Deploy Mozilla Firefox to macOS endpoints by pulling the latest signed DMG directly from Mozilla
This Automox Worklet™ deploys the latest stable Mozilla Firefox build to macOS endpoints without any end user interaction. The script downloads the signed DMG from download.mozilla.org using curl -Ls with the product=firefox-latest, os=osx, and lang=en-US parameters, follows redirects to the current release, and writes the image to /var/tmp/Firefox.dmg. The Worklet then mounts the disk image with hdiutil attach, copies Firefox.app from /Volumes/Firefox into /Applications using cp -r, unmounts the volume with hdiutil detach, and removes the staged DMG file.
Firefox ships with Enhanced Tracking Protection enabled by default and runs on the Gecko rendering engine that web developers rely on for cross-browser QA. Deploying Firefox alongside Safari or Chrome gives your macOS fleet a non-Chromium cross-platform option when a Chromium-engine vulnerability requires you to steer users to a different browser.
Evaluation is a single check for /Applications/Firefox.app, so already-compliant endpoints return in milliseconds and only endpoints missing the application bundle pull the DMG.
Browser coverage on a managed Mac fleet is often inconsistent. Engineering laptops may carry Firefox because developers install it themselves for Gecko-engine testing, while sales and finance laptops carry only Safari or Chrome. That leaves your security and IT teams without a consistent second browser to fall back on when a critical Chromium-engine vulnerability surfaces. Deploying Firefox through this Worklet produces a signed, current Mozilla build on every macOS endpoint, downloaded over TLS from download.mozilla.org and verified by Gatekeeper through the standard notarization chain.
Apply this Worklet to your standard macOS endpoint group; the hdiutil and cp flow places Firefox.app in /Applications on every endpoint under Automox management. The policy reinstalls Firefox on any endpoint where the bundle is later removed.
Evaluation phase: The Worklet checks for /Applications/Firefox.app on the endpoint. If the application bundle is present, the script exits 0 and the endpoint is reported compliant. If /Applications/Firefox.app is missing, the script exits non-zero and Automox schedules the remediation phase. The check runs in milliseconds and adds no measurable load to the agent.
Remediation phase: The script runs curl -Ls against the download.mozilla.org installer URL (with product=firefox-latest, os=osx, and lang=en-US parameters) to fetch the current signed DMG to /var/tmp/Firefox.dmg. It mounts the image with hdiutil attach "/var/tmp/Firefox.dmg", copies the bundle with cp -r "/Volumes/Firefox/Firefox.app" "/Applications", detaches the volume with hdiutil detach "/Volumes/Firefox", and removes /var/tmp/Firefox.dmg. The script then rechecks /Applications/Firefox.app and exits 0 on success or 1 on failure, with stdout messages surfacing in the Automox activity log.
macOS 10.15 (Catalina) or later – Mozilla's current Firefox baseline for signed DMGs
Intel or Apple Silicon processor; Mozilla's universal DMG covers both architectures
Outbound HTTPS reachability from the endpoint to download.mozilla.org and the Mozilla CDN
Approximately 250 MB of free disk space (DMG plus extracted Firefox.app bundle)
Automox agent running with root privileges, which is the default agent context on macOS
No competing MDM configuration profile pinning a different Firefox version or blocking writes to /Applications
After successful remediation, Firefox.app appears at /Applications/Firefox.app with the current stable Mozilla build signed and notarized for Gatekeeper. The next Worklet evaluation returns compliant and the remediation step is skipped on subsequent policy runs. Users can launch Firefox immediately from the Applications folder or Spotlight, and can sign in with a Firefox account to sync bookmarks, tabs, and passwords across endpoints. Enhanced Tracking Protection is enabled by default, so the browser blocks known cross-site trackers and third-party cookies without further configuration.
To validate the deployment on a pilot Mac, run mdls -name kMDItemVersion /Applications/Firefox.app to read the installed version, then compare against the current Firefox release on the Mozilla release notes page. For audit evidence, capture the codesign verification output with codesign -dv --verbose=4 /Applications/Firefox.app, which surfaces the Mozilla developer team identifier and the notarization receipt. Review the Automox activity log for the policy run identifier so the codesign output can be tied back to a specific deployment event. The Worklet pulls the en-US locale by default; end users who need another language can change the setting in Firefox preferences without breaking the next evaluation.
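The remediation steps above go from hdiutil attach to cp -r with no explicit signature check in between, and the codesign -dv --verbose=4 output used for audit evidence can serve as that check. The following is an added example, not the Worklet's own code: a gate that passes only if the staged bundle's seal verifies and its report names the expected team and bundle identifier. The function names, the EXAMPLE123 team id, and the sample report are constructed for illustration.

```shell
#!/bin/bash
# Added example: signature gate for a staged app bundle before it is copied
# into /Applications. Not the Worklet's own code; function names are hypothetical.

# Pull the TeamIdentifier value out of `codesign -dv --verbose=4` text on stdin.
team_id_from_report() {
    awk -F= '$1 == "TeamIdentifier" { print $2; exit }'
}

# Pull the bundle identifier (the Identifier= line) out of the same report.
bundle_id_from_report() {
    awk -F= '$1 == "Identifier" { print $2; exit }'
}

# Return 0 only if the report names the expected team and bundle id.
# An ad-hoc signature reports "TeamIdentifier=not set" and an unsigned
# bundle has no TeamIdentifier line at all; both fail here.
# usage: report_matches REPORT EXPECTED_TEAM EXPECTED_BUNDLE_ID
report_matches() {
    local report team bundle
    report=$1
    team=$(printf '%s\n' "$report" | team_id_from_report)
    bundle=$(printf '%s\n' "$report" | bundle_id_from_report)
    [ -n "$team" ] && [ "$team" = "$2" ] && [ "$bundle" = "$3" ]
}

# macOS only: check the seal and Gatekeeper policy, then check who signed.
# usage: verify_staged_bundle APP_PATH EXPECTED_TEAM EXPECTED_BUNDLE_ID
verify_staged_bundle() {
    local app report
    app=$1
    codesign --verify --deep --strict "$app" || return 1  # seal is intact
    spctl --assess --type execute "$app" || return 1      # Gatekeeper accepts it
    report=$(codesign -dv --verbose=4 "$app" 2>&1)         # codesign -d writes to stderr
    report_matches "$report" "$2" "$3"
}

# Constructed sample report; EXAMPLE123 is a placeholder, not Mozilla's team id.
SAMPLE_REPORT='Executable=/Volumes/Firefox/Firefox.app/Contents/MacOS/firefox
Identifier=org.mozilla.firefox
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Signer (EXAMPLE123)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=EXAMPLE123'
```

In a remediation script, verify_staged_bundle would run against /Volumes/Firefox/Firefox.app after the attach step, with the script detaching the volume and exiting 1 if it fails.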


Consider Worklets your easy button
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
