Java & Flash vs El Capitan

ronb
New Contributor II

https://derflounder.wordpress.com/2015/09/14/system-integrity-protection-and-the-end-of-xprotect-management-for-browser-plug-ins/

This is the end, beautiful friend This is the end, my only friend, the end

7 REPLIES 7

bpavlov
Honored Contributor

It only makes sense that they wouldn't allow that to be manageable on client-side. After all, that's another security mechanism. However, one of the comments does make the good point that it can be managed server-side if you have an Apple SUS implemented. I think it would be great to be able to manage it server side a get granular instead of it being all or nothing.

rtrouton
Release Candidate Programs Tester

It can be managed to the extent of turning off the updates for XProtect, but I don't recommend that.

Meanwhile, XProtect's blacklist currently defines an older version of Java 8's browser plug-in as being the minimum allowed version. So if you have something that needs Java 7's browser plug-in, you're going to have a problem right away after upgrading to El Capitan even if you have XProtect updates blocked otherwise.

JPDyson
Valued Contributor

This could always be managed in com.apple.Safari.plist via the ManagedPlugInPolicies key; you apply the updates as they come so that insecure versions of plugins don't run on arbitrary sites, and white-list the sites you care about.

rtrouton
Release Candidate Programs Tester

@JPDyson,

You can set plug-ins to run in Unsafe Mode, but my observations have always been that XProtect-blocked plug-ins won't run and will prompt instead for updates. Have you observed different behavior?

JPDyson
Valued Contributor

Yes, with Always Run enabled, they simply run.

Edit: To clarify, I understand "Unsafe Mode" to refer to sandboxing (allowing plugin cross-talk), and the Allow settings to pertain to run permissions. Always Allow means "even when Xprotect says it's unsafe".

rtrouton
Release Candidate Programs Tester

Thanks, @JPDyson. I've now updated the post with that information.

JPDyson
Valued Contributor

Sweet. For those who are going to embark on this via Config Profiles, note that it's a custom payload. You'll probably want to think of a safe place to keep copies of plist "snippets" containing the keys you intend to manage (and nothing else), as you won't be able to easily update the payload to make simple edits.

This worked better via MCX in Casper 8 when you could specify 'array' as a key type and edit the text in-browser. I've complained quite a bit about that feature's removal, but I grow tired of tilting at that particular windmill...