GPO Wish: Timeout to restart firefox once update has been applied #577
Comments
This would be a big thing for Firefox in the enterprise.
This is an important feature for responding to critical vulnerabilities in Firefox, please consider prioritising it.
So I've looked into this and I think we already have preferences that do this. app.update.badgeWaitTime controls how long until the little dot shows on the menu after we have staged an update. It defaults to 345600 seconds (which is three days). app.update.promptWaitTime controls how long until we show a prompt after we have staged an update. It defaults to 691200 (which is eight days). By reducing app.update.promptWaitTime to 60, a user will be prompted to restart Firefox within a minute of an update being received. You can set these with the Preferences policy. Does this cover your use case? If so, I will create a specific policy for this so it's named.
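An added example, not part of the thread or of Mozilla's code: a small audit that reads a `policies.json` and reports the effective values of the two preferences named in the comment above, so an administrator can confirm the prompt delay fits their patch window. It assumes the `Preferences` policy's `Value`/`Status` entry format; the function name, the sample file content and the 3600-second limit are constructed for illustration. It checks prompt timing only and says nothing about whether a restart is enforced.

```python
import json

# Defaults as quoted in the thread (seconds).
DEFAULTS = {
    "app.update.badgeWaitTime": 345600,
    "app.update.promptWaitTime": 691200,
}

# Constructed sample policies.json content (assumed Preferences policy format).
SAMPLE_POLICIES = """
{
  "policies": {
    "Preferences": {
      "app.update.promptWaitTime": {"Value": 60, "Status": "locked"}
    }
  }
}
"""


def audit_update_prompt(policies_text, max_wait_seconds):
    """Return, per preference, the effective delay and whether policy pins it."""
    prefs = json.loads(policies_text).get("policies", {}).get("Preferences", {})
    findings = {}
    for name, default in DEFAULTS.items():
        entry = prefs.get(name)
        if isinstance(entry, dict) and type(entry.get("Value")) is int:
            result = {
                "value": entry["Value"],
                "managed": True,
                # "locked" means the policy value cannot be changed by the user.
                "locked": entry.get("Status") == "locked",
            }
        else:
            # Not set by policy: the built-in default quoted in the thread applies.
            result = {"value": default, "managed": False, "locked": False}
        result["within_limit"] = result["value"] <= max_wait_seconds
        findings[name] = result
    return findings


if __name__ == "__main__":
    # Hypothetical requirement: badge and prompt must appear within one hour.
    for pref, result in audit_update_prompt(SAMPLE_POLICIES, 3600).items():
        print(pref, result)
```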
@mkaply would this force a restart if the user doesn't restart? The equivalent Chrome policy gives the user a grace period with reminders at a set interval. Once the timeout is reached the user is forced to relaunch Chrome.
What does "forced to relaunch Chrome" mean? Does the browser stop working? Or does it simply show a dialog the user can't work around?
It shows a dialogue the user can't work around.
Thanks for replying and looking into this @mkaply. It is unusual to get such a quick reply from vendors/etc.
Given a 5 day forced restart window, after (configurable) 2 days a yellow/warning dismissible pop-up would appear daily asking the user to click a button to restart the browser. On the final day, a red/critical pop-up would appear informing the user that a browser relaunch will happen automatically in XX hours if they do not click the button, this final pop-up could be dismissible or non-dismissible. The first feature is what you were suggesting but the second one is critical for security reasons. This means that we can guarantee that after X days, we no longer run any vulnerable browser installs, whereas if it is optional we can't say that with any confidence and would be forced to manually coordinate forced restarts with users using other tools (e.g. operating system built-in pops, or emails). This will improve Firefox's enterprise adoption as it provides the tools to infrastructure/IT/Sysadmin teams to ensure the browser is running a secure version without impacting user experience (e.g. force killing firefox processes after a certain threshold). Edit: I'd be interested in this policy for Firefox on both Windows and Linux but I suspect people would also like it for OS X.
@mkaply, I am looking for something more forced that will annoy a user to restart the browser once the update has been applied. In Edge/Chrome-land the above box is displayed and disables the browser's functionality until a user makes a selection or it ultimately times out.
Yes exactly this. It's not about the timing so much as forcing the restart if the user doesn't update on their own.
Thanks @AlBrough, as with arjunasokan-bc, the really key feature is being able to force a restart if the user doesn't update on their own. This avoids the previously difficult choice of leaving vulnerable browser versions in operation until the user updated, or forcing an update through tools which are not Firefox aware (e.g. SCCM or PowerShell) and potentially disrupting the user. A third setting, e.g. app.update.forcedRestartWaitTime, which controls how long after the prompt shows up before the browser is forced to restart and install the update would be key. Ideally this would also be communicated in the prompt, with it showing the remaining time before a forced restart. Edit: I thought that you were replying from the Mozilla/Firefox team but was mistaken, sorry for the ping and repeating info.
We're aware of this need and it's on the radar.
No worries, for my use case I am not worried about disrupting the user - I would far rather have it restart than remain in a vulnerable state, MozFF is also not the primary browser in use so we have some carte blanche on restarting as required... 3 days of notice should also be enough, we have this with other platforms and it is sufficient.
Just chiming in here that this would be a huge plus to be able to GPO enforce. The current update process relies on the user to be logged in (background task runs as the user rather than system which is also an issue but a different problem but adds to the lack of speedy updates) and if FF is their primary browser they are not forced to restart no matter what sort of notification settings are used so it's incredibly easy to go weeks with an update staged but not applied. From a corporate vulnerability and cyber security perspective this makes FF much harder to manage compared to Chrome or Edge since those can have app restarts enforced to ensure a staged update applies within a reasonable time frame even if the user does not restart their browser actively.
This would be great so I can add it to the Configuration Profile for my company. If you will create a specific policy for this, please let me know ASAP. Prompting the user to restart the browser in order to complete the update as soon as possible would be greatly appreciated. We have over 1500 users using Firefox. @mkaply
Does that force the user to restart Firefox? There's no point in asking users to restart for an update and not enforcing it as most will just ignore the prompt.
Not necessary but it's great to have the option pop up right away. At the very least a majority of users might click it to get the update completed right away rather than never know.
I don't disagree that it's great to have the option pop up, but that doesn't solve the use case that we're asking for. Speaking from years of enterprise security management if you're depending on users self patching then you're leaving vulns in place. There needs to be an option like Chromium where you set a deadline, the user has x amount of hours/days to do it on their own and if they don't Firefox restarts itself with no way to stop it.
Hello, is there any estimate or roadmap info around when you think this could potentially become a reality?
Hello, has there been any new info or updates about this?
Unfortunately not. The team has had other priorities. I'll bring it up again.
Gday Mr mkaply- I know you must be busy, but is there any update on this feature?
We're planning on not including Firefox in our Azure migration because of the severe security risk of not having this capability still. I can't fathom why this has been treated as so low priority. No competent company would want to deploy a web browser that can't be managed to be up to date and secure.
We're also doing the same. Shifting away from both Firefox and Chrome in favor of Edge which provides superior management capabilities.
We're starting to try to look at this. One of the things I'd love to know is number of users that could be impacted by this. Would any of y'all be willing to share an approximate number of users that might use Firefox if we make this change?
We have about 1500 users who use Firefox mainly as a secondary browser.
So can someone who does this on Chrome/Edge tell me what happens at the end of this process? Is there a dialog that shows up and has a countdown or something and can't be dismissed and will restart the browser at the end? Or do the dialogs come up with more frequency as you get towards the restart time?
@mkaply it's the latter: you get more frequent notifications and then when it's time it re-launches automatically. Here are the docs on how the Chrome GPO/Policy works: https://support.google.com/chrome/a/answer/7679871?hl=en#zippy= So in our case we have a 72 hour window where they get notifications every 8 hours with a notification that they need to restart. And then if they don't after 72 hours it restarts.
As we approach the 4 year anniversary of this request, any chance there has been progress in the past 8 months? Is there something that is blocking progress?
Hi @nascentt - I recommend starting to phase out Firefox and support only Edge and Chrome at your organization. It is evident that Mozilla do not view Firefox as an Enterprise level browser.
We do view Firefox as an Enterprise level browser, but unfortunately we have other priorities and a much smaller team than Microsoft or Google.
800+
Could we please have a count-down/timeout feature to force restart Firefox after an update?
Chrome has this in their GPO template and it works well: