Posted on 02-06-2015 12:10 PM
Hey everyone, Happy Friday!!
I am working on a script to set the com.apple.Safari.plist to allow the Java applet to run in untrusted mode for our VPN to work. The script below works and the changes appear in the plist, but then are quickly erased and replaced with the original version. I am at my wits' end today with this. Right now the only way to have it stick is to change it manually through Safari's preferences. Please Help!!
Some useful info:
System OS: 10.10.2
Safari version: 8.03
#!/bin/bash
# @Author: Roger Herling w/credit to maxbehr and bajankinch
# @email: roger.herling@ul.com
# @Date: 2014-11-10 14:22:27
# [~Last] Modified by: 46199
# [~Last] Modified time: 2014-11-11 13:25:58
# Purpose: Change Safari's default security settings for Java to allow the SSL VPN Extender to run on Mac OS X

# Casper user variable
USER=$3

# Enable logging
exec 3>&1 4>&2
trap 'exec 2>&4 1>&3' 0 1 2 3
exec 1>/var/log/javafix1.log 2>&1

# Path to user's Safari plist
theFile="/Users/$USER/Library/Preferences/com.apple.Safari.plist"
echo "path set to $theFile"

##############
#JAVA Plug-In#
##############

# Determine how many DICT items exist in plist
DICT_COUNT=$(sudo -u "$USER" /usr/libexec/PlistBuddy -c "print ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies" "$theFile" | grep -c "Dict")
echo "Number of DICT=$DICT_COUNT"

# Determine if an entry already exists for your server
VPN_PRESENT=$(sudo -u "$USER" /usr/libexec/PlistBuddy -c "print ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies" "$theFile" | grep -c "ra.ul.com")

if [ "$DICT_COUNT" -gt 0 ] && [ "$VPN_PRESENT" -gt 0 ]; then
    echo "Both DICT exists and a VPN entry exists"
    # Both DICT exists and a vnet entry exists. Set the preferences
    for idx in $(seq 0 $((DICT_COUNT - 1)))
    do
        val=$(/usr/libexec/PlistBuddy -c "Print ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:${idx}:PlugInHostname" "$theFile")
        if [ "$val" = "ra.ul.com" ]; then
            sudo -u "$USER" /usr/libexec/PlistBuddy -c "set ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:${idx}:PlugInHostname ra.ul.com" "$theFile"
            sudo -u "$USER" /usr/libexec/PlistBuddy -c "set ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:${idx}:PlugInLastVisitedDate $(date)" "$theFile"
            sudo -u "$USER" /usr/libexec/PlistBuddy -c "set ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:${idx}:PlugInPageURL https://ra.ul.com/SNX/extender" "$theFile"
            sudo -u "$USER" /usr/libexec/PlistBuddy -c "set ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:${idx}:PlugInPolicy PlugInPolicyAllowNoSecurityRestrictions" "$theFile"
            sudo -u "$USER" /usr/libexec/PlistBuddy -c "set ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:${idx}:PlugInRunUnsandboxed True" "$theFile"
        fi
    done
elif [ "$DICT_COUNT" -gt 0 ] && [ "$VPN_PRESENT" -eq 0 ]; then
    echo "Java array has DICT entries, but VPN is not one of them"
    # Java array has DICT entries, but vnet is not one of them. Add it to the next available array index
    # (the array already exists in this branch, so it is not added again)
    sudo -u "$USER" /usr/libexec/PlistBuddy -c "add ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:${DICT_COUNT}:PlugInHostname string ra.ul.com" "$theFile"
    sudo -u "$USER" /usr/libexec/PlistBuddy -c "add ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:${DICT_COUNT}:PlugInLastVisitedDate date $(date)" "$theFile"
    sudo -u "$USER" /usr/libexec/PlistBuddy -c "add ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:${DICT_COUNT}:PlugInPageURL string https://ra.ul.com/SNX/extender" "$theFile"
    sudo -u "$USER" /usr/libexec/PlistBuddy -c "add ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:${DICT_COUNT}:PlugInPolicy string PlugInPolicyAllowNoSecurityRestrictions" "$theFile"
    sudo -u "$USER" /usr/libexec/PlistBuddy -c "add ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:${DICT_COUNT}:PlugInRunUnsandboxed bool True" "$theFile"
else
    echo "No DICT entries exist. Creating new one at index 0"
    # No DICT entries exist. Create new one at index 0
    sudo -u "$USER" /usr/libexec/PlistBuddy -c "add ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies array" "$theFile"
    sudo -u "$USER" /usr/libexec/PlistBuddy -c "add ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:0:PlugInHostname string ra.ul.com" "$theFile"
    sudo -u "$USER" /usr/libexec/PlistBuddy -c "add ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:0:PlugInLastVisitedDate date $(date)" "$theFile"
    sudo -u "$USER" /usr/libexec/PlistBuddy -c "add ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:0:PlugInPageURL string https://ra.ul.com/SNX/extender" "$theFile"
    sudo -u "$USER" /usr/libexec/PlistBuddy -c "add ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:0:PlugInPolicy string PlugInPolicyAllowNoSecurityRestrictions" "$theFile"
    sudo -u "$USER" /usr/libexec/PlistBuddy -c "add ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:0:PlugInRunUnsandboxed bool True" "$theFile"
fi
Posted on 02-06-2015 12:50 PM
Unfortunately, scripted methods of managing Safari's internet plug-ins generally stopped working after Safari 6.1.*
In 10.10.x, I would recommend using a profile instead. Apple has a KBase article that describes how to set one up to manage Safari's plug-ins available from here:
http://support.apple.com/en-us/HT202947
*I have a post on how I used to manage the Java whitelist available from here:
https://derflounder.wordpress.com/2013/04/19/managing-safaris-java-whitelist/
Posted on 02-06-2015 12:53 PM
Thanks Rich, I will check it out!
Posted on 02-06-2015 11:48 PM
@RogerUL, the behaviour you were seeing with the plist sounds like preference caching. https://macmule.com/2014/02/07/mavericks-preference-caching/
Posted on 02-07-2015 08:15 PM
I agree with @bentoms about the cached preferences. I had a similar script to the one you posted working, but used "killall cfprefsd" just before all of the plistbuddy commands... seemed to stick then. I am abandoning that in favor of the configuration profile (as Rich suggested above).
If you need a sample of a custom Safari Plug-In Configuration Profile you can reference this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ManagedPlugInPolicies</key>
    <dict>
        <key>com.oracle.java.JavaAppletPlugin</key>
        <dict>
            <key>PlugInFirstVisitPolicy</key>
            <string>PlugInPolicyAsk</string>
            <key>PlugInHostnamePolicies</key>
            <array>
                <dict>
                    <key>PlugInHostname</key>
                    <string>java.com</string>
                    <key>PlugInLastVisitedDate</key>
                    <date>2015-02-06T13:52:36Z</date>
                    <key>PlugInPageURL</key>
                    <string>https://www.java.com</string>
                    <key>PlugInPolicy</key>
                    <string>PlugInPolicyAllowNoSecurityRestrictions</string>
                    <key>PlugInRunUnsandboxed</key>
                    <true/>
                </dict>
            </array>
        </dict>
    </dict>
</dict>
</plist>
This is only preferences for one plug-in (Java) and for one URL (Java.com)... but you can copy the whole ManagedPlugInPolicies key out of com.apple.Safari (after you manually configure Safari to taste) and paste it into a plist, then upload it to make your custom Config Profile. Seems to be working well for me with 3 plug-ins and 14 different URLs.
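An added example, not written by any poster in this thread: before uploading a ManagedPlugInPolicies plist copied out of Safari with many hosts in it, it helps to list exactly which hostnames end up with the unsandboxed / no-security-restrictions setting. The sketch below does that with Python's plistlib; the function names and the sample hostnames are assumptions made for illustration, and it searches at any nesting depth so it also covers a plist wrapped inside a profile payload.

```python
import plistlib

# Constructed sample (placeholder hostnames), same key layout as the plist in the thread.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>ManagedPlugInPolicies</key><dict>
 <key>com.oracle.java.JavaAppletPlugin</key><dict>
  <key>PlugInFirstVisitPolicy</key><string>PlugInPolicyAsk</string>
  <key>PlugInHostnamePolicies</key><array>
   <dict><key>PlugInHostname</key><string>vpn.example.com</string>
    <key>PlugInPolicy</key><string>PlugInPolicyAllowNoSecurityRestrictions</string>
    <key>PlugInRunUnsandboxed</key><true/></dict>
   <dict><key>PlugInHostname</key><string>intranet.example.com</string>
    <key>PlugInPolicy</key><string>PlugInPolicyAsk</string>
    <key>PlugInRunUnsandboxed</key><false/></dict>
  </array>
 </dict>
</dict>
</dict></plist>"""

def find_policies(node):
    """Yield every ManagedPlugInPolicies dict found at any depth of the plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "ManagedPlugInPolicies" and isinstance(value, dict):
                yield value
            else:
                yield from find_policies(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_policies(item)

def relaxed_hosts(plist_bytes):
    """Return sorted (plugin, hostname, reasons) for entries that lift plug-in restrictions."""
    findings = []
    for policies in find_policies(plistlib.loads(plist_bytes)):
        for plugin, cfg in policies.items():
            entries = cfg.get("PlugInHostnamePolicies", []) if isinstance(cfg, dict) else []
            for entry in entries:
                reasons = []
                if entry.get("PlugInPolicy") == "PlugInPolicyAllowNoSecurityRestrictions":
                    reasons.append("no-security-restrictions")
                if entry.get("PlugInRunUnsandboxed") is True:
                    reasons.append("unsandboxed")
                if reasons:
                    findings.append((plugin, entry.get("PlugInHostname", "?"), reasons))
    return sorted(findings)

if __name__ == "__main__":
    for plugin, host, reasons in relaxed_hosts(SAMPLE):
        print(f"{plugin}: {host} -> {', '.join(reasons)}")
```

Pass the bytes of the plist you are about to upload to `relaxed_hosts()` and compare the result against the short list of hosts that are actually meant to run a plug-in without restrictions.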
Posted on 02-09-2015 05:44 AM
Thanks for the advice. I decided to go with config profile and it seems to be working!