How to Restrict Firefox Extension Installation for Non-Admin Users via Group Policy and Enterprise Policies


6 views

In enterprise environments, controlling browser extensions is crucial for security and compliance. Firefox provides multiple methods to restrict extension installation for non-admin users, primarily through Group Policy (Windows) and enterprise policies (cross-platform).

For Windows systems, the most effective method is using Firefox's ADMX templates:


1. Download the latest Firefox ADMX templates from Mozilla's website
2. Place them in your Group Policy Central Store
   - admx files in \PolicyDefinitions\
   - adml files in \PolicyDefinitions\en-US\
3. Configure the following policies:
   - Disable extension installation (User Configuration)
   - Locked extension whitelist (if needed)

For cross-platform control, create a policies.json file:


{
  "policies": {
    "Extensions": {
      "Install": ["https://addons.mozilla.org/firefox/downloads/latest/extension-name/latest.xpi"],
      "Locked": ["extension-id@mozilla.org"],
      "Blocked": ["*"]
    }
  }
}

For Windows deployment via GPO:


# PowerShell script to deploy policies.json
$firefoxDir = "$env:ProgramFiles\Mozilla Firefox\distribution"
if (-not (Test-Path $firefoxDir)) {
    New-Item -ItemType Directory -Path $firefoxDir
}
@'
{
  "policies": {
    "Extensions": {
      "Blocked": ["*"]
    }
  }
}
'@ | Out-File "$firefoxDir\policies.json" -Encoding utf8

After implementation, verify the restrictions by:

  1. Attempting to install extensions via Firefox Add-ons site
  2. Checking about:policies page for active policies
  3. Validating registry keys (Windows): HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox

For more granular control, consider these additional policies:


{
  "policies": {
    "ExtensionSettings": {
      "*": {
        "installation_mode": "blocked"
      },
      "uBlock0@raymondhill.net": {
        "installation_mode": "allowed"
      }
    }
  }
}

Firefox provides enterprise-level control through policies.json configuration, which allows system administrators to restrict extension installation. This is particularly useful in corporate environments where unauthorized extensions might pose security risks or compliance issues.

Create or modify the policies.json file in Firefox's installation directory. The path varies by operating system:

// Windows
C:\Program Files\Mozilla Firefox\distribution\policies.json

// macOS
/Applications/Firefox.app/Contents/Resources/distribution/policies.json

// Linux
/usr/lib/firefox/distribution/policies.json

To completely block all extension installations:

{
  "policies": {
    "Extensions": {
      "Install": [],
      "Locked": ["*"]
    }
  }
}

To whitelist specific extensions while blocking others:

{
  "policies": {
    "Extensions": {
      "Install": [
        "extension1@example.com",
        "extension2@example.com"
      ],
      "Locked": ["*"]
    }
  }
}

For Windows domains, you can use ADMX templates:

1. Download Firefox ADMX templates from Mozilla
2. Import them into Group Policy Management
3. Navigate to: Computer Configuration → Policies → Administrative Templates → Mozilla → Firefox → Extensions
4. Enable "Block installation of all extensions"

Users attempting to install extensions will see one of these messages:

  • "This extension has been blocked by your system administrator" (complete block)
  • "Add-ons can only be installed if approved by your system administrator" (whitelist scenario)

If policies aren't applying:

  1. Verify the policies.json file is in the correct location
  2. Check file permissions (administrators should have write access)
  3. Type about:policies in Firefox to verify loaded policies
  4. On Windows, run gpupdate /force to refresh group policies