One of my favorite parts about the IGEL Community, and about any community, is people helping people. Someone asks a question, maybe not even related to IGEL itself but to an associated technology, and many fine folks jump in to give their suggestions. Recently I saw just this in the IGEL Community, and the solution is so fantastic and helpful that I wanted to share it with all of you!
Joseph Masone asked the question:
"Aside from modifying hosts files, is there a way to allow only a list of URLs we designate via the Firefox browser? We tried setting up a local HTTP proxy. However, that can be bypassed by simply typing HTTPS in the URL. We also tried restricting all the navigation menus/toolbars; however, one of the sites we need to allow access to has links that can be leveraged to access other unwanted sites."
Host: Andy Whiteside
Co-host: Patrick Toner
00:00:02.400 --> 00:00:08.489
Andy Whiteside: Everyone, and welcome to episode 68 of IGEL Weekly. I'm your host, Andy Whiteside. Today is December the sixth,
00:00:08.980 --> 00:00:12.199
Andy Whiteside: 22. I've got Patrick Toner with me. Patrick, how's it going?
00:00:12.290 --> 00:00:21.219
Patrick Toner: It's going good. It's a little sad to hear you say December sixth. It's like, as soon as I get used to writing 22 on forms and things like that,
00:00:21.340 --> 00:00:26.720
Andy Whiteside: That's when the year changes. So, oh man, I can't write a check to save my life. I can't write the numbers.
00:00:26.830 --> 00:00:33.949
Andy Whiteside: I can't sign my name. I can't, like... I can't write, period, in a legible way. And then the dates,
00:00:34.050 --> 00:00:39.639
Andy Whiteside: I have to look every time to see what date it is, and half the time it's what month it is, and sometimes it's what year it is. I can't even...
00:00:39.880 --> 00:00:46.249
Patrick Toner: It's insane. I hear you, I hear you. Maybe it's because we just don't write that stuff as much. I don't know what it is.
00:00:46.280 --> 00:00:49.960
Patrick Toner: You know, growing up in school, you probably wrote it every day. Right now, we
00:00:50.170 --> 00:00:57.739
Patrick Toner: and technology kind of doesn't... We don't have to do that. It's all done for us. That's it. That's a great example of how technology has helped us.
00:00:57.890 --> 00:01:02.140
Andy Whiteside: Right. I mean, you don't have to write your name. I heard somebody talking about writing their name on the top of their paper.
00:01:02.250 --> 00:01:06.350
Andy Whiteside: There! Nobody does that anymore. It's all part of your digital footprint.
00:01:07.170 --> 00:01:08.259
Andy Whiteside: and that's good.
00:01:08.600 --> 00:01:12.579
Andy Whiteside: But what if you had to write your name? Like, I had to go to this... which, which
00:01:12.670 --> 00:01:17.159
Andy Whiteside: and I did. I had to write my name on a little piece of paper. I forgot to fill it out.
00:01:18.440 --> 00:01:31.190
Patrick Toner: Yeah, I mean, our names are on our, what, our email signatures, you know. And then even that stuff: every company goes to the space, and like, hey, we have like a hundred different email signatures, we need to standardize. That's how little we think about it. We really don't look at it. We don't think about it.
00:01:32.240 --> 00:01:41.429
Andy Whiteside: Well, and that's an interesting conversation, too, because we have... we had RES and AppSense and ProfileUnity, and the thing, whatever Citrix bought,
00:01:41.660 --> 00:01:46.460
Andy Whiteside: that made all that, you know, kind of follow you around, but it never quite got to the finish line. And
00:01:46.600 --> 00:01:51.079
Andy Whiteside: I don't think Microsoft even has it where your Outlook, your,
00:01:51.140 --> 00:02:06.499
Andy Whiteside: you know, your Exchange footprint actually has your signature tattooed into that. So every... I work from 3 virtual desktops for laptops. I'm all over the place all the time, and I'm constantly having to copy my signature from somewhere else and put it in.
00:02:06.550 --> 00:02:13.029
Patrick Toner: Yeah, it is. It is definitely... well, that's the thing, for sure. Microsoft, if you're listening, we need that fix,
00:02:13.170 --> 00:02:14.810
Patrick Toner: or someone needs to develop it.
