Enabling Firefox Autoupdates without Helper Tool prompt asking for Admin password

msoti
New Contributor II

In our Company we currently have Firefox 60.2 ESR distributed, we have AutoUpdates turned off, configured in the .cfg file.

We're now trying to turn on AutoUpdates on with an exchange of the .cfg file in the currently installed Firefox. That part works without any problems, but when actually trying to install an updated version of Firefox afterwards it will ALWAYS ask for admin privileges with the Helper Tool.
I tried it with the following permissions set for Firefox: 775 with root:wheel, root:admin, root:netaccounts. With 777 Permissions there's no prompt for a password, but it gets stuck in a loop asking to relaunch Firefox to install the Update.

Any ideas what we can do to make the update happen without the Helper Tool prompt?

12 REPLIES 12

mlizbeth
Contributor II

Unfortunately Firefox doesn't have a keystone update service like Chrome does, so I have just been building new packages each time, though we aren't using ESR.
perhaps this script may help you? https://www.jamf.com/jamf-nation/third-party-products/files/764/firefox-install-update
Here is a script from 2015 for Firefox ESR https://www.jamf.com/jamf-nation/discussions/12956/firefox-update-script#responseChild76205

Hope one of them helps! The second thread has a lot of different implementations.

msoti
New Contributor II

@mlizbeth Thank you! Yes, those would theoretically work, but we would rather just distribute Firefox with Autoupdates enabled and let the users update it themselves, less hassle for us in the long term. And a script like this wouldn't work in our environment, since we also need to include certificates with Firefox. It really bugs me that the Helper Tool pops up, disregarding of what permissions are set...

nkuhl30
Contributor

@msoti This has been a thorn in my side for years now. You do have a couple of options though.

  1. Use the CFG file to disable updates altogether and then manually push out the latest version with a package. This will stop Firefox from prompting a standard user to update, even when they can't.

  2. Install Firefox in the user's profile Application folder ,ie, ~/Applications. We do this with SKYPE and other apps that can't update without an an admin account. This would obviously not work in lab environments. I've stopped including Firefox as a default app on all machines and just provide Safari and Chrome. Chrome is the easiest the manage out of all 3 browsers. And this includes Safari. It keeps itself updated and it's easy to push out a default set of settings and bookmarks using a Google Master Preferences file.

msoti
New Contributor II

We finally found a solution that worked! We got rid of any cck2 setting in Firefox, now managing the setting with a policies.json file and also adding the certificates with the package. To get rid of the Helper Tool prompt, we set the owner and group of Firefox to $USER:staff!

pabohr
New Contributor II

@msoti We seems to be hitting the same issue with Yammer. How can we set the owner and group of Yammer to $USER:staff?
We are using Composer to create our packages and I don't see the option to set the owner to $USER. Any idea?

ryan_ball
Valued Contributor

@msoti Firefox is an example of an app in dmg that can be installed or upgraded using our install-update-app-in-dmg script with the following parameters in a Jamf Pro policy:
- Parameter 4: http://download.mozilla.org/?product=firefox-latest&os=osx&lang=en-US
- Parameter 5: Firefox.app
- Parameter 6: CFBundleShortVersionString

If Firefox is installed and open, it will prompt the user to postpone or update. You can set this policy to run once a week.

pabohr
New Contributor II

@ryan.ball Great script! This actually 99% answers to our issue with Yammer. Only caveat is that you need to download the dmg to compare its version with the installed one. Thanks!

ryan_ball
Valued Contributor

@pabohr The script can be modified to check for the version first without too much trouble. Here is how you can get the latest version of Firefox:

latestVersion=$(curl -s "https://product-details.mozilla.org/1.0/firefox_versions.json" | grep "LATEST_FIREFOX_VERSION" | grep -E -o "[0-9.]+")

bwoods
Contributor III

@msoti are you capturing the logged in user and using it as a variable? How are you setting the owner and group for the firefox app to $User:staff? @pabohr and I would like to know.

bwoods
Contributor III

@pabohr based on what @msoti described, I figured that she's doing something similar to my script below.

#!/bin/bash

# Get logged-in user

currentUser=`python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "
");'`

# Change Firefox.app owner and group

chown $currentUser:staff /Applications/Firefox.app/

ThierryD
New Contributor III

Hi @bwoods @msoti

I tried changing the group and user successfully but I still has the admin prompt...
How did you got rid of this admin prompt ?
Do you have other app that get the admin prompt ? Like Spotify for example.

bwoods
Contributor III

Hey @PayFit after you run my script above, you need to move the app to ~/Applications. The user will then have permissions to manage the app. I would only advise doing this for some apps like browsers though.