by est31 2624 days ago
Of course you can lock stuff via enterprise settings so that about:config entries can't be modified by local users, but that takes time to find out and test, while removing the weird non-Chrome browser that's still present mostly for inertia reasons but nowadays only gets used for evil porn is much easier.

Saving time by applying a non-solution (like removing one browser instead of treating the root cause) is not actually saving anything. You just kick the problem further down the road. Firefox prefs are documented even if not in the most user friendly way [0][1][2][3]. For the most part performing some basic hardening and other useful config on the browser takes less than a day. A person with some IT background shouldn't have too many problems doing it and it's more or less a one time thing.

[0] https://dxr.mozilla.org/mozilla-release/source/modules/libpr...

[1] https://dxr.mozilla.org/mozilla-release/source/browser/app/p...

[2] https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Ent...

[3] https://support.mozilla.org/en-US/products/firefox-enterpris...

no, using the nuclear option of removing the browser outright when others work is the smart, efficient option that someone who actually works in IT with limited resources would (and should) use.

this stuff about finding all the right config files during "basic hardening" and having it just work is the stuff of armchair commenters and people who do IT/security on a well funded, sufficiently redundant team. assuming the latter would be the people in charge of school IT is hopelessly naive.

So tell me then, what exactly are you achieving with removing Firefox when the same bypass can easily be achieved with Chrome? Remove Chrome also? Call the well funded security team to configure whatever browser you’ll eventually have to use?

The problem with half assed work is that you still put in some effort but reap none of the rewards. You work to uninstall Firefox from dozens of computers but get exactly 0 results because now you’ll have to configure Chrome. Default installations of both browsers are perfect for home use but woefully inadequate for controlled networks.

And in the end you put in just about as much effort as changing some flags in any one of the dozens of example config files available on the internet and copying it on every machine.

the DNS filtering works on chrome. yes, people can bypass it, but it doesn't even work on firefox, so they remove firefox. this isn't rocket science, and you're being foolishly contrarian instead of trying to understand what the original commenter's actual situation is. this leads me to believe that you are hypothesizing about work you don't do, but feel perfectly qualified to talk about "half assing" things.
> you're being foolishly contrarian instead of trying to understand what the original commenter's actual situation is

Perhaps because he's describing 2 different situations. One where "some schools" are removing Firefox, and one where it's not an option for him because of BYOD. Uninstalling Firefox is exactly the solution he can't apply. So I still maintain that the other schools that fully control the clients could have applied a proper fix faster and cheaper than any uninstall. It's one line in a config file [0], already linked above.

All your replies are gratuitously aggressive and insulting. That's not a good way to contradict my solution that works, is simpler and more future proof than uninstalling browsers with DOH.

Eventually all browsers will have DOH, you can't uninstall them all. And leaving a browser unmanaged and at the mercy of a student is not an option since requiring 2 extra clicks to bypass the filtering isn't a solution. You need some form of management either way.

I already gave you a solution that's better than removing the browser and "cheaper" than having to manage Chrome with GPOs (not a high bar). Insults won't change that.

[0] https://dxr.mozilla.org/mozilla-release/source/modules/libpr...

this is getting really boring and repetitive, but you didn't give a "cheaper" solution, you gave an administratively more expensive solution (change files on machines rather than bulk remove an app which is out of the box functionality for many products IT like this would use), along with moving the goal posts; the goal is "keep my DNS filtering working," not "make sure no one ever gets to the porn site."

of course, you would need to do more in chrome (and windows/osx/ubuntu generally) to stop traffic to a site if a student knows what they're doing. that's not the point. the point is: we have this control in place. we've agreed it's working well enough. people can bypass the control simply by using firefox. to avoid adding overhead, we ditch firefox (for now). it's that simple.

as for future-proofing, that's a luxury. ...and part of why it's a luxury is that some goals ("make all traffic to any porn sites impossible on our school network") just aren't going to be met by budget IT.

re: BYOD, for that i go over to the armchair tech purist side i'm afraid, and just say "well, you allow that, so you need to get over that they can use VPNs and stuff. you're not DOJ or some wealthy corporation with important IP assets and equally 'important' VIP execs that insist on bringing their OSX 10.6 MBP to work. you don't get to have all the cool controls that might allow BYOD. sorry."

How efficient is the "nuclear option" when all browsers have DNS-over-HTTPS? By then you have a few options:

- Implement a proxy to break SSL.

- Configure the browsers to disable DOH (GPO or local configuration) for as long as it's an option.

- remove all browsers because that's the solution you already have in place.

I wholeheartedly disagree with any resolution that just hides or ignores the issue especially when it's scheduled to become more or less standard.
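An added example (not code from the thread) of the "configure the browsers to disable DOH" option above, and of the "one line in a config file" mentioned earlier: a POSIX shell script that drops enterprise policy files turning DoH off in Firefox and Chrome on Linux. The policy paths are the browsers' documented Linux locations and are assumed to match the installed packages; an optional staging root lets you inspect the result without touching /etc.

```shell
#!/bin/sh
# Added example, not part of the thread. Writes enterprise policy files that turn
# DNS-over-HTTPS off in Firefox and Chrome on Linux so resolver-side DNS filtering
# applies again. Paths assume the standard packages; pass a staging root to test.
set -e

write_doh_policies() {
    root="${1:-}"
    ff_dir="$root/etc/firefox/policies"
    cr_dir="$root/etc/opt/chrome/policies/managed"
    mkdir -p "$ff_dir" "$cr_dir"

    # Firefox: DNSOverHTTPS policy; Locked means about:config and the
    # Settings page cannot re-enable it.
    cat > "$ff_dir/policies.json" <<'EOF'
{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled": false,
      "Locked": true
    }
  }
}
EOF

    # Chrome: DnsOverHttpsMode "off" always uses the system resolver.
    cat > "$cr_dir/disable-doh.json" <<'EOF'
{
  "DnsOverHttpsMode": "off"
}
EOF

    # Readable by the browser, but not writable by the users it constrains.
    chmod 644 "$ff_dir/policies.json" "$cr_dir/disable-doh.json"
}

# Returns 0 only when both policy files exist with the expected values.
verify_doh_policies() {
    root="${1:-}"
    grep -q '"Enabled": false' "$root/etc/firefox/policies/policies.json" &&
    grep -q '"Locked": true' "$root/etc/firefox/policies/policies.json" &&
    grep -q '"DnsOverHttpsMode": "off"' "$root/etc/opt/chrome/policies/managed/disable-doh.json"
}

# Usage: `sudo sh deploy-doh-policy.sh --apply` (real install) or
#        `sh deploy-doh-policy.sh --apply ./stage` (write under ./stage).
case "${1:-}" in
    --apply) write_doh_policies "${2:-}" && verify_doh_policies "${2:-}" && echo "DoH policies installed" ;;
esac
```

The same policy keys can be delivered on Windows through the Firefox and Chrome ADMX templates via GPO, which is the "GPO" route the comment above refers to.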

Yes, we should stick with IE6 on all machines, no need for any other browsers.
firefox messes up their DNS filtering, chrome doesn't. so they remove firefox and enforce chrome. if you see that as a slippery slope, you're imagining it. they probably 1) have a decent app like ninite to remove and install apps, 2) don't have anything but their production environment, 3) don't have a homogeneous environment in terms of patching (maybe they do), 4) don't have people to go around and make sure the config changes they push (however they would push them) took, worked, etc. so they block the app. maybe eventually they reinstall it. welcome to IT.

...which reinforces my point about how people actually doing this and people speculating about it tend to respond to issues like this.

> firefox messes up their DNS filtering, chrome doesn't

I take it you assume students are not creative enough to get the exact same result with Chrome? Because it is perfectly possible to do it. Unless of course you take steps to prevent that in Chrome. One way or another you either put in the work or the users will end up doing whatever they please. After configuring the OS doing the same for the browser is a relatively small step.

of course it's possible to do so. but DNS filtering works for most users, and is much easier to centrally manage on a budget (in terms of time / people / money) than browser settings.

i'm belaboring this point now, but people who actually do this stuff know that you can't just throw up a GPO to fiddle with chrome settings and expect everything to work. this culture of "power users" thinking they know the best course of action for every situation in IT (and it's always "that thing i Put In The Work to do when i was tailoring my own system") is really silly.