v2.9 Policy Not allowing Extensions that are allowed to install.
I'm trying to force the install of the Okta extension for users in my environment. I just updated to the latest admx templates and I'm not allowed to install any extensions.
My GPO JSON is as follows:
{
"*": { "blocked_install_message": "Custom error message.", "install_sources": ["about:addons","https://addons.mozilla.org/"], "installation_mode": "blocked", "allowed_types": ["extension"] }, "[email protected]": { "installation_mode": "force_installed", "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi" }, "Okta": { "installation_mode": "force_installed", "install_url": "https://addons.mozilla.org/firefox/downloads/latest/okta-browser-plugin/latest.xpi" }, "[email protected]": { "installation_mode": "allowed" }
}
Yes I'm getting the attached image on this when i'm trying to install it manually because it's not auto installing. I'm also getting the same with the allowed uBlock extension.
Modified
Chosen solution
Not allowing any extensions to be manually installed is expected since you did:
"installation_mode": "blocked",
This would cover even force_installed extensions because the expectation is that they are already there.
The reason Okta install is failing is because of an incorrect ID:
Add-on downloaded from https://addons.mozilla.org/firefox/downloads/latest/okta-browser-plugin/latest.xpi had unexpected id (got [email protected] expected Okta)
I saw that on the error console.
So change Okta to [email protected] and you should be good.
I also verified that with your configuration I was able to install HTTPS everywhere (https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/)
and everything got auto installed after that change.
Read this answer in context 👍 0All Replies (14)
Chosen Solution
Not allowing any extensions to be manually installed is expected since you did:
"installation_mode": "blocked",
This would cover even force_installed extensions because the expectation is that they are already there.
The reason Okta install is failing is because of an incorrect ID:
Add-on downloaded from https://addons.mozilla.org/firefox/downloads/latest/okta-browser-plugin/latest.xpi had unexpected id (got [email protected] expected Okta)
I saw that on the error console.
So change Okta to [email protected] and you should be good.
I also verified that with your configuration I was able to install HTTPS everywhere (https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/)
and everything got auto installed after that change.
What "error console" are you referring to?
F12 console?
I'm trying your changes as I type this.
Sorry, Browser Console
Web Developer->Browser Console or Ctrl+Shift+J
I think the errors also would have shown up in about:policies in the Errors section
So I made the changes and still unable to force the okta Extension.
So I cleared out all the settings under Extension Management and it won't let me install any Extensions still.
Is there something I need to reset in the registry?
No, when you unset ExtensionManagement in GPO, it should go away.
So when you tried:
{
"*": { "blocked_install_message": "Custom error message.", "install_sources": ["about:addons","https://addons.mozilla.org/"], "installation_mode": "blocked", "allowed_types": ["extension"] }, "[email protected]": { "installation_mode": "force_installed", "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi" }, "[email protected]": { "installation_mode": "force_installed", "install_url": "https://addons.mozilla.org/firefox/downloads/latest/okta-browser-plugin/latest.xpi" }, "[email protected]": { "installation_mode": "allowed" }
}
It didn't work?
can you go to about:policies and see if there are any errors?
Well, I've recreated the policy and had it set to disable. But i'm still getting the wrong json settings in that key.
I'm trying your json now.
I put in your json and I'm still getting this version in that registry key.
{
"*": { "blocked_install_message": "Custom error message.", "install_sources": ["about:addons","https://addons.mozilla.org/"], "installation_mode": "blocked", "allowed_types": ["extension"] }, "Okta": { "installation_mode": "force_installed", "install_url": "https://addons.mozilla.org/firefox/downloads/file/3701928/latest.xpi" }
}
I have no where this is coming from as I'm only setting it in the ExtensionSettings Policy setting.
I drop the regkey and I can install everything i want until the gpo kicks back in.
Is it possible you accidentally set that in the machine policy?
What do you see at:
HKEY_CURRENT_USER\SOFTWARE\Policies\Mozilla\Firefox ExtensionSettings versus HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox ExtensionSettings
in the registry?
I'm looking at the HKLM as I'm applying it at machine level. I've removed the policy all together and it still re-pops in after deleting the Mozilla key.
I don't even see it under HKCU.
This is all very odd that it keeps coming down even though I've removed it from the OU.
All right, let's get more detail.
Can you go to about:config and add a new string preference called:
browser.policies.loglevel
and set the value to debug
When you restart, it should give us more detail in the browser console as to where it's getting those values.
If you're up for it, we could jump on a screenshare and I'll help figure it out.
After much trouble shooting and trying various resets on the client I went down all the policies applied to my workstation and noticed that there were Firefox settings in the policy that isn't for Firefox.
I'm working good now thank you for the assist!
I do have one more question, wasn't there a extension that will give me the IDs of all the extensions? I thought I saw that in the documentation a bit ago.
Also is there a way to setup non-firefox hosted plugins like www.enpass.io ? It appears they aren't in the add-on store.
Modified
> I do have one more question, wasn't there a extension that will give me the IDs of all the extensions? I thought I saw that in the documentation a bit ago.
This addon shows you IDs and download URLs on AMO:
https://github.com/mkaply/queryamoid/releases
> Also is there a way to setup non-firefox hosted plugins like www.enpass.io ? It appears they aren't in the add-on store.
Yes. You can download and install it and then go to about:debugging and it will show you the addon ID. (spoiler alert -it's [email protected] ) And then you can install it like any other addon using their XPI URL.
https://dl.enpass.io/stable/extensions/firefox/versions/v6.6.0-8/enpass-firefox-6.6.0.xpi
Also, when you get a chance, can you pick the best reply that solves your problem?