Posted on 09-14-2015 06:26 AM
https://derflounder.wordpress.com/2015/09/14/system-integrity-protection-and-the-end-of-xprotect-management-for-browser-plug-ins/
This is the end, beautiful friend
This is the end, my only friend, the end
Posted on 09-14-2015 06:39 AM
It only makes sense that they wouldn't allow that to be manageable client-side. After all, that's another security mechanism. However, one of the comments does make the good point that it can be managed server-side if you have an Apple SUS implemented. I think it would be great to be able to manage it server-side and get granular instead of it being all or nothing.
Posted on 09-14-2015 07:07 AM
It can be managed to the extent of turning off the updates for XProtect, but I don't recommend that.
Meanwhile, XProtect's blacklist currently defines an older version of Java 8's browser plug-in as being the minimum allowed version. So if you have something that needs Java 7's browser plug-in, you're going to have a problem right away after upgrading to El Capitan even if you have XProtect updates blocked otherwise.
Posted on 09-14-2015 11:10 AM
This could always be managed in com.apple.Safari.plist via the ManagedPlugInPolicies key; you apply the updates as they come so that insecure versions of plugins don't run on arbitrary sites, and white-list the sites you care about.
Posted on 09-14-2015 11:36 AM
You can set plug-ins to run in Unsafe Mode, but my observations have always been that XProtect-blocked plug-ins won't run and will prompt instead for updates. Have you observed different behavior?
Posted on 09-14-2015 12:23 PM
Yes, with Always Run enabled, they simply run.
Edit: To clarify, I understand "Unsafe Mode" to refer to sandboxing (allowing plugin cross-talk), and the Allow settings to pertain to run permissions. Always Allow means "even when XProtect says it's unsafe".
Posted on 09-14-2015 05:40 PM
Thanks, @JPDyson. I've now updated the post with that information.
Posted on 09-17-2015 10:27 AM
Sweet. For those who are going to embark on this via Config Profiles, note that it's a custom payload. You'll probably want to think of a safe place to keep copies of plist "snippets" containing the keys you intend to manage (and nothing else), as you won't be able to easily update the payload to make simple edits.
This worked better via MCX in Casper 8 when you could specify 'array' as a key type and edit the text in-browser. I've complained quite a bit about that feature's removal, but I grow tired of tilting at that particular windmill...
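Added example (not code from any poster in this thread): a small Python script that generates the kind of com.apple.Safari plist "snippet" described above, containing only the ManagedPlugInPolicies key, with a default of blocking the plug-in everywhere and a whitelist of hostnames where it may run with no security restrictions. It also checks that a snippet carries no keys beyond the one you intend to manage, which is the failure mode the custom-payload comments warn about. The key and policy-value names (PlugInPolicy, PlugInHostnamePolicies, PlugInRunUnsandboxed, PlugInPolicyAllowNoSecurityRestrictions and friends) are what Safari 9 writes into com.apple.Safari.plist when a user changes per-site plug-in settings; treat them as an assumption and diff against a test Mac before deploying. The Java plug-in bundle identifier and the example.com hostnames are likewise assumed.

```python
"""Generate and sanity-check a Safari ManagedPlugInPolicies plist snippet.

Added example for this thread, not any poster's code. Key names, policy
strings and the plug-in bundle identifier are assumptions taken from what
Safari 9 writes to com.apple.Safari.plist; verify on a test machine.
"""
import plistlib

# Policy strings as Safari stores them (assumption, see module docstring).
ALLOW_UNSAFE = "PlugInPolicyAllowNoSecurityRestrictions"   # the UI's "Always Allow"
ALLOW_SAFE = "PlugInPolicyAllowWithSecurityRestrictions"
ASK = "PlugInPolicyAsk"
BLOCK = "PlugInPolicyBlock"
VALID_POLICIES = {ALLOW_UNSAFE, ALLOW_SAFE, ASK, BLOCK}

JAVA_PLUGIN_ID = "com.oracle.java.JavaAppletPlugin"  # assumed bundle identifier


def host_policy(hostname, policy=ALLOW_UNSAFE, unsandboxed=False):
    """One PlugInHostnamePolicies entry: the permission for a single site."""
    if policy not in VALID_POLICIES:
        raise ValueError(f"unknown plug-in policy: {policy}")
    return {
        "PlugInHostname": hostname,
        "PlugInPageURL": f"https://{hostname}/",
        "PlugInPolicy": policy,
        # Corresponds to the "Unsafe Mode" checkbox (assumption): leave it off
        # unless a site genuinely needs plug-in cross-talk.
        "PlugInRunUnsandboxed": unsandboxed,
    }


def build_snippet(plugin_id, allowed_hosts, default_policy=BLOCK):
    """Dict holding only ManagedPlugInPolicies: block everywhere except the whitelist."""
    return {
        "ManagedPlugInPolicies": {
            plugin_id: {
                "PlugInFirstVisitPolicy": default_policy,
                "PlugInPolicy": default_policy,
                "PlugInHostnamePolicies": [host_policy(h) for h in allowed_hosts],
            }
        }
    }


def to_plist(snippet):
    """Serialize to XML plist bytes, ready to paste into a custom payload."""
    return plistlib.dumps(snippet, fmt=plistlib.FMT_XML)


def unmanaged_keys(plist_bytes, managed=("ManagedPlugInPolicies",)):
    """Top-level keys the snippet would push that you did not mean to manage."""
    data = plistlib.loads(plist_bytes)
    return sorted(k for k in data if k not in managed)


def allowed_hostnames(plist_bytes, plugin_id):
    """Sites on which the snippet lets plugin_id run with no security restrictions."""
    data = plistlib.loads(plist_bytes)
    entries = data["ManagedPlugInPolicies"][plugin_id]["PlugInHostnamePolicies"]
    return sorted(e["PlugInHostname"] for e in entries if e["PlugInPolicy"] == ALLOW_UNSAFE)


def default_policy(plist_bytes, plugin_id):
    """The policy applied to every site not listed in PlugInHostnamePolicies."""
    data = plistlib.loads(plist_bytes)
    return data["ManagedPlugInPolicies"][plugin_id]["PlugInPolicy"]


if __name__ == "__main__":
    # Constructed sample: two internal sites (assumed names) still needing Java.
    snippet = build_snippet(JAVA_PLUGIN_ID, ["intranet.example.com", "timecard.example.com"])
    xml = to_plist(snippet)
    print(xml.decode())
    print("unmanaged keys:", unmanaged_keys(xml))
    print("always-allow hosts:", allowed_hostnames(xml, JAVA_PLUGIN_ID))
```

Keep the generated XML under version control as the single copy of the payload, and rerun `unmanaged_keys` on anything exported back out of the profile editor: a snippet that has grown a HomePage or other stray key is the easiest way to clobber settings you never meant to manage.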