Skip to content
Firefox administrator reference

ExtensionSettings

Manage all aspects of extensions. This policy is based heavily on the Chrome policy of the same name.

This policy maps an extension ID to its configuration. With an extension ID, the configuration will be applied to the specified extension only. A default configuration can be set for the special ID *, which will apply to all extensions that don't have a custom configuration set in this policy.

To obtain an extension ID, install the extension and go to about:support. You will see the ID in the Extensions section. You can download am extension on AMO that makes it easy to find the ID of extensions.

Compatibility: Firefox 69, Firefox ESR 68.1 (As of Firefox 85, Firefox ESR 78.7, installing a theme makes it the default.)
CCK2 Equivalent: N/A
Preferences Affected: N/A

Values

Section titled “Values”

The configuration for each extension is a dictionary that can contain the fields documented below.

  • installation_mode: Maps to a string indicating the installation mode for the extension.
    Valid values:
    • allowed: Allows the extension to be installed by the user. This is the default behavior. There is no need for an install_url; it will automatically be allowed based on the ID.
    • blocked: Blocks installation of the extension and removes it from the device if already installed. If used in the default ("*") configuration, it blocks all extensions that do not have an explicit configuration with a different installation_mode.
    • force_installed: Automatically installs the extension and prevents it from being removed by the user. This option is not valid for the default configuration and requires an install_url.
    • normal_installed: Automatically installs the extension but allows it to be disabled by the user. This option is not valid for the default configuration and requires an install_url.
  • install_url: The URL from which Firefox can download a force_installed or normal_installed extension. Firefox automatically installs, updates, or re-installs the extension when the XPI file's internal version changes.
    • If installing from addons.mozilla.org, use https://addons.mozilla.org/firefox/downloads/latest/ADDON_ID/latest.xpi and substitute ADDON_ID with the extension's ID (for example, uBlock0@raymondhill.net or {446900e4-71c2-419f-a6a7-df9c091e268b}). Using the AMO ID ensures Firefox always downloads the latest version that matches the user's platform.
    • If installing from the local file system, use a file:/// URL. Firefox will update or re-install the extension whenever the XPI file at that path changes. You can also manually trigger an update by changing the file name or path.
    • Language packs are available from
      https://releases.mozilla.org/pub/firefox/releases/VERSION/PLATFORM/xpi/LANGUAGE.xpi
      (for example, https://releases.mozilla.org/pub/firefox/releases/111.0.1/win64/xpi/en-US.xpi). These URLs can be used as install_url values for managing language pack installation.
  • install_sources: A list of sources from which installing extensions is allowed using URL match patterns. This is unnecessary if you are only allowing the installation of certain extensions by ID.
    Each item in this list is an extension-style match pattern. Users will be able to easily install items from any URL that matches an item in this list. Both the location of the .xpi file and the page where the download is started (the referrer) must be allowed by these patterns. This setting can be used only for the default configuration.
  • allowed_types: Restricts which types of add-ons can be installed. Note that this setting only applies when installation is otherwise allowed. If "installation_mode": "blocked" is set (either for a specific ID or for "*"), extensions remain blocked regardless of allowed_types. This setting can be used only for the default configuration. Accepts one or more of:
    • "extension"
    • "theme"
    • "dictionary"
    • "locale"
  • blocked_install_message: Maps to a string specifying the error message to display to users if they're blocked from installing an extension. This allows you to append text to the generic error message, for example to direct users to a help desk or explain why an extension is blocked. This setting can be used only for the default configuration.
  • restricted_domains: An array of domains on which content scripts can't be run. This setting can be used only for the default configuration.
  • updates_disabled: (Firefox 89, Firefox ESR 78.11) Boolean that indicates whether to disable automatic updates for an individual extension.
  • default_area: (Firefox 113) String that indicates where to place the extension icon by default. Possible values are navbar and menupanel.
  • temporarily_allow_weak_signatures: (Firefox 127) Boolean that indicates whether to allow installing extensions signed using deprecated signature algorithms.
  • private_browsing: (Firefox 136, Firefox ESR 128.8) Boolean that indicates whether this extension should be enabled in private browsing.

