[SOLVED] Managing Firefox/Thunderbird policies on macOS

bastien30
Messages: 38
Registration: March 8, 2024 - 3:21 PM

October 28, 2024 - 6:12 PM

Hello,

As requested on the Discord channel, here are my observations following my recent tests with Thunderbird/Firefox and their policies under MacOS.

When one of these programs is updated, the whole contents of the .app directory in /Applications are deleted by the install_app() function, which then copies in the .app folder of the new version; the distribution folder and the policies.json file are therefore deleted (we also use autoconfig/MCD to configure LDAP or add identifiers on new profiles, and this is lost too).

I have therefore retrieved/renamed/modified your Firefox/Thunderbird packages in our repository to reapply the audit of all these packages after installation, which has the effect of reapplying the modifications directly, without waiting for the next audit (the audit() function calling the install() function in case of a missing file).

The other solution, if you only use policies, is to use a .plist file (https://github.com/mozilla/policy-templ... master/mac / https://github.com/thunderbird/policy-t...entral/mac) which will not be removed by the update.

This involves maintaining two separate files or converting the .json file to .plist within the package (possibly using the plutil command). https://gist.github.com/sugarmo/5334805 (but I haven't tested it).

This also means having to run the following command (here for Firefox, but the same applies to Thunderbird, see the previous links):

run("sudo defaults write /Library/Preferences/org.mozilla.firefox EnterprisePoliciesEnabled -bool TRUE")

Another problem encountered, which strangely only occurs with Thunderbird: on a first installation and/or after an update, at the first launch of the program, macOS checks the application's signature.

If the signature is invalid, it displays a message saying that the application is damaged and refuses to launch it (you then have to go through System Preferences / Privacy & Security to force authorization, which is a bit of a pain, especially at each update). Now, the signature is no longer valid after copying any file (typically the policies.json file) to /Applications/Thunderbird.app/Contents/Resources/.
The signature can be verified using the following command:

codesign --verify --verbose /Applications/Thunderbird.app

If you launch the program once and only then install the policy package, there is no problem (however, you need to give wapt-get full disk access if you want to run the action from the WAPT console, and likewise for the terminal if you want to run the installation from the command line), but you have to do this at every package update...

The only solution I found to avoid this problem is to re-sign the package after adding the policy files, using the following command:

codesign -f -s - /Applications/Thunderbird.app/Contents/MacOS/thunderbird

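The two mechanisms above (the .plist route for policies, and the codesign check / ad-hoc re-sign once files have been added inside the bundle) as one added example. This is not code from the post, from WAPT or from Mozilla; it assumes the plist layout described in the mozilla/thunderbird policy-templates "mac" README (policy keys at the top level of the plist, without the outer "policies" wrapper, plus EnterprisePoliciesEnabled set to true), and the sample policies.json is constructed for illustration.

```python
# Added example (not from the forum post, WAPT or Mozilla): build the macOS
# policy plist from a package's policies.json, and wrap the codesign check and
# ad-hoc re-sign the post uses for Thunderbird.
# Assumption: the plist layout follows the policy-templates "mac" README
# (policy keys at top level, EnterprisePoliciesEnabled = true); domain names
# and paths are the standard Mozilla ones, everything else is illustrative.
import json
import plistlib
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed sample policies.json, as a package might ship it next to setup.py.
SAMPLE_POLICIES_JSON = """{
  "policies": {
    "DisableAppUpdate": true,
    "DisableTelemetry": true,
    "Homepage": {"URL": "https://intranet.example.invalid", "Locked": true}
  }
}"""


def policies_json_to_plist_dict(json_text):
    """Turn policies.json content into the dict the macOS policy plist must hold.

    The "policies" wrapper is dropped (plist keys sit at the top level) and
    EnterprisePoliciesEnabled is forced on, which replaces the separate
    `defaults write ... EnterprisePoliciesEnabled -bool TRUE` step.
    """
    doc = json.loads(json_text)
    policies = doc.get("policies")
    if not isinstance(policies, dict):
        raise ValueError('policies.json needs a top-level "policies" object')
    plist = {"EnterprisePoliciesEnabled": True}
    plist.update(policies)  # nested dicts/lists/bools map 1:1 onto plist types
    return plist


def write_policy_plist(json_text, dest):
    """Write the plist in XML form (diff-able in a package repository) to dest,
    e.g. /Library/Preferences/org.mozilla.firefox.plist or org.mozilla.thunderbird.plist."""
    dest = Path(dest)
    with open(dest, "wb") as fh:
        plistlib.dump(policies_json_to_plist_dict(json_text), fh, fmt=plistlib.FMT_XML)
    return dest


def read_policy_plist(path):
    with open(path, "rb") as fh:
        return plistlib.load(fh)


def roundtrip_sample():
    """Write the sample to a temporary file and read it back (self-check)."""
    with tempfile.TemporaryDirectory() as tmp:
        out = write_policy_plist(SAMPLE_POLICIES_JSON, Path(tmp) / "org.mozilla.firefox.plist")
        return read_policy_plist(out)


def codesign_verify(app_path):
    """The check from the post: returns (True, output) when the bundle seal is intact."""
    if shutil.which("codesign") is None:
        raise RuntimeError("codesign not found: this only works on macOS")
    proc = subprocess.run(["codesign", "--verify", "--verbose", str(app_path)],
                          capture_output=True, text=True)
    return proc.returncode == 0, proc.stdout + proc.stderr


def codesign_adhoc_resign(app_path):
    """Re-seal the bundle with an ad-hoc signature (`-s -`) after files were added
    under Contents/, as the post does for Thunderbird; needs root for /Applications."""
    if shutil.which("codesign") is None:
        raise RuntimeError("codesign not found: this only works on macOS")
    subprocess.run(["codesign", "-f", "-s", "-", str(app_path)], check=True)
    return codesign_verify(app_path)


if __name__ == "__main__":
    print(plistlib.dumps(policies_json_to_plist_dict(SAMPLE_POLICIES_JSON)).decode())
    if shutil.which("codesign"):  # only meaningful on a Mac with the app installed
        print(codesign_verify("/Applications/Thunderbird.app"))
```

On the Mac, load the generated file with `sudo defaults import /Library/Preferences/org.mozilla.firefox <file>` rather than copying it straight into /Library/Preferences, since a copied file can be shadowed by cfprefsd's cache. Note that an ad-hoc re-sign replaces Mozilla's Developer ID signature on the bundle, which is one more reason to prefer the plist route when only policies are needed: nothing inside the .app is touched, so the seal stays valid and survives updates.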
Deploying applications on macOS is really not simple, especially if you want to do anything other than just install a dmg/pkg file... 😮‍💨
If it can save others from wasting hours on this... 😅