On Mon, Jul 29, 2019 at 10:54 AM Éric Périard <[email protected]> wrote:
> *Classification: UNCLASSIFIED** // Public* > > > > Greetings colleagues, > > > > I work in a border-line paranoid secure environment where we make use of > air-gapped PAW (*Privileged Access Workstations*) to administer the > network. > > > > The issue is well… it’s air-gapped, meaning there’s no access to the > internet at all from those workstations and everything is tightly > controlled. > > > > Also to deploy the updates, *I use SCCM*. For end-user systems we > whitelist the access so browsers can update themselves however that’s not > possible for the PAW’s. > > > > So I’ve got a few questions: > > > > 1. Is there a GPO or some kind of solution to redirect where > Firefox ESR fetches it’s update? *(Without trying to spoof URLs which I’m > sure change often)* > Yes. We provide a policy to change the update URL. > 2. Where would I get the update patches instead of the entire > installer EXE? > The updates are called MAR files. They can be obtained on our release servers: http://releases.mozilla.org/pub/firefox/releases/68.0.1esr/update/win64/en-US/ > 3. Is above possible at all? > I have an (very) old post that describes this: https://mike.kaply.com/2007/03/26/deploying-firefox-2-within-the-enterprise-part-5/ I think some things have change slightly since then (particular the server response with the update) The simplest thing to do would to push the complete mar file every time and just have an update server that served based on the currently available version. If you want to see how this all works, you can install an older version of Firefox, turn on the pref app.update.log and then check for an update in the help dialog. In the Javascript console, you'll see a message like this: AUS:SVC Checker:getUpdateURL - update URL: https://aus5.mozilla.org/update/6/Firefox/68.0.1/20190717172542/Darwin_x86_64-gcc3/en-US/release/Darwin%2018.7.0/ISET:SSE4_2,MEM:32768/default/default/update.xml?force=1 You can visit the URL you get to see the inner workings of the update XML. Mike > > > Thank you as always…. > > > > *Éric Périard* > > Laboratory Administrator *|* Administrateur du laboratoire > > Canadian Centre for Cyber Security | Centre canadien pour la cybersécurité > > Email | Courriel: [email protected] > Website | Site Web: https://www.cyber.gc.ca/ > > Government of Canada *|* Gouvernement du Canada > > > [image: cid:[email protected]] > > > > *NOTICE: This message and accompanying attachments contain information > that is intended only for the use of the individual or entity to which it > is addressed. Any dissemination, distribution, copying or action taken in > reliance on the contents of this communication by anyone other than the > intended recipient is strictly prohibited. If you have received this > communication in error, please notify the sender immediately at the above > address and delete the e-mail.* > > > > *AVIS : Le présent message et toutes les pièces jointes qui l'accompagnent > contiennent de l'information destinée uniquement à la personne ou à > l'entité à laquelle elle est adressée. Toute diffusion, distribution ou > copie de son contenu par une autre personne que son destinataire est > strictement interdite. Si vous avez reçu ce message par erreur, veuillez > informer immédiatement l’expéditeur à l’adresse ci-dessus puis l’effacer.* > > > _______________________________________________ > Enterprise mailing list > [email protected] > https://mail.mozilla.org/listinfo/enterprise > > To unsubscribe from this list, please visit > https://mail.mozilla.org/listinfo/enterprise or send an email to > [email protected] with a subject of "unsubscribe" >
_______________________________________________ Enterprise mailing list [email protected] https://mail.mozilla.org/listinfo/enterprise To unsubscribe from this list, please visit https://mail.mozilla.org/listinfo/enterprise or send an email to [email protected] with a subject of "unsubscribe"
