Enterprise Deployment of Firefox

I am responsible for overseeing the IT infrastructure of an office with about 40 Windows-based computers. We always keep the OS and relevant software patched, though sometimes even keeping Windows/Office/IE patched to the most current level is not enough.

The workarounds provided by Microsoft for this issue are frankly, not acceptable because website functionality with security set to ‘High’ is unacceptable and generate user complaints (and doesn’t even solve the problem completely).

Events like this give me cause to consider a company-wide deployment of Firefox as the default browser. We have no internal applications that rely on IE so this is not a sticking point for us as it is for many corporations. Plus, Firefox has far fewer “vulnerable days” as compared to IE (and when Firefox is vulnerable the potential risk to the system is usually lower).

However, there are a couple of blockers that stop me from taking this step. These include:

  • Lack of an automated/scriptable way to deploy Firefox that is supported by Mozilla (though bug 231062 has been filed for an MSI install package – almost 5 years later there is still no resolution).
  • Lack of any way to force Firefox product/security upgrades upon users. Without this, Firefox is arguably even more insecure than IE because at least with IE we can be reasonably sure that updates are being pushed out on schedule.
  • Lack of any centralised way to make sure plugins are up to date (I will concede that IE is not up to par on this front either).

There are probably a few other points that I can’t think of at the moment. However, our company is an SME with less than 100 computers and I find these issues troubling. Imagine a Fortune 500 company – the problem for them would be multiplied many fold.

I am unhappy about the latest problems with IE and unhappy that there is no patch yet for an exploit that is so clearly in the wild and unhappy that there isn’t even an acceptable way to mitigate the risk.

Having said all this – at the moment I don’t see that switching to an alternative browser is an acceptable solution to this problem for enterprise users for the reasons above.

If work was done to make Firefox more enterprise friendly, this would go a long way towards adoption in the workplace. As it stands, there are just too many reasons not to deploy even though the product is clearly superior from an end user standpoint.

This entry was posted in Mozilla and tagged , , , . Bookmark the permalink.

18 Responses to Enterprise Deployment of Firefox

  1. NM says:

    1. What is there to do, update-wise? You can just unzip a “Firefox” application folder, and it just works. On Linux we just update our rpms or debs, but on lesser platforms, you can either have it update itself if the user owns the files, or replace the whole directory if it’s admin owned; you just need to have a way to make sure it’s updated which leads to your second point:
    2. It’s trivial to write an extension that checks the installed version on startup and do whatever you want at that point (nag the user, alert the admin, kill a puppy); in fact it might just exist, have you tried A.M.O?
    3. What do you mean exactly here; Firefox has an update system for extensions. On startup the user is offered to update. If you want to centralise the information in case they don’t, again, it would be easy to have a tiny extension send a report to one of your servers.
    I should add, it’s quite easy to roll your own customised FF that connects to your own server for updates. From there on you can include your own extensions that do whatever it is you need for admin.

  2. Nicolas Briche says:

    I have the exact same problem. Except that I have no Active Directory, or even any domain controller, for my ~130 Windows machines. OS patching is basically impossible (no time for it, at all).

    I’ve been looking for years for a centralized way of controlling my Firefox installs, especially since I’ve began introducing changes in our intranet that will require FF3.x. OCSInventory looks good, but require certificates installed on the targeted clients; so large-scale testing will have to wait ’til I have time to install the certificates… in February or so, if I’m lucky.

    Right now, I have a mix of 2.0.0.x and 3.0.x running on a mix of win2000 and winXP vanilla/SP1/SP2, all with a mix of users having administrator rights and restricted rights. Depending on user rights, some FF are updating and some don’t. Some 2.0.0.x upgraded to 3.0.x, some haven’t even if they could have. It’s a mess and sometimes I cry…

    So yeah, a centralized “Firefox console”, which would _not_ depend on an Active Directory or a domain, and would be able to upgrade FireFox even if the target user has restricted rights, would be more that a good thing; it would help save my sanity.

