
Java & Flash vs El Capitan

  • September 14, 2015
  • 7 replies
  • 41 views


https://derflounder.wordpress.com/2015/09/14/system-integrity-protection-and-the-end-of-xprotect-management-for-browser-plug-ins/

This is the end, beautiful friend This is the end, my only friend, the end

7 replies

bpavlov
  • Esteemed Contributor
  • September 14, 2015

It only makes sense that they wouldn't allow that to be manageable on client-side. After all, that's another security mechanism. However, one of the comments does make the good point that it can be managed server-side if you have an Apple SUS implemented. I think it would be great to be able to manage it server side and get granular instead of it being all or nothing.


  • Hall of Fame
  • September 14, 2015

It can be managed to the extent of turning off the updates for XProtect, but I don't recommend that.

Meanwhile, XProtect's blacklist currently defines an older version of Java 8's browser plug-in as being the minimum allowed version. So if you have something that needs Java 7's browser plug-in, you're going to have a problem right away after upgrading to El Capitan even if you have XProtect updates blocked otherwise.


  • Valued Contributor
  • September 14, 2015

This could always be managed in com.apple.Safari.plist via the ManagedPlugInPolicies key; you apply the updates as they come so that insecure versions of plugins don't run on arbitrary sites, and white-list the sites you care about.


  • Hall of Fame
  • September 14, 2015

@JPDyson,

You can set plug-ins to run in Unsafe Mode, but my observations have always been that XProtect-blocked plug-ins won't run and will prompt instead for updates. Have you observed different behavior?


  • Valued Contributor
  • September 14, 2015

Yes, with Always Run enabled, they simply run.

Edit: To clarify, I understand "Unsafe Mode" to refer to sandboxing (allowing plugin cross-talk), and the Allow settings to pertain to run permissions. Always Allow means "even when XProtect says it's unsafe".


  • Hall of Fame
  • September 15, 2015

Thanks, @JPDyson. I've now updated the post with that information.


  • Valued Contributor
  • September 17, 2015

Sweet. For those who are going to embark on this via Config Profiles, note that it's a custom payload. You'll probably want to think of a safe place to keep copies of plist "snippets" containing the keys you intend to manage (and nothing else), as you won't be able to easily update the payload to make simple edits.

This worked better via MCX in Casper 8 when you could specify 'array' as a key type and edit the text in-browser. I've complained quite a bit about that feature's removal, but I grow tired of tilting at that particular windmill...
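
The plist "snippet" approach described in the last reply, as an added example that is not part of the original thread: a Python script that reduces a full Safari preferences export to only the managed keys and lists each per-site plug-in exception for review. Only `ManagedPlugInPolicies` comes from the thread; the bundle ID, hostname and inner key names in the constructed sample are assumptions to verify against your own Safari preferences.

```python
import plistlib

# Key named in the thread; add any others you manage.
MANAGED_KEYS = ("ManagedPlugInPolicies",)

# Constructed sample standing in for an exported com.apple.Safari.plist.
# Bundle ID, hostname and inner key names are illustrative; verify them
# against your own Safari preferences before building a payload.
SAMPLE_PREFS = {
    "HomePage": "https://intranet.example.com/",
    "AutoFillPasswords": False,
    "ManagedPlugInPolicies": {
        "com.oracle.java.JavaAppletPlugin": {
            "PlugInFirstVisitPolicy": "PlugInPolicyAsk",
            "PlugInHostnamePolicies": [
                {"PlugInHostname": "timesheet.example.com",
                 "PlugInPolicy": "PlugInPolicyAllowNoSecurityRestrictions"},
            ],
        },
    },
}


def extract_snippet(prefs, keys=MANAGED_KEYS):
    """Return a dict holding only the managed keys, and nothing else."""
    missing = [k for k in keys if k not in prefs]
    if missing:
        raise KeyError(f"not present in source plist: {missing}")
    return {k: prefs[k] for k in keys}


def snippet_from_plist(data, keys=MANAGED_KEYS):
    """Accept binary or XML plist bytes; emit an XML snippet that diffs cleanly."""
    snippet = extract_snippet(plistlib.loads(data), keys)
    return plistlib.dumps(snippet, fmt=plistlib.FMT_XML, sort_keys=True)


def allowed_hosts(snippet):
    """List (plug-in, hostname, policy) so each per-site exception can be reviewed."""
    rows = []
    for plugin, policy in snippet.get("ManagedPlugInPolicies", {}).items():
        for entry in policy.get("PlugInHostnamePolicies", []):
            rows.append((plugin, entry.get("PlugInHostname"), entry.get("PlugInPolicy")))
    return sorted(rows)


if __name__ == "__main__":
    binary = plistlib.dumps(SAMPLE_PREFS, fmt=plistlib.FMT_BINARY)
    print(snippet_from_plist(binary).decode())
    print(allowed_hosts(extract_snippet(SAMPLE_PREFS)))
```

Keeping the XML output under version control gives a reviewable history of which sites were exempted, since the custom payload itself has to be re-uploaded for every edit.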