Interaction notes

Section titled “Interaction notes”
  • "installation_mode": "blocked" takes precedence over all other settings. When set, extensions cannot be installed regardless of allowed_types or install_sources. A configuration for a specific extension ID still overrides the "*" configuration.
  • To block all extensions except a few, use "installation_mode": "blocked" for "*" and explicitly override it for allowed or force-installed extensions.
  • To block extensions but allow themes, dictionaries, and language packs, leave the default ("*" ) installation_mode as "allowed" and set "allowed_types": ["theme", "dictionary", "locale"]. ("locale" corresponds to Firefox language packs.) Do not set "installation_mode": "blocked" in this scenario, because allowed_types is ignored when installation is blocked.

Windows (GPO)

Section titled “Windows (GPO)”

Software\Policies\Mozilla\Firefox\ExtensionSettings (REG_MULTI_SZ) =

{
  "*": {
    "blocked_install_message": "Custom error message.",
    "install_sources": ["https://yourwebsite.com/*"],
    "installation_mode": "blocked"
  },
  "uBlock0@raymondhill.net": {
    "installation_mode": "force_installed",
    "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"  # using slug / short name
  },
  "adguardadblocker@adguard.com": {
    "installation_mode": "force_installed",
    "install_url": "https://addons.mozilla.org/firefox/downloads/latest/adguardadblocker@adguard.com/latest.xpi"  # using extension ID
  },
  "https-everywhere@eff.org": {
    "installation_mode": "allowed",
    "updates_disabled": false
  }
}

Windows (Intune)

Section titled “Windows (Intune)”

OMA-URI:

./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Extensions/ExtensionSettings

Value (string):

<enabled/>
<data id="ExtensionSettings" value='
{
  "*": {
    "blocked_install_message": "Custom error message.",
    "install_sources": ["https://yourwebsite.com/*"],
    "installation_mode": "blocked"
  },
  "uBlock0@raymondhill.net": {
    "installation_mode": "force_installed",
    "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
  },
  "adguardadblocker@adguard.com": {
    "installation_mode": "force_installed",
    "install_url": "https://addons.mozilla.org/firefox/downloads/latest/adguardadblocker@adguard.com/latest.xpi"
  },
  "https-everywhere@eff.org": {
    "installation_mode": "allowed",
    "updates_disabled": false
  }
}'/>

If you are using custom ADMX and ADML administrative templates in Intune, you can use this OMA-URI instead to workaround the limit on the length of strings. Put all of your JSON on one line.

OMA-URI:

./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Extensions/ExtensionSettingsOneLine

Value (string):

<enabled/>
<data id="JSONOneLine" value='{}'/>

macOS

Section titled “macOS”
<dict>
  <key>ExtensionSettings</key>
  <dict>
    <key>*</key>
    <dict>
      <key>blocked_install_message</key>
      <string>Custom error message.</string>
      <key>install_sources</key>
      <array>
        <string>"https://yourwebsite.com/*"</string>
      </array>
      <key>installation_mode</key>
      <string>blocked</string>
    </dict>
    <key>uBlock0@raymondhill.net</key>
    <dict>
      <key>installation_mode</key>
      <string>force_installed</string>
      <key>install_url</key>
      <string>https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi</string>
    </dict>
    <key>adguardadblocker@adguard.com</key>
    <dict>
      <key>installation_mode</key>
      <string>force_installed</string>
      <key>install_url</key>
      <string>https://addons.mozilla.org/firefox/downloads/latest/adguardadblocker@adguard.com/latest.xpi</string>
    </dict>
    <key>https-everywhere@eff.org</key>
    <dict>
      <key>installation_mode</key>
      <string>allowed</string>
      <key>updates_disabled</key>
      <true/> | <false/>
    </dict>
  </dict>
</dict>

policies.json

Section titled “policies.json”
{
  "policies": {
    "ExtensionSettings": {
      "*": {
        "blocked_install_message": "Custom error message.",
        "install_sources": ["https://yourwebsite.com/*"],
        "installation_mode": "blocked"
      },
      "uBlock0@raymondhill.net": {
        "installation_mode": "force_installed",
        "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
      },
      "adguardadblocker@adguard.com": {
        "installation_mode": "force_installed",
        "install_url": "https://addons.mozilla.org/firefox/downloads/latest/adguardadblocker@adguard.com/latest.xpi"
      },
      "https-everywhere@eff.org": {
        "installation_mode": "allowed",
        "updates_disabled": false
      }
    }
  }
}