Policy-based extension installs?

[sancomp]

Firefox has the ability to load any extension from any directory via the registry. Normally this is set in the key: "HKLM\Software\Mozilla\Firefox\extensions"

With a simple edit of the nsExtensionManager.js file (line 1300 currently), this information can be read from any key in the registry, like: "HKLM\Software\Policies\Mozilla\Firefox\extensions"

(If you wanted it to look in both locations, you could add the proper lines to the WinRegInstallLocation function rather than editing that one line.)

The advantage is that you could have an administrative template for a GPO that writes the values to that key and allows an admin to centrally manage important extensions throughout the organization. It works... I've already created a basic template and have been testing it over the last few days and it's flawless so far with every extension I've tried.

Question is, is this something that may be included in the CE MSI?

Edit: BTW, this even works by pointing the reg entries to a UNC path (server share)... even if the users only have read permissions to the share... at least with the extensions I've tried so far (IE Tab, Tab Mix Plus, Total Validator, Forecastfox, Search Engine Ordering). Adds a whole new dimension to managing extensions in a corporate environment.

[sancomp]

Correction: Forecastfox Enhanced (and presumable Forecastfox) <b>do not work</b> by sharing it from a server share with read-only access. It returns a parser error. I'll look into this further. This is the only extension so far that does not work this way.

Here is my current list of extensions that I know work 100% using this method:
Total Validator
Find Toolbar Tweaks
Fasterfox
IE Tab
Search Engine Ordering
Tab Mix Plus

I will be testing Adblock Plus, NoScript, and several other extensions soon.

Is anyone else interested in this? Or am I the only one who thinks that managed extensions in a corporate environment would give a great boost to Firefox adoption?

[CGirardy]

Hi,
I'm very interested in this configuration.... I have like 400 workstations to configure so I'll take a look at what this closely.
The holydays are coming and I'll have plenty of time to test without bothering my users

[DraconPern]

I am assuming the xpi has been unpacked in those directories?

[sancomp]

Hi,
I'm very interested in this configuration.... I have like 400 workstations to configure so I'll take a look at what this closely.
The holydays are coming and I'll have plenty of time to test without bothering my users

Yes, definitely test it first, especially in an environment that large. Remember that almost all extensions work this way (but not every one) and that the more you share across the network, the longer Firefox will take to initially startup. Should be milliseconds in most cases, but could be worse in a case like yours if you do it with a lot of extensions shared to all users from a single server.

I'm putting together an administrative template for group policy that allows you to set this, but I have to create separate policies for each extension (plus test each one to ensure it doesn't break the extensions), so it may take some time to finish. Full details are on my company website, but I'm not sure if I'm allowed to post the link here.

[sancomp]

I am assuming the xpi has been unpacked in those directories?

Yes. The way I've been doing it is installing the extensions with -install-global-extension on a test system, then moving (or copying) the created extension folder to a central server share.

Then it's a simple matter of editing the nsExtensionManager.js file as mentioned above, and creating policies that write to that key. The values must be of type REG_SZ with names equal to the ID of the extension and values pointing to the full UNC path where the extension resides (I assume this would even work with DFS shares, but haven't tested it).

So the only time-consuming part is creating the Administrative Templates that contain all of the IDs of the extensions you are likely to share. I'm working on that. I'm trying to put together an MSI of my own that contains this information... primarily for testing purposes right now, but I do have it up on my company website. If you want the URL, just let me know.

[bartrumb]

This sounds like it would work for me. Any updates on your progress? I would like to have those ADM's so I don't have to reinvent the wheel.

[DraconPern]

Just a note that you can attach files (it's in a tab towards the bottom next to Options).