Hi Jamf community!
Wanted to share this with the community and possibly get some input on how else I can block JDK from getting installed. The problem is, JDK uses the "Installer" process, which makes it really difficult to block, as I don't want to block any other app from being installed. Below are some other methods I've tried so far with the outcomes.
2 things to note:
1. All our users are local admins (yes, I know!)
2. I do not have Jamf Protect.
Code Signature Verification:
- I attempted to block Oracle JDK installations using code signature verification, focusing on the Team Identifier VB5E2TV963 from a previously installed JDK.
- Also tried using hash values for both the dmg and the pkg within it. The closest I've come is that it does detect the installer but does nothing to block it.
- Outcome: I successfully identified the Team Identifier, but my current implementation isn't effectively blocking installations across different paths.
Script Development:
- I created a script located at /usr/local/bin/blockjdk.sh to kill the 'Installer' process during the JDK installation process.
- Outcome: The script interrupts the installation midway, but it’s only a temporary measure and doesn’t prevent users from starting the installation again.
- Also tried using LaunchDaemons to have a continuous monitoring solution but it will not work.
Jamf Policy Creation:
- I created a Jamf policy named "Block JDK install," attaching the blockjdk.sh script and setting it to recurring and ongoing with a custom event trigger called blockjdk.
- Outcome: The policy is in place, but I need further assistance to ensure it works effectively for all users and paths without relying solely on killing the 'Installer' process.
Google Santa:
- I considered using Santa for monitoring installations but encountered issues related to version discrepancies and the absence of 'santad' in the latest version.
- Outcome: This approach hasn’t yielded successful results due to the challenges with Santa’s functionality.
- Apparently, Santa only blocks apps that are already installed by killing the process, and it only kills binaries.
Conclusion
Despite my attempts to block Oracle JDK installations through various methods, including script creation and policy configuration in Jamf, I need a more robust solution to prevent installations effectively. I’m reaching out to the Jamf community for assistance in refining my approach and addressing the current challenges. Happy to share my scripts if anyone is interested in looking at them in depth. I'm able to block JRE installation as they do have a specific process name called "JreMacInstaller", which I can successfully block using Restricted Software, but JDK is another beast.
Thank you in advance!
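
The signature-based detection described in the post, as an added example that is not the poster's blockjdk.sh script: it reads `pkgutil --check-signature` output and reports packages whose leaf signing certificate carries the Team Identifier VB5E2TV963. The function names and the sample output are constructed for illustration, and the script only detects a matching package; it does not block the install.

```shell
#!/bin/sh
# Added example (not from the original post). Team ID taken from the post.
BLOCKED_TEAM_ID="VB5E2TV963"

# Read `pkgutil --check-signature` output on stdin and print the Team ID of
# the leaf certificate, i.e. the line "1. Developer ID Installer: Name (TEAMID)".
leaf_team_id() {
    sed -n 's/^[[:space:]]*1\. .*(\([A-Z0-9]\{10\}\))[[:space:]]*$/\1/p' | head -n 1
}

# Return 0 when the signature text on stdin names the blocked Team ID.
# Unsigned packages produce no leaf line and therefore never match.
is_blocked_signature() {
    [ "$(leaf_team_id)" = "$BLOCKED_TEAM_ID" ]
}

# Check one .pkg file on a Mac (pkgutil ships with macOS).
check_pkg() {
    pkgutil --check-signature "$1" 2>/dev/null | is_blocked_signature
}

# Constructed sample of pkgutil output, trimmed to the lines that matter.
sample_signature() {
cat <<'EOF'
Package "jdk-example.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Oracle America, Inc. (VB5E2TV963)
    2. Developer ID Certification Authority
    3. Apple Root CA
EOF
}

# When .pkg paths are passed as arguments, report each one.
if [ "$#" -gt 0 ]; then
    for pkg in "$@"; do
        if check_pkg "$pkg"; then
            echo "BLOCKED SIGNER: $pkg"
        else
            echo "ok: $pkg"
        fi
    done
fi
```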