[Mozilla Enterprise] Firefox ESR Offline Patching solution.

Wed Jul 31 17:11:55 UTC 2019

Classification: UNCLASSIFIED

Hey Alex,

Interesting, but deployment wise, SCCM has legs in every segment of the network.

End-user desktops are whitelisted to update from the web using the Firefox maintenance app, however the PAW's are segmented because they are for administration.

So PAWs DO get the updated, however only when I change the base version of the deployment package for Firefox on SCCM.

The way is works is that I deploy a base version to every desktops and the detection is done on a "Greater or Equal..." basis, so desktops are allowed to updated themselves and SCCM doesn't attempt to reinstall it. But since PAWs don't access the web, they're stuck until I deploy a new base version.

Essentially, I'm trying to update one less package manually by building an offline solution for everyone.

Éric Périard
Laboratory Administrator | Administrateur du laboratoire
Canadian Centre for Cyber Security | Centre canadien pour la cybersécurité
Telephone | Téléphone: 613-991-3555
Email | Courriel: Eric.Periard at cyber.gc.ca<mailto:Eric.Periard at cyber.gc.ca>
Website | Site Web: https://www.cyber.gc.ca/
Government of Canada | Gouvernement du Canada

[cid:image002.png at 01D4ADA3.F54E4950]

NOTICE: This message and accompanying attachments contain information that is intended only for the use of the individual or entity to which it is addressed. Any dissemination, distribution, copying or action taken in reliance on the contents of this communication by anyone other than the intended recipient is strictly prohibited. If you have received this communication in error, please notify the sender immediately at the above address and delete the e-mail.

AVIS : Le présent message et toutes les pièces jointes qui l'accompagnent contiennent de l'information destinée uniquement à la personne ou à l'entité à laquelle elle est adressée. Toute diffusion, distribution ou copie de son contenu par une autre personne que son destinataire est strictement interdite. Si vous avez reçu ce message par erreur, veuillez informer immédiatement l'expéditeur à l'adresse ci-dessus puis l'effacer.

From: Alexandre GAUVRIT <agauvrit at tranquil.it>
Sent: Wednesday, July 31, 2019 10:57 AM
To: Éric Périard <Eric.Periard at ccirc-ccric.ca>; Enterprise at mozilla.org
Subject: Re: [Mozilla Enterprise] Firefox ESR Offline Patching solution.

Hi,

There is also an Open-Source alternative to SCCM which can fulfill your need, it's WAPT Deployment software.

The store provides pre-made Firefox and Firefox ESR packages : https://store.wapt.fr/store/?search=Firefox&sort=popular

If your scope of endpoint is out of SCCM scope, it can be a good solution

Alexandre
Le 29/07/2019 à 17:47, Éric Périard a écrit :
Classification: UNCLASSIFIED // Public

Greetings colleagues,

I work in a border-line paranoid secure environment where we make use of air-gapped PAW (Privileged Access Workstations) to administer the network.

The issue is well... it's air-gapped, meaning there's no access to the internet at all from those workstations and everything is tightly controlled.

Also to deploy the updates, I use SCCM. For end-user systems we whitelist the access so browsers can update themselves however that's not possible for the PAW's.

So I've got a few questions:

1.       Is there a GPO or some kind of solution to redirect where Firefox ESR fetches it's update? (Without trying to spoof URLs which I'm sure change often)

2.       Where would I get the update patches instead of the entire installer EXE?

3.       Is above possible at all?

Thank you as always....

Éric Périard
Laboratory Administrator | Administrateur du laboratoire
Canadian Centre for Cyber Security | Centre canadien pour la cybersécurité
Email | Courriel: Eric.Periard at cyber.gc.ca<mailto:Eric.Periard at cyber.gc.ca>
Website | Site Web: https://www.cyber.gc.ca/
Government of Canada | Gouvernement du Canada

[cid:image002.png at 01D4ADA3.F54E4950]

NOTICE: This message and accompanying attachments contain information that is intended only for the use of the individual or entity to which it is addressed. Any dissemination, distribution, copying or action taken in reliance on the contents of this communication by anyone other than the intended recipient is strictly prohibited. If you have received this communication in error, please notify the sender immediately at the above address and delete the e-mail.

AVIS : Le présent message et toutes les pièces jointes qui l'accompagnent contiennent de l'information destinée uniquement à la personne ou à l'entité à laquelle elle est adressée. Toute diffusion, distribution ou copie de son contenu par une autre personne que son destinataire est strictement interdite. Si vous avez reçu ce message par erreur, veuillez informer immédiatement l'expéditeur à l'adresse ci-dessus puis l'effacer.

_______________________________________________

Enterprise mailing list

Enterprise at mozilla.org<mailto:Enterprise at mozilla.org>

https://mail.mozilla.org/listinfo/enterprise

To unsubscribe from this list, please visit https://mail.mozilla.org/listinfo/enterprise or send an email to enterprise-request at mozilla.org<mailto:enterprise-request at mozilla.org> with a subject of "unsubscribe"
--
Alexandre GAUVRIT, administrateur systèmes et réseaux / RSSI / DPO
Tranquil IT
12 avenue Jules Verne (Bât. A)
44230 Saint Sébastien sur Loire (FRANCE)
tel: +33 (0) 240 975 755
Retrouvez-nous sur les réseaux :
[twitter]<https://twitter.com/TRANQUIL_IT> [linkedin] <https://www.linkedin.com/company/3108003/>  [youtube] <https://www.youtube.com/channel/UCl45FZItnoOlXsaWUa3UrTw>
________________________________
[Tranquil IT]<https://tranquil.it>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.mozilla.org/pipermail/enterprise/attachments/20190731/c18c390a/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 32780 bytes
Desc: image001.png
URL: <http://mail.mozilla.org/pipermail/enterprise/attachments/20190731/c18c390a/attachment.png>