Also, if you're using SCCM, you can (possibly) take advantage of the Ivanti plugin, which will present Firefox (and other free apps) updates like a Windows update (which I assume your PAW setup allows for) https://www.ivanti.com/products/patch-management-for-sccm
(I do not work for Ivanti, but we've had good success running it) On Mon, Jul 29, 2019 at 9:39 AM Éric Périard <[email protected]> wrote: > Thanks Mike, always reliable J > > > > Have a great day! > > > > Eric > > > > *From:* Mike Kaply <[email protected]> > *Sent:* Monday, July 29, 2019 12:38 PM > *To:* Éric Périard <[email protected]> > *Cc:* [email protected] > *Subject:* Re: [Mozilla Enterprise] Firefox ESR Offline Patching solution. > > > > On Mon, Jul 29, 2019 at 10:54 AM Éric Périard <[email protected]> > wrote: > > *Classification: UNCLASSIFIED** // Public* > > > > Greetings colleagues, > > > > I work in a border-line paranoid secure environment where we make use of > air-gapped PAW (*Privileged Access Workstations*) to administer the > network. > > > > The issue is well… it’s air-gapped, meaning there’s no access to the > internet at all from those workstations and everything is tightly > controlled. > > > > Also to deploy the updates, *I use SCCM*. For end-user systems we > whitelist the access so browsers can update themselves however that’s not > possible for the PAW’s. > > > > So I’ve got a few questions: > > > > 1. Is there a GPO or some kind of solution to redirect where > Firefox ESR fetches it’s update? *(Without trying to spoof URLs which I’m > sure change often)* > > Yes. We provide a policy to change the update URL. > > 2. Where would I get the update patches instead of the entire > installer EXE? > > The updates are called MAR files. They can be obtained on our release > servers: > > > > > http://releases.mozilla.org/pub/firefox/releases/68.0.1esr/update/win64/en-US/ > > 3. Is above possible at all? > > I have an (very) old post that describes this: > > > > > https://mike.kaply.com/2007/03/26/deploying-firefox-2-within-the-enterprise-part-5/ > > > > I think some things have change slightly since then (particular the server > response with the update) > > > > The simplest thing to do would to push the complete mar file every time > and just have an update server that served based on the currently available > version. > > > > If you want to see how this all works, you can install an older version of > Firefox, turn on the pref app.update.log and then check for an update in > the help dialog. In the Javascript console, you'll see a message like this: > > > > AUS:SVC Checker:getUpdateURL - update URL: > https://aus5.mozilla.org/update/6/Firefox/68.0.1/20190717172542/Darwin_x86_64-gcc3/en-US/release/Darwin%2018.7.0/ISET:SSE4_2,MEM:32768/default/default/update.xml?force=1 > > > > You can visit the URL you get to see the inner workings of the update XML. > > > > Mike > > > > > > > > Thank you as always…. > > > > *Éric Périard* > > Laboratory Administrator *|* Administrateur du laboratoire > > Canadian Centre for Cyber Security | Centre canadien pour la cybersécurité > > Email | Courriel: [email protected] > Website | Site Web: https://www.cyber.gc.ca/ > > Government of Canada *|* Gouvernement du Canada > > > [image: cid:[email protected]] > > > > *NOTICE: This message and accompanying attachments contain information > that is intended only for the use of the individual or entity to which it > is addressed. Any dissemination, distribution, copying or action taken in > reliance on the contents of this communication by anyone other than the > intended recipient is strictly prohibited. If you have received this > communication in error, please notify the sender immediately at the above > address and delete the e-mail.* > > > > *AVIS : Le présent message et toutes les pièces jointes qui l'accompagnent > contiennent de l'information destinée uniquement à la personne ou à > l'entité à laquelle elle est adressée. Toute diffusion, distribution ou > copie de son contenu par une autre personne que son destinataire est > strictement interdite. Si vous avez reçu ce message par erreur, veuillez > informer immédiatement l’expéditeur à l’adresse ci-dessus puis l’effacer.* > > > > _______________________________________________ > Enterprise mailing list > [email protected] > https://mail.mozilla.org/listinfo/enterprise > > To unsubscribe from this list, please visit > https://mail.mozilla.org/listinfo/enterprise or send an email to > [email protected] with a subject of "unsubscribe" > > _______________________________________________ > Enterprise mailing list > [email protected] > https://mail.mozilla.org/listinfo/enterprise > > To unsubscribe from this list, please visit > https://mail.mozilla.org/listinfo/enterprise or send an email to > [email protected] with a subject of "unsubscribe" > -- Scott Chapin - Director, Infrastructure Operations - DreamWorks [email protected] 818-695-6361
_______________________________________________ Enterprise mailing list [email protected] https://mail.mozilla.org/listinfo/enterprise To unsubscribe from this list, please visit https://mail.mozilla.org/listinfo/enterprise or send an email to [email protected] with a subject of "unsubscribe"
