JRE 7u67 -- assistance with trusting sites and setting security

ryan_s
New Contributor II

Hey all,

Currently I am testing the below on OS X 10.10.1 -- I am going around in circles trying to get Java configured in our corporate environment to be as close to our Windows configuration as I can. My end goals from deploying with Casper are this:

  • Creation of an Exception Site List
  • Setting various fields in deployment.properties
  • Ensuring the sites listed in the first bullet are functional in Safari, Chrome, and Firefox

The first bullet I've successfully deployed using this example: http://derflounder.wordpress.com/2014/01/16/managing-oracles-java-exception-site-list/
...meaning the exception.sites is populated with the websites I want listed.

The second bullet I've accomplished (local only, haven't deployed with Casper yet) with lots of googling and verified if I manually import my file to: /Library/Application Support/Oracle/Java/Deployment/ ...the security slider in the Java control panel is indeed moved to the appropriate level and locked from user-interaction (good).

What I am actually struggling with is: even when a site is listed in the exception.sites file, when I browse to the site in Safari I am still prompted with: "Java blocked for this website" error (i.e. "do you want to trust the website <name> to use the Java plug-in?")

I can manually click the Trust button and the site works fine, but I need to suppress this for our end-users and I thought since the site is explicitly noted in the exception.sites file, it should then be trusted? What am I missing here...

Both Chrome and Firefox seem to be completely different animals that I've barely looked at, aside from verifying both aren't working correctly. For now, I'm more concerned with getting Safari working as expected and I'll revisit those.

Please let me know if you need any more info from me, otherwise I'm curious if anyone has ideas. Thanks!

3 REPLIES

nortonpc
Contributor

I use a script to add sites to the exception list.

#!/bin/bash

# Per-user Java exception list and the directory that holds it
exceptionList="$HOME/Library/Application Support/Oracle/Java/Deployment/security/exception.sites"
exceptionListPath="$HOME/Library/Application Support/Oracle/Java/Deployment/security/"
SITES=( "http://Site1" "SITE2" "SITE5" "https://SITE4" )

MYLOG="$HOME/Library/Logs/java_exception.log"

# Create the security directory if Java has not created it yet
if [ ! -d "$exceptionListPath" ]
then
    mkdir -p "$exceptionListPath"
    /bin/echo "Created exception list path in: $exceptionListPath " >> "$MYLOG"
fi

touch "$exceptionList"
touch "$MYLOG"

/bin/echo "=================Start $(date "+DATE: %m-%d-%Y TIME: %H:%M:%S")===================" >> "$MYLOG"
for MYSITE in "${SITES[@]}"
do
    # -F fixed string, -x whole line, -q quiet: add a site only if it is not already listed
    if grep -Fxq "$MYSITE" "$exceptionList"
    then
        /bin/echo "NOT ADDED:  $MYSITE - Already exists." >> "$MYLOG"
    else
        echo "$MYSITE" >> "$exceptionList"
        /bin/echo "ADDED:  $MYSITE" >> "$MYLOG"
    fi
done

/bin/echo "=================Complete $(date "+DATE: %m-%d-%Y TIME: %H:%M:%S")===================" >> "$MYLOG"


#Scott Code to modify ownership of ~/Library/Application Support/Oracle
echo "Modifying permissions"

USER="$(w | grep console | awk '{print $1}')"
echo "current user is: ${USER}"

echo "Modifying /Users/${USER}/Library/Application Support/Oracle"
# The path contains a space, so it must be quoted or chown receives two arguments
/usr/sbin/chown -R "${USER}" "/Users/${USER}/Library/Application Support/Oracle"

exit 0

Since the site stuff is user level, this script gets the logged in user and then adds the sites to their exception list.

I know I poached this from somewhere. I am pretty sure it was Rich Trouton, but I am sorry I can't remember where I got it.

nkalister
Valued Contributor

Sounds like you're successfully getting Java settings configured, so I'd say the Java blocked dialog is due to your Safari settings. You'll need to set Safari to trust the Java plugin for that page. This is handled in the safari.plist, and strangely enough I randomly had to write a script to do this myself this morning.
Here's what I came up with:

#!/bin/bash

# Path to the console user's Safari plist
declare -x CONSOLE_USER="$(who | awk '/console/{print $1}')"
declare -x loggedInUser="$CONSOLE_USER"
theFile="/Users/$loggedInUser/Library/Preferences/com.apple.Safari.plist"

# Kill Safari if it's still running
while [[ $(ps aux | grep "Safari" | grep -v grep | awk 'NR<=1 {print $2}') != "" ]]; do
    kill $(ps aux | grep "Safari" | grep -v grep | awk 'NR<=1 {print $2}')
done

# Kill cfprefsd in case it's protecting the plist.
killall cfprefsd


##############
#Configure the Safari JAVA Plug-In settings
##############
# "foo" / "foo.com" are placeholders for the site being trusted.
# Each entry is written with PlugInPolicyAllowNoSecurityRestrictions and PlugInRunUnsandboxed True.

#Determine how many DICT items exist in plist
DICT_COUNT=$(/usr/libexec/PlistBuddy -c "print ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies" "$theFile" | grep "Dict" | wc -l | tr -d " ")
#Determine if an entry already exists for whatever you're looking for
YOUR_THING_PRESENT=$(/usr/libexec/PlistBuddy -c "print ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies" "$theFile" | grep "foo" | wc -l | tr -d " ")


if [ "$DICT_COUNT" -gt 0 ] && [ "$YOUR_THING_PRESENT" -gt 0 ]; then
    #Both DICT exists and our entry exists. Set the preferences
    for idx in $(seq 0 $((DICT_COUNT - 1)))
    do
        val=$(/usr/libexec/PlistBuddy -c "Print ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:${idx}:PlugInHostname" "$theFile")
        if [ "$val" == "foo" ]; then
            /usr/libexec/PlistBuddy -c "set ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:${idx}:PlugInHostname foo.com" "$theFile"
            /usr/libexec/PlistBuddy -c "set ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:${idx}:PlugInLastVisitedDate $(date)" "$theFile"
            /usr/libexec/PlistBuddy -c "set ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:${idx}:PlugInPageURL https://foo.com/" "$theFile"
            /usr/libexec/PlistBuddy -c "set ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:${idx}:PlugInPolicy PlugInPolicyAllowNoSecurityRestrictions" "$theFile"
            /usr/libexec/PlistBuddy -c "set ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:${idx}:PlugInRunUnsandboxed  True" "$theFile"
        fi
    done
elif [ "$DICT_COUNT" -gt 0 ] && [ "$YOUR_THING_PRESENT" -eq 0 ]; then
    #Java array has DICT entries, but our thing is not one of them. Add it to the next available array index
    #(the array already exists in this branch, so it is not added again)
    /usr/libexec/PlistBuddy -c "add ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:${DICT_COUNT}:PlugInHostname string foo.com" "$theFile"
    /usr/libexec/PlistBuddy -c "add ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:${DICT_COUNT}:PlugInLastVisitedDate date $(date)" "$theFile"
    /usr/libexec/PlistBuddy -c "add ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:${DICT_COUNT}:PlugInPageURL string https://foo.com/" "$theFile"
    /usr/libexec/PlistBuddy -c "add ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:${DICT_COUNT}:PlugInPolicy string PlugInPolicyAllowNoSecurityRestrictions" "$theFile"
    /usr/libexec/PlistBuddy -c "add ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:${DICT_COUNT}:PlugInRunUnsandboxed bool True" "$theFile"
else
    #No DICT entries exist. Create new one at index 0
    /usr/libexec/PlistBuddy -c "add ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies array" "$theFile"
    /usr/libexec/PlistBuddy -c "add ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:0:PlugInHostname string foo.com" "$theFile"
    /usr/libexec/PlistBuddy -c "add ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:0:PlugInLastVisitedDate date $(date)" "$theFile"
    /usr/libexec/PlistBuddy -c "add ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:0:PlugInPageURL string https://foo.com/" "$theFile"
    /usr/libexec/PlistBuddy -c "add ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:0:PlugInPolicy string PlugInPolicyAllowNoSecurityRestrictions" "$theFile"
    /usr/libexec/PlistBuddy -c "add ManagedPlugInPolicies:com.oracle.java.JavaAppletPlugin:PlugInHostnamePolicies:0:PlugInRunUnsandboxed bool True" "$theFile"
fi
# Print the resulting preferences for a visual check
defaults read "$theFile"

I haven't had time to switch this over to Python to deal with cfprefsd properly, so this is just bash and it kills cfprefsd. Tested on 10.10, 10.9, 10.8, and 10.7 (even though 10.7 Safari doesn't have per-site settings, I wanted to see if writing the dict to Safari's plist would freak it out at all, and it did not) but make sure to test, test, test yourself.

Bones of this script came from another script I found on jamfnation back in the day, too, but I'm not sure who originally posted this.
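Added example, not part of any post in this thread: the thread deals with two separate stores, Java's exception.sites and the per-site Java entries in Safari's plist, so this Python audit compares them and reports hosts that are in one but not the other, plus hosts set to run unsandboxed. The function names and the sample data are constructed for illustration; the plist keys are the ones used in the script above.

```python
import plistlib
from urllib.parse import urlsplit

JAVA_PLUGIN = "com.oracle.java.JavaAppletPlugin"  # plug-in key used in the thread

def exception_hosts(text):
    """Hostnames named in exception.sites content (one URL per line)."""
    hosts = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Entries without a scheme get one so urlsplit can find the host.
        url = line if "://" in line else "http://" + line
        host = urlsplit(url).hostname  # lower-cased, port stripped
        if host:
            hosts.add(host)
    return hosts

def safari_java_policies(plist_bytes):
    """Map hostname -> per-site Java policy dict from a Safari plist."""
    prefs = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    entries = (prefs.get("ManagedPlugInPolicies", {})
                    .get(JAVA_PLUGIN, {})
                    .get("PlugInHostnamePolicies", []))
    return {e["PlugInHostname"].lower(): e
            for e in entries if "PlugInHostname" in e}

def audit(exception_text, plist_bytes):
    """Compare the two stores and list the mismatches."""
    wanted = exception_hosts(exception_text)
    policies = safari_java_policies(plist_bytes)
    return {
        "no_safari_policy": sorted(wanted - set(policies)),
        "not_in_exception_list": sorted(set(policies) - wanted),
        "unsandboxed": sorted(h for h, p in policies.items()
                              if p.get("PlugInRunUnsandboxed")),
    }

# Constructed sample data (not taken from a real machine).
SAMPLE_SITES = "https://foo.com/\nhttp://intranet.example.com:8080/app\n"
SAMPLE_PLIST = plistlib.dumps({"ManagedPlugInPolicies": {JAVA_PLUGIN: {
    "PlugInHostnamePolicies": [
        {"PlugInHostname": "foo.com", "PlugInRunUnsandboxed": True,
         "PlugInPolicy": "PlugInPolicyAllowNoSecurityRestrictions"},
        {"PlugInHostname": "old.example.org", "PlugInRunUnsandboxed": False,
         "PlugInPolicy": "PlugInPolicyAllowNoSecurityRestrictions"},
    ]}}})

if __name__ == "__main__":
    for finding, hosts in audit(SAMPLE_SITES, SAMPLE_PLIST).items():
        print(finding, hosts)
```

On a real machine, pass the contents of the user's exception.sites and the bytes of com.apple.Safari.plist to `audit()`.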

ryan_s
New Contributor II

Thanks nkalister! I'll preface my reply in saying I am no scripting guru -- when I run the script I receive the "terminated 15" in Terminal, signifying processes are killed, but there doesn't seem to be much behavior changed in Safari. To be clear I am checking a particular website in my safe sites list. I am also checking the Safari Preferences > Security > (Internet Plug-Ins) Website Settings.

Anyway, I still receive a "Java Blocked for this website" message... any more thoughts of what I might be missing?