This week is all about managing and configuring Mozilla Firefox, with the main focus on using it with device-based Conditional Access. When looking specifically at Conditional Access, Mozilla Firefox is nowadays a supported browser for device-based Conditional Access scenarios on devices running Windows 10 and later. That is of course a really good thing, but it does require a specific configuration that should be in place within the browser. A single configuration that could be a real lifesaver on managed devices. Even better, on managed devices that configuration can also be set by using Microsoft Intune. To facilitate that, Mozilla provides easy configuration options via Group Policy templates. This blog post will provide a brief overview of importing those settings, followed by the steps to configure the required setting. This post will end with the user experience.
Important: At the moment of writing, the feature of importing third-party ADMX-files is still in public preview.
Importing the Mozilla Firefox ADMX-files
When looking at managing settings of Mozilla Firefox, it all starts with importing the third-party ADMX-files. For that, it’s important to be familiar with the current limitations of this feature. Those limitations will help with determining the usage of the feature.
- A maximum of 20 ADMX-files can be imported (each being 1MB or smaller)
- Each ADMX-file only supports a single language (each can also only be combined with a single ADML-file)
Important: At the moment of writing, only en-us ADML-files are supported.
Once familiar with the current limitations of importing third-party ADMX-files, it’s time to look at the steps to actually import those ADMX-files. With that it’s important to be familiar with the dependencies of those ADMX-files, as those dependencies should be imported first. That’s also applicable for the configuration of Mozilla Firefox. The configuration requires the firefox.admx file, which depends on the mozilla.admx file. The following five steps walk through the process of importing those files.
Important: At the moment of writing, the combo box setting type is still not supported.
- Download the ADMX and ADML-files for Mozilla Firefox here
- Open the Microsoft Intune admin center portal and navigate to Devices > Configuration
- On the Import ADMX tab, select Import to start the process of importing the ADMX-file and ADML-file
- On the ADMX file upload page, as shown in Figure 1, provide the following information and click Next
  - ADMX file (1): Select the mozilla.admx file to import
  - ADML file for the default language (2): Select the mozilla.adml file to import
  - Specify the language of the ADML file: At this moment English is selected and grayed out
- On the Review + create page, click Create
- Once the Status is Available, walk through step 2-4 for the firefox.admx file and the firefox.adml file
Keep in mind that the challenge will be in keeping the ADMX and ADML-files up-to-date. That’s because when uploading an ADMX-file with settings that are already imported, the upload will fail with a namespace error. That includes a new version of an ADMX-file that contains the same settings as the existing ADMX-file. So, when working with third-party ADMX-files, make sure to think about how to handle updates on those ADMX-files and the related settings.
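Both the dependency order and the namespace error described above can be checked before uploading anything. The following Python script is an added example, not part of the original post or of any Microsoft or Mozilla tooling; the function names and the trimmed sample files (including their namespace values) are constructed for illustration. It reads the `target` and `using` namespaces from each ADMX-file, orders the uploads so dependencies come first, and reports files that would hit the limits or collide with a namespace that is already imported.

```python
import xml.etree.ElementTree as ET

MAX_FILES, MAX_BYTES = 20, 1024 * 1024   # import limits stated in the post

def read_namespaces(admx: bytes):
    """Return (target namespace, namespaces it depends on) for one ADMX-file."""
    target, using = None, []
    for el in ET.fromstring(admx).iter():
        tag = el.tag.rsplit("}", 1)[-1]   # drop any XML namespace on the tag
        if tag == "target":
            target = el.get("namespace")
        elif tag == "using":
            using.append(el.get("namespace"))
    return target, using

def plan_import(files: dict, imported=frozenset()):
    """files maps file name -> ADMX bytes; imported holds namespaces already
    in the tenant. Returns (upload order, problems found before uploading)."""
    problems, pending = [], {}
    if len(files) + len(imported) > MAX_FILES:
        problems.append("more than 20 ADMX-files in total")
    for name, data in files.items():
        target, using = read_namespaces(data)
        if len(data) > MAX_BYTES:
            problems.append(f"{name}: larger than 1MB")
        if target in imported:            # re-upload fails with a namespace error
            problems.append(f"{name}: namespace {target} is already imported")
        else:
            pending[name] = (target, using)
    order, done = [], set(imported)
    while pending:
        ready = [n for n, (_, deps) in pending.items() if set(deps) <= done]
        if not ready:                     # what is left has an unmet dependency
            problems += [f"{n}: missing dependency" for n in sorted(pending)]
            break
        for n in sorted(ready):
            done.add(pending.pop(n)[0])
            order.append(n)
    return order, problems

# Constructed stand-ins for the real files: only the namespace header is kept.
MOZILLA = b"""<policyDefinitions><policyNamespaces>
  <target prefix="Mozilla" namespace="Mozilla.Policies"/>
</policyNamespaces></policyDefinitions>"""
FIREFOX = b"""<policyDefinitions><policyNamespaces>
  <target prefix="firefox" namespace="Mozilla.Policies.Firefox"/>
  <using prefix="Mozilla" namespace="Mozilla.Policies"/>
</policyNamespaces></policyDefinitions>"""

if __name__ == "__main__":
    print(plan_import({"firefox.admx": FIREFOX, "mozilla.admx": MOZILLA}))
```

To use it on real downloads, read each ADMX-file in binary mode and pass the namespaces of the files already listed on the Import ADMX tab as `imported`.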
Configuring the required settings in Mozilla Firefox
After importing the different required ADMX and ADML-files, the available settings within those ADMX-files become available for configuration via Microsoft Intune. That can be achieved by using the configuration template named Imported Administrative templates. That template can be used to easily browse through the available imported settings for managing the configuration of Mozilla Firefox, including the required setting for usage with device-based Conditional Access. That setting is Allow Windows single sign-on for Microsoft, work and school accounts within the browser itself, which translates to Windows SSO within the available settings. The following eight steps walk through the process of configuring that specific setting in Mozilla Firefox.
- Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > Configuration
- On the Devices | Configuration profiles page, click Create profile
- On the Create a profile blade, provide the following information and click Create
  - Platform: Select Windows 10 and later as platform
  - Profile type: Select Templates > Imported Administrative templates as profile type
- On the Basics page, provide at least a unique name and click Next
- On the Configuration settings page, as shown in Figure 2, configure the following setting and click Next
  - Navigate to Computer Settings > Mozilla > Firefox, select Windows SSO (1) and select Enabled (2)
- On the Scope tags page, configure the required scope tags and click Next
- On the Assignments page, configure the required assignment and click Next
- On the Review + create page, verify the configuration and click Create
Experiencing the new configuration
When the configuration of Mozilla Firefox is in place, it’s time to actually verify the configuration. That can be done in many different ways. As the configuration is ADMX-backed, the verification can be done in the registry, the Settings app, or even the browser itself. The latter actually also provides the most concrete information, as the browser provides direct access to all available configurations and the applied configuration (similar to Microsoft Edge). Simply open Mozilla Firefox, navigate to Settings and scroll to the Passwords section. The setting Allow Windows single sign-on for Microsoft, work and school accounts should be selected and grayed out, as shown below in Figure 3 with number 1. Besides that, the top of the page should notify the user that the browser is managed, as shown below in Figure 3 with number 2. Clicking on that notification will bring the user to the applied policies on that browser, as shown below in Figure 3 with number 3. That should provide an overview of the applied settings with configured values. In this case that should be WindowsSSO that is set to true.
More information
For more information about managing third-party ADMX-files, and Mozilla Firefox ADMX-files, refer to the following docs.
- Conditions in Conditional Access policy – Microsoft Entra ID | Microsoft Learn
- Import custom and third-party partner ADMX templates in Microsoft Intune | Microsoft Learn
- Releases · mozilla/policy-templates
- policy-templates | Policy Templates for Firefox