00:02:14.840 --> 00:02:16.390
Patrick Toner: There we go.
00:02:16.560 --> 00:02:19.640
Andy Whiteside: And there may be an answer for that already, and I just don't know it.
00:02:19.870 --> 00:02:21.110
Patrick Toner: Yeah, he's in here.
00:02:21.230 --> 00:02:23.740
Patrick Toner: I wrestle with that one as well, for sure.
00:02:24.520 --> 00:02:31.440
Andy Whiteside: Well, Patrick, thanks for joining us. Just you and I today. We picked an article. Let me pull it up on the screen so you and I can talk through it,
00:02:31.870 --> 00:02:35.630
Andy Whiteside: around Firefox. It's an older blog.
00:02:35.830 --> 00:02:42.809
Andy Whiteside: but the name of it is "How to restrict Firefox to a list of designated URLs."
00:02:43.130 --> 00:02:53.010
Andy Whiteside: Looks like maybe Joseph Masone asked the question in the IGEL Community. And let's see, can we tell who actually responded here to this?
00:02:53.180 --> 00:03:07.150
Patrick Toner: Well, speaking of names and signatures, I was just gonna say this sounds like Seb wrote it, but I don't see his name anywhere. But I'm pretty sure this is Seb's writing; it just reads like Seb when he says, "I must confess the solution is quite articulate."
00:03:07.170 --> 00:03:10.330
Andy Whiteside: Yeah, that probably is true.
00:03:10.470 --> 00:03:15.179
Andy Whiteside: So help me understand this. Why is this important? Why is it important to,
00:03:15.380 --> 00:03:17.300
Andy Whiteside: I guess, first, maybe
00:03:17.340 --> 00:03:30.499
Andy Whiteside: take an IGEL OS and lock it down to where it's browser only, or maybe not browser only, but when it relates to the browser, you want it to go to one place and one place only. Why is that important?
00:03:30.660 --> 00:03:46.779
Patrick Toner: Yeah, you know, it really comes down to, you know, security and security policies in your company. I've had this request many times over the years, and at one point the answer was that there's really not a way to do this at the OS level. And there probably was a way; obviously this, the scripting, probably worked back then.
00:03:46.810 --> 00:03:51.859
Patrick Toner: But many customers would do this not at the OS level, but maybe they would,
00:03:51.960 --> 00:03:55.730
Patrick Toner: you know, block it at the firewall level internally, or whatever they're doing.
00:03:55.780 --> 00:03:59.629
Patrick Toner: But the one thing that's changed a lot is,
00:03:59.680 --> 00:04:14.610
Patrick Toner: you know, end users have gone home. More people are working remotely, either full time, or maybe a few days a week, coming back into the office. So doing it at the firewall level, that's only gonna really affect you when you're in the office; once you go home it's wide open.
00:04:14.840 --> 00:04:20.580
Patrick Toner: So there is more of a need now to restrict this at the operating system level.
00:04:20.610 --> 00:04:31.869
Patrick Toner: This is really a great way to do it, you know, to basically, no matter where the user is, whether in the office, at home, or at Starbucks, or whatever, they can only hit a few different URLs
00:04:31.900 --> 00:04:34.060
Patrick Toner: from their company assigned device.
00:04:34.520 --> 00:04:42.230
Patrick Toner: So is this a security or productivity need, or both? Well, that's a good point. I guess it could be both. I mean, if you don't want
00:04:42.390 --> 00:04:46.610
Patrick Toner: your end users scrolling Facebook and TikTok and everything else all day.
00:04:46.690 --> 00:04:49.779
Patrick Toner: Yeah, that could actually be productivity.
00:04:49.800 --> 00:05:05.870
Patrick Toner: Yeah, I mean, I think it definitely plays into both categories, you know, for sure. You don't want any malicious-type websites coming into the mix, especially on company property. And yeah, productivity, for sure, without a doubt that plays into it.
00:05:05.950 --> 00:05:16.320
Andy Whiteside: And just for clarification, it looks like Seb wrote the blog, but Joseph asked the question and then found the answer to his own question. And that's what the blog is addressing here.
00:05:16.530 --> 00:05:17.290
Patrick Toner: Okay.
