Locking down Safari/Firefox Extensions

New Contributor III

Hi, I have been able to blacklist/whitelist google chrome extensions, but have not been able to figure out a way to do the same for Firefox/Safari. Has anyone been able to find a way to do this successfully?


Release Candidate Programs Tester

@discounteggroll For Firefox, i'd look at CCK, might be something there.

For Safari, I'm not sure what the options are. Maybe something can be set for Safari via a config profile? With Safari 9, Apple started to lock things down in regards to extensions, & erm... I might be a little to blame.. so, sorry about that!

New Contributor II

It would be great if the JSS added an easy way to block or allow extensions on Popular Browsers. Seems like it would be easy code to write for the smart people at Jamf and then for us not so smart admins out in the world we could do a better job keeping student computers clean.

New Contributor

For FireFox you can easily set profiles: https://developer.mozilla.org/en-US/Firefox/Enterprise_deployment
Same as with chrome: https://www.chromium.org/administrators/policy-list-3#ExtensionInstallBlacklist https://www.chromium.org/administrators/configuring-other-preferences

Safari is very limited on this: see https://www.jamf.com/jamf-nation/discussions/15324/disabling-safari-extensions
It's possible to block certain extensions by dropping them into /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

New Contributor III

Do you have a better link for this? seems like navigating to this one takes me to a page that is no longer active:

i was able to blacklist all chrome extensions, and whitelist a selected few, still attempting to figure out firefox.

New Contributor II

You can create a new configuration profile.
Therefore you have to upload a plist file at "Application & Custom Settings"
Here is an example plist:

Preference Domain: org.mozilla.org

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>EnterprisePoliciesEnabled</key> <true/> <key>ExtensionSettings</key> <dict> <key>*</key> <dict> <key>installation_mode</key> <string>blocked</string> </dict> key>uBlock0@raymondhill.net</key <dict> <key>installation_mode</key> <string>allowed</string> <key>install_url</key> <string>https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi</string> </dict> key>@contain-facebook</key <dict> <key>installation_mode</key> <string>allowed</string> <key>install_url</key> <string>https://addons.mozilla.org/firefox/downloads/latest/facebook-container/latest.xpi</string> </dict> </dict> </dict> </plist>

This plist will blacklist every firefox extension and whitelist specific ones.

In this case the addons uBlock origin and Facebook Container are allowed.
You can also force the installation of plugins if you want by using installation mode "force_installed" instead of "allow".

More information about the parameters you can find here:

This addon can help to figure out the extension ID:

New Contributor III

I can't get this to work. I created a new configuration profile and pasted your code in die Application & Custom Settings as Property List. But it doesn't work. Also tested the code posted here: https://github.com/mozilla/policy-templates#macos-47

Can someone please help me?

Any update so this?

New Contributor III

Unfortunately not

New Contributor III

Hi @Tim_Apple - I've been playing around with this today and have a working config if it helps you at all.


Here's the contents of my Application & Custom Settings -> Upload plist 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
			<string>Extension blocked by Security Policy. Please contact the Service Desk if you would like to request this extension to be considered for approval.</string>


The preference domain is org.mozilla.firefox


This config will block all extensions by default and allow the install of a single one (1Password in this example).


Good luck!

Contributor II

circling back. I came up with something similar to @psmac . Now if I could figure out how to make this a JSON. where you could create a field to enter this , i'd be golden