Windows – How to Allow Non-Admins to Update Firefox

firefoxpermissionsupdateswindows 7

How can I make it to where regular users, on my active directory domain, can upgrade their workstations to the latest version of firefox (when firefox prompts them that an update is available)?

With Google Chrome, regular users seem to have no trouble maintaining the latest version.

But each time Firefox releases an update, it takes a system administrator's permission to upgrade to it. This is true, despite the fact, that during the initial installation of firefox, I selected the option for firefox to automatically update itself as new release come out.

I also have this issue with adobe flash updates. Please advise.


Best Answer

This update script (.cmd) can be executed via different methods (SMS/SCCM/other management tools, PsExec or another remote execution tool, Immediate/Scheduled Task, logon script etc.):

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox" /ve | findstr 25.0.1 & if ERRORLEVEL 1 (xcopy /C /Y /Z \\server\share\update.mar "%TMP%\" & xcopy /C /Y "%PROGRAMFILES(x86)%\Mozilla Firefox\updater.exe" "%TMP%\" & xcopy /C /Y "%PROGRAMFILES(x86)%\Mozilla Maintenance Service\updater.ini" "%TMP%\" & sc start MozillaMaintenance software-update software-update "%TMP%\updater.exe" "%TMP%" "%PROGRAMFILES(x86)%\Mozilla Firefox" "%PROGRAMFILES(x86)%\Mozilla Firefox\firefox.exe" 0)

It's a single statement/line (adjust the registry path, %TMP%, and %PROGRAMFILES(x86)% as relevant). To ensure that the script runs only once when executed using certain methods (for example logon script), findstr (via reg query) checks for the existence of 25.0.1 (an example new version to update to), and the subsequent copy and service commands are executed only if it doesn't exist or is different (ERRORLEVEL returns 1), otherwise the subsequent commands are skipped.

The MozillaMaintenance service calls the Firefox updater, so a standard account can be used to execute this script (if using SRP/AppLocker use a relevant account instead, and also adjust the paths used.). Also, currently running Firefox instances on the clients doesn't hinder the update.

update.mar is the file containing updates; there are two types - a *partial.mar file which can be used to update an immediate preceding version, and a *complete.mar file which is a full/cumulative update, either of which can be obtained here. E.g. to update from 25.0 to 25.0.1, browse to 25.0.1/update/win32/en-US/, save and rename firefox-25.0-25.0.1.partial.mar as update.mar, and execute the script. OTOH, if the systems have older/different versions, use firefox-25.0.1.complete.mar instead. Please note that versions (on the site) ending in b* (beta) or esr are different.

For the details about updater.exe, updater.ini, and MozillaMaintenance and its parameters, please see Software Update:Manually Installing a MAR file, and Windows Service Silent Update.

To be alerted of updates, sign up for notifications, and/or use an extension, and/or use a service.

Misc.: The lock (policy) file can be used to disable automatic updates on the clients. The setting is lockPref("app.update.enabled", false); (The lock (policy) file can be continuously maintained as a Replace action Files GPP).

For maintaining Adobe Flash, one option would be to disable automatic updates via mms.cfg, and use group policy software installation. Regarding this and the other options, please see Adobe Flash Player Administration Guide. The MSI of the Adobe Flash Player Firefox plugin can be obtained here.

Related Question