- Jamf Nation Community
- Products
- Jamf Pro
- FYI: Xprotect/Gatekeeper and Safari 6.1
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
FYI: Xprotect/Gatekeeper and Safari 6.1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-23-2013 09:48 AM
Safari 6.1 seems to require the presence of the Gatekeeper Xprotect manifest (/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist). If your previous approach to preventing Apple from disabling Java via this mechanism included deleting the file entirely, or preparing one with preferred versions, you'll need to update it. The manifest itself has changed considerably; the better approach seems to be to manage via mcx what sites are allowed to always run (that mechanism is still working for me, at least for Java and our Network Connect urls).
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-23-2013 09:50 AM
Additional note: A symptom of not having a current manifest is that plugins will be marked as "unsafe" in Preferences - Security - Manage Website Settings... even if they're current versions. It seems that "innocent until proven guilty" is out the window here; plugins require positive identification as "safe".
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-23-2013 10:42 AM
For those interested in managing XProtect instead of disabling it, my solution for managing XProtect's ability to block the Java plug-in continues to work on 10.9:
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-23-2013 11:51 AM
Indeed; since your script only modified the lines that apply to Java, when a new manifest is created, the other keys remain unmodified. I contend that this is managing the problem at the wrong end, and has perhaps an even worse side-effect: no matter what version of Java a client is running, this method will permit it to be used by Safari for ALL sites (not just your trusted sites).
Rather than disabling xprotect, or modifying its manifest, white-listing trusted sites via managed preferences seems like the most secure and simple approach. You maintain functionality of the currently-deployed version on your trusted sites, while allowing xprotect to enforce minimum safe versions on others (and you don't have to have a launchdaemon constantly un-doing what xprotect is doing, creating a race condition).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-24-2013 03:35 AM
You can also now manage Xprotect settings via Server 3.0 under Software Update.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-24-2013 07:44 AM
all i see under software update is URL for update server.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-24-2013 08:04 AM
Indeed; I don't see this under Software Updates either. I couldn't tell if he meant under the Software Updates config in the Server.app (not there) or in Config Profiles (not there either). @charles.hitch Can you clarify?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-24-2013 09:25 AM
Like I said above, the old WhiteListedBlockedPlugins still works, but the new ManagedPluginPolicies dict allows for specifying not just whether it should run, but if indeed it should run "Unsafe" (un-sandboxed) for certain URL's as well. I've addressed a particular application for this (Juniper Network Connect) here:
https://jamfnation.jamfsoftware.com/discussion.html?id=8789
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-24-2013 11:14 AM
I haven't been able to look yet, but the way Apple told me they implemented it is that its configured under Software Update in Server.app. ie You have to be running the Software Update Service.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-24-2013 11:46 AM
oh so its like the customize setup assistant feature they announced, you probably have to have apple do that for you. :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-24-2013 11:47 AM
Or call it vapor ware like I do.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 11-11-2013 08:48 AM
There is, in fact, an update called XProtectPlistConfigData (at least, on my Net/SUS 2 appliance) released on 8 October; appears they're letting us release these as we see fit.
