In this article I’ll show you how to install and configure FireFox in a non-persistent Session Host environment. By non-persistent I mean in a Citrix Virtual Apps and Desktop setup deployed either via Citrix Provisioning or via Citrix Machine Creation Services. However you should be able to use this guide in Microsoft RDS and VMware Horizon as well.

During my research and testing of FireFox I have of course become more familiar with the browser, and it is also currently my second choice of browser, my first choice is still Microsoft Edge. Until recently my second choice was actually Internet Explorer, but I am more and more often experiencing issue with different web sites when using IE, so it’s now down to third choice.

Unfortunately in Session Hosts, we do not have access to the Microsoft Edge, only Internet Explorer is available out of the box. Microsoft has decided that the Edge browser, among other in-box Universal Windows applications, are only available in the semi-annual releases of Windows.

For anyone caring a bit about privacy, it may also be that FireFox is becoming one of the last independent browsers out there, as Microsoft late last year announced that Edge is moving to the Chromium open source project.

This means that at some point two of the four major browsers (Edge, Google Chrome, FireFox and Internet Explorer) will be running on the Chromium core.

To get started you will need to pick a FireFox installer that suits your needs. Currently FireFox is being maintained in two tracks, the Regular Release and Extended Support Release (ESR).
The ESR edition of FireFox is not updated with new features, updates will only address security vulnerabilities. Updates to the Regular Release may contain feature additions and will also address security vulnerabilities. So going with the ESR edition, could mean less testing when the browser is updated, as any updates will not contain new features.

Mozilla has a release calendar for 2019 where you can track when a new Regular Version is released.

For this article I am using the latest ESR 64-bit edition of FireFox, which currently is version 60.5.0. You can find the latest ESR edition here:
https://www.mozilla.org/en-US/firefox/organizations/all/.

You will also need the Group Policy Administrative Templates for FireFox, they can be found at Mozillas GitHub repository here:
https//github.com/mozilla/policy-templates

Click “Clone or Download”. That triggers a download of a ZIP file which contains the ADMX and ADML files needed.

So let’s get started.

Installing FireFox manually is pretty straight forward, I will not provide an install guide here. I will instead show how to do an unattended install of FireFox.

To do an unattended install of FireFox via command line or a script, you will need an INI file, with a few options.

Here are the contents of the INI file I use:

[Install]
;The name of the directory where the application will be installed in the system's program files directory
InstallDirectoryName=Mozilla Firefox

;Create a shortcut for the application in the current user's QuickLaunch directory. 
QuickLaunchShortcut=false

;Create a shortcut for the application on the desktop.
;This will create the shortcut in the All Users Desktop directory
;If that fails this will attempt to create the shortcuts in the current user's Start Menu directory. 
DesktopShortcut=false

;Create shortcuts for the application in the Start Menu.
;This will create the shortcuts in the All Users Start Menu directory
;If that fails this will attempt to create the shortcuts in the current user's Start Menu directory.
StartMenuShortcuts=true

;The MozillaMaintenance service is used for silent updates and may be used for other maintenance related tasks.
;It is an optional component.
MaintenanceService=false

Additional information about the arguments can be found here:
https://wiki.mozilla.org/Installer:Command_Line_Arguments

An important thing to remember is to include the “MaintenanceService=false” in the INI file, this excludes the FireFox Maintenance Service from the install process.
According to Mozilla this service is used for silent updates and “other maintenance tasks” whatever that means. As we all know it’s usually not a good idea to do any kinds of updates or “other maintenace tasks” in a Session Host based setup, whether it’s non-persistent or not. A certain degree of application control is still needed.

To install FireFox unattended using the INI file, use the /INI=<full path to configuration INI file> install switch, like this:
“Firefox Setup 60.5.0esr.exe” /INI=”C:\Temp\FireFox-Unattend-INI.ini”

If you are using the INI file provided above, everything should go through smoothly and you should now have a shortcut to FireFox in the Start Menu only, and no Maintenance Service. To verify whether the Maintenance Service is installed or not, go the Services console. If you see a service called “Mozilla Maintenance Service”, the service is installed. You can either remove FireFox and do another install, or simply disable the service.

Now to the more exiting part, group policy. We are going to create a FireFox GPO which configures a few things that addresses general usability and a bit of security/privacy.

Import the ADMX and ADML into your Central Store, then you should be able to access the FireFox group policy settings.

As you can see, we have a few possibilities when it comes to managing the configuration of FireFox. I will not go through every single policy, I will however show you the GPO I have implemented. Just remember that some of the settings in this GPO might not apply to your environment, so read the policy descriptions, understand them, and test whatever policies you apply.

All policies are configured in User Configuration. I prefer this approach, as I am then able to do security filtering of users and/or groups, which enables users and/or groups to receive different group policy configurations.

Here I block the access to the “about:config” page. This page contains a lot of very advanced features and settings, which probably isn’t a very good idea for a regular user to be messing around with.

Other noticeable policies are “Disable System Addon Updates”, which disables the update of System Addons, again we don’t want that in a Session Host based environment. The “Disable Update”, disables the update of FireFox itself.

“Tracking Protection” is enabled, and the user cannot disable it. This provides a security/privacy feature in FireFox which blocks content, cookies or scripts from collecting your browsing data across multiple sites. I recommend enabling the feature in a Session Host based environment, as it will reduce the CPU usage of the FireFox browser dramatically and provide some basic privacy when browsing the internet. A similar feature exists in Internet Explorer, which I have mentioned in another blog post.

The “Allow add-on install from website” is disabled, which prevents the user from installing add-ons to FireFox. We want control of the FireFox application, there are all kinds of add-ons doing all kinds of different things, we don’t want that on our Session Hosts.

The last part is the “Default Search Engine”. Here I configure Google as the default search provider, have you ever met a user that wanted another search provider than Google?
I also remove some built in search providers and essentially only allow Google and DuckDuckGo in the list of search providers and prevent manual addition of other search providers.

This concludes the guide. With this information you should be able to do an unattended setup of FireFox and configure a basic lockdown GPO to deliver a good user experience and prevent users from “messing thing up” for themselves, other users on the Session Host or the Session Host server.