Hello Have anyone noticed that if two GPOs have for example NTLM list , only list of last processed GPO applies?
Makes managing in OU level bit hard. Top level GPO settings have to be copied to sub level GPO settings, if customer wants own trust and every sub level GPO have to be updated if top level GPO is updated. Not familiar with ADMX-files but at least Internet Explorer Site-to-zone settings are appending. Thanks - Miika Sorvisto -----Alkuperäinen viesti----- Lähettäjä: Enterprise <[email protected]> Puolesta [email protected] Lähetetty: keskiviikko 7. elokuuta 2019 15.00 Vastaanottaja: [email protected] Aihe: Enterprise Digest, Vol 98, Issue 5 To unsubscribe via the web interface, visit https://mail.mozilla.org/listinfo/enterprise or, via email, send a message with a subject or body of 'unsubscribe' to [email protected] Send Enterprise mailing list submissions to [email protected] You can reach the person managing the list at [email protected] When replying, please edit your Subject line so it is more specific than "Re: Contents of Enterprise digest..." Today's Topics: 1. Re: Inquiry: Firefox error using policy to pull from windows certificate store (Mike Kaply) 2. Firefox ignores update configuration (Sirko P?hlmann) ---------------------------------------------------------------------- Message: 1 Date: Tue, 6 Aug 2019 16:16:39 -0500 From: Mike Kaply <[email protected]> To: "Hoang (US), Victor T" <[email protected]> Cc: "[email protected]" <[email protected]> Subject: Re: [Mozilla Enterprise] Inquiry: Firefox error using policy to pull from windows certificate store Message-ID: <cahueozdnewwqs+n1bs7cmubom+1tf0+rdly_krszv1hjptu...@mail.gmail.com> Content-Type: text/plain; charset="utf-8" On Fri, Aug 2, 2019 at 5:46 PM Hoang (US), Victor T < [email protected]> wrote: > I forgot to show an example of what I will be trying. > > > > { > > "policies": { > > "Certificates": { > > "Install": ["C:\\Program Files (x86)\\Mozilla > Firefox\\cck2\\resources\\certs\\ cert1.cer", "C:\\Program Files > (x86)\\Mozilla Firefox\\cck2\\resources\\certs\\cert2.cer", > Firefox\\cck2\\resources\\certs\\cert3.cer", "C:\\Program Files > (x86)\\Mozilla Firefox\\cck2\\resources\\certs\\cert4.crt"] > > } > > } > > } > > > > Something like that? (I?m currently just testing so I?m installing > from a directory in which cck still exists where my certificates are > stored locally on the device. I will change it once I can get the > certs installed the first time) > Yes, that should work. > > > Also, once I save this in the json file, I?m guessing it will create > the directories for me? E.g.: > > %USERPROFILE%\AppData\Local\Mozilla\Certificates > > %USERPROFILE%\AppData\Roaming\Mozilla\Certificates > Nope, you'll need to create the Certificates subdir > > > Will it need to be a fresh install of firefox, or can I just use my > currently existing one and it will be created on start up? > Doesn't need to be a fresh install. If the policy is updates, it will add the new certs/ > > > Thanks again, > > Victor > > *From:* Hoang (US), Victor T > *Sent:* Friday, August 2, 2019 3:39 PM > *To:* 'Mike Kaply' <[email protected]> > *Cc:* [email protected] > *Subject:* RE: [Mozilla Enterprise] Inquiry: Firefox error using > policy to pull from windows certificate store > > > > I?m giving tinker with this and will get back with my findings. Silly me. > Thanks! > > > > *From:* Mike Kaply <[email protected]> > *Sent:* Friday, August 2, 2019 2:30 PM > *To:* Hoang (US), Victor T <[email protected]> > *Cc:* [email protected] > *Subject:* Re: [Mozilla Enterprise] Inquiry: Firefox error using > policy to pull from windows certificate store > > > > It should just be about putting them in the right location and setting > the > Certificates->Install policy (if they aren't being imported from the > Certificates->window > store). > > > > See: > > > > > https://github.com/mozilla/policy-templates/blob/master/README.md#cert > ificates--install > > > > Are these client certificates? > > > > Mike Kaply > > > > On Fri, Aug 2, 2019 at 4:18 PM Hoang (US), Victor T < > [email protected]> wrote: > > Hello, > > > > My name is Victor. I was wondering if anyone could share any > experience/expertise/solutions with switching over to policy for > managing certificates to pull from the windows store. I?m running into > some