Disable DNS over HTTPS in Firefox using Intune

Mozilla makes available ADMX files (Group Policy administrative templates) which allow you to configure some Firefox settings using Group Policy.

I'm trying to move away from using Group Policy to manage our endpoints since it requires connectivity to a Domain Controller which in turn depends on a VPN connection for remote computers. Too many dependencies there for my taste and Intune makes it much easier to push out changes with the push of a button.

This week I've been trying to use a custom configuration profile in Intune to disable DNS over HTTPS on our Windows endpoints. Some of our IPS functionality uses DNS requests to block access to certain websites, and DNS over HTTPS makes it easy to bypass that method of content blocking.

Intune offers something they call "ADMX ingestion", which sounds weird and biological but basically just lets you apply Group Policy-like settings, including ones from third-party ADMX templates, using Intune. Making changes to Chrome was easy using this method because Google has a great write-up on it. Firefox wasn't so easy.

The setting I'm trying to change is under Options-->General-->Network Settings-->Enable DNS over HTTPS. I want to grey it out so end users can't enable it. 



I began by downloading the Mozilla Firefox ADMX templates zip file from here and extracting it to my computer. There's a firefox.admx file and a mozilla.admx file, but I'm only concerned with the firefox.admx file. I don't need its counterpart, the en-US/firefox.adml file, since the ADML only carries the display strings shown in the Group Policy editor.

Next I created a new Custom Device Configuration Profile in Intune:


This basically allows for importing (ingesting) an ADMX file into Intune so it can configure registry-based policy settings on clients. So next click Add and use the following settings:

Name: Firefox ADMX Ingestion

OMA-URI (case sensitive!)*: 
./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Firefox/Policy/FirefoxAdmx

Data type: String

Value: (paste the entire contents of the firefox.admx file here)

* I figured out the OMA-URI from this blog

It will look something like this:


Now that the ADMX file is ingested we can define the settings we want to apply from it. It took a lot of trial and error to find the correct OMA-URI and value for disabling the DNS over HTTPS setting in Firefox (which is why I'm writing this blog).

The next step is to add a new row to the same configuration profile as above. Set the values as follows:

Name: DNSOverHTTPS

OMA-URI (case sensitive!): 
./Device/Vendor/MSFT/Policy/Config/firefox~Policy~firefox/DNSOverHTTPS

Data type: String

Value: <enabled/>
<data id="ProviderURL" value=""/><data id="DNSOverHTTPSEnabled" value="False"/><data id="DNSOverHTTPSLocked" value="True"/>

Sync your client with Intune. With DNSOverHTTPSEnabled set to False and DNSOverHTTPSLocked set to True, the "Enable DNS over HTTPS" checkbox in the connection settings should be grayed out the next time you open Firefox, as shown below. You can also confirm the policy was picked up by opening about:policies in Firefox.
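The two rows above (the ingestion row and the policy row) are both derived mechanically from the ADMX file: the category chain from parentCategory refs, the data ids from the policy's elements, and the registry values the client should end up with from the policy's key and valueName attributes. The script below is an added example, not code from the original post or from Mozilla, that reads those out of an ADMX document so the OMA-URI and value don't have to be found by trial and error. It assumes the "Firefox"/"firefox" app names and "Policy" setting type used above, and the embedded ADMX is a constructed fragment modelled on the DNSOverHTTPS policy in firefox.admx, trimmed to the parts Intune needs; point it at the real firefox.admx to generate rows for other policies.

```python
"""Derive the Intune ADMX-ingestion OMA-URIs, the <enabled/><data/> value string and
the resulting registry values from an ADMX policy definition instead of guessing them."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

ADMX_NS = "http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
NS = {"a": ADMX_NS}

# Constructed fragment modelled on the DNSOverHTTPS policy in Mozilla's firefox.admx
# (only the parts Intune needs: the category tree, the policy and its elements).
SAMPLE_ADMX = """<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions"
                   revision="1.0" schemaVersion="1.0">
  <categories>
    <category name="firefox" displayName="$(string.firefox)"/>
  </categories>
  <policies>
    <policy class="Both" name="DNSOverHTTPS" displayName="$(string.DNSOverHTTPS_group)"
            key="Software\\Policies\\Mozilla\\Firefox\\DNSOverHTTPS"
            presentation="$(string.DNSOverHTTPS)">
      <parentCategory ref="firefox"/>
      <elements>
        <boolean id="DNSOverHTTPSEnabled" valueName="Enabled"/>
        <text id="ProviderURL" valueName="ProviderURL"/>
        <boolean id="DNSOverHTTPSLocked" valueName="Locked"/>
      </elements>
    </policy>
  </policies>
</policyDefinitions>
"""


def load_sample() -> ET.Element:
    """Parse the constructed sample; swap in ET.parse('firefox.admx').getroot() for the real file."""
    return ET.fromstring(SAMPLE_ADMX)


def ingestion_uri(app_name: str, setting_type: str, file_uid: str) -> str:
    """OMA-URI of the row whose String value is the whole ADMX file body."""
    return ("./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/"
            f"{app_name}/{setting_type}/{file_uid}")


def _policy(root: ET.Element, policy_name: str) -> ET.Element:
    for pol in root.iterfind("a:policies/a:policy", NS):
        if pol.get("name") == policy_name:
            return pol
    raise KeyError(f"policy {policy_name!r} not found in ADMX")


def category_path(root: ET.Element, ref: str) -> str:
    """Walk parentCategory refs up to the root category; Intune joins the chain with '~'."""
    cats = {c.get("name"): c for c in root.iterfind("a:categories/a:category", NS)}
    chain = []
    while ref is not None:
        chain.append(ref)
        parent = cats[ref].find("a:parentCategory", NS)
        ref = parent.get("ref") if parent is not None else None
    return "~".join(reversed(chain))


def policy_uri(root: ET.Element, app_name: str, setting_type: str, policy_name: str) -> str:
    """OMA-URI of the row that applies one policy from the ingested ADMX."""
    cat = _policy(root, policy_name).find("a:parentCategory", NS).get("ref")
    return ("./Device/Vendor/MSFT/Policy/Config/"
            f"{app_name}~{setting_type}~{category_path(root, cat)}/{policy_name}")


def policy_value(root: ET.Element, policy_name: str, settings: dict) -> str:
    """Build '<enabled/><data id=... value=.../>...' covering every element the ADMX declares.

    Intune matches each <data> to an ADMX element by id, so a mistyped id or a missing
    element is what makes the row fail; both are rejected here rather than emitted.
    """
    elems = list(_policy(root, policy_name).find("a:elements", NS))
    declared = {e.get("id") for e in elems}
    unknown, missing = set(settings) - declared, declared - set(settings)
    if unknown or missing:
        raise ValueError(f"unknown ids {sorted(unknown)}, missing ids {sorted(missing)}")
    parts = ["<enabled/>"]
    for e in elems:  # emitted in the template's element order
        eid, kind, val = e.get("id"), e.tag.split("}")[-1], str(settings[e.get("id")])
        if kind == "boolean" and val.lower() not in ("true", "false"):
            raise ValueError(f"{eid} is a boolean element, got {val!r}")
        parts.append(f'<data id="{eid}" value="{escape(val, {chr(34): "&quot;"})}"/>')
    return "".join(parts)


def expected_registry(root: ET.Element, policy_name: str) -> tuple:
    """Registry key and value names a device-scope ADMX-backed policy writes on the client."""
    pol = _policy(root, policy_name)
    return "HKLM\\" + pol.get("key"), [e.get("valueName") for e in pol.find("a:elements", NS)]


if __name__ == "__main__":
    root = load_sample()
    wanted = {"ProviderURL": "", "DNSOverHTTPSEnabled": "False", "DNSOverHTTPSLocked": "True"}
    print(ingestion_uri("Firefox", "Policy", "FirefoxAdmx"))
    print(policy_uri(root, "firefox", "Policy", "DNSOverHTTPS"))
    print(policy_value(root, "DNSOverHTTPS", wanted))
    print(expected_registry(root, "DNSOverHTTPS"))
```

The last line of output is the check to run on a synced client: the three values (Enabled, ProviderURL, Locked) should exist under HKLM\Software\Policies\Mozilla\Firefox\DNSOverHTTPS, with Enabled=0 and Locked=1, before Firefox will grey the box out. Note that the generator emits the data elements in the order the template declares them, which differs from the hand-written value above; Intune matches them by id, not position.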

