Deploying uBlock Origin for Firefox with CCK2 and Group Policy

[Article last updated 2017-03-07]

Blocking advertising has multiple security and performance benefits to clients. I have reviewed all the options and 'uBlock Origin' is the clear winner. It is a clean implementation that relies on existing excellent Adblock Plus filters, but with better performance and without letting through "acceptable advertising" that nonetheless brings security risks. I won't get into uBlock vs uBlock Origin. Origin is the original by the original developer.

The following has been tested and applied across over 1000 clients.

This article covers deploying uBlock Origin for Firefox - see my other articles for Chrome and Internet Explorer.

uBlock Origin homepage

Part 1: Firefox ESR

This is only a forward-looking recommendation; ESR is not required.

Mozilla Firefox comes in two flavors: Firefox, and Firefox ESR.

ESR is "Extended Support Release." It allows organizations to standardize on periodic major versions of the browser that are more conservative in introducing major non-security changes. Firefox is a browser primarily built for end-users and Mozilla has in the past, and continues to, make decisions with them in mind. You want stability and a place at the table. ESR gives you that.

Download Firefox ESR

Part 2: Firefox customization with CCK2

Mike Kaply has built a Firefox extension that helps you build Firefox auto-configuration file-sets named CCK2. You place these files you generate in the Firefox Program Files directory and Firefox configures new and existing profiles based on them. They're like Group Policy for Firefox, and CCK2 is the editor.

Download CCK2

Get uBlock Origin URL

We need to get the URL of uBlock Origin so Firefox can auto-download it. It will update the extension when updates are released later. Still, it's better to start off with something as new as possible.

  1. Open Firefox
  2. Go to https://addons.mozilla.org/En-us/firefox/addon/ublock-origin/
  3. Right-click the "Add to Firefox" button
  4. "Copy link location"
  5. You will get something like: https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/addon-607454-latest.xpi?src=/decentsecurity.com/ublock-for-firefox-deployment/dp-btn-primary
  6. Remove everything after the ? so you get something like: https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/addon-607454-latest.xpi
  7. Make a note of this, you'll need it soon

Working in CCK2

Install the extension and click the new button it added to the toolbar in the top right. The following steps are in the CCK2 interface.

  1. Make a new configuration
    1. Name: Company Name
    2. Identifier: [email protected]
  2. About
    1. Version: 1.0
    2. Output Directory: Make a folder in your Documents where the autoconfig files will end up
  3. Add-ons > Add URL: Use the URL you got in the "Get uBlock Origin URL" section
  4. Look through all the other options in the interface and customize as you see fit.
  5. Finish > Use AutoConfig

The files in your Output Directory need to now be dropped in the 'C:\Program Files (x86)\Mozilla Firefox' folder on clients. Go ahead and manually copy them into the folder on a PC to test everything works correctly.

Part 3: Publishing the files

You now need to get the files in your Output Directory to a public file share that Everyone or Authenticated Users have access to. This is because the files will be copied using the computer's Active Directory account, not the logged-in user's. Make note of the location

Part 4: Distributing with Group Policy File Preferences

Now you need to copy the files from your share to C:\Program Files (x86)\Mozilla Firefox\
You can use a simple xcopy/robocopy script, or if you want to do it natively you can use Files Preferences in Group Policy. This is what I do across 1600 computers. 

  1. Make a new Group Policy named "Firefox customization" OR add this to an existing GPO.
  2. Open the editor for the GPO.
  3. Create the following Files Preferences under Computer Configuration > Windows Settings > Files
  • Replace (Apply once and do not reapply)
    • \\fileserver\share\FirefoxConfig\*.*
    • %ProgramFiles(x86)%\Mozilla Firefox
  • Replace (Apply once and do not reapply)
    • \\fileserver\share\FirefoxConfig\browser\defaults\profile\*.*
    • %ProgramFiles(x86)%\Mozilla Firefox\browser\defaults\profile
  • Replace (Apply once and do not reapply)
    • \\fileserver\share\FirefoxConfig\cck2\*.*
    • %ProgramFiles(x86)%\Mozilla Firefox\cck2
  • Replace (Apply once and do not reapply)
    • \\fileserver\share\FirefoxConfig\cck2\modules\*.*
    • %ProgramFiles(x86)%\Mozilla Firefox\cck2\modules
  • Replace (Apply once and do not reapply)
    • \\fileserver\share\FirefoxConfig\defaults\pref\*.*
    • %ProgramFiles(x86)%\Mozilla Firefox\defaults\pref

On next reboot or Group Policy refresh and Firefox launch, you should see uBlock Origin appear and start applying automatically with no user prompts.

SEND FEEDBACK