firefox automatically up to date. I should have expected this.
Re: Firefox 13 question
DraconPern wrote:
I really need to test out what the effects of turning this on will be. Especially on the interaction between the MSI installer system and Firefox's auto update. I think though for most of my users, people are pushing the MSI through some managed system like SCCM. The auto update kind of is in the middle where you are no longer in control of what gets installed...

Unfortunately, in a company of less than 25 employees, with only one server that does everything, SCCM is way out of our budgetary league.
Also, we don't really care about the manageability, but more about keeping software patched and up to date as we're a web design firm.
The issue currently is that the users can't update most auto updated software, as they often require admin privileges to do so.
So I deploy via MSI currently for ease of deployment, but would prefer that it updated itself, to save some of the burden upon me of updating the GPO, but also so that we get any security updates through more quickly than we do waiting for new MSIs to be published here.

jpa wrote:
Tested a bit and I think you're out of luck. My changes will enable app update by a user with admin privileges but the FM MSI doesn't install the update service to keep Firefox automatically up to date. I should have expected this.

Yeah, the updates started coming through today. Bit of a pain now as we're getting UAC boxes, doh!
- DraconPern
Re: Firefox 13 question
Hummm, an interesting thought would be... for the MSI install to download and run the updated MSI. That might be a possibility. I'll have to check, but I think that may be possible.
FrontMotion Lead Developer
Re: Firefox 13 question
FYI, I don't know when this happened, but FF is like Chrome now in that it does not require admin rights to install. It detects a limited user account and if so, installs in the user's profile where it has write access rather than %programfiles%. So unless your environment is fairly locked down, limited users can install FF. I don't know if this will have any influence on this thread, just an FYI.
- DraconPern
Re: Firefox 13 question
Hum.. recent versions also have an update service.
FrontMotion Lead Developer
Re: Firefox 13 question
m0gely wrote:
FYI, I don't know when this happened, but FF is like Chrome now in that it does not require admin rights to install. It detects a limited user account and if so, installs in the user's profile where it has write access rather than %programfiles%. So unless your environment is fairly locked down, limited users can install FF. I don't know if this will have any influence on this thread, just an FYI.

Hmmm, this would require my users to have to go and download the package. It's not a bad option, just that I'd rather get it onto the machines so that all users have access to the same software. I'll give it some thought though. Our only other issue then would be profile space as I limit this to 500MB currently; we're using roaming profiles.
Re: Firefox 13 question
My concern about auto-updating would be if the auto-updater changed the installed application's unique ID.
Firefox 13, like all applications, is installed with a unique ID, which is what group policy checks to see if the application has already been installed. When the auto-update service goes from 13 to 14, does it change the unique ID? 13 isn't installed anymore, 14 is, and 14 should have a different unique ID than 13, because it's a different program. Now reboot the system a couple times. Group policy is going to run and see that the unique ID isn't present on the system anymore and attempt to install 13 all over again.
As for allowing users to install programs into their user folder, there's a very simple way to prevent this from working. Simply only allow executables to be run from %windir% and %programfiles% (or subdirs within either one). The user can't install software because they can't run an executable off their desktop. If they had managed to install unapproved software into their user folder before the policy was put in place the software won't run. And, best of all, malware that copies itself to %temp% or anywhere else inside their user folder can't run either.
Basically, if you want a limited user to be limited for security/stability purposes, you may as well make them limited.
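The path rule described in the last post, modelled as an added PowerShell example (not the poster's code and not an actual Group Policy rule): it reports which executable paths fall outside the allowed roots, an inventory worth running before such a rule is enforced. The function names, the literal root list and the sample paths are constructed.

```powershell
# Added example. Roots mirror the rule in the post (%windir% and %programfiles%),
# written as literal paths so the sample gives the same result on any Windows machine.
$AllowedRoots = 'C:\Windows', 'C:\Program Files'

function Test-PathRuleAllows {
    param([Parameter(Mandatory)][string]$ExePath, [Parameter(Mandatory)][string[]]$AllowedRoots)
    # Normalise first so the comparison is made on the resolved location.
    $full = [System.IO.Path]::GetFullPath($ExePath)
    foreach ($root in $AllowedRoots) {
        # The trailing backslash keeps C:\Windows from matching C:\WindowsOld.
        $prefix = [System.IO.Path]::GetFullPath($root).TrimEnd('\') + '\'
        if ($full.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-PathRuleReport {
    # One row per path: would the allow-only rule let this executable run?
    param([Parameter(Mandatory)][string[]]$Paths, [Parameter(Mandatory)][string[]]$AllowedRoots)
    foreach ($p in $Paths) {
        [pscustomobject]@{
            Path    = $p
            Allowed = Test-PathRuleAllows -ExePath $p -AllowedRoots $AllowedRoots
        }
    }
}

# Constructed sample paths ("alice" is a made-up account).
$sample = @(
    'C:\Program Files\Mozilla Firefox\firefox.exe'
    'C:\Users\alice\AppData\Local\Mozilla Firefox\firefox.exe'
    'C:\Users\alice\AppData\Local\Temp\setup.exe'
    'C:\Program Files\..\Users\alice\Desktop\tool.exe'
)
Get-PathRuleReport -Paths $sample -AllowedRoots $AllowedRoots | Format-Table -AutoSize

# To list what is currently running outside the allowed roots before enforcing the rule:
#   $running = Get-Process | Where-Object { $_.Path } | Select-Object -ExpandProperty Path -Unique
#   Get-PathRuleReport -Paths $running -AllowedRoots $AllowedRoots | Where-Object { -not $_.Allowed }
```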