DLP agent is overriding Mozilla Firefox enterprise policies in mozilla.cfg

Article ID: 170432

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

The DLP agent uses the Firefox general config file to manage the SPDY protocol. If the SPDY protocol is enabled, SSL incidents may not be generated.


 

Cause

The DLP agent creates an ffm.js file in the Mozilla\default\perf\ folder that specifies Mozilla\ffm.cfg as the general config file.

This prevents the standard mozilla.cfg from working as expected and overrides the Firefox enterprise policies.

Environment

DLP 14.x
DLP 15.x

Resolution

Disable the option for the DLP agent to handle the SPDY protocol and manage the protocol manually instead.

First, change the DLP advanced agent configuration by following these steps:

  1. From the Enforce console, go to System > Agents > Agent Configuration
  2. Select / Edit the applicable agent configuration
  3. Set NetworkMonitor.DISABLE_SPDY_PROTOCOL.int to 0
  4. Save the configuration
  5. Apply the configuration to the agent group

Next, modify the browser policies.

For Firefox, add the SPDY lines to the mozilla.cfg file used to manage the enterprise policies:

    lockPref("network.http.spdy.enabled", false);
    lockPref("network.http.spdy.enabled.http2", false);
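
To confirm the change on an endpoint, the following added example (not part of the original article or of the DLP product) audits a Firefox install for a pref file that redirects the general config file and for the two SPDY locks in mozilla.cfg. It assumes ffm.js uses the standard Firefox AutoConfig pref `general.config.filename`; the function names, the directory arguments and the sample files built in `demo()` are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Prefs the article says to lock to false in mozilla.cfg.
REQUIRED = ("network.http.spdy.enabled", "network.http.spdy.enabled.http2")
CALL = re.compile(r'^\s*(\w+)\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;', re.M)

def parse_prefs(text, skip_first_line=False):
    """Map pref name -> (function, value). Commented-out lines do not match."""
    if skip_first_line:  # Firefox ignores line 1 of an AutoConfig .cfg file
        text = text.partition("\n")[2]
    return {m[2]: (m[1], m[3].strip('"')) for m in CALL.finditer(text)}

def audit(pref_dir, cfg_path):
    """Return findings for a Firefox install; an empty list means it is clean."""
    cfg_path, findings = Path(cfg_path), []
    for js in sorted(Path(pref_dir).glob("*.js")):
        entry = parse_prefs(js.read_text(errors="replace")).get("general.config.filename")
        if entry and entry[1].lower() != cfg_path.name.lower():
            findings.append(f"{js.name} sets general config file to {entry[1]}")
    cfg = parse_prefs(cfg_path.read_text(errors="replace"), True) if cfg_path.is_file() else {}
    for name in REQUIRED:
        if cfg.get(name) != ("lockPref", "false"):
            findings.append(f"{cfg_path.name}: {name} is not locked to false")
    return findings

def demo():
    """Run the audit on a constructed install tree (not real agent output)."""
    with tempfile.TemporaryDirectory() as root:
        pref = Path(root, "pref")
        pref.mkdir()
        # Assumed content of ffm.js: the standard AutoConfig pointer pref.
        (pref / "ffm.js").write_text('pref("general.config.filename", "ffm.cfg");\n')
        Path(root, "mozilla.cfg").write_text(
            "// first line is ignored by Firefox\n"
            'lockPref("network.http.spdy.enabled", false);\n')
        return audit(pref, Path(root, "mozilla.cfg"))

if __name__ == "__main__":
    print("\n".join(demo()))
```

Call `audit()` with the install's pref folder and the path to mozilla.cfg; a lockPref pasted on the first line of the file is reported as missing because Firefox skips that line.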

 
For Internet Explorer: if the IE standard is <11, create the GPO.

Group policy for disabling SPDY:
[User|Computer] Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Allow Internet Explorer to use the SPDY/3 network protocol – Disabled
 
Chrome and Edge do not require any changes.