Is anyone successfully using Firefox 3 in a Windows domain? By "successfully" I mean deploying via AD, configuring via GPO (especially setting network.automatic-ntlm-auth.trusted-uris), default plugins, and somehow managing updates.
I'm aware of FrontMotion and Firefox ADM. It looks like the FrontMotion MSI installer and administration templates would solve most of the problem. I'm not sure how updates would work, however... without me having to update the MSI manually.
I'm also a little bit leery of using a 3rd party package for this. I'm not terribly worried that FrontMotion is packaging up anything naughty in their distribution, but I don't like having to rely on them for being timely with critical updates and such.
Have any of you successfully replaced IE with Firefox in your organization? Is the way your managing it on par with managing IE on your desktops?
We currently deploy the vast majority of the software in our university user labs via AD group policy. Firefox is included. The caveat is that we also repackage most of the vendors' installers using tools like InstallShield AdminStudio. Regarding Firefox specifically, we don't technically enforce any settings. But we do pre-configure a default profile with university specific stuff that gets added to user local profiles when they login for the first time. We manage the updates by simply repackaging the new version and replacing what is deployed.
The main benefit to the FrontMotion version (at least the last time I tried it) was that they've modified the source so that some of the settings are enforceable via normal GP admin templates. We briefly used their version, but ultimately decided the settings enforcement wasn't necessary for our situation.
I honestly don't think you're ever going to be able to completely replace IE in a Windows environment. But it's not that hard to make alternatives easy to access.
I would like to just answer "No" but I felt it was a bit useless for an answer... ^^ Firefox ADM isn't the problem, as you say it's mostly the updates. It's easy if you already have a way to push and execute any files (like SMS/Configuration Manager or whatever management system you use) or if end-users manage their own machines for some reason - but if you only use WUS and patch other applications manually through group policy published MSIs, it certainly adds up to the amount of work you have to do...
...on the other hand, if you run Adobe Reader or Flash Player for example - there should already be a routine in place to handle this very problem - as they too are third party applications that needs to be updated rather frequently.
Each system/application adds up to the patch management workload - so one major goal in my opinion should be to minimize the amount of applications supported. Would you get rid of IE completely (probably not) - or would introducing Firefox mean you'd have two browsers to maintain or at least keep patched? Is there an actual gain with this in the specific environment - then go for it.
This web page shows how to create msi files of Firefox yourself: http://www.klaus-hartnegg.de/gpo/msi_firefox_wix.html
The usual method is to disable the auto-updater, and deploy a new msi-file whenever a new version is available.
Firefox has since learned to update itself with help of an updater service that runs with system rights. So an alternative would be to install it just once, not via the msi method in the above web page, but for example with gpo logon script, and then let it update itself.
Updated answer to this question...
Starting with Firefox v60 (I believe), I recommend starting here:
https://support.mozilla.org/en-US/products/firefox-enterprise
There is now built-in GPO support for many (probably the most common) settings. MSI installers are also now available.