How-to: Create ABP Deployment Package

Place to exchange experience about rolling out Adblock Plus to many computers, preconfiguring the extension etc.
mdodge
Posts: 2
Joined: Mon Apr 27, 2015 8:50 pm

How-to: Create ABP Deployment Package

Post by mdodge »

Hello All,

I've been messing around with building deployment package/method for ABP for all 3 main browsers via GPO. I figured I would share. Note that this was done in a time crunch so there is most definately room for improvement and probably much better ways to accomplish it. But hopefully this can help someone. I have used this method for 2 clients (about 50 devices or so) and seems to work good. Dont have a method yet for disabling first run for IE and Firefox yet but at least the plugin installs on its own without user intervention.

How to deploy and manage Adblock Plus with Group Policy for IE, Chrome and Firefox

Adblock Plus for IE

Adblock Plus for IE comes as an MSI for easier deployment. Typically, you will only need to deploy the x86 version even with 64bit OS. As this is a plugin for IE x86. The x64 bit installer is only needed if using IE 64bit. It should be noted that users will receive a one-time pop up message when opening IE for the first time after install. This window basically is just a “Thanks for installing Adblock” message, with options to donate. Users can close this window and it won’t appear again. As of this writing, there is no reliable way found to disable this yet.

Follow these steps to deploy
  • 1. Create a share on a server for Adblock. Make sure domain users and domain computers have ready only access. Create an IE folder to your server share.
    2. Create a new file in notepad and save it as adblockIEdeploy.bat with this code:

    Code: Select all

    msiexec /q /i \\server\Adblock-Deploy\IE\adblockplusie-1.4-x86.msi
    3. Modify adblockIEdeploy.bat - change \\server\\server\Adblock-Deploy\IE\adblockplusie-1.4-x86.msi to the appropriate path created in step 1.
    4. Copy the patterns.ini file from PC that already has Adblock Plus for IE installed and updated and place it in the IE folder. The location for patterns.ini in IE is: c:\users\%username%\appdata\locallow\Adblock Plus for IE\patterns.ini
    5. Make sure the .bat file, the .msi file and the patterns.ini file are in the same folder
    6. Create a group policy and assign to OU's you wish to deploy adblock to. Add the .bat file as a computer startup script
    7. Under Computer Configuration - Policies - Security Settings - local policies - security options - Change setting of "User Account Control: Admin Approval Mode for the built-in Administrator account" to disabled
    8. UnderUser Configuration/Policies/Administrative Templates/Windows Components/Internet Explorer/Security Features/Add-on Management/Add-on List, Enable policy and configure with these values:
    • Value name: {FFCB3198-32F3-4E8B-9539-4324694ED664}
    • Value: 1
    9. Enable "Configure User Group policy loopback processing mode:" under Computer Configuration - Policies - Administrative Templates - System - Group Policy. Set mode to merge
    10. Under User Configuration - Preferences - Windows Settings - Files, Create a new file action. Set the action type to "Replace". Set source file to the network path location of the patterns.ini file. Under destination, enter the path exactly as c:\users\%username%\appdata\locallow\Adblock Plus for IE\patterns.ini. Click on the “Common” tab and check the box for setting “Run in logged-on user’s security context”. Click Ok.

Managing Adblock Plus for IE filterlist
  • 1. The patterns.ini file contains the filter list for Adblock Plus. The group policy will copy the ini file to the appropriate folder for Adblock to use. Used the “replace” option because otherwise, Adblock itself will create its own or possible it could be overwritten, losing any customized filters.
    2. The Patterns.ini file should be edited with a program like Notepad++, rather than standard notepad as it will not be formatted correctly.
    3. Note that you cannot use the same patterns.ini file for all installs of Adblock Plus (chrome or firefox) as each browsers pattern file is slightly different.

    To add a domain/site to be excluded from adblock:
    1. Open patterns.ini in notepad++
    2. Scroll to the very bottom. Add this code:

    Code: Select all

    [Subscription filters]
    @@||domain.com^$document
    Replace "domain.com" with the domain of the site you wish to whitelist
    3. Make sure there is no empty/white space at the bottom of the file. Save the file.
    4. If Adblock is ever updated, the version=4 variable at the top of the file should be adjusted to match. Adblock will update itself, so that is why the group policy “replace” is needed to make sure clients are always using the customized patterns file.
    5. Since the patterns file can occasionally be updated to add more filters (like a definition file), it would be best to replace the shared patterns.ini file with a new one every so often, then just cut and paste the custom entries from the old one. As of this writing, there isn’t a way found to reliably automate updating the shared patterns file while retaining the custom entries. It’s possible a more complex script could be created to do this.

