Replace Windows SyncML profile with PowerShell script for Firefox DoH #41238
Open
kilo-code-bot[bot] wants to merge 1 commit into session/agent_01a6aac4-6dd1-4630-852b-c69d6c8cad0d from
Remove the Windows SyncML/OMA-URI configuration profile for Firefox DNS over HTTPS and replace it with a PowerShell script that deploys a policies.json file directly to Firefox's distribution directory. This approach is more reliable as it does not depend on Firefox ADMX policies being available via MDM.

Changes:
- Remove: Firefox DNS over HTTPS.xml (Windows SyncML profile)
- Add: deploy-firefox-doh-policy.ps1 (writes policies.json to Firefox installation directories with DoH enabled, fallback on, and locked)
- Add: firefox-doh-check.yml (Fleet policy that verifies policies.json is present and contains correct DoH settings)
- Update workstations.yml to reference the new script and policy
- macOS mobileconfig profile remains unchanged
Summary
- Firefox DNS over HTTPS.xml) that was added in Add Firefox DNS over HTTPS configuration profiles for Workstations #41216, replacing it with a more reliable PowerShell script approach
- deploy-firefox-doh-policy.ps1) that writes a policies.json file directly to Firefox's distribution directory, enforcing DNS over HTTPS with fallback enabled and the setting locked
- firefox-doh-check.yml) that verifies the policies.json file is correctly deployed on Windows workstations
- .mobileconfig profile from Add Firefox DNS over HTTPS configuration profiles for Workstations #41216 remains unchanged

Changes

Removed

- it-and-security/lib/windows/configuration-profiles/Firefox DNS over HTTPS.xml — the SyncML/OMA-URI profile that relied on Firefox ADMX policy paths via MDM

Added

- it-and-security/lib/windows/scripts/deploy-firefox-doh-policy.ps1 — PowerShell script that:
  - Program Files (x64) and Program Files (x86) paths
  - distribution folder if it doesn't exist
  - policies.json with DoH enabled, fallback enabled, and the setting locked
- it-and-security/lib/windows/policies/firefox-doh-check.yml — Fleet policy (osquery SQL) that:
  - policies.json exists in at least one Firefox installation directory
  - "Enabled": true, "Fallback": true, and "Locked": true

Modified

- it-and-security/teams/workstations.yml — Removed the Windows SyncML profile reference, added the new script and policy references

Built for Allen Houchins by Kilo for Slack
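
The deployment step described above, as an added PowerShell example (not the PR's deploy-firefox-doh-policy.ps1): it merges a DNSOverHTTPS block into any existing policies.json instead of overwriting the file, then reads it back to confirm the three values the compliance check looks for. It assumes the default Mozilla Firefox install directories and an elevated (administrator or SYSTEM) context.

```powershell
# Added example, not the PR's deploy-firefox-doh-policy.ps1.
# Assumptions: default Firefox install directories; elevated (admin/SYSTEM) context.
$ErrorActionPreference = 'Stop'

# Candidate install roots; the x86 variable is empty on 32-bit Windows.
$installDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique |
    ForEach-Object { Join-Path $_ 'Mozilla Firefox' }

# The three settings the PR description says are enforced and verified.
$doh = [ordered]@{ Enabled = $true; Fallback = $true; Locked = $true }
$utf8NoBom = New-Object System.Text.UTF8Encoding($false)

foreach ($dir in $installDirs) {
    # Only touch directories that actually hold a Firefox install.
    if (-not (Test-Path (Join-Path $dir 'firefox.exe'))) { continue }

    $distDir    = Join-Path $dir 'distribution'
    $policyFile = Join-Path $distDir 'policies.json'
    New-Item -ItemType Directory -Path $distDir -Force | Out-Null

    # Keep policies that are already deployed; replace only DNSOverHTTPS.
    $doc = $null
    if (Test-Path $policyFile) {
        try { $doc = Get-Content $policyFile -Raw | ConvertFrom-Json }
        catch { Write-Warning "Could not parse $policyFile, rewriting it" }
    }
    if ($null -eq $doc) { $doc = [pscustomobject]@{} }
    if ($null -eq $doc.policies) {
        $doc | Add-Member -NotePropertyName policies `
            -NotePropertyValue ([pscustomobject]@{}) -Force
    }
    $doc.policies | Add-Member -NotePropertyName DNSOverHTTPS `
        -NotePropertyValue $doh -Force

    # -Depth keeps nested policy objects intact; write UTF-8 without a BOM.
    $json = $doc | ConvertTo-Json -Depth 20
    [System.IO.File]::WriteAllText($policyFile, $json, $utf8NoBom)

    # Read back and confirm the values the compliance check expects.
    $check = (Get-Content $policyFile -Raw | ConvertFrom-Json).policies.DNSOverHTTPS
    if (-not ($check.Enabled -and $check.Fallback -and $check.Locked)) {
        throw "DoH policy verification failed for $policyFile"
    }
    Write-Output "DoH policy written to $policyFile"
}
```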