00:05:17.550 --> 00:05:29.099
Andy Whiteside: No. It starts off with kind of the comment from Joseph around doing what we all, as IT admins who understand how DNS works, could possibly do, which is to go in and just
00:05:29.140 --> 00:05:33.840
Andy Whiteside: modify the hosts file, so that the only place you can get to is
00:05:34.180 --> 00:05:43.269
Andy Whiteside: resolve the name. But that's not a real security approach. That's just kind of, what do we call that, security through obscurity kind of thing.
00:05:43.660 --> 00:05:46.340
Patrick Toner: Yeah, I think that's a good way to put it.
00:05:47.460 --> 00:05:49.999
Andy Whiteside: But then he points out
00:05:50.230 --> 00:06:06.069
Andy Whiteside: the ability to launch the app, pointing it to a JSON file. Okay. So, you as the more technical guy, what was the solution Joseph came up with? Let's do that. You had exactly right. You know, it's a script. So, you know, the IGEL operating system,
00:06:06.170 --> 00:06:14.549
Patrick Toner: I don't have... I'm not looking at the UMS in front of me, so... I usually have it up. You know, it's in the system area. You could put custom commands into the operating system.
00:06:14.580 --> 00:06:18.740
Patrick Toner: And there's all these different sections. Now, there's sections where the OS is starting up,
00:06:18.780 --> 00:06:37.789
Patrick Toner: there's sections, but, you know, at the, they call it the desktop initialization phase. It's the last thing that happens as the OS finalizes. So, you know, that's one thing that, you know, from a timing perspective when you're doing scripting in IGEL OS, you know, which category, which section you put it in matters.
00:06:37.800 --> 00:06:51.860
Patrick Toner: But at the end of the day, what you're really talking about is a Linux script, you know. So, you know, it's using the sed command, and what it's doing is it's really just looking at a JSON file, and it's editing it.
00:06:53.090 --> 00:07:09.079
Andy Whiteside: Okay, so any exceptions. So, Firefox, you and I, we were talking about Chromium versus Firefox a while ago. Firefox has a long history of being a very robust, let's call it maybe, work where the enterprise browser, and it comes with a JSON file, which is
00:07:09.110 --> 00:07:12.349
Andy Whiteside: really a file that's used to, at least at startup,
00:07:12.450 --> 00:07:15.070
Andy Whiteside: control applications like Firefox.
00:07:15.540 --> 00:07:22.730
Patrick Toner: That's right, and I am almost certain the same is true for Chrome and Chromium. They also have a JSON file that has the same function.
00:07:22.750 --> 00:07:30.339
Patrick Toner: So I guess in theory you could do something similar with Chromium or Chrome the way he's doing it here.
00:07:30.370 --> 00:07:45.200
Patrick Toner: But yeah, this is... the JSON file is going to, if you look at the way it's written here, it's telling the browser to block everything, and then it's saying, except for these exceptions. So it's saying, hey, you know, it's using this command,
00:07:45.220 --> 00:07:48.130
Patrick Toner: slash, and block all URLs,
00:07:48.290 --> 00:07:53.310
Patrick Toner: and then exceptions. And it has google.com. So in this scenario, only google.com would work,
00:07:53.540 --> 00:07:58.099
Patrick Toner: but you could create a list, you know. Hey, maybe I want these 10 business websites
00:07:58.110 --> 00:08:17.259
Andy Whiteside: that my users use. They can access these, but absolutely nothing else. And chances are, you go into this JSON file, whether it's for Chromium or Firefox, you'll find all kinds of things about full screen mode or partial screen mode or, I don't know, the different tools and toolbars being available or not. Probably pretty powerful if you went through there and looked around.
00:08:17.320 --> 00:08:25.549
Patrick Toner: Yeah, I mean, every type of custom thing like this that customers have asked for in the past, it's usually editing a JSON file for the browsers.
00:08:25.570 --> 00:08:27.940
Patrick Toner: It's extremely powerful,
00:08:28.030 --> 00:08:41.139
Patrick Toner: you know, and really a lot of the IGEL profile, when you look at the Firefox settings, it's most likely just making a change in that file. But you're just doing it with an easy GUI instead of scripting.
