Gatekeeper and JNLP - method to pre approve using spctl?

alan_trewartha
New Contributor III

Anybody sussed this yet? I want to keep Gatekeeper on "Mac App Store and identified developers", but want some JNLP-launched applications to work without intervention.

I know if I use "Open anyway" (and admin authorise it manually) that that JNLP - perhaps identified by the URL? - works ok any time after.

I was hoping I could download approved JNLPs, package them up to install in /tmp and run spctl on them, but simply sudo-ing

```
spctl --add /path/to/downloaded.jnlp
```

doesn't look like it's working. (To me.)


psliequ
Contributor III

Have you tried adding a label to your rule with the --label switch?

alan_trewartha
New Contributor III

Yep. Sounds like you think the method *should* work. Anyone confirm that? I'll have another shot on a clean OS.

sean
Valued Contributor

We use an internal jnlp, and our settings are as you have above. We also have the Java settings set high.

I wrap the jnlp as an application using Platypus and a script to launch the jnlp. The jnlp needs to be signed (in as much as you can't sign one, but it needs to be the same as the jnlp in the signed JAR).

http://docs.oracle.com/javase/8/docs/technotes/guides/deploy/signed_jnlp.html

Since a jnlp is just a text file, I believe this is why trying to add it using spctl won't work.

alan_trewartha
New Contributor III

The problem is these aren't JNLPs within my control - they are 3rd party applications. So I was hoping there might be a way to allow only known JNLPs to launch without intervention.

Am I out of options?

sean
Valued Contributor

Never tried with an externally sourced JNLP. If you wrap it into your own application, then it is no longer a downloaded item and so shouldn't be quarantined, but you may have to relax your Java settings depending upon the JNLP.

Give it a go. You can always try communicating with the suppliers of the JNLP if there is still an issue.

alan_trewartha
New Contributor III

Thanks. And thanks for the tip off re Platypus. I'll take a look and see if that can get past it by wrapping up a simple shell script like

```
/System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/bin/javaws ./approved.jnlp
```

Or some approach like that anyway.

alan_trewartha
New Contributor III

Looking good on a test! Going to try it on a real world JNLP and actual person next…

sean
Valued Contributor

For info, I run Java Web Start rather than reference the old Java version. Of course, this may not be for you.

```
open -a "Java Web Start" ../../Contents/Resources/my.jnlp
```

alan_trewartha
New Contributor III

Just for reference, the JNLPs ended up all being unique so the simplest solution was a 2-line applescript called "JNLP launcher" that was basically "choose file with prompt… " and "do shell script…"

sepiemoini
Contributor III

@alan.trewartha We're running into a similar issue at my organization as well. Do you mind sharing your AppleScript that you used?

alan_trewartha
New Contributor III

Here's the basic idea…

```applescript
on run
    -- ask the user to pick the JNLP to launch
    set jnlp_file to (choose file with prompt "Choose a JNLP file")
    -- hand the chosen file to javaws; quoted form guards against spaces in the path
    do shell script "/System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/bin/javaws " & quoted form of POSIX path of jnlp_file
end run
```

You can probably adapt this to make it a droplet too