MacOS
View all Worklets
MacOSmacOS

macOS - Software - Install Mozilla Firefox

Deploy Mozilla Firefox to macOS endpoints by pulling the latest signed DMG directly from Mozilla

Worklet Details

What the Firefox deployment Worklet does

This Automox Worklet™ deploys the latest stable Mozilla Firefox build to macOS endpoints without any end user interaction. The script downloads the signed DMG from download.mozilla.org using curl -Ls with the product=firefox-latest, os=osx, and lang=en-US parameters, follows redirects to the current release, and writes the image to /var/tmp/Firefox.dmg. The Worklet then mounts the disk image with hdiutil attach, copies Firefox.app from /Volumes/Firefox into /Applications using cp -r, unmounts the volume with hdiutil detach, and removes the staged DMG file.

Firefox ships with Enhanced Tracking Protection enabled by default and runs on the Gecko rendering engine that web developers rely on for cross-browser QA. Deploying Firefox alongside Safari or Chrome gives your macOS fleet a non-Chromium cross-platform option when a Chromium-engine vulnerability requires you to steer users to a different browser.

Evaluation is a single check for /Applications/Firefox.app, so already-compliant endpoints return in milliseconds and only endpoints missing the application bundle pull the DMG.

Why deploy Firefox to every Mac in the fleet

Browser coverage on a managed Mac fleet is often inconsistent. Engineering laptops may carry Firefox because developers install it themselves for Gecko-engine testing, while sales and finance laptops carry only Safari or Chrome. That leaves your security and IT teams without a consistent second browser to fall back on when a critical Chromium-engine vulnerability surfaces. Deploying Firefox through this Worklet produces a signed, current Mozilla build on every macOS endpoint, downloaded over TLS from download.mozilla.org and verified by Gatekeeper through the standard notarization chain.

Apply this Worklet to your standard macOS endpoint group; the hdiutil and cp flow places Firefox.app in /Applications on every endpoint under Automox management. The policy reinstalls Firefox on any endpoint where the bundle is later removed.

How Firefox deployment works

  1. Evaluation phase: The Worklet checks for /Applications/Firefox.app on the endpoint. If the application bundle is present, the script exits 0 and the endpoint is reported compliant. If /Applications/Firefox.app is missing, the script exits non-zero and Automox schedules the remediation phase. The check runs in milliseconds and adds no measurable load to the agent.

  2. Remediation phase: The script runs curl -Ls against the download.mozilla.org installer URL (with product=firefox-latest, os=osx, and lang=en-US parameters) to fetch the current signed DMG to /var/tmp/Firefox.dmg. It mounts the image with hdiutil attach "/var/tmp/Firefox.dmg", copies the bundle with cp -r "/Volumes/Firefox/Firefox.app" "/Applications", detaches the volume with hdiutil detach "/Volumes/Firefox", and removes /var/tmp/Firefox.dmg. The script then rechecks /Applications/Firefox.app and exits 0 on success or 1 on failure, with stdout messages surfacing in the Automox activity log.

Firefox deployment requirements

  • macOS 10.15 (Catalina) or later – Mozilla's current Firefox baseline for signed DMGs

  • Intel or Apple Silicon processor; Mozilla's universal DMG covers both architectures

  • Outbound HTTPS reachability from the endpoint to download.mozilla.org and the Mozilla CDN

  • Approximately 250 MB of free disk space (DMG plus extracted Firefox.app bundle)

  • Automox agent running with root privileges, which is the default agent context on macOS

  • No competing MDM configuration profile pinning a different Firefox version or blocking writes to /Applications

Expected state after Firefox deployment

After successful remediation, Firefox.app appears at /Applications/Firefox.app with the current stable Mozilla build signed and notarized for Gatekeeper. The next Worklet evaluation returns compliant and the remediation step is skipped on subsequent policy runs. Users can launch Firefox immediately from the Applications folder or Spotlight, and can sign in with a Firefox account to sync bookmarks, tabs, and passwords across endpoints. Enhanced Tracking Protection is enabled by default, so the browser blocks known cross-site trackers and third-party cookies without further configuration.

To validate the deployment on a pilot Mac, run mdls -name kMDItemVersion /Applications/Firefox.app to read the installed version, then compare against the current Firefox release on the Mozilla release notes page. For audit evidence, capture the codesign verification output with codesign -dv --verbose=4 /Applications/Firefox.app, which surfaces the Mozilla developer team identifier and the notarization receipt. Review the Automox activity log for the policy run identifier so the codesign output can be tied back to a specific deployment event. The Worklet pulls the en-US locale by default; end users who need another language can change the setting in Firefox preferences without breaking the next evaluation.

View in app
evalutation image
remediation image

Consider Worklets your easy button

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.

do more with worklets