00:08:41.700 --> 00:08:45.450
Andy Whiteside: But in this case it looks like, okay, so are they setting a
00:08:45.530 --> 00:08:47.499
Andy Whiteside: script that runs every time
00:08:47.640 --> 00:08:53.739
Andy Whiteside: that goes in and modifies, or makes sure that entry is modified, versus going in and maybe editing the
00:08:53.880 --> 00:08:55.320
Andy Whiteside: the text file.
00:08:55.760 --> 00:09:05.709
Andy Whiteside: and then making it part of the image. I guess, in IGEL world, can you go in and edit the JSON and leave it modified for the base image? Or do you need to go in and touch it every time the machine comes up?
00:09:05.770 --> 00:09:15.519
Patrick Toner: Yeah, it's a great question. And, you know, really, the answer is no, you can't just edit the file. And the reason for that is IGEL is a sandboxed operating system. So
00:09:15.620 --> 00:09:27.359
Patrick Toner: every time you reboot the OS, you know, whatever's in that JSON file by default, that's going to default back to it. So the way you would do this is, you copy this script and edit it as you would need,
00:09:27.490 --> 00:09:45.499
Patrick Toner: and you would put it into one of those sections in an IGEL profile. So I don't know which one there; I don't see a recommendation. But, you know, desktop initialization, a final desktop command, is probably where I would put it. Basically every time the OS boots, it's the last command that runs.
00:09:45.570 --> 00:09:51.630
Patrick Toner: And then, as you launch your Firefox browser, that change is already made in that JSON file, so it keeps it.
00:09:51.650 --> 00:10:08.909
Andy Whiteside: It keeps that... the changes, you know, they stay in effect, even after a reboot, because you have a sandboxed OS. That's necessary. So they don't get tattooed in. In effect, you're just manually... you're not, you're automatically, through the UMS,
00:10:08.920 --> 00:10:12.500
Andy Whiteside: telling it, this is what you're going to do every time you come up.
00:10:12.660 --> 00:10:15.299
Patrick Toner: Yep, absolutely, you know, every time.
00:10:15.920 --> 00:10:19.770
Andy Whiteside: And that's the power of just the concept of the sandboxed OS.
00:10:19.780 --> 00:10:36.120
Andy Whiteside: That's the power of a true enterprise Linux operating system. That's the power of a centralized management solution. It's really the IGEL story, kind of in a nutshell, and in this case it's all about something as simple as a browser, but something as powerful as a browser.
00:10:37.030 --> 00:10:56.040
Patrick Toner: Yeah. And I think, too, it shows the power, you know, of knowing scripting, right? That's ultimately... if you want to become an IGEL wizard, right, the more you can learn about Linux scripting the better, because there's just so much you can do that's outside the lines of what's built into the UMS. There's already a lot of settings there. It's over 7,000. But
00:10:56.050 --> 00:11:01.829
Patrick Toner: if you know how to script, and you know some basics about Linux, yeah, it's really powerful.
00:11:02.490 --> 00:11:16.600
Andy Whiteside: Yeah, this is so interesting because I've got this 20-year-old son. I don't know whether to send him down the SaaS route or into the cloud world, or into scripting. And scripting, no matter which direction you go, is super valuable
00:11:16.740 --> 00:11:20.179
Andy Whiteside: for this kind of runtime code.
00:11:20.260 --> 00:11:22.349
Andy Whiteside: power, management or management.
00:11:23.280 --> 00:11:29.469
Patrick Toner: Yeah, you know, I think Linux is... and, you know, I'd be curious of your thoughts on this, Andy. I mean, I think
00:11:29.580 --> 00:11:35.350
Patrick Toner: knowing Linux now, there's just more and more systems, back-end and front-end, moving to Linux, is probably
00:11:35.670 --> 00:11:40.450
Patrick Toner: a great place for any young person who wants to get into, you know, technology.
00:11:40.630 --> 00:11:55.830
Patrick Toner: But, you know, to your point, scripting is... it's just... I remember when I was working in health care, there was one guy, he was like a PowerShell scripting whiz, and everybody would go to him, and he was... he was probably about job security, that, you know, that hospital would go down without the guy.
