diff --git a/.gitignore b/.gitignore
index ea0f5de..b617e87 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,10 +3,8 @@
 .kdev4/*
 client_software/.sync_*.db
 client_software/setup_system.conf
-config/setup_system.conf
-config/*.bak
-config/skel.tar.zst
-config/.sync_*.db
+config/*
+!config/README.md
 config.d/*.conf
 config.d/*.sys
 config.d/*.bak
diff --git a/client_software/0020_nextcloud_mozilla_pre/user_run.sh b/client_software/0020_nextcloud_mozilla_pre/user_run.sh
index ac2a392..6a30af3 100755
--- a/client_software/0020_nextcloud_mozilla_pre/user_run.sh
+++ b/client_software/0020_nextcloud_mozilla_pre/user_run.sh
@@ -21,6 +21,9 @@ from webdav3.client import Client
 #Variables
 thunderbird_tar = os.path.dirname(__file__) + '/thunderbird.tar.zst'
 firefox_tar = os.path.dirname(__file__) + '/firefox.tar.zst'
+#If defined, use another Profile for that Company
+if 'PROFILE_FIREFOX_TAR_FILE' in environ:
+ firefox_tar=environ['PROFILE_FIREFOX_TAR_FILE']
 firefoxhome_path = environ['HOME'] + "/.config/mozilla/firefox"
 firefoxhome_profile_src = os.path.dirname(__file__) + '/profiles_ff.ini'
 firefoxhome_profile_dst = firefoxhome_path + '/profiles.ini'
diff --git a/client_software/0030_desktop_symbols/install.sh b/client_software/0030_desktop_symbols/install.sh
deleted file mode 100755
index 966cf48..0000000
--- a/client_software/0030_desktop_symbols/install.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/usr/bin/env sh
-# SPDX-FileCopyrightText: Daniel Pätzold
-# SPDX-License-Identifier: AGPL-3.0-or-later
-#
-# Sofwareinstallation script for Nextcloud Talk.
-#
-
-#Check for root
-if [ "$EUID" -ne 0 ]; then
- echo "Error: Script requires root. Please check if ${SCRIPTPATH}/${SCRIPTNAME} is in sudoers rules and if you are a member. And if executed via sudo."
- exit 1
-fi
-
-cp -n *.desktop $SUDO_HOME/Schreibtisch
-chown $SUDO_USER:$SUDO_USER $SUDO_HOME/Schreibtisch/*.desktop
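Review bot: The override in `client_software/0020_nextcloud_mozilla_pre/user_run.sh` only tests whether `PROFILE_FIREFOX_TAR_FILE` is present in the environment, yet the `setup_system.conf.dist` hunk of this same commit exports it as `""` by default. If that configuration is what populates the environment here, `firefox_tar` becomes an empty string and the bundled `firefox.tar.zst` is never used. Treat an empty value as unset, for example `firefox_tar = environ.get('PROFILE_FIREFOX_TAR_FILE') or firefox_tar`. Since the archive seeds a browser profile, it is also worth confirming that the path names an existing regular file before the extraction code, which lies outside this hunk, consumes it.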
diff --git a/client_software/0030_desktop_symbols/user_run.sh b/client_software/0030_desktop_symbols/user_run.sh
new file mode 100755
index 0000000..67bbdf6
--- /dev/null
+++ b/client_software/0030_desktop_symbols/user_run.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env sh
+# SPDX-FileCopyrightText: Daniel Pätzold
+# SPDX-License-Identifier: AGPL-3.0-or-later
+#
+# Copies the included Desktop files to the Desktop
+#
+
+cp -n *.desktop $HOME/Schreibtisch
diff --git a/system_setup/config.dist/setup_system.conf.dist b/system_setup/config.dist/setup_system.conf.dist
index 9a0afc3..bede8c8 100644
--- a/system_setup/config.dist/setup_system.conf.dist
+++ b/system_setup/config.dist/setup_system.conf.dist
@@ -68,12 +68,18 @@ if [ "$EUID" -ne 0 ]; then
 export CLIENT_DATA_SYNC_DECLARE="$(declare -p CLIENT_DATA_SYNC)" # Do not remove
 #End of Sync Folder for nextcloud client
- #Firefox Profiles of the User
+ #Firefox Profiles
 export PROFILE_FIREFOX_RESET_LOCAL="true" # Set this to wipe ~/.mozilla each time if you don't want users to setup their own firefox profile
+ # Optional: own Firefox profile used for this company if given as default
+ # You may use any tar file, that contains a valid firefox profile set up to your companies need.
+ # As example look at 0020_nextcloud_mozilla_pre/firefox.tar.zst
+ # You should put it under e.g SYSCONFIGPATH and than use the filepath relative. e.g. "${SYSCONFIGPATH}/firefox.tar.zst"
+ export PROFILE_FIREFOX_TAR_FILE=""
+ #Mozilla profile paths on Nextcloud Server. Syncs your profiles to Nextcloud.
 export PROFILE_FIREFOX_SRC="mozilla_profiles/firefox"
 export PROFILE_FIREFOX_DST="${DECRYPTEDDATADIR}/firefox"
- #Thunderbird Profiles
+ #Thunderbird Profiles to also be synced
 export PROFILE_TB_SRC="mozilla_profiles/thunderbird"
 export PROFILE_TB_DST="${DECRYPTEDDATADIR}/thunderbird"
diff --git a/system_setup/install.sh b/system_setup/install.sh
index c201a3b..d8e0e9b 100755
--- a/system_setup/install.sh
+++ b/system_setup/install.sh
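Review bot: The single command in the new `0030_desktop_symbols/user_run.sh`, `cp -n *.desktop $HOME/Schreibtisch`, depends on the caller's working directory and on the target directory already existing. The glob is relative to wherever the script is started, and if `Schreibtisch` is missing while only one `.desktop` file matches, cp writes a regular file with that name instead of failing. Anchoring and quoting avoids both: `cp -n -- "$(dirname "$0")"/*.desktop "$HOME/Schreibtisch/"`. The header comment could also state that the folder name is the German-locale desktop directory.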
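Review bot: The new comment block for `PROFILE_FIREFOX_TAR_FILE` in `setup_system.conf.dist` does not say who may write to the archive, and that matters because the file appears to become the starting Firefox profile for users. A profile archive can carry extensions, trusted certificates and proxy settings, so anyone able to replace it can shape every user's browser. I would add a line such as `# The archive must be owned by root and must not be writable by regular users.` next to the path recommendation.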
@@ -361,8 +361,12 @@ if [[ -n "$EXISTING_OEMDRV_DEV" ]]; then
 fi
 if [[ -f "$MOUNT_POINT/system_setup/setup_system.inc.sh" && -f "$MOUNT_POINT/config/setup_system.conf" ]]; then
+ if [ ! -z $REPO_URL ]; then BACK_REPO_URL="$REPO_URL"; fi
+ if [ ! -z $REPO_BRANCH ]; then BACK_REPO_BRANCH="$REPO_BRANCH"; fi
 info "Reading existing configuration from ${MOUNT_POINT} ..."
 source "$MOUNT_POINT/system_setup/setup_system.inc.sh"
+ if [ ! -z $BACK_REPO_URL ]; then REPO_URL="$BACK_REPO_URL"; fi
+ if [ ! -z $BACK_REPO_BRANCH ]; then REPO_BRANCH="$BACK_REPO_BRANCH"; fi
 fi
 # ── Check existing git repository origin ──────────────────────────────
diff --git a/system_setup/logon_script.sh b/system_setup/logon_script.sh
index 26697ad..756d415 100755
--- a/system_setup/logon_script.sh
+++ b/system_setup/logon_script.sh
@@ -47,9 +47,12 @@ if [[ $? -ne 0 ]]; then
 echo "Error: python3-ipaclient is not installed. Please install it via: sudo dnf install python3-ipaclient"
 fi
-#TODO C: Check if Desktop is KDE/Plasma and support other Displays
-# Make kdesu use sudo
-kwriteconfig5 --file kdesurc --group super-user-command --key super-user-command sudo >/dev/null 2>&1
+if [ "${XDG_CURRENT_DESKTOP}" = "KDE" ]; then
+ # Start each session empty (not restoring previous apps) - avoids stale mounts and autostart conflicts
+ kwriteconfig5 --file ksmserverrc --group General --key loginMode 2 >/dev/null 2>&1
+ # Make kdesu use sudo
+ kwriteconfig5 --file kdesurc --group super-user-command --key super-user-command sudo >/dev/null 2>&1
+fi
 # Mount the private Directory
 elog_add_command "${SYSCONFIGPATH}/system_setup/mount_ecrypt_home.sh"
diff --git a/system_setup/mount_ecrypt_home.sh b/system_setup/mount_ecrypt_home.sh
index a0820c1..2f1d35a 100755
--- a/system_setup/mount_ecrypt_home.sh
+++ b/system_setup/mount_ecrypt_home.sh
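Review bot: The four added tests in `system_setup/install.sh` use `[ ! -z $REPO_URL ]` with the variable unquoted, so a value containing whitespace or glob characters makes `[` fail with an argument error and the saved value is silently dropped. The surrounding code already uses `[[ … ]]`. `BACK_REPO_URL` and `BACK_REPO_BRANCH` are also never reset, so a stale value inherited from the environment would overwrite what the sourced file sets. Suggested form: `BACK_REPO_URL="${REPO_URL:-}"` before the `source`, and `if [[ -n "$BACK_REPO_URL" ]]; then REPO_URL="$BACK_REPO_URL"; fi` after it, likewise for the branch. A one-line comment stating that values set before the `source` deliberately win over the configuration read from `${MOUNT_POINT}` would help, since that file is executed rather than parsed.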
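Review bot: The guard `[ "${XDG_CURRENT_DESKTOP}" = "KDE" ]` in `system_setup/logon_script.sh` is an exact string comparison, but `XDG_CURRENT_DESKTOP` is specified as a colon-separated list. A session that reports more than one entry therefore skips both settings, including the kdesu-to-sudo one. A test such as `case ":${XDG_CURRENT_DESKTOP}:" in *:KDE:*) … ;; esac` covers that. Both `kwriteconfig5` calls still discard output and exit status, so on a system that ships only `kwriteconfig6` nothing is applied and nothing is reported; a `command -v kwriteconfig5` check with a logged warning would make that visible.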
@@ -93,10 +93,20 @@ if [ ! -d "${DECRYPTEDDATADIR}" ] || [ ! -f "${HOME}/.config/gocryptfs/gocryptfs
 mkdir -p ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} ${HOME}/.config/gocryptfs
 gocryptfs -init -allow_other -passfile ${XDG_RUNTIME_DIR}/IPAVAULTKEY -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} >/dev/null
 fi
-systemd-run --user --scope --unit=gocryptfs-home \
- gocryptfs -noprealloc -allow_other -passfile ${XDG_RUNTIME_DIR}/IPAVAULTKEY -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} >/dev/null
+systemd-run --user --unit=gocryptfs-home \
+ --property="ExecStop=/usr/bin/fusermount -u ${DECRYPTEDDATADIR}" \
+ --property=KillMode=none \
+ --property=TimeoutStopSec=30 \
+ gocryptfs -fg -noprealloc -allow_other -passfile ${XDG_RUNTIME_DIR}/IPAVAULTKEY -config ${HOME}/.config/gocryptfs/gocryptfs.conf ${ENCRYPTEDDATADIR} ${DECRYPTEDDATADIR} >/dev/null
 RETVAL=$?
-rm ${XDG_RUNTIME_DIR}/IPAVAULTKEY
+# Service starts asynchronously - wait for the FUSE mount to appear before removing
+# the passfile, otherwise gocryptfs may not have read it yet
+_t=0
+while [ "${_t}" -lt 10 ] && ! grep -q "${DECRYPTEDDATADIR}" /proc/mounts 2>/dev/null; do
+ sleep 1
+ _t=$((_t + 1))
+done
+rm -f ${XDG_RUNTIME_DIR}/IPAVAULTKEY
 cd ${EXECDIR}
 if [ ${RETVAL} -eq 0 ]; then
 echo "Sucessfully mounted encrypted private Directory ${DECRYPTEDDATADIR}"
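Review bot: With `--scope` dropped, `RETVAL=$?` in `system_setup/mount_ecrypt_home.sh` records only whether systemd-run could start the unit, which the added comment itself describes as asynchronous. A wrong vault key or a failed mount therefore still reaches the "Sucessfully mounted" branch once the 10-second wait expires. The wait loop should set the result itself. It should also use `mountpoint -q` rather than `grep -q "${DECRYPTEDDATADIR}" /proc/mounts`, because grep treats the path as a regular expression and matches any longer mount path that contains it. The passfile path and the other expansions are unquoted too, and `KillMode=none` is, as far as I know, flagged as deprecated by current systemd, so a comment explaining why it is required would help. The `if [ ${RETVAL} -eq 0 ]` block continues past the end of the hunk.

```shell
# … unchanged: systemd-run invocation …
RETVAL=$?
# systemd-run only reports that the unit was started; confirm the mount itself
_t=0
while [ "${RETVAL}" -eq 0 ] && ! mountpoint -q "${DECRYPTEDDATADIR}"; do
    if [ "${_t}" -ge 10 ]; then
        RETVAL=1   # mount never appeared: report failure instead of success
        break
    fi
    sleep 1
    _t=$((_t + 1))
done
rm -f "${XDG_RUNTIME_DIR}/IPAVAULTKEY"
# … unchanged: cd and result reporting …
```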