How to block Oracle JDK from getting installed via Jamf Pro?

findanish
New Contributor

Hi Jamf community!

Wanted to share this with the community and possibly get some input on how else I can block JDK from getting installed. The problem is, JDK uses the "Installer" process, which makes it really difficult to block that, as I don't want to block any other app from being installed. Below are some other methods I've tried so far with the outcomes.

2 things to note:
1. All our users are local admins (yes, I know!)

2. I do not have Jamf Protect.

  1. Code Signature Verification:

    • I attempted to block Oracle JDK installations using code signature verification, focusing on the Team Identifier VB5E2TV963 from a previously installed JDK.
    • Also tried using hash values for both the dmg and the pkg within it. The closest I've come is that it does detect the installer but does nothing to block it.
    • Outcome: I successfully identified the Team Identifier, but my current implementation isn't effectively blocking installations across different paths.
  2. Script Development:

    • I created a script located at /usr/local/bin/blockjdk.sh to kill the 'Installer' process during the JDK installation process.
    • Outcome: The script interrupts the installation midway, but it’s only a temporary measure and doesn’t prevent users from starting the installation again.
    • Also tried using LaunchDaemons to have a continuous monitoring solution, but it will not work.
  3. Jamf Policy Creation:

    • I created a Jamf policy named "Block JDK install," attaching the blockjdk.sh script and setting it to recurring and ongoing with a custom event trigger called blockjdk.
    • Outcome: The policy is in place, but I need further assistance to ensure it works effectively for all users and paths without relying solely on killing the 'Installer' process.
  4. Google Santa:

    • I considered using Santa for monitoring installations but encountered issues related to version discrepancies and the absence of 'santad' in the latest version.
    • Outcome: This approach hasn’t yielded successful results due to the challenges with Santa’s functionality.
    • Apparently, Santa only blocks apps that are already installed by killing the process, and it only kills binaries.

Conclusion

Despite my attempts to block Oracle JDK installations through various methods, including script creation and policy configuration in Jamf, I need a more robust solution to prevent installations effectively. I’m reaching out to the Jamf community for assistance in refining my approach and addressing the current challenges. Happy to share my scripts if anyone is interested in looking at them in depth. I'm able to block JRE installation as they do have a specific process name called "JreMacInstaller" which I can successfully block using Restricted Software, but JDK is another beast.

Thank you in advance!

2 REPLIES

Shyamsundar
Contributor

It is commendable that you have meticulously implemented the measures to block the installation of the Oracle JDK. However, given that Oracle has made it a licensed version, we face a challenge in effectively preventing its installation. While it may be possible to remove the JDK immediately upon its installation, creating a launch daemon to monitor the installation path and execute the uninstallation script would be a more effective approach.

Furthermore, it is crucial to communicate effectively with users to encourage them to use an open-source JDK. If users require an Oracle JDK and it must be approved and approved by the department, it may be more appropriate to consider process refinement rather than technical challenges. As administrators, we will be responsible for this stage, but it primarily involves process-related issues rather than technical difficulties.
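
The reply above suggests a launch daemon that watches the installation path and runs a removal script; the script below is one way to write that removal step. It is an added example, not code from this thread: it matches bundles by the Team Identifier quoted in the original post, assumes the standard macOS JVM directory `/Library/Java/JavaVirtualMachines` and that installed bundles carry that signature, and the function names and `--report`/`--remove` arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Finds *.jdk bundles signed with a
# given Team Identifier and optionally removes them.
# Assumptions: JVM_DIR is the standard macOS JDK location; the Team ID is
# the one quoted in the original post; all function names are hypothetical.

JVM_DIR="${JVM_DIR:-/Library/Java/JavaVirtualMachines}"
BLOCKED_TEAM_ID="${BLOCKED_TEAM_ID:-VB5E2TV963}"

# Print the Team Identifier of a signed bundle (prints nothing if unsigned).
team_id_of() {
    /usr/bin/codesign -d --verbose=2 "$1" 2>&1 |
        awk -F= '/^TeamIdentifier=/ { print $2 }'
}

# Print one path per line for each *.jdk bundle signed by the blocked team.
find_blocked_jdks() (
    for bundle in "$1"/*.jdk; do
        [ -d "$bundle" ] || continue   # glob did not match, or not a bundle
        [ -L "$bundle" ] && continue   # skip symlinks; act on real bundles only
        if [ "$(team_id_of "$bundle")" = "$BLOCKED_TEAM_ID" ]; then
            printf '%s\n' "$bundle"
        fi
    done
)

# Remove each blocked bundle, log its path to stderr, print how many went.
remove_blocked_jdks() (
    count=0
    while IFS= read -r bundle; do
        [ -n "$bundle" ] || continue
        rm -rf -- "$bundle" && count=$((count + 1))
        echo "removed: $bundle" >&2
    done <<EOF
$(find_blocked_jdks "$1")
EOF
    printf '%s\n' "$count"
)

# Nothing is touched unless an explicit mode is given.
case "${1:-}" in
    --report) find_blocked_jdks "$JVM_DIR" ;;
    --remove) remove_blocked_jdks "$JVM_DIR" ;;
esac
```

Run it with `--report` first to see what would be removed. Because every user here is a local admin, this only cleans up after an install; it does not stop the installer from running again.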

AJPinto
Honored Contributor III

You need a security tool like Jamf Protect, Carbon Black Protect, Sentinel, CyberArk EPM, etc. These tools would hook into the system events and look for the install action, and block it from happening; this is not something Jamf Pro can do. Use the right tool for the job or have a bad time.