Adblock Plus for Chrome

Deploying Adblock plus from Chrome simpler than most browsers to install, though management of its pattern file is different. There is no install file to deploy, rather Chrome will be configured via GPO templates to go download and install it from Google’s play store. Adblock is a very small plugin, so bandwidth traffic should not be a concern even for large environments.

Follow these steps to deploy
  • 1. Create a share on a server for Adblock. Make sure domain users and domain computers have ready only access. Create a Chrome folder to your server share.
    2. Copy the 00000000 pattern file for chrome there from a PC with Adblock Plus for chrome installed. Location is: c:\users\%username%\appdata\local\Google\Chrome\User Data\Default\File System\000\p\00\00000000. Note the "000" will be a different number depending on how many other ext's for chrome are installed.
    3. On a domain controller open group policy editor and create a policy for Adblock deployment (can be 1 policy for all browsers) and assign to the OU that contains the computers you wish to deploy to.
    4. Edit the policy, and install the chrome Group Policy template here: http://dl.google.com/update2/enterprise ... Update.adm (GoogleUpdate.adm) template file (Right click administrative templates select Add/Remove templates). You need only do this to 1 domain controller. This will provide new Chrome specific GPO settings
    5. Enable "Configure User Group policy loopback processing mode:" under Computer Configuration - Policies - Administrative Templates - System - Group Policy. Set mode to merge
    6. Under “User Configuration – Policies – Administrative Templates – Google – Google Chrome – Extensions” enable policy “Configure the list of force-installed extensions”. Under options, click show. Enter the value: cfhdojbkjhnklbpkdaibdccddilifddb;https://clients2.google.com/service/update2/crx
    7. Click OK.
    8. This will disable first run page for Chrome users. Under Computer Configuration - Preferences - Windows Settings - Registry, create new registry item with action "update". Set values as follows:
    1. -Hive: HKEY_Local_Machine
      -Key Path: Software\Policies\Google\Chrome\3rdparty\extensions\ldcecbkkoecffmfljeihcmifjjdoepkn\policy
      -Value Name: suppress_first_run_page
      -Value Type: REG_DWORD
      -Value Data: 1
    NOTE: Disable of first run page for chrome requires dev build 1.8.12.1419 or upcoming release 1.8.13
    9. Under User Configuration - Preferences - Windows Settings - Files, Create a new file action. Set the action type to "Replace". Set source file to the network path location of the 00000000 file. Under destination, enter the path as c:\users\%username%\appdata\local\Google\Chrome\User Data\Default\File System\000\p\00\00000000. Click on the “Common” tab and check the box for setting “Run in logged-on user’s security context”. Click Ok.
    NOTE: Unfortunately, the destination path for the patterns file may not be the same for every user. For chrome, extensions are installed under c:\users\%username%\appdata\local\Google\Chrome\User Data\Default\File System\. The problem is the next folder in that path isn’t always 000. That folder could be anything from 000 to 050 (or higher). It depends on how many extensions are already installed with Chrome. The folders count up. So if adblock has been the 10th extension installed for this users Chrome, the folder name would be 010. It’s highly unlikely (and hopefully) users don’t have that many ext’s installed. At this time, a dynamic way to find that folder isn’t known. So one way to get around this, is to create multiple file actions as listed in step 8, only changing the folder name 000 in the destination path for each one. I decided to create 6 of them, starting with 000 to 006. Since the file copied is extremely small, it should not impact boot up or login performance much. If there are users with more than 6 ext’s installed for chrome, then more entries would need to be created. Hopefully as this process of deployment gets refined, a better method can be found to get around this. Use your judgement and knowledge of client to best determine how many file actions to create.

Managing Adblock Plus for Chrome filterlist
1. The file named 00000000 (there is no file extension) contains the filter list for Adblock Plus. The group policy will copy the file to the appropriate folder(s) for Adblock to use. Used the “replace” option because otherwise, Adblock itself will create its own or possible it could be overwritten, losing any customized filters.
2. The file should be edited with a program like Notepad++, rather than standard notepad as it will not be formatted correctly.
3. To add a domain/site to be excluded from adblock: Open 00000000 in notepad++
4. Add a new line below with following:

Code: Select all

[Subscription filters]
@@||domain.com^$document
Replace "domain.com" with the domain of the site you wish to whitelist.
5. Make sure there is no empty/white space at the bottom of the file. Save the file.
6. If Adblock is ever updated, the version=4 variable at the top of the file should be adjusted to match. Adblock will update itself, so that is why the group policy “replace” is needed to make sure clients are always using the customized patterns file.
7. Since the patterns file can occasionally be updated to add more filters (like a definition file), it would be best to replace the shared 00000000 file with a new one every so often, then just cut and paste the custom entries from the old one. As of this writing, there isn’t a way found to reliably automate updating the shared patterns file while retaining the custom entries. It’s possible a more complex script could be created to do this.