issues even after following some of the guides about how to try > and pull from my organizations windows store locations from > https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox. > It seems like the instructions might be a little broad/high level so I > could be missing some things. Following the guide, I have > security.enterprise_roots.enabled set to true and checked the windows > store certificate location in regedit.exe and mmc and they seem to > already exist (perhaps not in the right directory?). I asked someone > in my organization and they mentioned that all the stores can be found > on the console root (Local Computer) under trusted root certification > Authorities ? > Certificates and it all seems to be there as well. > > > > My question: > > ? It seems like firefox checks > HKLM\SOFTWARE\Microsoft\SystemCertificates according to the support page. > I?m using regedit.exe to navigate to the directory, but I don?t see > any sort of ?Import? option for the certificates I want to embed. I?m > wondering how I can add my certificates into the location required by > firefox? This is what I speculate to be the culprit. > > > > Background: > > ? Switching from FF 60.8 ESR cck2 over to FF 68.0.1 ESR with > policy.json > > ? Able to do majority of things such as setting up proxy, > changing home page, and Trusted Devices installed (for CSSI Library > badge authentication, etc) > > ? Unable to have certificates be read from the windows store via > policy unless I manually add them to the Certificate Manager in firefox. > (Secure Connection Failed: SSL_ERROR_HANDSHAKE_FAILURE_ALERT) > > Thanks all, > Victor Hoang > > > > _______________________________________________ > Enterprise mailing list > [email protected] > https://mail.mozilla.org/listinfo/enterprise > > To unsubscribe from this list, please visit > https://mail.mozilla.org/listinfo/enterprise or send an email to > [email protected] with a subject of "unsubscribe" > > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.mozilla.org/pipermail/enterprise/attachments/20190806/4ac9f9e6/attachment-0001.html> ------------------------------ Message: 2 Date: Wed, 7 Aug 2019 09:14:21 +0200 From: Sirko P?hlmann <[email protected]> To: [email protected] Subject: [Mozilla Enterprise] Firefox ignores update configuration Message-ID: <[email protected]> Content-Type: text/plain; charset=windows-1252; format=flowed Hello, We use Firefox with central software distribution, each new version is distributed to the clients via WSUS. Automatic or manual updates have been disabled for years. In the past, we used a central file to configure the presets. Since version 60.x we use the new GPOs. Actual we use .exe file, but we want to change to .msi I now found that Firefox ignores the update configuration on the clients. The clients updated to version 68.0.1 on their own. The GPO is set and applied: Computerconfiguration /MOZILLA/FIREFOX/UPDATE DISABLE : ACTIVE The clients tell me... HELP/About Firefox: "Updates deactivated by? system administrator". When I check the settings on the clients...: Settings/General/Firefox-Updates is specified: "Updates deactivated by your system administrator", the button for manual update search is grayed. Policiy Definitions are from 07/2019. Why was Firefox able to update from 60.8.1 to 68.x? regards, S. Poehlmann -- Dipl.-Ing.(FH) Sirko Poehlmann Tel: 03641 3667 43 Fax: 03641 3667 77 GMBU e.V. - Fachsektion Photonik und Sensorik Felsbachstra?e 7 D- 07745 Jena [email protected] www.gmbu.de DSGVO - http://www.gmbu.de/cms/de/datenschutz ------------------------------ Subject: Digest Footer _______________________________________________ Enterprise mailing list [email protected] https://mail.mozilla.org/listinfo/enterprise To unsubscribe from this list, please visit https://mail.mozilla.org/listinfo/enterprise or send an email to [email protected] with a subject of "unsubscribe" ------------------------------ End of Enterprise Digest, Vol 98, Issue 5 ***************************************** _______________________________________________ Enterprise mailing list [email protected] https://mail.mozilla.org/listinfo/enterprise To unsubscribe from this list, please visit https://mail.mozilla.org/listinfo/enterprise or send an email to [email protected] with a subject of "unsubscribe"
