OT - JAVA 1.7 u11 Blocked today?

Kevin
Contributor II

I am getting the error:
The version of “Java” on your system does not include the latest security updates and has been blocked. To continue using “Java”, download an updated version from Oracle’s website.

I am running 1.7u11. I found two posts earlier today on Apple's forums of people experiencing the same issue beginning this morning.

Are any of you guys seeing this?

1 ACCEPTED SOLUTION

chrispike
New Contributor II

Yes, all of our Macs have had this issue. We have Java 6 on 10.6 and Java 7 on 10.7/10.8. On users' Macs that needed urgent access to Java in a web browser I pushed out a modified XProtect.meta.plist file which is located in /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/

I changed the JavaWebComponentVersionMinimum key to 1.6.0_37_b06-434 and the MinimumPlugInBundleVersion key to 1.7.11.21

After you deploy the updated file to the Mac the user just needs to restart their browser and Java will be enabled again.


Kevin
Contributor II

Looks like our 10.6.8 systems running 1.6.0_37 are disabled as well.

This is bad…

Kevin
Contributor II

I did the same thing and got mine back working. I am going to create a policy that I can put in Self Service.

The problem is that Apple will simply change this file back.

chrispike
New Contributor II

I think if you uncheck the 'Automatically update safe downloads list' (System Preferences > Security & Privacy > Advanced) that this will disable this file from being updated?

Can anyone clarify this?

mm2270
Legendary Contributor III

Thanks for the heads up on this! I can understand Apple pushing a new XProtect min version list IF the new Java plug-in version is out there already, but this is just stupid. At least wait until the new version is out before you start blanket disabling it for your entire user base.
So there are going to be a bunch of Mac users out there that suddenly won't be able to connect to a Webex session and will be wondering what the heck happened. Nice one Apple!

Kevin
Contributor II

They should pop up a warning "Hey, your version of java exposes you to a risk that we don't think you should accept. However, click here to continue at your own risk…"

Instead, Apple shuts it down with no path to an upgrade and the workaround is a hack like the one mentioned above.

We have critical connections with our vendors that depend on Java.

jarednichols
Honored Contributor

Yup. Now my remote users could be completely screwed as the java plugin is blocked.

THANKS APPLE

rtrouton
Release Candidate Programs Tester

I've got a post up now about this issue:

http://derflounder.wordpress.com/2013/01/31/java-blocked-in-safari-on-10-6-x-10-8-x/

It looks like the workaround for now is Firefox.

chrispike
New Contributor II

I found that running Firefox on a 10.6 Mac this morning disabled Java and wouldn't run until I modified the XProtect.meta.plist file.

jarednichols
Honored Contributor

Anyone sort out how to programmatically disable the safe downloads list updating??

nessts
Valued Contributor II

defaults write /System/Library/LaunchDaemons/com.apple.xprotectupdater Disabled -bool yes

jarednichols
Honored Contributor

Brilliant. I arrived there the same time you answered :)

donmontalvo
Esteemed Contributor III

We downloaded and wrapped both of these earlier this week, they deploy and launch fine on Mountain Lion:

Apple-Java-1.6.0_37
Oracle-Java-1.7.0_11

--
https://donmontalvo.com

jarednichols
Honored Contributor

> defaults write /System/Library/LaunchDaemons/com.apple.xprotectupdater Disabled -bool yes

This isn't working for me.

nessts
Valued Contributor II

sudo def...

CasperSally
Valued Contributor II

@don check the xprotect file on your machine. Some of our users haven't gotten one, but the ones with JAVA issues have a file from this morning on them.

jarednichols
Honored Contributor

Well duh. The issue is that it's not clearing the checkbox for "Automatically update safe downloads list" and the file is still being pulled down from Apple. I've found that the /var/db/launchd.db/com.apple.launchd/overrides.plist file is where the setting is changed when you manually check/uncheck the box and I've been able to change the flag manually in the file and see the box clear.

So, I think I'm looking at plistbuddy to manually change the flag.

CasperSally
Valued Contributor II

> defaults write /System/Library/LaunchDaemons/com.apple.xprotectupdater Disabled -bool yes

@jared - above worked for me but didn't see the change in GUI until I rebooted.

jarednichols
Honored Contributor

Reboot hasn't changed the flag for me... hrm.

UPDATE: I used plistbuddy to change it, rebooted, flag cleared in GUI.

UPDATE: Or not. This is completely inconsistent for me.

scottb
Honored Contributor

OK, I clicked the company SSL link in Safari, and got "Your Java is out of date - install".
I click the install button, and it takes me to the Oracle Java DL page, and it's Java 7, update 11.
What gives? I already have Java 7_11 installed.

John_Wetter
Release Candidate Programs Tester

Working on this along with the great collective here... But does anyone see the ironic humor in the fact that when Apple was releasing Java updates we'd go 6-8 months sometimes following critical vulnerabilities, whereas now that they've dumped it back to Oracle they're expecting zero-day fixes? Just thought that's interesting....

I'm also seeing inconsistencies like Jared is so far...

mscottblake
Valued Contributor

Yes @john_wetter, I definitely noticed the irony there too.

scottb
Honored Contributor

Apple is doing better, but yes, it's kinda funny - well, except that it causes admins more grief than Windows :)

jarednichols
Honored Contributor

Ok I've found some consistencies. The reason it's unreliable is because we need to unload the launchdaemon instead of just setting it to disabled and rebooting. Let's all think about launchd 101 here.... This appears to be reliable in initial testing. No reboot needed, checkbox is cleared in the GUI.

#!/bin/sh

#Filename: xprotectDisable.sh
#Purpose: Disable XProtect and delete its settings file
#Author: Jared F. Nichols

# Disable XProtect
launchctl unload -w /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

# Kill the xprotect meta file
rm -f /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist

jarednichols
Honored Contributor

> Apple is doing better, but yes, it's kinda funny - well, except that it causes admins more grief than Windows :)

I've always said that Apple doesn't royally screw up often, but when they do it's spectacular.

mm2270
Legendary Contributor III

It is indeed ironic. It would almost be funny, except that we have a number of internal websites users need to access that require a Java web plugin to work. We're waiting for the calls and tickets to start flooding in. Oy!
I understand Apple is trying to be more proactive in protecting Mac users, which is admirable, but I think they took this one a bit too far.
I will be sure to mention this to our Apple rep next time we speak to him. Apple needs to hear from us about how this action was unacceptable without at least a 24 hour warning that it was coming.

jarednichols
Honored Contributor

> I will be sure to mention this to our Apple rep next time we speak to him.

Pffft mine got a nasty gram hours ago.

mscottblake
Valued Contributor

Taking it too far, as you say, only forces people to completely disable the protection, making the move even worse on their part. I would stand by and be happy if they gave an error message and the default was to block the plugin, but to do it silently in the background is just wrong.

donmontalvo
Esteemed Contributor III

Wow, Apple wants to control Java in OS X but they don't work with Oracle to prevent these issues.

This is one of those $hit or get off the pot moments for Apple. :(

Nothing's reached us yet, but I'm sure there'll be some escalations soon.

Don

--
https://donmontalvo.com

John_Wetter
Release Candidate Programs Tester

Jared, are you just killing the file, or are you then dropping in a hand-edited one? Just thinking about how I'm going to get this to off-site people I can't drop a file to.

CasperSally
Valued Contributor II

I put a ticket in with Apple. They responded with the unload command Jared posted above with a big security risk disclaimer with it.

It's a shame the safe download list check box doesn't allow admins to select which products they can disable, or disable versus notify, etc.

scottb
Honored Contributor

Apple should be popping up a notice when they do this. It just causes client confusion and then more work for support people. I sat on an ER and now I'm going to file it. This process sucks.

mm2270
Legendary Contributor III

We had contemplated doing the same as Jared and disabling the XProtect function altogether, but we won't be going in that direction. Our concern is that we have some clients that go off the network for days or weeks at a time. We don't have an externally facing JSS yet, and so some clients may stay with XProtect disabled for longer than we feel comfortable with. It would just leave those people a bit exposed. As much as this sucks, I'd rather err on the side of overprotecting for now and simply write in an older plug-in value back into the plist each day with an ongoing policy than turn it off completely. We're not willing to take that risk. But that's just us.
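For fleets that keep XProtect enabled but rewrite the minimums, as discussed in this thread, a per-machine check can report which clients enforce less than a reference copy of the file. This is an added example, not code from any poster in the thread: the plist nesting and the baseline values are constructed, and only the two key names and the lowered values come from the posts above.

```python
import plistlib
import re

# Key names quoted in the thread; everything else in the sample files is constructed.
KEYS = ("JavaWebComponentVersionMinimum", "MinimumPlugInBundleVersion")

def find_key(node, key):
    """Yield every value stored under `key` anywhere in a parsed plist."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield v
            else:
                yield from find_key(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_key(item, key)

def version_tuple(text):
    """'1.6.0_37_b06-434' -> (1, 6, 0, 37, 6, 434) so versions compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def audit(local_bytes, baseline_bytes):
    """Return (key, status) pairs where the local file enforces less than the baseline."""
    local, baseline = plistlib.loads(local_bytes), plistlib.loads(baseline_bytes)
    findings = []
    for key in KEYS:
        want = [version_tuple(v) for v in find_key(baseline, key)]
        have = [version_tuple(v) for v in find_key(local, key)]
        if not want:
            continue                      # baseline does not enforce this key
        if not have:
            findings.append((key, "missing"))
        elif min(have) < max(want):
            findings.append((key, "lowered"))
    return findings

def sample_plist(web_min, plugin_min):
    # Assumed nesting for illustration; find_key() does not depend on it.
    return plistlib.dumps({
        "JavaWebComponentVersionMinimum": web_min,
        "PlugInBlacklist": {"10": {"com.oracle.java.JavaAppletPlugin":
                                   {"MinimumPlugInBundleVersion": plugin_min}}},
    })

BASELINE = sample_plist("1.6.0_37-b06-435", "1.7.11.22")   # constructed reference values
MODIFIED = sample_plist("1.6.0_37_b06-434", "1.7.11.21")   # values set in the thread

if __name__ == "__main__":
    for key, status in audit(MODIFIED, BASELINE):
        print(f"{key}: {status}")
```

On a real client the local bytes would be read from XProtect.meta.plist in the Resources directory named earlier in the thread, and the result reported back through inventory.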

gregneagle
Valued Contributor

May be of help to some:

http://managingosx.wordpress.com/2013/01/31/disabled-java-plugins-xprotect-updater/

Others may need to customize it. (Hint: edit the postflight script)

mm2270
Legendary Contributor III

> I've got a post up now about this issue: http://derflounder.wordpress.com/2013/01/31/java-blocked-in-safari-on-10-6-x-10-8-x/ It looks like the workaround for now is Firefox.

And someday soon even this won't be an option:
http://www.pcworld.com/article/2026686/mozilla-plans-to-automatically-block-nearly-all-firefox-plug-...

franton
Valued Contributor III

As long as it's only the web plugin and not the runtime, I'm in the minority of not caring. Java is an optional install for us.

Nick_Gooch
Contributor III

Firefox is not planning on blocking all plug-ins. It's called click to play: https://blog.mozilla.org/security/2013/01/29/putting-users-in-control-of-plugins/ If you want your Java plug-in to run in Firefox, click the box to allow. I am all for that as opposed to what Apple is doing.

mm2270
Legendary Contributor III

@Nick_Gooch, thanks for the clarification. The article I linked to is misleading in how it's worded, but after reading it again I see what you're referring to. The article has statements like "barring all browser plug-ins" so I thought Mozilla was changing even how the Click to Play function worked, but you're right. Doesn't seem to be the case.

Nick_Gooch
Contributor III

I read an article that was similarly worded. The one I posted is from Mozilla so hopefully that will help clear up some confusion with that.


Another option to fix the Java issue would be to edit the plist for the java applet to report as 1.7.11.22

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Enabled.plist

This would make it so you didn't need to turn off XProtect. Might cause the java auto updater not to update in the future though.