Manage Mozilla Firefox settings with Microsoft Intune

The last couple of weeks I wrote a lot of blog posts related to managing the new Microsoft Edge browser with Microsoft Intune. And in the past I wrote articles about managing Internet Explorer and Google Chrome. it`s now time to show how the other popular webbrowser, Mozilla Firefox, can be managed using Microsoft Intune.

Like Google Chrome, Firefox can also be managed using a Custom configuration profile for Windows 10. The policy consists of two parts. The first part is used to deploy the Firefox ADMX file to the Intune managed device. The second part of the policy is used to manage the settings of choice.

Deploy the Firefox ADMX file

The Firefox ADMX file can be downloaded from GitHub. After downloading the file, locate the ADMX file and open the file with a text editor.

Now open a browser to sign-in to the Microsoft Endpoint Manager (Intune) portal.

• Sign-in to the Device Management Portal
• Browse to Devices – Windows
• On the Configuration Profiles tab click Create profile

• Give the configuration profile a Name
• Enter a Description (optional)
• Choose Windows 10 as Platform
• Choose Custom as Profile type
• Click the Settings tab
• Click Add

With this row we deploy the ADMX file to the Windows 10 device. As you can see the OMA-URI contains ADMXInstall.
More info on how the OMA-URI is build up and complementing information about ADMX-backed policies can be read in this article on Microsoft Docs.

Enter below information to the policy;
Name: Firefox ADMX Ingestion
OMA-URI: ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Firefox/Policy/FirefoxAdmx
Data Type: String
Value: As value copy the entire content of the ADMX file in the value field

Click OK twice and click Create.

The policy to deploy the ADMX file is ready. In the next steps we add the settings we manage with Intune to the same policy.

How to build up the OMA-URI

As with deploying the ADMX file, for the settings to manage we also need to know the OMA-URI. But the OMA-URI for managing the settings consists of some information we need to collect ourselves from the Firefox ADMX file.

This is for example the OMA-URI to manage the Homepage URL
./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Homepage/HomepageURL
Let`s split up the OMA-URI in seperate parts.
This is default for managing applications using an ADMX file:
./Device/Vendor/MSFT/Policy/Config/

The part that comes next is not always the same, we need to follow some rules:
Firefox~Policy~firefox~Homepage
It starts with Firefox (the ADMX file name), like in the ADMXInstall URI, followed by Policy. Between every part we have the ~ sign.
After Policy we see the name of two categories. These categories can be found in the Chrome ADMX file.
When we open the ADMX file in a text editor, we can see there are several categories. The first categorie we find in the ADMX file is the top category and as we can see that is firefox (name). We put this in the OMA-URI after Policy.

If we search for the actual policy we want to control, in this case HomepageURL, we also find there is a category mentioned for that policy. It is the parentcategory of HomepageURL, Homepage.
So homepage is the next part of our OMA-URI.

The last part of our OMA-URI is the actual policy displayname, in this case HomepageURL. If we put al this information together, we have our OMA-URI.

Manage Homepage settings

We start with managing the settings from the Homepage categorie. These are settings like the Homepage URL and Startpage.

We have already seen how to build the OMA-URI for the policy HomepageURL, so let`s start with that one. The Data type for these settings is always String. Than we only need to know what our Value is.

The value starts with <enabled/> (or <disabled/> if you like to disable a setting).
If we have a setting which can only be set to enabled or disabled, than that`s the value.

But for HomepageURL, we need to set the actual homepage URL. In this case <enabled/> is followed by a data id. The data id is found again in the ADMX file, in below example the text id, HomepageURL. And as last we need to set a value, the valuename, which is the URL from your website of choice.
This policy also contains a second setting, which is optional, with which we can lock the homepage. To enable this setting we also start with <enabled/> followed by a boolean id as data id (HomepageLocked). As value we have two choices which are mentioned, trueValue, disabledValue.

Switch over to the Intune portal.

• Open your existing custom policy or create a new policy
• On the settings tab click Add
• Give the Row a Name
• Fill in the OMA-URI:
  ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Homepage/HomepageURL
• Data type: String
• Value:

<enabled/>
<Data id="HomepageURL" value="https://inthecloud247.com"/>
<data id="HomepageLocked" value="true"/>

• Click OK

That`s all to manage our first Mozilla Firefox setting using Microsoft Intune!

