Help

Flashback - disable Java for all users script

rmanly
Contributor III

Posted on ‎04-09-2012 04:03 PM

If you want to disable Java for all users in Safari and Firefox (from what I have seen it doesn't appear to target Chrome) you can run the following script.

Here is the pretty uncommented version:

#!/bin/bash

ff_users=()
os_version=$(sw_vers -productVersion)

while read -r -d $'�'; do
    ff_users+=("$REPLY")
done < <(mdfind -name pluginreg.dat -0)

for dat_file in "${ff_users[@]}"; do
    username=$(stat -f "%Su" "${dat_file}")
    if [[ ${os_version%.*} == 10.7 ]]; then
        { rm "${dat_file}" && awk 'BEGIN{FS=OFS=":"}/JavaAppletPlugin/{count=3}count&&!--count&&($3==1||$3==5){$3--}1' > "${dat_file}"; } < "${dat_file}"
    else
        { rm "${dat_file}" && awk 'BEGIN{FS=OFS=":"}/JavaPlugin/{count=3}count&&!--count&&($3==1||$3==5){$3--}1' > "${dat_file}"; } < "${dat_file}"
    fi
    chown "${username}" "${dat_file}"
done

for user in /Users/*; do
    if [[ -e "${user}"/Library/Preferences ]]; then
        defaults write "${user}"/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool FALSE
        defaults write "${user}"/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool FALSE
        chown "${user##*/}" "${user}"/Library/Preferences/com.apple.Safari.plist
    fi
done

And here is the nasty one for those of you who want to know what is going on:

#!/bin/bash

ff_users=()
os_version=$(sw_vers -productVersion)

# find all users with a Firefox profile and pluginreg.dat file within it using mdfind as suggested by Christoph von Gabler-Sahm (cvgs on jamf nation)

while read -r -d $'�'; do
    ff_users+=("$REPLY")
done < <(mdfind -name pluginreg.dat -0)

# here is the find version
# while read -r -d $'�'; do
#   ff_users+=("$REPLY")
# done < <(find /Users -name pluginreg.dat -print0 2> /dev/null


# now we are going to disable java in Firefox
# for this we are going to use awk to modify the list of pluginreg.dat files in the ff_users array
# if statement checks for 10.7 as the relevent line is named JavaAppletPlugin in 10.7 with FF 11.0
# else use JavaPlugin as found in 10.6

for dat_file in "${ff_users[@]}"; do
    username=$(stat -f "%Su" "${dat_file}")
    if [[ ${os_version%.*} == 10.7 ]]; then
        { rm "${dat_file}" && awk 'BEGIN{FS=OFS=":"}/JavaAppletPlugin/{count=3}count&&!--count&&($3==1||$3==5){$3--}1' > "${dat_file}"; } < "${dat_file}"
    else
        { rm "${dat_file}" && awk 'BEGIN{FS=OFS=":"}/JavaPlugin/{count=3}count&&!--count&&($3==1||$3==5){$3--}1' > "${dat_file}"; } < "${dat_file}"
    fi
    chown "${username}" "${dat_file}"
done

# disable Java in Firefox
# after poking around in Firefox's sqlite files I went googling and found this post by Clay Caviness
# https://plus.google.com/109088229817689076273/posts/7yH5QGJhuyN
# I didn't know enough AWK to make that happen in a bash script but after a few tries 'mute' in #awk got it right for me

# awk 'BEGIN{FS=OFS=":"}/JavaAppletPlugin/{p=3}p&&!--p&&($3==1||$3==5){$3--}1'

# we can edit in-place with a little trick I orginally saw here
# http://www.unix.com/shell-programming-scripting/35591-sed-awk-inplace-inline-edit.html


# disable Java in Safari for all users

for user in /Users/*; do
    if [[ -e "${user}"/Library/Preferences ]]; then
        defaults write "${user}"/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool FALSE
        defaults write "${user}"/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool FALSE
        chown "${user##*/}" "${user}"/Library/Preferences/com.apple.Safari.plist
    fi
done
0 Kudos
Reply
5 REPLIES 5

rmanly
Contributor III

Posted on ‎04-09-2012 04:21 PM

For an explanation on the awk basically what it does is

set the field seperators to :
search for the Java line we want
assign variable count=3
count down from 3
now if the third field =1 or the third field =5 subtract 1

0 Kudos
Reply

RobertHammen
Valued Contributor II

Posted on ‎04-11-2012 06:23 AM

Haven't had time to dig into it, but both your extension attribute and this disable script fail on pre-10.5 machines. Not a huge concern since the handful of ones I have are legacy servers, not user-facing, and I know not officially supported by later versions of the jamf binary.

Here's the error from the policy log:

Script Result: /private/tmp/disableJavaSafariFirefox.sh: line 7: syntax error near unexpected token `"$REPLY"'
/private/tmp/disableJavaSafariFirefox.sh: line 7: ` ff_users+=("$REPLY")'

0 Kudos
Reply

rmanly
Contributor III

Posted on ‎04-11-2012 08:01 AM

@RobertHammen yea I don't have any 10.5.x machines anymore so I didn't bother checking for compatibility....sorry for not mentioning that.

0 Kudos
Reply

rmanly
Contributor III

Posted on ‎04-12-2012 01:56 PM

RUN SOFTWARE UPDATE

https://support.apple.com/kb/HT5242

0 Kudos
Reply

eWhizz
New Contributor II

Posted on ‎05-01-2012 07:53 AM

Could be done Globally with —
defaults write /Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false
defaults write /Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false

Might be an idea to set the defaults for new users too somehow in the User Template. This would definitely be possible with Safari, setting the defaults in FireFox is more difficult, but not impossible.

So set specifically in the User Template with
defaults write /System/Library/User Template/English.lproj/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false
defaults write /System/Library/User Template/English.lproj/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false

0 Kudos
Reply