Solved

Gatekeeper and JNLP - method to pre approve using spctl?

  • October 30, 2014
  • 11 replies
  • 58 views


Anybody sussed this yet? I want to keep Gatekeeper on "Mac App Store and identified developers", but want some JNLP launched applications work without intervention.

I know if I use "Open anyway" (and admin authorise it manually) that that JNLP - perhaps identified by the URL? - works ok any time after.

I was hoping I could download approved JNLPs, package them up to install in /tmp and run spctl on them, but simply sudo-ing

```
spctl --add /path/to/downloaded.jnlp
```

doesn't look like it's working. (To me.)

Best answer by alan_trewartha

11 replies

  • Contributor
  • October 30, 2014

Have you tried adding a label to your rule with the --label switch?


  • Author
  • Contributor
  • October 30, 2014

Yep. Sounds like you think the method *should* work. Anyone confirm that? I'll have another shot on a clean OS.


  • Contributor
  • October 31, 2014

We use an internal jnlp, and our settings are as you have above. We also have the Java settings set high.

I wrap the jnlp as an application using Platypus and a script to launch the jnlp. The jnlp needs to be signed (in as much as you can't sign one, but it needs to be the same as the jnlp in the signed JAR).

http://docs.oracle.com/javase/8/docs/technotes/guides/deploy/signed_jnlp.html

Since a jnlp is just a text file, I believe this is why trying to add it using spctl won't work.


  • Author
  • Contributor
  • November 3, 2014

The problem is these aren't JNLPs within my control - they are 3rd party applications. So I was hoping there might be a way to allow only known JNLPs to launch without intervention.

Am I out of options?


  • Contributor
  • November 4, 2014

Never tried with an externally sourced JNLP. If you wrap it into your own application, then it is no longer a downloaded item and so shouldn't be quarantined, but you may have to relax your Java settings depending upon the JNLP.

Give it a go. You can always try communicating with the suppliers of the JNLP if there is still an issue.


  • Author
  • Contributor
  • November 5, 2014

Thanks. And thanks for the tip off re Platypus. I'll take a look and see if that can get past it by wrapping up a simple shell script like

```
/System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/bin/javaws ./approved.jnlp
```

Or some approach like that anyway.


  • Author
  • Contributor
  • November 6, 2014

Looking good on a test! Going to try it on a real world JNLP and actual person next…


  • Contributor
  • November 7, 2014

For info, I run Java Web Start rather than reference the old Java version. Of course, this may not be for you.

```
open -a "Java Web Start" ../../Contents/Resources/my.jnlp
```

  • Author
  • Contributor
  • Answer
  • November 26, 2014

Just for reference, the JNLPs ended up all being unique so the simplest solution was a 2-line applescript called "JNLP launcher" that was basically "choose file with prompt… " and "do shell script…"


sepiemoini
  • Employee
  • July 6, 2016

@alan.trewartha We're running into a similar issue at my organization as well. Do you mind sharing the AppleScript that you used?


  • Author
  • Contributor
  • September 10, 2016

Here's the basic idea…

```applescript
on run
    -- ask the user which JNLP to open
    set jnlp_file to (choose file with prompt "Choose a JNLP file")
    -- hand the chosen file to javaws; quoted form protects paths with spaces
    do shell script "/System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/bin/javaws " & quoted form of POSIX path of jnlp_file
end run
```

You can probably adapt this to make it a droplet too