1
0
mirror of https://github.com/TommyTran732/Microsoft-Edge-Policies synced 2024-11-21 18:01:34 -05:00
Enterprise Policies for Microsoft Edge
Go to file
Tommy 72cf3eed59
Allow Web Capture
Signed-off-by: Tommy <contact@tommytran.io>
2023-12-29 00:37:10 -07:00
Linux Allow Web Capture 2023-12-29 00:37:10 -07:00
macOS Allow Web Capture 2023-12-29 00:37:10 -07:00
LICENSE Update LICENSE 2023-11-19 13:06:47 -07:00
README.md Typo fix 2023-12-25 13:51:07 -07:00

Microsoft Edge Policies

These policies are written with personal use in mind, so that I can configure Microsoft Edge for security and privacy on my personal systems. Certain features are disabled because I see them as unnecessary, annoying, or potentially privacy invasive. Microsoft has the tendency to implement features in the most privacy invasive way possible, so features that are not related to security are disabled unless they are explicitly documented to not have detremental effects on privacy.

Smartscreen is left as recommended to be be off, as it sends the FULL URLs of what are being visted to Microsoft. I decide whether to use it or not depending on the actual system that I am using.

For corporate environments, you will need make approprieate changes, including but not limited to:

  • Disable DeveloperToolsAvailability. Users can be tricked into running malicious code in the browser console otherwise.
  • Set DefaultWebUsbGuardSetting to "Block". In most cases, the websites will never need to use this API. I need it to flash GrapheneOS and StockOS on my phones.
  • Set DefaultJavaScriptJitSetting to "Block". This will prevent users from adding exceptions to Enhanced Security Mode.
  • Remove the uBlock Origin Lite extension whitelist. I am not aware of any way to block users from granting uBlock Origin Lite access to all content on a website, which is a security risk. If you know of a way to enforce that the extension runs permission-less, please let me know.
  • Set SSLErrorOverrideAllowed to false.
  • Further restrict permissions that websites can prompt for.
  • Consider removing the Disable3DAPIs policy. Currently, WebGL is disabled in my policies and a few sites will break, so whether to do this highly depends on your organization.
  • Consider mandating that SmartScreenEnabled is set to disabled. TyposquattingCheckerEnabled is also potentially invasive, though I have not confirmed this. Please make an issue to let me know of your findings.

Linux

The mandatory policies should be put in /etc/opt/edge/policies/managed/managed.json, and the recommended policies should be put in /etc/opt/edge/policies/recommended/recommended.json

macOS

The mandatory policies should be put in /Library/Managed Preferences/com.microsoft.Edge.plist, and the recommended policies should be put in /Library/Preferences/com.microsoft.Edge.plist

macOS is problematic, as it will wipe /Library/Managed Preferences every boot if you are not using an MDM. I work around this by putting the policies in /Library/Tomster Corporation, and use a cronjob as root to copy it every boot:

@reboot sleep 5 && cp -r '/Library/Tomster Corporation/' '/Library/Managed Preferences'

I have also noticed that Microsoft Edge does not seem to reload Managed Preferences probably until the computer reboots. Note that this may not work after a macOS update, and you will need to reboot the computer again for the policies to apply. I am not sure if this is a macOS behavior or if it is caused because my machine is not enrolled in an MDM.

Alternatively, you can try to convert the .plist files to .mobileconfig files and install them as profiles.