Adblock Plus for Firefox
Deploying Adblock plus for Firefox turned out to be the most difficult to figure out, but ultimate works the best of probably all 3 browser deploy scenarios. Deploying extensions involved modification of multiple cfg and js files in both user specific profiles and global install directory. Thankfully, there is an extension setup builder on the web that can create an .exe file that can be used to silently install extensions. It supports building installers for both firefox and chrome, however, due to changes in chrome security over the past couple versions, this doesn’t work. But it does for firefox. The site

Code: Select all

http://www.extuper.com/
can be used to build the installer for Adblock Pro for Firefox. It will create a main.exe file and a folder called Firefox.

Follow these steps to deploy:
  • 1. Create a share on a server for Adblock. Make sure domain users and domain computers have ready only access. Create a Firefox folder to your server share.
    2. Copy the patterns.ini file from a PC with Adblock Plus installed and updated for firefox and place it in the server share. File is located at: c:\users\username\%APPDATA%\Mozilla\Firefox\Profiles\profilename\Adblockplus
    2. Download the Firefox XPI file for adblock. https://update.adblockplus.org/latest/a ... irefox.xpi
    3. Go to

    Code: Select all

    http://www.extuper.com/
    . Sign up (it's free). Create a New Project, give it any name. Upload Firefox XPI. Click Save and Build. Then download the package. It should contain a file called main.exe and a folder called Firefox (with the xpi in it)
    3. Create a file adblockdeployFF.bat. Add code:

    Code: Select all

    \\server\Adblock-Deploy\Firefox\main.exe
    . Change the server path to the correct path to the share you created in step 1.
    3. Create a group policy (or edit existing) and assign it to the OU that contains the computers you wish to deploy to. Similar to other deployments above, make sure this policy has User group policy loopback mode enabled as well as admin approval mode disabled.
    4. Under “Computer Configuration – Policies – Windows Settings – Scripts – Startup” add adblockdeployff.bat from your server share. This will install the extension on computer startup
    5. Create a file called adblockpatternsFF.bat. Add code:

    Code: Select all

    cd /d %APPDATA%\Mozilla\Firefox\Profiles\*.default
    robocopy "\\servername\Adblock-Deploy\Firefox" "adblockplus" patterns.ini /R:0

    Change the server path to the correct path you created in step 1.
    6. Under “User Configuration – Policies – Windows Settings – Scripts – Logon” add adblockpatternsFF.bat from your server share. This will copy the firefox patterns.ini file to the users firefox profile.
    NOTE: Firefox profile path is unique to each user, however they always have a .default at the end. This script changes to the directory of the profile using *.default. Then copies the file. This is why this bat file has to be run at user startup.
Managing Adblock Plus for Firefox filterlist
1. The file named patterns.ini contains the filter list for Adblock Plus. The group policy script will copy the file to the appropriate folder(s) for Adblock to use. The script overwrites any existing copies of patterns.ini as Adblock itself may overwrite the file, losing any customized filters.
2. The file should be edited with a program like Notepad++, rather than standard notepad as it will not be formatted correctly.
3. To add a domain/site to be excluded from adblock: Open patterns.ini in notepad++
4. At the top under “Filter” add the following line below it:

Code: Select all

text=@@||domain.com^
- Replace "domain.com" with the domain of the site you wish to whitelist
5. Make sure there is no empty/white space at the bottom of the file. Save the file.
6 If Adblock is ever updated, the version=4 variable at the top of the file should be adjusted to match. Adblock will update itself, so that is why the script always replaces patterns.ini as its is needed to make sure clients are always using the customized patterns file.
7 Since the patterns file can occasionally be updated to add more filters (like a definition file), it would be best to replace the shared patterns file with a new one every so often, then just cut and paste the custom entries from the old one. As of this writing, there isn’t a way found to reliably automate updating the shared patterns file while retaining the custom entries. It’s possible a more complex script could be created to do this.

I hope this comes to some use for people and maybe people can add/refine some steps to make it better.