00:11:56.080 --> 00:12:03.650
Andy Whiteside: Well, and I actually have this in my background. I was becoming an AIX administrator, Unix, at one point, and I was playing with Linux,
00:12:03.770 --> 00:12:17.769
Andy Whiteside: and then I got a job at Microsoft doing support for a couple of years. And then around that time Microsoft brought PowerShell forward because they realized that having a real shell was going to be super powerful in the enterprise space, or in, you know, the business world.
00:12:17.780 --> 00:12:41.770
Andy Whiteside: And they went from kind of a consumer operating system to a true business operating system: multi-user, scripting, a true shell behind it. And honestly, for me, I think that's what's happened. I think the Linux world, the Unix world, became the Linux world to some degree, and the Microsoft world started thinking shell was important as well. Therefore scripting became a real thing, instead of, you know, the batch file stuff
00:12:41.780 --> 00:13:01.209
Andy Whiteside: that was going on. And then, now, all these worlds, if you really want to be a powerful, strong entity in the configuration... because think about it: you have a UI that somebody can design that can do X number of things, but at a script level, at a shell level, you could do 100 times those things,
00:13:01.220 --> 00:13:03.939
Andy Whiteside: things you couldn't fit on a screen or design in a UI.
00:13:04.950 --> 00:13:16.629
Patrick Toner: Yeah, yeah, for sure. I mean, it's kind of what we're talking about, right? We're talking about, you know, an operating system with a UI that has so many little, you know, levers. I mean, 20-something years' worth of development,
00:13:16.780 --> 00:13:20.790
Patrick Toner: and there's still a need at times to custom-script something.
00:13:20.910 --> 00:13:31.869
Patrick Toner: You know, even when you're talking about a solution like this, it just has like 7,000 things you can change in the UI. There's going to come a point, really, that's 7,005, 7,006.
00:13:31.900 --> 00:13:34.000
Andy Whiteside: You need those things outside the bounds
00:13:34.670 --> 00:13:48.349
Andy Whiteside: You can't fit all those things in a UI. Nobody has time to design a UI to do all that. So therefore, if you want to do the sort of superficial-level stuff, then you use the UI. If you want to get deeper, like in this case, script it and schedule it.
00:13:48.550 --> 00:13:50.060
Andy Whiteside: Well, you can't do that in the Ui.
00:13:51.820 --> 00:14:01.290
Patrick Toner: Yeah. Well, you can in this UI, I guess, schedule it. You schedule it, you know, at boot, but it's not, you know... But yeah, most of the time that's not going to be
00:14:01.690 --> 00:14:07.819
Andy Whiteside: Well, no, I mean, nobody's sitting there every time the machine comes up to click, click, click. You've got to write it into a script
00:14:07.840 --> 00:14:17.299
Andy Whiteside: via the power of the shell, and then stick that into the UMS, maybe through a UI. But at that point you're just pointing to a script or some type of command that's going to run each time.
00:14:17.780 --> 00:14:24.929
Andy Whiteside: Super powerful. So if you're 70 years old or 20 years old, and you plan to be relevant in IT for the next,
00:14:25.130 --> 00:14:26.280
Andy Whiteside: well, forever,
00:14:26.320 --> 00:14:29.609
Andy Whiteside: go understand shells and go and learn how to script.
00:14:29.840 --> 00:14:32.660
Andy Whiteside: And you'll make yourself a valuable resource.
00:14:33.580 --> 00:14:40.740
Patrick Toner: Yeah. And, you know, if you're an IGEL person, you know, join the community, and you know you'll see the people in that community that are the most,
00:14:40.890 --> 00:14:43.060
Patrick Toner: that have the most valuable feedback,
00:14:43.080 --> 00:14:49.739
Patrick Toner: who constantly come up with solutions. They're the ones who know the... they know when it's scripting, and
00:14:49.870 --> 00:15:04.240
Patrick Toner: you know, there's never been a better time. There's all these different training platforms; you could pay a monthly fee and, you know, have an expert walk you through it. There's really never been a better time to learn this type of stuff. You do it from the comfort of your home, and
00:15:04.460 --> 00:15:08.360
Patrick Toner: never have to leave, and just have somebody walk you through it. So it's...
00:15:08.640 --> 00:15:09.670
Patrick Toner: It's great stuff.
00:15:10.700 --> 00:15:15.930
Andy Whiteside: So, Patrick, if you had to start learning a shell language tomorrow, which one would you start with?