The next example is the Homepage Startpage. Open the ADMX file and search for the corresponding policy. With the information found in the ADMX file we can create the OMA-URI.
The parentcategorie is Homepage, the setting itself is HomepageStartpage.
The data id is in this setting enum id=Startpage.
For this setting we have three options we can set as value; none, homepage and previous-session. I choose homepage in this example.

• Open the Intune portal
• Give the Row a Name
• OMA-URI:
  ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Homepage/HomepageStartPage
• Data type: String
• Value:

<enabled/>
<data id="StartPage" value="homepage"/>

• Click OK

If you`d like to configure additional homepage URLs, we can use the setting HomepageAdditional for that. In the ADMX file we find the ID to be used in the value field and further not much info.
We can add multiple URLs to the setting. Every URL needs to be separated with the (encoded) unicode character &#xF000 and because we need to number the URLs, the unicode character is also used between the number and the URL.

• Open the Intune portal
• Give the Row a Name
• OMA-URI:
  ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Homepage/HomepageAdditional
• Data type: String
• Value:

<enabled/>
<data id="HomepageAdditional" value="1&#xF000;http://www.microsoft.com&#xF000:2&#xF000;http://www.mempowered.eu"/>

• Click OK

With this settings we have configured a homepage URL, made sure an user cannot change it and the startpage URL is set to the homepage.

Manage Block About settings

The next example is a setting to block access to the about:config page. As you can see in the AMDX file, this policy setting isn`t located under a subcategorie, but direct onder the top categorie, firefox.
Another difference with the previous policies, there is no id mentioned. This policy can only be set to <enabled/> or <disabled/>.

• Open the Intune portal
• Add a new row
• Give the Row a Name
• OMA-URI:
  ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox/BlockAboutConfig
• Data type: String
• Value:
  <enabled/>
• Click OK

Let`s move on to the next example.

Manage Tracking Protection settings

Firefox contains a feature called Tracking Protection, like we have seen in the new Edge browser. This feature can be managed with a couple of settings.
With the first setting we enable Tracking Protection.
Open the ADMX file and search for TrackingProtection.
With the setting A_TrackingProtection_Value we enable the feature.

• Open the Intune portal
• Add a new row
• Give the Row a Name
• OMA-URI:
  ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~TrackingProtection/A_TrackingProtection_Value
• Data type: String
• Value:
  <enabled/>
• Click OK

I want to make sure Tracking Protection isn`t switched off by the user, which is done with the setting E_TrackingProtection_Locked.

• Open the Intune portal
• Add a new row
• Give the Row a Name
• OMA-URI:
  ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~TrackingProtection/E_TrackingProtection_Locked
• Data type: String
• Value:
  <enabled/>
• Click OK

With this last example I make sure trackers are blocked for cryptominers, which can be done with the setting B_TrackingProtection_Cryptomining.

• Open the Intune portal
• Add a new row
• Give the Row a Name
• OMA-URI:
  ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~TrackingProtection/B_TrackingProtection_Cryptomining
• Data type: String
• Value:
  <enabled/>
• Click OK

When your done adding the ADMX file and all the settings, make sure to assign the policy to a security group.

End-user experience

Let`s have a look at the end-user experience.
Make sure the policy is applied to an Intune managed device with Mozilla Firefox.

When we now start Firefox, the homepage which we set with the policy is shown.
If you also configured the HomepageAdditional setting, multiple tabs with websites are opened.

If we open Settings, we see the homepage settings section is greyed out. And we see a message on the top of the page; Your browser is being managed by your organization.

When you click on that message the about:policies page is opened which shows all managed settings.

Switching back to the Settings, on the Privacy & Security tab we see Enhanced Tracking Protection is also managed. Tracking Protection is set to custom, Tracking content and Cryptominers is checked.

That`s it for this blog post. I hope you find it informative and if you have any questions, let me know in the comments!

To see how you can manage bookmarks using Intune, read the follow post!

NB: Don`t just copy/ paste the policy values into your own custom policies. Unfortunately WordPress converts the double quotes So please replace the quotes from the article before deploying the settings.