Thanks!
Last edited by mdodge on Mon Apr 27, 2015 10:12 pm, edited 6 times in total.
User avatar
mapx
Posts: 21940
Joined: Thu Jan 06, 2011 2:01 pm

Re: How-to: Create ABP Deployment Package

Post by mapx »

see about Suppressing the first-run page on Chrome
development-builds/suppressing-the-firs ... -on-chrome
mdodge
Posts: 2
Joined: Mon Apr 27, 2015 8:50 pm

Re: How-to: Create ABP Deployment Package

Post by mdodge »

Thanks updated with those instructions
User avatar
mapx
Posts: 21940
Joined: Thu Jan 06, 2011 2:01 pm

Re: How-to: Create ABP Deployment Package

Post by mapx »

it's for the last dev version but it will land soon in the next stable build
Compuitguy
Posts: 13
Joined: Fri Mar 08, 2013 12:46 pm

Re: How-to: Create ABP Deployment Package

Post by Compuitguy »

This is now closed (fixed)

And there's a follow-up

#2439 (Make suppress_first_run_page preconfigurable)
User avatar
mapx
Posts: 21940
Joined: Thu Jan 06, 2011 2:01 pm

Re: How-to: Create ABP Deployment Package

Post by mapx »

Suppressing the first run page in Firefox
development-builds/suppressing-the-firs ... in-firefox

landed in current development build 2.6.9.3935, and the upcoming 2.6.10 release.
You can do this by setting the extensions.adblockplus.preconfigured.suppress_first_run_page pref to true, for example from autoconfig.js
hype124
Posts: 1
Joined: Wed Sep 23, 2015 8:52 pm

Re: How-to: Create ABP Deployment Package

Post by hype124 »

I followed these instructions and everything seems to work, except when installing abp for firefox main.exe asks for an administrator password. I don't think it did this at first. Am I doing something wrong, is there a way around it?
User avatar
mapx
Posts: 21940
Joined: Thu Jan 06, 2011 2:01 pm

Re: How-to: Create ABP Deployment Package

Post by mapx »

main.exe ? what's this ? Can you see where is installed ?

something about main.exe
http://www.bleepingcomputer.com/forums/ ... exe-error/
kjstech
Posts: 7
Joined: Thu Oct 01, 2015 3:27 pm

Re: How-to: Create ABP Deployment Package

Post by kjstech »

Where do you download the MSI version? I see 1.5 is out with registry key option to disable updates and first run. I had a user today call me because AdBlock needed domain admin credentials to update, but by the time I remoted on his computer the box was gone.

I want to push out 1.5 (MSI of course) to IE upgrading the currently installed 1.4 silently, along with those two new options, touchless (GPO or login scripts). I use Dell Desktop Authority and when I went to the Software Distribution tab and browsed to the new 1.5 IE installer (00latest.exe) it gave me an error "File extension must be msi,mst,msp".
axie
Posts: 5
Joined: Mon Oct 19, 2015 5:38 pm

Re: How-to: Create ABP Deployment Package

Post by axie »

For Google Chrome
2. Copy the 00000000 pattern file for chrome there from a PC with Adblock Plus for chrome installed. Location is: c:\users\%username%\appdata\local\Google\Chrome\User Data\Default\File System\000\p\00\00000000. Note the "000" will be a different number depending on how many other ext's for chrome are installed.

I don't think this is the case anymore. I can no longer find the 00000000 file. Using procmon, I see a lot of activity in C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cfhdojbkjhnklbpkdaibdccddilifddb directory instead whenever I modify ABP options and update lists.
User avatar
mapx
Posts: 21940
Joined: Thu Jan 06, 2011 2:01 pm

Re: How-to: Create ABP Deployment Package

Post by mapx »

axie wrote:I see a lot of activity in C:\Users\%username%\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cfhdojbkjhnklbpkdaibdccddilifddb directory instead whenever I modify ABP options and update lists.
yes, it should be that folder now (time ago it was located in file system, now it was modified the storage system)
axie
Posts: 5
Joined: Mon Oct 19, 2015 5:38 pm

Re: How-to: Create ABP Deployment Package

Post by axie »

Ok, so how do we manage the pattern file for Chrome now? Do I upload the Local Extension Settings\cfhdojbkjhnklbpkdaibdccddilifddb folder and have it sync across user's local profile?
User avatar
mapx
Posts: 21940
Joined: Thu Jan 06, 2011 2:01 pm

Re: How-to: Create ABP Deployment Package

Post by mapx »

As you can't edit / browse the files in that folder, try synchronize the whole folder.
If does not work you could file an issue on the bug tracker
https://issues.adblockplus.org
axie
Posts: 5
Joined: Mon Oct 19, 2015 5:38 pm

Re: How-to: Create ABP Deployment Package

Post by axie »

mapx wrote:As you can't edit / browse the files in that folder, try synchronize the whole folder.
If does not work you could file an issue on the bug tracker
https://issues.adblockplus.org
Just submitted one: https://issues.adblockplus.org/ticket/3212
Post Reply