  3. Steve Lee says:

    These very same issues are seen as stopping educational establishments switching to Firefox. In addition the College I worked at also wanted to lock it down so for example about:config was not available.

  4. Merlin Hartley says:

    What you need to look, my friends, is a great product called WPKG – an awesome software distribution product for Windows… and it’s free.
    http://wpkg.org/

  5. Axel Hecht says:

    Did you know that the Firefox installer has (I’m pretty sure it still does) options for an unattended install?

    “Centralized deployment” isn’t really our business, either. What do you use to deploy software on your systems? How can it be extended?

    For the updates, I’d sneak the update pings from firefox to get the incremental mars when available, and push them on people’s computer during maintaince window via your regular system. Yes, incremental mars can be applied via the commandline, too.

    Like always in corp, the problem is not that we don’t hear what you want, it’s just that corp is like physicians: Ask 5 and get 7 opinions. Not so much about what you want to do, but about how to actually implement that.

    Reading through https://wiki.mozilla.org/Deployment:Deploying_Firefox is probably good, too, there are some constructive tips on how to do what.

  6. You should read Mike Kaply’s blog : http://www.kaply.com/weblog/

    He developed Mozilla CCK, which is an excellent tool !

    I’m going to deploy Firefox 3 over 3000 computers in my company but unfortunately without GPO or anything to help me…however you could consider setup an intranet web server for your firefox updates : http://www.google.fr/url?sa=t&source=web&ct=res&cd=1&url=https%3A%2F%2Fdeveloper.mozilla.org%2Fen%2FSetting_up_an_update_server&ei=7e5ISf3WFJXW0gXAucgU&usg=AFQjCNHCQAqTmZBmdRW14OIOn5B0lFzbiQ&sig2=o_M21pxqf3WU-ZDGXpBQLA

    Other interesting link :

    https://wiki.mozilla.org/Enterprise

  7. “What is there to do, update-wise? You can just unzip a “Firefox” application folder”

    Can you? How? Walk to each computer and run winzip? Write a script of some kind to do that? And just unzipping is a bit limited – if the application wasn’t already there then you would want to sort out shortcuts, etc.

    As for the other points, aside from the CCK wizard, there isn’t anything I can see on AMO that would do that. Those extensions might be fairly easy to write and maintain, and I know there are enterprise users that do various combinations of the things you suggest. The point is that you have to be willing and able to write those scripts and little extensions in order to deploy Firefox, and it would be easier for many places if there was something off-the-shelf that did that.

    https://wiki.mozilla.org/Enterprise was a project that never really got off the ground to do this stuff. mkaply’s blog also has useful stuff about it, and the CCK Wizard is https://addons.mozilla.org/en-US/firefox/addon/2553

  8. Michael Kapl says:

    Steve Lee:

    The CCK will remove about:config and lock down other aspects of Firefox – http://www.kaply.com/weblog/2008/06/11/customizing-firefox-with-the-cck-wizard/

    I’ve actually done some custom work for schools when they ask.

    As far as the other issues, I have been trying for years to get people interested in enterprise Firefox issues, but it has just never happened. We’ve never gotten critical mass to be able to push these types of things.

    Feel free to look at my attempts – https://wiki.mozilla.org/Enterprisehttp://www.kaply.com/weblog/tag/enterprise/

  9. Nukeador says:

    +1 I have plans to follow some guides I found time ago here:

    http://www.kaply.com/weblog/tag/enterprise/

    Using Active directory with the msi package should be enough to update all computers domain wide.

  10. pt says:

    Bit9 published “The Most Vulnerable Applications” report for 2008 few days ago. Firefox was number one on that list.
    http://www.bit9.com/files/Vulnerable_Apps_DEC_08.pdf

    The reasoning behind that report is almost the same as you gave. If program can’t be centrally controlled and updated + it has high or critical vulnerability published year 2008, it’s on the list. More vulnerabilities and more users move it higher in the list.

  11. Nukeador says:

    I forgot to put a link to the customizable msi version:

    http://www.frontmotion.com/FMFirefoxCE/index.htm

  12. NM says:

    “Can you? How? Walk to each computer and run winzip? Write a script of some kind to do that? And just unzipping is a bit limited – if the application wasn’t already there then you would want to sort out shortcuts, etc.”

