Ahhhh how are you blocking the minecraft.jar

rob_potvin
Contributor III
Contributor III

So have a bunch is kids just downloading and running the jar file! Is there a way to black list jar files with jar launcher?

2 ACCEPTED SOLUTIONS

AndyBeaver
Contributor II

We are killing these processes and it works, but its definitely " whack-a-mole".

MinecraftSP
Net.minecraft.launcherFrame
org.spoutcraft.launcher.main
magic.launcher.Launcher

View solution in original post

JRM
Contributor

The best defense I have found is to remove the rights to the local support files. It would be best to run at user login.

#!/bin/sh
# current user is $3

# first, lets make the directory if one doesn't exist.
if [ ! -d "/Users/$3/Library/Application Support/minecraft" ]; then mkdir "/Users/$3/Library/Application Support/minecraft" ; fi

# Remove the permissions on the folder and everything in it unless they were already set
if [ ! `ls -la | grep minecraft | awk '{print $1}'` == "d---------" ]; then 
     chmod -R 000 "/Users/$3/Library/Application Support/minecraft"
fi 

# Set the owner and group to root : wheel
if [ ! `ls -la | grep minecraft | awk '{print $3}'` == "root" ] && [ ! `ls -la | grep minecraft | awk '{print $4}'` == "wheel" ]; then
     chmod -R root:wheel "/Users/$3/Library/Application Support/minecraft"
fi

With the launcher app, downloaded jar file, and web hosted jar file - they try to cache files and won't run unless it can add them here. I don't know about some of the custom jar launchers... but this should stop any unmodified versions. If anyone has access to other version give this a try and let us know.

You could also make a network aware, and possibly time restricted, script that might restore access - for a 1-1 scenario where no one cares if they play a game when at home.

You could also be mean delete all of their saved world by adding the following to the script: rm -rf "/Users/$3/Library/Application Support/minecraft"

View solution in original post

21 REPLIES 21

bmweeks
New Contributor

Not that we have found yet. You can block java but that creates more problems. Have not tried it yet but in the advanced tab of a policy you can have it search and delete a file not sure if that will work.

AndyBeaver
Contributor II

We are killing these processes and it works, but its definitely " whack-a-mole".

MinecraftSP
Net.minecraft.launcherFrame
org.spoutcraft.launcher.main
magic.launcher.Launcher

technicholas
Contributor

Users are also running SWF files in their own web browsers. Is this something we can block???? Thanks for the suggestions Andy!

rob_potvin
Contributor III
Contributor III

Can't wait till they figure out that here!!

nextyoyoma
Contributor

What we are doing is running an Applescript to check if "java" is the frontmost Application, and if so, just kill java. This way java web applets are not affected. If you wanted to do it all in applescript:

tell application "System Events"
    set frontApp to the name of every process whose frontmost is true
end tell

set isMatch to "0" = (do shell script "[[ " & quote & frontApp & quote & " =~ [Jj]ava ]]; printf $?")

if isMatch is true then
    do shell script "ps -axo pid,comm | awk '/[Jj]ava/{print $1}' | xargs kill"
end if

This is only minimally tested, but it's pretty close to what I do that already works.

rob_potvin
Contributor III
Contributor III

I thought of something like that unfortunately I am running papercut here and all users have to use the papercut client, which is a java app.

Anyway until there is a way to lock down java there is really nothing we can do, just have the teachers teach responsible computing...

CasperSally
Valued Contributor II

Thanks for posting the process list @AndyBeaver

amelia
New Contributor
New Contributor

Very Nice DVG

DVG
New Contributor III

We actually use a script to search for "minecraft", crank the machine volume to 10 and use a Say command to not play Minecraft on this machine, as it is against our AUP. It's not foolproof, but it's been a pretty good deterrent--our teachers actually appreciate it when we catch someone because they're immediately aware. Our next step is to start deleting map files and the app itself, but I'd just rather disable the process, if possible. Our EOC browser is a jar, so we can't kill java outright.

Dusty VanGilder

franton
Valued Contributor III

@DVG : That I would like to see! Can you post that script please DVG?

JRM
Contributor

The best defense I have found is to remove the rights to the local support files. It would be best to run at user login.

#!/bin/sh
# current user is $3

# first, lets make the directory if one doesn't exist.
if [ ! -d "/Users/$3/Library/Application Support/minecraft" ]; then mkdir "/Users/$3/Library/Application Support/minecraft" ; fi

# Remove the permissions on the folder and everything in it unless they were already set
if [ ! `ls -la | grep minecraft | awk '{print $1}'` == "d---------" ]; then 
     chmod -R 000 "/Users/$3/Library/Application Support/minecraft"
fi 

# Set the owner and group to root : wheel
if [ ! `ls -la | grep minecraft | awk '{print $3}'` == "root" ] && [ ! `ls -la | grep minecraft | awk '{print $4}'` == "wheel" ]; then
     chmod -R root:wheel "/Users/$3/Library/Application Support/minecraft"
fi

With the launcher app, downloaded jar file, and web hosted jar file - they try to cache files and won't run unless it can add them here. I don't know about some of the custom jar launchers... but this should stop any unmodified versions. If anyone has access to other version give this a try and let us know.

You could also make a network aware, and possibly time restricted, script that might restore access - for a 1-1 scenario where no one cares if they play a game when at home.

You could also be mean delete all of their saved world by adding the following to the script: rm -rf "/Users/$3/Library/Application Support/minecraft"

rob_potvin
Contributor III
Contributor III

@JRM. Awesome. Love you. And yes I am mean. :)

Rm a coming kids...

Okay still will discuss it with the edu team.

technicholas
Contributor

JRM,

I have errors come up saying that fi is error when I run this policy/script what is wrong?

steventhemacman
New Contributor III

I have the same issue as technicholas. This is the error log I get.

