Thursday, July 16, 2009

Why the State Department Doesn't Use Firefox

At a recent town hall meeting, a State Department employee asked Hillary Clinton why employees were not allowed to use Firefox. When it was suggested by Pat Kennedy that the reason was likely cost, it was humorously pointed out that Firefox is free! Har har! Yeeeah daaawg! Hand slap!

In a rare moment for government, Kennedy actually went on to explain what he meant by cost, which may have nothing to do with the actual cost of licensing the software itself. Maybe he just got lucky, but he's absolutely correct.

I've been crybabying about Firefox's complete lack of enterprise support for many, many years. We all know just how entrenched Internet Explorer remains in the corporate world, and this is responsible for much of the market share it still clings to. If Mozilla would just start offering services for business users, I think it would dominate the market in short order.

What do I mean by "support" and "services?" I'm not talking about contracts or paid subscriptions or anything icky. Maybe I can shed some light on the issue by describing what it's like to manage Internet Explorer on corporate desktops.

1) Even the most basic Windows Server can run, at no additional "cost", a service called WSUS, or "Windows Server Update Service" or something goofy like that. Using WSUS with group policies, even the most inexperienced IT professional can gain complete control over updating and patching just about all Microsoft products, including Internet Explorer, on all of the machines he's responsible for.

When a security vulnerability is patched in Interenet Explorer, which happens every 2.74 minutes, I can push the update out to all of the machines in my domain. It doesn't matter that the user who uses the machine has no administrative rights, and the user has no control over whether the update is applied. Thus using WSUS I can easily see exactly what's up with every installation of Internet Explorer on my network. To my end users it's completely transparent.

2) When using Internet Explorer in a Windows domain, it is trivial via group policy to completely control the behavior of Internet Explorer for all users and / or machines. I can lock down security settings, configure default home pages, and all sorts of fun stuff. Mozilla does not directly support this for Firefox.

3) If machines in a business environment are running Windows, then it's very likely that any local browser-based services are using some form of Windows authentication. With Internet Explorer this is of course supported by default. When a user logs on to a machine and uses IE to hit the corporate intranet, he is automatically logged in to the site using his domain credentials. The user has absolutely no idea that he's logging in, it just works.

With Firefox NTLM authentication does exist and actually works. In fact, I can configure Firefox and actually use it to browse a local Sharepoint site, and from an authentication standpoint it works just the same as IE. However, I cannot easily push these settings out to Firefox installations using group policy.

Ok, so what does Mozilla need to do in order to get the enterprise online with Firefox?

1) Offer a simple way to control updates. We cannot simply hope that users update when prompted, and updates won't even work for locked down users, which is about 99% of them. Requiring that IT build and deploy an .MSI every time Firefox is updated is unreasonable and costly.

There are projects out there like FrontMotion that offer a Firefox package that takes away much of the burden, but this makes us rely on FrontMotion for timely updates. This is not something I want to leave to some independent third party. This is exactly what I want *from Mozilla* itself.

2) Offer administrative templates so that Firefox can be configured via group policy, including the ever-important NTLM authentication settings. Again, this has to come directly from Mozilla or it's probably just not going to fly.

That's it.

How much work would this be for Mozilla? I dunno, but gauging by what FrontMotion does, I don't think it's an insurmountable task. (I think FrontMotion might just be one person!) Considering the market share that Firefox would gain, I'm absolutely dumbfounded as to why they haven't even tried this yet. It's not like it hasn't been requested by users for years and years!

"Ok, well if it's really not that hard, then why not just do this yourself in-house?"

Because that would *cost something*. Just sticking with Internet Explorer doesn't cost anything more than what I'm already spending. Yes, it's an inferior browser, but it works and users are familiar with it. Its security shortcomings are mitigated by making sure that all users have restricted accounts. (It's not like Firefox doesn't have security problems from time to time)

Since Firefox is a better browser in many ways which we don't even need to get into, and a lot of people are now using it at home, I can matter-of-factly state: if Mozilla was able to give me what I want, I would immediately offer the option of Firefox on all desktops and over time switch all default browsers to it. Everybody wins, right? What's the holdup?