00:15:16.500 --> 00:15:19.540
Patrick Toner: Yeah, if I had to start one,
00:15:19.630 --> 00:15:29.819
Patrick Toner: it would either be Power... I would really want to know PowerShell. PowerShell touches so many things, you know, and I just think about my background a little bit, some roles I've worked in,
00:15:29.890 --> 00:15:35.700
Patrick Toner: you know, you look again, making the analogy of, you know, the example of the guy we're doing in health care.
00:15:35.840 --> 00:15:36.610
Patrick Toner: You just.
00:15:36.690 --> 00:15:45.010
Patrick Toner: you know, took a lot of time, he learned, self-taught, and he knew PowerShell scripting really well, and he was super valuable. I would... so it'd either be... I would...
00:15:45.350 --> 00:15:48.930
Patrick Toner: But I think PowerShell is probably going to be the most,
00:15:49.260 --> 00:15:53.949
Patrick Toner: you know, the most used, so that's probably a good place to... for anybody.
00:15:54.100 --> 00:16:03.060
Andy Whiteside: I agree. Well, so I was coming up in the AIX world at one point, and I was learning Korn shell, which is similar to Bash.
00:16:03.320 --> 00:16:12.590
Andy Whiteside: But then I started going the Microsoft route, because that's where I got my next set of jobs. And that's when I started to become aware of PowerShell.
00:16:12.660 --> 00:16:18.670
Andy Whiteside: And then we did a podcast yesterday around the Citrix stuff, and it included... it was about Linux,
00:16:18.800 --> 00:16:25.609
Andy Whiteside: and I didn't realize until then how much effort had gone into bringing PowerShell over to the Linux world, that way it becomes a ubiquitous thing.
00:16:25.800 --> 00:16:34.199
Andy Whiteside: So whether it's maybe Azure, or whether it's a Linux OS, or whether it's Windows, or whether it's maybe AWS,
00:16:34.300 --> 00:16:38.339
Andy Whiteside: I'm not sure about the Google guys at this point. But PowerShell would be one
00:16:38.650 --> 00:16:44.639
Andy Whiteside: that I would go down the route of. That's again with my 20-year-old son; I'm trying to figure, okay, where do I point him?
00:16:44.840 --> 00:16:48.649
Andy Whiteside: And there's so many things to the point of that. But if you could learn how to write,
00:16:49.300 --> 00:17:02.840
Andy Whiteside: and if you could learn PowerShell and how to use it for the commands and the cmdlets, and then turn around and be able to put that into a script, and then schedule that script, then you're on your path to being a well-paid person in technology for many, many years to come.
00:17:02.970 --> 00:17:04.579
Patrick Toner: Yeah, totally agree.
00:17:04.960 --> 00:17:06.940
Andy Whiteside: And you can impress the hell out of your friends, too.
00:17:07.089 --> 00:17:10.290
Patrick Toner: That's true. Well, not all your friends, but at least your technical friends.
00:17:10.380 --> 00:17:28.629
Andy Whiteside: I would say even some of your non-technical friends. Like, hey, you do this, watch this, just type it out and hit send. And this beautiful thing of messaging going across the screen happens, and, you know, they think you're a genius, and all you did was type a little command with a switch or something on it. Or...
00:17:29.870 --> 00:17:43.240
Patrick Toner: Yeah, I think we've had this discussion about, you know, impressing our wives with these things. I'm pretty sure if I tried to show my wife PowerShell scripting, you know, she would probably fall asleep. But I think for those years she really couldn't explain what I did for a living.
00:17:43.390 --> 00:17:45.279
Patrick Toner: I still can't.
00:17:45.350 --> 00:17:53.440
Andy Whiteside: Yeah, "he works on computers." That's it. That's it. The computers is... you know, that's very simple, very basic. Computers, that he
00:17:53.620 --> 00:17:59.179
Patrick Toner: makes all the payments on all this stuff around here. That's all. There you go, 2 very important things. Yeah.
00:17:59.580 --> 00:18:05.059
Andy Whiteside: All right, sir. Well, I appreciate the time and good discussion, and we'll pick a topic and do it again next week.
00:18:05.190 --> 00:18:09.370
Patrick Toner: Great, thank you.