Well, I’ve been threatening to do this for a while but I’ve decided to resurrect my seemingly forgotten project, FirefoxADM.

First of all:  why?  Well, a lot of that is connected to why I stopped updating it.  The last version I released, 0.4, contained the vast majority of settings that I, and people who contacted me, seemed to need to implement Group Policy control in the enterprise.  I had no desire, or especially time, to keep adding more and more obscure settings that ultimately no one would ever use.  There were also another couple of angles to it:  firstly, at the time, I wanted to see if there was any way I could make the Group Policy Add-on (ADM XPI) I wrote a more flexible solution.  Unfortunately, that one has never really flown for a few reasons that I will come back to in another post.  Secondly, there seemed to be a growing movement of people interested in creating a Mozilla-backed enterprise solution.  Now, to be utterly honest, extremely little has happened on that front in the past 3 years.  That is not the fault of anyone involved in that process, I should add, but all of that is for another post too.

I am restarting FirefoxADM because there are a number of new things that I want out of it, some new features and some changes to the way it works.  There are also a number of new preferences that have come into play in the past 3 years.

I’m also hugely delighted at the sheer amount of people who contact me from across the globe who are using FirefoxADM in their environment.  That really gave me the biggest urge to start this up again, so onwards and upwards.  Any requests?


FirefoxADM and Firefox 3

February 22, 2008

I think it is best I am completely open while I investigate this further, and to forewarn users of FirefoxADM that they may need to investigate another method of preference locking when they are considering deploying Firefox 3.

A couple of days ago, I tried Firefox 3 Beta 3 with a normal install of FirefoxADM and, to date, I have not been able to get it to work at all – either setting default preferences or locking preferences.  This is obviously a bit of a blow.

I feel that this could be connected to a bug in the Firefox code, as I have been unable to get locking working in any form (such as using the traditional method).

It’s very early in the process of investigating this but if anyone has tried Firefox 3 and FirefoxADM and has any other experiences, please let me know.

I’ll post any updates to this here as well as in a new blog entry.

UPDATE (29/5/08):  Oh THANK GOODNESS…  https://bugzilla.mozilla.org/show_bug.cgi?id=427927 was the bug and it is fixed.  FirefoxADM and Firefox 3 like each other again!  Thanks to wzzrd for his comment.

Back when I was actively coding FirefoxADM, one question I would get quite often was:  “when are we going to see ThunderbirdADM?”.

My answer was that I really wanted to do this, to allow users to be able to control both Firefox and Enterprise as either their main or alternative browser and email clients.  Unfortunately, I didn’t really get round to it due to the unwieldy way I built FirefoxADM.

So let’s look at it now…

Controlling Thunderbird actually works in exactly the same way as the way that was the basis for FirefoxADM.  The big problem is, because things have been moved around, some functionality changed, it wasn’t always obvious how this was done.  Now, from this point, I am going to talk in a Windows context.  However, as far as I can tell, this should work on all platforms.

First things first:  install Thunderbird and run it for the first time.  To follow some of the prefs, it is better if you use a cleanly built machine, but if you are doing this on your machine, with your own settings in play, be careful!  If you are using it for the first time, set it up as you would want to see it in your enterprise environment if Thunderbird was freshly installed.  The overall aim of this exercise is to take a large number of these preferences you just set up and apply them to users.  You want some to be locked, some to be default and you want them in there automagically when the user first uses Thunderbird.

Navigate to where Thunderbird is installed.  This will usually be C:\Program Files\Mozilla Thunderbird.  The way the enterprise management works in Thunderbird goes all the way back to Netscape.  There was a hidden preference in Netscape called “general.config.filename”.  This preference set the location of a central configuration file.  By default, this file was a ROT 13 file.  ROT is a very simplistic byte shifting encryption.  For example, the word “MARK” would be “NBSL” at ROT 1, “OCTM” at ROT 2 and therefore “ZNEX” at ROT 13.  Fortunately, there is another setting, “general.config.obscure_value” which allows you to set the ROT value.  I prefer ROT 0!

Where do we put this?  Inside the greprefs directory in Mozilla Thunderbird’s installation directory, create a file.  Call it “adm.js”.  Now, let’s put these two settings in there, and call the configuration file tbirdadm.cfg (from the filename, you can see where I’m going with this!):

pref("general.config.obscure_value", 0);
pref("general.config.filename", "tbirdadm.cfg");


We now want to get all those settings you made.  Go to your Application Data directory (for Vista users, that’s in C:\Users\<username>\AppData\Roaming, XP/2000 is in C:\Documents and Settings\<username>\Application Data).  There should be a folder there called Thunderbird.  Go in there, into the Profiles directory that is below that and you should see a directory called, well, something.  It’s a random name.  Inside that folder you see your profile.  The file we are interested in is prefs.js.  Open it and you will see it looks something like this:


And here you have the settings you really want to push out to your users.  You now have to choose which settings to use.  This is the really tricky part.  There will be a LOT of trial and error at this stage – finding all the right settings can be a pain.  One gotcha with the prefs.js file is that it only includes preferences where the user has values that are different to those Thunderbird has as default.  If you have a fresh profile as I said earlier, I suggest you copy from this file all the preferences whose lines start with “user_pref("mail…”.  Now, in the C:\Program Files\Mozilla Thunderbird directory, create a file called “tbirdadm.cfg”.  Paste all the settings you had in there.  Now, replace all the “user_pref” in that file with “lockPref” (i.e. Edit, Replace) and close the file.

Time to test!  Rename the entire Thunderbird directory from the Application Data directory to Thunderbird.bak.  Fire up Thunderbird.  You are now a first time user using Thunderbird.  Hopefully, Thunderbird will now be using your managed preferences and will automatically have configured Thunderbird to act as you want it to for a first time user.  What’s more, all the settings will be locked from being changed:


Do not be despondent if, when you loaded Thunderbird up, you got an error, or no accounts were set up.  Close Thunderbird, delete the Thunderbird directory, go into the Thunderbird.bak directory and have another look at that prefs.js file.  You might also find that some values seem not locked.  Thunderbird is a tricksy application in that way.  Sometimes, settings aren’t locked or you find there are workarounds.  For example, in that screenshot above, if someone ticks and unticks that “Attach this signature” box, it unlocks the box.  The problem is that the tick box is not locked, because it never appeared in the prefs.js, as unticked is the default.  So, you tick the box, close Thunderbird, go to the prefs.js file and find this value:  user_pref("mail.identity.id1.attach_signature", true);.  Therefore, you just add:  lockPref("mail.identity.id1.attach_signature", false);  to the tbirdadm.cfg file.  There are plenty more of these to find!

Once you have all that working, you have one last major problem, which is that some of the settings are specific to you.  For example, in mine, many of them use my username.  You now have to genericise the settings.  Fortunately, you can use getenv to get Environment Variables.  This is useful because you can change a line like:

lockPref("mail.identity.id1.draft_folder", "imap://msammons@mailserver.com/Drafts");

to:

lockPref("mail.identity.id1.draft_folder", "imap://" + getenv("username") + "@mailserver.com/Drafts");

Not all settings are going to be as easy as that to make generic.  Some may even require some user interaction.  Some may require some more programming in the tbirdadm.cfg file (remember, this is effectively inside Thunderbird, so any JavaScript code you put in there, Thunderbird will try to execute…).  For instance, their email address and full name may not be things you can set generically and you will have to teach users to set these themselves (although I think it is the case that in those two examples Thunderbird will demand these are set when you first try to send an email).

I said earlier that you might want to set default settings as opposed to locked ones.  Simple:  find the setting in tbirdadm.cfg and change lockPref to defaultPref.
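The copy, replace and genericise steps above can be scripted.  The following is an added example, not part of the original post or of FirefoxADM; the function names, the defaults and extra_locks parameters and the sample prefs.js text are assumptions made for illustration.

```python
import re

# One line of a profile's prefs.js: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')


def genericise(value, username):
    """Swap a hard-coded user name inside a string value for getenv("username")."""
    if not (value.startswith('"') and value.endswith('"')):
        return value  # numbers and booleans cannot contain a user name
    # Whole-word match only, so "msammons" does not hit "msammonsville".
    word = re.compile(r'(?<![A-Za-z0-9])' + re.escape(username) + r'(?![A-Za-z0-9])')
    return word.sub('" + getenv("username") + "', value)


def build_cfg(prefs_js, username, defaults=(), extra_locks=None, prefix="mail."):
    """Build tbirdadm.cfg text from the text of a profile's prefs.js.

    defaults:    pref names to emit as defaultPref instead of lockPref
    extra_locks: {name: JS literal} for prefs that never show up in prefs.js
                 because the user's value equals Thunderbird's default
    """
    # The first line of the config file is skipped when it is read, so it
    # must be a comment and never a real setting.
    out = ["// tbirdadm.cfg (first line is ignored, keep it a comment)"]
    for line in prefs_js.splitlines():
        m = PREF_LINE.match(line)
        if not m or not m.group(1).startswith(prefix):
            continue  # header comments and non-mail prefs are left out
        name, value = m.groups()
        func = "defaultPref" if name in defaults else "lockPref"
        out.append('%s("%s", %s);' % (func, name, genericise(value, username)))
    for name, literal in sorted((extra_locks or {}).items()):
        out.append('lockPref("%s", %s);' % (name, literal))
    return "\n".join(out) + "\n"


# Constructed sample input, not taken from a real profile.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("app.update.enabled", false);
user_pref("mail.identity.id1.draft_folder", "imap://msammons@mailserver.com/Drafts");
user_pref("mail.identity.id1.organization", "msammonsville Ltd");
user_pref("mail.server.server1.check_new_mail", true);
user_pref("mail.server.server1.userName", "msammons");
"""

if __name__ == "__main__":
    print(build_cfg(
        SAMPLE_PREFS_JS,
        username="msammons",
        defaults={"mail.server.server1.check_new_mail"},
        extra_locks={"mail.identity.id1.attach_signature": "false"},
    ), end="")
```

Because Thunderbird executes tbirdadm.cfg as JavaScript, review the generated file before deploying it and keep it writable by administrators only.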

This is a bit of a wordy skip through the process but it’s quite a simple process really.

In the last week, I did an email interview with Computerworld magazine, regarding Firefox and FirefoxADM.

You can read the resulting article here.

So, what do I think of the final article?  Well, it’s pretty much spot on for the situation as it is.  I have to say, I gave them a lot more information than they used from me, which is kinda annoying.  But expected, really, in that they wanted to make a readable article.

The article’s writer, Eric Lai, did a good job of including the opinions of most of the people who should have been asked:  Mike Kaply, Eric from Frontmotion, Rafael Ebron (who did a great job of spreading word of our third party tools) and, dare I be arrogant to say, myself.  I absolutely agree with what Mike, Eric and Rafael say in the article.

The article, though, unfortunately exposes the real problem with Firefox in the enterprise:  Mozilla.  Chris Hofmann from Mozilla gave some comments and they are ridiculous and FUD.  From the article:

He dismissed Active Directory as a “proprietary technology” that would hurt rather than help Firefox administrators.

“Multiple levels of permissions applied across different groups add a lot of complexity,” he said. “If you look at the track record for that feature, it’s resulted in less security for IE.”

This is rubbish.  Complete and absolute rubbish.  In fact, when he says “multiple levels of permissions”, I’m not actually sure he even knows what the hell he’s even talking about.  And this is the guy Mozilla put in charge of Enterprise strategy.  Heaven help us!

All of this has made me come to a decision.  I am going to start to look at sourceforge, the emails I’ve had over the past 3 years, looking at Firefox to see anything I’ve missed and am going to draw up a list of features I want to implement for new versions of FirefoxADM.  If you have feature requests, let me know.

Whose Service Is It Anyway?

January 11, 2008

In recent weeks, a story erupted within the Educational Web 2.0 market, and it showed there exists a worrying lack of understanding about the entire area.

The story goes a little like this:  there is a company called Curverider, set up by a couple of guys who used to work in education.  Their main product is an open source social networking/PLE environment called Elgg.  Their own install of this social network, Eduspaces, gained some traction in the education community and began to get used by a reasonably large number of people.  Curverider then spun off Elgg to become a community-run project in Autumn of this year and all seemed right in the world.  Then, BOOM!, late-December, Curverider announced they were to close Eduspaces on January 10th, as they had made the decision to exit the education market.  If they wanted to create the maximum damage they could, this was the way to do it – a lot of people working in Higher Education go off for Christmas break mid-December and don’t return to work until 7th January at the earliest.  Unsurprisingly, the members of the community who were there were livid, especially as many were using it for assessments and teaching.

As it turned out, within a week, a Canadian NPO called TakingITGlobal.org took over the hosting and database of Eduspaces and the future of the community is again safe.

However, it’s what happened behind the scenes and the psyche of the community that I find interesting.

At the end of the day, this was a completely free service (with no commercial sponsorship or advertising on the site) being given to the users and a service which seemed like it probably cost quite a bit of time and money for Curverider to host and run.  My initial reaction was to side with Curverider and take an attitude of “the community didn’t pay for it, so Curverider owe them nothing and can do what the hell they want with the service”.

However, the more I thought about this particular type of service, the more my mind changed.  See, there is a thing about Eduspaces that I noticed as I browsed the site.  Simply put, as a tool the software is, well, crap.  The site layout is not good, some features are laughably awful (look at this page from the Browse all communities feature – I bet you can’t tell me without a great deal of pain which of the 82 pages that is!) and it’s a poor competitor to many of the other social networks.  Yet, it’s successful.  The measure of how successful a social network is, isn’t how great the software is, how snazzy the layout is or how many buzzwords like AJAX you can shoehorn into it – the measure of success is how big and how active the community is.  Given how important they therefore are, the community deserved to be in on the conversation when the future and closure of Eduspaces was first considered.

The guys from Curverider then explained why it was closing and, boy oh boy, I can’t think of the last time I read such a trite explanation.  According to them, Eduspaces is to close because of a raft of bodies – funding bodies, universities, proprietary software companies.  Anyone but them.  How ridiculous.

What is a horrible paradox is I feel really bad criticising these guys.  After all, if you read the comments on their site, people are appreciative of what they did in providing this service.  All they didn’t appreciate was the relationship between community and service provider.  In announcing the closure of Eduspaces as they did, they massively disrespected the community.  At the same time, I feel the community should police itself to make sure they are not disrespecting the service provided.  In my opinion, all those who were using it for teaching were disrespecting the service, especially as it says in the T’s & C’s that such behaviour is “at your own risk”.  I find it interesting that now TakingITGlobal.org have taken over the service, they have talked about having an “advisory group” of the users.  This definitely helps form the relationship better.  Interesting times ahead here.

Group Policy Preferences

December 11, 2007

Here’s an interesting tidbit that came out of Microsoft’s Tech-Ed IT Forum conference:  Group Policy Preferences.

Group Policy Preferences is, basically, 20 client side extensions for group policy which Microsoft acquired when it acquired DesktopStandard and its DesktopStandard PolicyMaker Family product.  You can read more about them at the link above.

A lot of people will have their own solutions via scripts which mimic the functionality from some of these extensions but these native tools will allow you to cut back on things like login and startup scripts, have increased auditing information when doing things like Group Policy Results Wizard and allow you to control settings which, to date, haven’t been easy to set with scripts.

Good to see these sort of tools being released to administrators generally and not just as part of the Software Assurance-only Desktop Optimization Pack.

A wee while back, I mentioned that I had gotten involved in an effort called the Firefox Enterprise Working Group.  So, any news to report?

To be honest, despite the valiant efforts of Mike Kaply, things have somewhat stuttered.  The first conference call was very well attended (although I haven’t seen actual numbers) and the debate lively.  Unfortunately, the numbers seemed to dwindle severely over the next 2 or 3 calls before I managed to attend one where I was the only person on the call!  In retrospect, I am unsure whether the conference call idea is so useful – it’s great for having a lively debate and for sorting out misunderstandings immediately, but a conference call in office hours on the West Coast of the USA is always going to lead to very unsociable times for the conference call from everywhere from mainland Europe to Australasia.  Even though the call was at 10am PDT, that was 6pm for me in the UK and 7/8pm for mainland Europe.  Obviously, for people in Asia, it’s seriously into the night time for the call.  I can understand why Michael chose the conference call as the “venue” for the Group but maybe some other communications method might be better for the interchange of ideas from here on in (such as the Firefox Enterprise Wiki or a mailing list).

It was interesting listening to how others have created solutions for Firefox.  Everyone seems to have taken slightly different angles on how to go.  However, I remain convinced that the #1 and #2 priorities should be Group Policy support and an MSI installer.  An example of a different view was TeamA, a pseudonym for what I believe to be a major US Bank, who were major proponents of a tool called Mission Control for controlling settings which harks back to Netscape days.  I previously blogged about this.  Whilst it had advantages over Group Policy such as, significantly, it works cross platform, and can control settings over the web, for me it had disadvantages such as the fact that Group Policy is a technology people know and is the technology used in probably 98% of scenarios, Group Policy is used for other related tools such as reporting and audit tools, and thirdly, it would involve the systems administrator putting in place new infrastructure just to control one application.

That latter issue is something that concerns me about the current approach of some and seemingly the one Mozilla Corp prefers.  Want to control settings?  Set up a Mission Control server.  Want to control extensions?  Deploy your own Firefox Extensions server.  Want to control updates?  Deploy your own Firefox Updates server.  Etc etc etc.  If there is one thing that my experience of FirefoxADM has told me, it is that there are two types of Systems Administrator who really need a very high level of control over systems:  those at the very high end of resources in the likes of Banks and huge corporations, and those at the very low end of resources such as an IT guy for a bunch of schools.  Setting up a load of servers to control one application is just not a possibility for the latter – the mountain is not going to move to Mohammed.

Anyway, in the New Year, I really want to have another look at all the projects I have done, including the much-untouched FirefoxADM, mainly because, despite being not updated and generally unloved for the past 2 and a bit years, it is still working for people and being downloaded and deployed out there more than ever!

Hopefully 2008 will be the year of Firefox in the Enterprise.  Well, can hope.