Use Compliance Settings to Disable Firefox AutoUpdates in ConfigMgr 2012

This is very much an “edge case” type of situation… but this came up internally where I work, so I thought I’d put this out there for public consumption, in case this isn’t as much of an edge case as I think it is.

The –>attached<– has only had a brief life in pilot… so if you do need this, PLEASE test thoroughly.

The scenario / issue to be solved was this… Firefox releases updates frequently, and internally the goal was to use SCUP (System Center Updates Publisher) to deploy those updates, just like any other security update–and here’s the fun part–using the exact download from Mozilla (no modifications). This tested great, but then they also didn’t want the end users to get those reminders about updates… the instant Mozilla releases an update. If the plan is to manage them with SCUP-offered updates, then they wanted the client-side Update Prompts to go away.

Unfortunately, not quite that easy with Firefox.  It’s not registry keys, it’s not WMI, it’s two files, with specific lines inside those files, to disable updates.

What the attached Baseline will do, if you target it to your machines, is a) first check whether Firefox is installed (looking for firefox.exe in Program Files), and b) if it’s there, check for the two files and, if you have “remediate” checked when you deploy the baseline, create them with the required data inside.

How To Implement:

  1. Take the Attached, and import into your CM12 console (Assets and Compliance, Compliance Settings, Configuration Baselines) the Firefox Disable AutoUpdates-Baseline.cab.
  2. Once imported, deploy that baseline to a test collection; I recommend one with at least two boxes: one with Firefox and one without, so you can confirm for yourself that it doesn’t do anything when Firefox is not there.

How to Check if it’s working:

  1. Interactively from Firefox itself:
    1. Before deployment, in Firefox, if you go to the pull-down for Firefox (on the left), then the -> arrow by Help, then About Firefox, in the middle-ish will be a message about whether or not you are up to date.
    2. After deployment, (and after you restart Firefox, if the Compliance Setting ran while Firefox was already open), when you go to About Firefox it will now say “Updates disabled by your system administrator”
  2. Remotely:
    1. There are two files, and those two files need very specific things inside:
      1. File #1: In the same folder as firefox.exe, mozilla.cfg with these exact lines:
        lockPref("app.update.auto",false);
        lockPref("app.update.enabled",false);
      2. File #2: In the subfolder \Defaults\Pref, local-settings.js with these exact lines:
        pref("general.config.filename", "mozilla.cfg");
        pref("general.config.obscure_value", 0); // use this to disable the byte-shift
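One way to script the remote check above, as an added example rather than the script inside the attached baseline: a PowerShell discovery-style check that reports whether both files exist and carry the required lines. The `Mozilla Firefox` folder name, the function name `Test-FirefoxUpdateLock` and the output strings are assumptions.

```powershell
# Added example (not the baseline's own script). Assumed: default install folder name.
function Test-FirefoxUpdateLock {
    param([Parameter(Mandatory = $true)][string]$InstallDir)

    # Relative path -> lines that must be present (from the post, straight quotes).
    $required = @{
        'mozilla.cfg' = @(
            'lockPref("app.update.auto",false);',
            'lockPref("app.update.enabled",false);')
        'Defaults\Pref\local-settings.js' = @(
            'pref("general.config.filename", "mozilla.cfg");',
            'pref("general.config.obscure_value", 0);')
    }

    foreach ($rel in $required.Keys) {
        $path = Join-Path $InstallDir $rel
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            "missing file: $path"
            continue
        }
        # Normalise each line: drop trailing // comments and all whitespace.
        # Typographic quotes pasted from a web page will not match the straight-quoted lines.
        $have = @(Get-Content -LiteralPath $path |
            ForEach-Object { ($_ -replace '//.*$', '') -replace '\s', '' })
        foreach ($line in $required[$rel]) {
            if ($have -notcontains ($line -replace '\s', '')) {
                "missing line in ${rel}: $line"
            }
        }
    }
}

# Discovery: find firefox.exe under every Program Files root visible to this process
# (ProgramW6432 covers a 32-bit script host on a 64-bit OS).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramW6432) |
    Where-Object { $_ } | Select-Object -Unique
$installs = @($roots | ForEach-Object { Join-Path $_ 'Mozilla Firefox' } |
    Where-Object { Test-Path -LiteralPath (Join-Path $_ 'firefox.exe') })

if ($installs.Count -eq 0) {
    'NotInstalled'
} else {
    $issues = @(foreach ($dir in $installs) { Test-FirefoxUpdateLock -InstallDir $dir })
    if ($issues.Count -eq 0) { 'Compliant' } else { 'NonCompliant: ' + ($issues -join '; ') }
}
```

The script only reads files, so it can be run against a pilot machine before and after the baseline applies to compare the reported state.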

Naturally… the assumption is that you’ll be forever after vigilant about deploying Firefox updates using SCUP, or somehow else managing Firefox deployments. Because just like any other browser… occasionally “bad” people decide to release trojans or viruses or something else that can cause harm to your computer or company via an unpatched or old browser. So… just because you no longer see popups about “new version is available” doesn’t mean you are safe!

  • Steven Hosking

    Hi Sherry,
    Great solution as usual, was hoping to test it out, but receiving a 404 error from the MNSCUG site to get the code.
    Cheers
    Steve