Start with the Enterprise deployment article.
First write the following to \Program Files\Mozilla Firefox\defaults\prefs\autoconfig.js:
pref("general.config.filename", "mozilla.cfg.js"); pref("general.config.obscure_value", 0); Then put your actual settings in \Program Files\Mozilla Firefox\mozilla.cfg.js:
// the first line must be a comment pref("network.negotiate-auth.trusted-uris", "domain.test"); pref("network.automatic-ntlm-auth.trusted-uris", "domain.test"); In the second file you can use defaultPref(key, value), clearPref(key), pref(key, value), or lockPref(key, value); the last three will override user settings.
It's possible to make Firefox download the configuration over HTTPS, but this doesn't give many advantages over plain Group Policy; it can be useful though where AD is not available:
lockPref("autoadmin.global_config_url", "https://example.com/firefox/lockdown.js"); The 3rd-level .js file works the same way as the 2nd-level one.