Disable auto-updates for Firefox when deploying using Munki and AutoPkg

Note before you begin
Acknowledgements
Why you should do this
The actual procedure
Caveat
Thunderbird
The CCK2 method

Note before you begin

If you know nothing about Munki or AutoPkg, then this page will be of little use to you. If you're interested in a basic setup tutorial, check out the Absolute beginner’s guide to setting up Munki (not monkey).

Acknowledgements

Special thanks to Nick McSpadden for Deploying and Managing Firefox Part 2: Working with Munki, which lays out the disable-update concept with a slightly different procedure (using CCK and symlinks), and to Mozilla for documenting directory changes in Deploying Firefox in an enterprise environment.

Why you should do this

For a while, I was deploying Firefox using Munki but then not disabling updates, because it actually wasn't causing any problems.

firefoxupdateerror
Recently, though, users have been getting this kind of error, which is odd, because Firefox should, in theory, still be able to update itself, even if Munki has been pushing updates, because all Munki does is essentially automate the regular installation process (dragging the Firefox.app bundle to the /Applications folder).

The actual procedure

Create a text file with these contents:

pref("general.config.filename", "mozilla.cfg");
pref("general.config.obscure_value", 0);
Save that text file as autoconfig.js

Create a second text file with these contents:

// Disable updater
lockPref("app.update.enabled", false);
// make absolutely sure it is really off
lockPref("app.update.auto", false);
lockPref("app.update.mode", 0);
lockPref("app.update.service.enabled", false);
Save that text file as mozilla.cfg.

Create a DisableFirefoxUpdates package (if you prefer a GUI, I'd recommend Packages) that distributes a payload of two files. I decided to put the files in /Library/Application Support/Mozilla/DisableAutoUpdates, but you can put them somewhere else, as long as you can find them later (if you do decide on a different location, make sure to tweak the scripts below accordingly).

Import the DisableFirefoxUpdates package into Munki (using munkiimport) and then make it a requirement for the Firefox package.

You may also want to add this as a post_install script for DisableFirefoxUpdates:

#!/bin/bash

# Distribute the script if Firefox is already installed
if [ -d "/Applications/Firefox.app/Contents/Resources" ]; then

# Copy the autoconfig.js
cp /Library/Application\ Support/Mozilla/DisableAutoUpdates/autoconfig.js /Applications/Firefox.app/Contents/Resources/defaults/pref

# Copy the mozilla.cfg file
cp /Library/Application\ Support/Mozilla/DisableAutoUpdates/mozilla.cfg /Applications/Firefox.app/Contents/Resources/

fi
That's handy if you, like me, are starting to distribute the DisableFirefoxUpdates package after having already deployed Firefox.

There is one more final step, which is super important. If you're using AutoPkg (or its graphical frontend, AutoPkgr) to automatically get the latest Firefox and import it into Munki, you want to create an override recipe (if you have one already, tweak the existing override), and then include the following as part of the pkginfo dict:

<key>postinstall_script</key>
<string>#!/bin/bash

# Copy the autoconfig.js
cp /Library/Application\ Support/Mozilla/DisableAutoUpdates/autoconfig.js /Applications/Firefox.app/Contents/Resources/defaults/pref

# Copy the mozilla.cfg file
cp /Library/Application\ Support/Mozilla/DisableAutoUpdates/mozilla.cfg /Applications/Firefox.app/Contents/Resources/
</string>
What this does (minus the check to see if Firefox is installed) is just make sure that every time you install a new version of Firefox, you copy the DisableFirefoxUpdate files over to the newly-installed version.

Caveat

I've done some testing, and this works. The only thing to keep in mind is that if you deploy the DisableFirefoxUpdates after having already deployed Firefox to users, users will still likely have auto-updates enabled... until they restart Firefox.

So if a user says "I'm getting an error about Firefox not updating," have the user quit out of Firefox and launch up Managed Software Center, and it should be good from that point forward.

Thunderbird

Someone asked about this, so I did testing, and this exact same config works for Thunderbird as well. You would just have to add in the appropriate script to copy the files over (from the same payload):

#!/bin/bash

# Distribute the script if Thunderbird is already installed
if [ -d "/Applications/Thunderbird.app/Contents/Resources" ]; then

# Copy the autoconfig.js
cp /Library/Application\ Support/Mozilla/DisableAutoUpdates/autoconfig.js /Applications/Thunderbird.app/Contents/Resources/defaults/pref

# Copy the mozilla.cfg file
cp /Library/Application\ Support/Mozilla/DisableAutoUpdates/mozilla.cfg /Applications/Thunderbird.app/Contents/Resources/

fi

The CCK2 method

If you would like to use CCK for some more major customizations instead of just disabling auto-update, here is a recent blog post on how to do so:
Firefox, CCK2 and an AutoPKG Recipe.

Here are a few fun screenshots of my own to complement the ones on that page:

And this is the Munki recipe you'd use with the resulting autoconfig.zip file.

Leave a Reply

Your email address will not be published. Required fields are marked *