Manage security settings centrally (via xcd files)

Hi there, hope you all are doing great!

We use LibreOffice in a professional environment and must therefore be able to administratively manage security and data protection settings.

My first question is: are there group policy templates (ADMX) for LibreOffice 24?

The German Federal Office for Information Security (BSI) has issued a recommendation regarding secure settings for LibreOffice, but refers to the use of XCD files in “C:\Program Files\LibreOffice\share\registry\res”, which would be more cumbersome than group policies, but still okay. However, this recommendation was written for LibreOffice 7.2.4.1 - so it is no longer up to date.

Hence my second question: is the use of xcd files in the folder “C:\Program Files\LibreOffice\share\registry\res” still best practice and is there a list somewhere with the configurable parameters?

Best regards!

The recommendations can be found here (pdf-file is german though):

Please use copy and paste, I don’t want to link to external sites, although they are secure at the moment.

https://wiki.documentfoundation.org/Deployment_and_Migration#Windows_Group_Policy_ADMX_files
They work with any version of LibreOffice that supports configuration using group policy. They contain some subset of settings, considered useful by the authors; neither current version, nor the versions for which they were created / modified initially, were covered fully ever. They allow ~easy extension, if needed.

Since you explicitly mention Wndows-specific paths, then - well, group policy configuration is more convenient, more flexible in domain management/configuration (e.g., it’s easier to maintain several different configurations for different GPOs). But on the other hand, XCD don’t depend on Active Directory domains (or other uses of group policies), and work both on Windows, and on other platforms. The “still” in your question implies some point, when XCD really was the best practice (likely as in “preferred over everything else”) - if so, then at least since introduction of GP support, there’s an alternative, that can’t be said “worse” or “better” universally.

Thank you very much for your answer.

Concerning the admx-files, I was confused by the fact, that those files don’t seem to be newer than version 6.4, so I wasn’t sure, if they were working. But I can check them out.

Since the recommendations referred to the use of xcd-files, I will also check this option, although GPO would be easier.

The most important question remains: is there any list with all the configurable parameters? It would be hard to guess all the available settings.

Adobe for example lists all settings/security settings of their products - yes, I know, they are a huge company with lots of money. But still, I have to provide secure settings for all users.

Best regards!

For me, the best way is the following: open the graphical user interface of LibreOffice and change the desired settings via “Extras” “Options”. Then open the folder C:\Users<username>\AppData\Roaming\AppData\Roaming\LibreOffice\4\user and open the file “registrymodifications.xcu” with a text editor. LibreOffice already writes everything into this file in the exact syntax you need. Simply select the desired entries and use them for an xcd file in the folder “C:\Program Files\LibreOffice\share\registry\res”. This is actually very practical, as LibreOffice already creates the content.

My question about a complete overview of all parameters has now been answered. Although a list would be nice, the total number of parameters are simply all the options that can be set in LibreOffice in the graphical user interface via “Extras” “Options”.

The only thing I have not found and which is not created by LibreOffice in my xcu file is the option to disable Java (perhaps because I do not have a Java environment installed here).

Note that all the XCUs used in LibreOffice (most of them constitute the default set of settings in LibreOffice installation) are available in the source code:
https://opengrok.libreoffice.org/search?path=xcu&project=core&sort=fullpath&n=1000
(a bit overwhelming). Similarly, you may find useful to inspect their accompanying XCS files, too.

This may sound stupid, but simply setting the write protection for this file (file properties attribute read-only) actually prevents a user from activating Java. The user interface allows the check mark to be set (for “Use a Java runtime environment”), but when you click on “Apply”, the check mark simply disappears again. LibreOffice doesn’t seem to mind the write protection either, the program starts correctly. An admin could copy the file via script/GPO to clients in the user profile of the user and revoke the user’s rights to change the file (read-only rights).

Never occurred to me! Nice!

One might want to keep this write-protection in mind though, since LibreOffice itself no longer can update this file. Might be problematic during updates/upgrades.