Skip to main content
Jamf Nation, hosted by Jamf, is a knowledgeable community of Apple-focused admins and Jamf users. Join us in person at the ninth annual Jamf Nation User Conference (JNUC) this November for three days of learning, laughter and IT love.

How to: Firefox trusting company certificates

Firefox manages certificates separated from the system certificates that are used by Safari or Chrome. To circumvent the issue that users are presented with the "certificate not trusted, add exception" notification, it is possible to add the certificates automated to the users firefox installations by utilizing the following commands: Importing Certificates on Firefox & code snippet for looking for the profile name

I know that there is also the CCK utility, but that is also more or less a pain in the a**, especially when you want to maintain firefox installations that are already existing (and have a filled user profile).

Firefox now provides the possibility to trust certificates that are stored in the system keychain by setting the key "about:config", "security.enterprise_roots.enabled" to TRUE. Mozilla Help

This setting should also be stored somewhere in prefs.js, but i have not figured out how to fiddle around with this file without ruining the user profile.

Now my question:
Does someone know a handy way to set this setting on all machines without destroying everything?

Like Comment
Order by:
SOLVED Posted: by Durkin

I am very interested in this as well. I am having the same issues everyone else has and the old posts about CCK are not helpful.

Like
SOLVED Posted: by swhps

watching this one also

Like
SOLVED Posted: by AndreasRumpl

SOLVED, but some bits needed to come together:

With Firefox 64 it is now possible to trust root certificates that are in the system certificate store
https://wiki.mozilla.org/CA/AddRootToFirefox

Also with Firefox 64 it is now possible to not only edit and distribute settings via the about:config (firefox config editor), but also by using .json files
https://support.mozilla.org/en-US/kb/customizing-firefox-using-policiesjson

AND even better, it is also possible to use configuration profiles: "Policies can be specified using the Group Policy templates on Windows or configuration profiles on macOS (https://github.com/mozilla/policy-templates/tree/master/mac), or by creating a file called policies.json."
https://github.com/mozilla/policy-templates/blob/master/README.md

Here you can find the example plist with all currently possible keys ("IMPORTANT: This file is in active development along with the policies in Firefox. To get the policy information that corresponds to a specific release, go to https://github.com/mozilla/policy-templates/releases."
https://github.com/mozilla/policy-templates/blob/master/mac/org.mozilla.firefox.plist

--> The important part regarding certificates is:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnterprisePoliciesEnabled</key>
    <true/>
    <key>Certificates</key>
    <dict>
        <key>ImportEnterpriseRoots</key>
        <true/>
    </dict>
</dict>
</plist>

You can simply edit the .plist for your needs and then upload it to the JSS (config profile - custom settings, preference domain is org.mozilla.firefox)

Just distributed this to our testing machines and it seems to work (finally!)

Like

Jamf wants to hear your feedback around Peripherals and Jamf Connect settings configuration