    Again, I don’t do Windows. I can think of a dozen straightforward, gratis ways to do that on *nix, so I assumed there’d gotta be at least one expensive way to do it on Windows. Is it actually worse than I thought?

    For instance where I work the IT dept has all the windows machine run stupid scripts upon logon. Here they’re just used to annoy users (such re-enabling the locking screensaver — supremely irritating on VMWare or when the PC is merely driving a monitoring screen); but you could have it run an update program of sorts … couldn’t you?

  13. NM says:

    “The reasoning behind that report is almost the same as you gave. If program can’t be centrally controlled and updated + it has high or critical vulnerability published year 2008, it’s on the list. More vulnerabilities and more users move it higher in the list.”

    What does that mean? Firefox has a centralized update mechanism. It even covers extensions.

  14. pt says:

    NM: Sorry, I meant that the centralized update mechanism needs to be controlled by the enterprise. I know quite many companies who control windows update this way (they have one server downloading all the updates, then someone approves them, other machines in the network download the updates from the company server, not from Microsoft… Microsoft offers Windows Server Update Services or WSUS to do this, I think). I think this way they can even force everyone to download optional updates (for example windows search). In Firefox case this could be forced update from 2 to 3.

    I think there are some programs/services you can buy to do centralized administration on windows, and some free ones like WPKG, but I haven’t looked at them very much. I don’t administer any networks so I have only limited knowledge from what I have heard.

  15. Thanks for the post – it sums up many of my concerns with Firefox on a deployment front.

    Lack of easy deployment (read: MSI), managed update mechanism (perhaps via MSI/MSP?), and easy control mechanisms (read: AD, or at least a template that can be released when installed) are the key reasons I can’t advocate installing Firefox on a large scale (i.e. nearly 1000 computers). I have been greatly disappointed in Mozilla’s complete disinterest on this front, and embarrassed when I’ve said that MSIs are going to be ‘in the next release’ (first promised for 1.5, then 2.0, then ignored completely for 3.0).

    Frankly, Internet Explorer is *more* secure than Firefox in terms of ‘Enterprise’ insofar as I can guarantee patching in a very timely manner via WSUS.

    To everyone who suggests “Oh, just do this…” — please try it on a large scale, and get back to me when you have many projects to juggle. Furthermore, I really don’t want to to use a third-party build (i.e. FrontMotion), as I have to place a /lot/ more trust in that than Mozilla. Firefox is great on a small scale, but not nearly as good on a large scale, especially when users don’t have admin. rights (which is /actually secure/). For that matter, to practice what I preach, I took away my own admin rights, so I’m going to have to jump through hoops to upgrade to 3.0.5. :/

    At this point, I may get sufficiently tired of waiting and complaining, and ‘scratch the itch’ with WiX. That requires a lot of free time, which I’m short on, but maybe a ‘rainy day’ will come up.

    P.S. If Mozilla released MSIs that people didn’t alter terribly much, they’d get a lot more revenue from the search box when used on tens of thousands of corporate computers…

  16. RNiK says:

    I’d like to add one more point to your complains about Firefox deploy in Enterprise environment: proxy managment!

    Mozilla Firefox proxy management is flawed by lots of bugs and since proxies and authentication are standard practices in Corporate IT, this browser is still considered “unprofessional” by IT Admins. :(

  17. James says:

    Seconding WPKG – it’s great.

  18. O says:

    My company optionally allows Firefox but blocks remembering passwords through a policy setting. Really annoying.

    Their reasoning: Passwords are stored unencrypted unless there is a master password. IE stores passwords encrypted (linked to user logon). While that doesn’t increase security (anybody logged on to the system incuding a trojan horse) can read stored passwords as evidenced by many tools out there, it looks more secure to our IT department (at a 10000+ company).

    Would be great if FF had an option to additionally encrypt passwords with the same mechanism IE uses.

    THanks

Leave a Reply