Any ideas?

/usr/sbin/jamf is version 8.63
Executing Policy Stop Minecraft App Support...
Mounting smb://jss.bcpsk12.net/CasperShare to /Volumes/CasperShare...
Running script Stop Minecraft App Support.sh...
Script exit code: 2
Script result: /private/tmp/Stop Minecraft App Support.sh: line 15: syntax error near unexpected token `fi'
/private/tmp/Stop Minecraft App Support.sh: line 15: `fi'
Unmounting file server...

JRM
Contributor

Apologies: I never saw that there were issues on this. The if statement was missing a "then"

#!/bin/sh
# current user is $3
set -x
# first, lets make the directory if one doesn't exist.
if [ ! -d "/Users/$3/Library/Application Support/minecraft" ]; then 
    mkdir "/Users/$3/Library/Application Support/minecraft" 
fi

cd "/Users/$3/Library/Application Support/"

# Remove the permissions on the folder and everything in it unless they were already set
if [ ! `ls -la | grep minecraft | awk '{print $1}'` == "d---------" ]; then 
     chmod -R 000 "/Users/$3/Library/Application Support/minecraft"
fi 

# Set the owner and group to root : wheel
if [ ! `ls -la | grep minecraft | awk '{print $3}'` == "root" ] && [ ! `ls -la | grep minecraft | awk '{print $4}'` == "wheel" ]; then
     chown -R root:wheel "/Users/$3/Library/Application Support/minecraft"
fi

matt4836
Contributor II

This applescript seemed to work pretty well, we set it to a 60 second launch agent. For some reason it needs to be saved from Applescript Editor as Text, not as a script. Then point to it using osascript /path/to/text.applescript

try tell application "System Events" ignoring white space and case set killme to unix id of every application process where displayed name contains "minecraft" end ignoring end tell do shell script "kill " & killme
on error errorMessage log "Minecraft isn't running"
end try

sean
Valued Contributor

Assuming something in the users minecraft directory changes at launch or shortly afterwards

/Library/LaunchAgent/your.plist

Set a plist with a watchpath to the users minecraft directory (or sub directory as appropriate). As of 10.8, LaunchAgents recognise ~/. If it changes:

killall -HUP loginwindow

or

reboot

Aggressive, but they'll soon learn!

ctangora
Contributor III

So I just launched Minecraft (on my personal machine) and the process comes up as "Minecraft". What is the problem with just blocking that Process?

DVG
New Contributor III

cd /users find . -type d -name 'Minec' -exec rm -rfv {} ; find . -type d -name 'minec' -exec rm -rfv {} ; find . -type f -name 'Minec' -exec rm -rfv {} ; find . -type f -name 'minec' -exec rm -rfv {} ; osascript -e 'set volume 10' say 'Do not play minecraft at school!'

Sorry it took me a bit to post this...Crude, yes, but effective.... :)

Dusty VanGilder

doomguy
New Contributor

I hate to ask since this thread is so old, but how do you actually run this script?

jaredgrieve
New Contributor II

I realize this thread is fairly old but I used to just block the JAR launcher in /System/Library/CoreServices/ which effectively prevented this in the past only to find now it does not. JAMF pops up saying JAR Launcher is a restricted app but still launches the file. Currently I have implemented the AppleScript and Launch Daemon method as I don't know of any java based apps we actually utilize and can deploy the script and daemon only to known offenders by creating an EA that looks for the existence of the minecraft folder then create a Smart Group from that EA and scope a policy to install a pkg containing the Launch Daemon plist and script.

EA:

#!/bin/sh
if [ -d /Users/*/Library/Application Support/minecraft ]
then 
  echo "<result>True</result>"
else
  echo "<result>False</result>"
fi

Daemon: (Changing "yourcompany" in the Label string, possibly the path to where you want the script to reside, and the "x" under StartInterval to a number in seconds for how often you want it to run)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>KeepAlive</key>
    <dict>
        <key>SuccessfulExit</key>
        <false/>
    </dict>
    <key>Label</key>
    <string>com.yourcompany.nominecraft</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/osascript</string>
        <string>/Library/Scripts/NoMinecraft.scpt</string>
    </array>
    <key>RunAtLoad</key>
    <false/>
    <key>StartInterval</key>
    <integer>x</integer>
</dict>
</plist>

Script: per @nextyoyoma

tell application "System Events"
    set frontApp to the name of every process whose frontmost is true
end tell

set isMatch to "0" = (do shell script "[[ " & quote & frontApp & quote & " =~ [Jj]ava ]]; printf $?")

if isMatch is true then
    do shell script "ps -axo pid,comm | awk '/[Jj]ava/{print $1}' | xargs kill"
end if

The pkg can be put into a policy scoped only to computers in the Smart Group and the daemon can be kicked off by configuring a Files & Processes payload to include "launchctl load /Library/LaunchDaemons/com.yourcompany.nominecraft.plist" as an execute command... no " " needed in the actual command.

As I am doing this in Mojave I did have to also create a PPPC for osascript in /usr/bin using [PPPC Utility](https://github.com/jamf/PPPC-Utility7bd680e104eb4d0381455bd3726ce5de as of 10.14.5 this is working.

Thanks @nextyoyoma I also tried @JRM solution for what I found on a student computer but it didn't seem to have any effect on the ability to launch the jar files they had in their /Library/Application Support/minecraft folder.

I have a similar daemon and applescript for kids that search for unblocked games in class all day that simply looks for keywords in the tabs of browsers and closes the tabs it finds those keywords in for Safari and Chrome. I'm all for teaching responsible computer use and classroom management but sometimes you just need a hammer.