Safari's trusted Internet plug-ins - possible to set w.Casper?

New Contributor II

I'm not sure why I can't seem to find an easy way to do this, but I believe my issue (should be?) relatively simple (OS X 10.9 and 10.10): When inside Safari > Preferences > Security (tab) > (Internet plug-ins) Website Settings...

My goal is to add "trusted" sites to both Java and Flash plug-ins (internal websites) -- Safari specifically, not the System Prefs' control panels.

  • I've tried using Composer (after deleting the, and setting everything to how I want using the various snapshot types -- no luck.

  • I've tried perusing the JSS for Safari-based settings in Configuration Profiles -- no luck.

I'd like to avoid MCX due to it being a legacy method to set prefs; what else am I missing? This has to be something simple...



Contributor III
Contributor III

I'm using a configuration profile to set Java for our vpn client. Hope this helps. There is also an Apple KB for this.


New Contributor II

Thanks @golbiga -- would you be able to provide a little detail around your use-case? I'm wondering if I can indeed apply a config profile in the JSS for Safari-based settings. Did you create a custom plist ?

New Contributor

@rseys I'm not @golbiga, but we use a configuration profile as well to set various plugin settings, like Java for online testing. The Apple kbase article linked above is what I worked from on a fresh test machine. I set a computer the way I wanted, found the keys the plist was setting via the base article, and deleted everything else from the plist.

When you are making a config profile in the JSS, down at the bottom is "Custom Settings." You can upload your custom plist there, name it, and it will build the config profile for you.

Contributor III
Contributor III

What @emjay said. Back when I created the profile the KB article was not published. I just set up Safari how i wanted it, removed everything but the security settings and then used mcxToProfile to convert it to a profile. Uploaded that to my JSS and scoped it to the appropriate groups.

That said, following the KB article you should be able to use the JSS to create a custom profile.

Contributor II

Question here, if anyone can answer.
I have been able to get the Safari preferences working via a Configuration Profile from withing Casper. When I launch Safari on a Mavericks device all appears to be well (no Yosemite test yet, we need to upgrade server to support Yosemite). Always allow plugin sites for Citrix Receiver and Java are there and working. However, once I connect to our corporate VPN and back out, the Java plugin preferences are all gone. Of course, the Java prefs are needed for the VPN.

The only way that I can get all of the plugin prefs to come back is to delete the file and then run a killall cfprefsd from Terminal.

Has anyone ran into this before? I need this preferences for the plugins to stick (especially Java) otherwise our users are unable to connect to the VPN.

Valued Contributor

I can confirm that the process above is essentially the only way to set these preferences; it makes updates annoying, as you have to re-create and re-upload the entire plist for a simple update. Some of us remember when MCX allowed you to specify arrays as a body of text, and in-line editing was simple...

As to your problem @MTurnerFMRCO, are you guys still using ERA over there?! Why not switch to Pulse?

Contributor II

Is there anything that could be running elsewhere, say some legacy policy, that also is trying to set the VPN plugin settings and it is butting heads with the Config Policy? Thereby having no plugin settings for Java? Can that happen?

We are still on Mountain Lion and not using the Config Profiles yet. I am testing Mavericks and looking forward to Yosemite (server upgrade required). So, the move to Pulse is going forward, but as a tool only, no config in Pulse itself. There will still be a Safari launch to access a URL which brings the user to a VPN server. This keeps Java in the mix.

Valued Contributor II

To enable the Acrobat NPAPI plugin in Safari to "Always Trust" I do the following:

Shell script which fires off a Python script (Pyton script is local on the machine and is cleaned up after):


localUsers=$( dscl . list /Users UniqueID | awk '$2 > 500 && $2 { print $1 }' )

for user in $localUsers; do

sudo -u $user /Users/"$user"/Library/Safari/

rm /Users/"$user"/Library/Safari/


Python script:


import CoreFoundation

ManagedPlugInPolicies = {

Always Allow Sharepoint plugin

"com.adobe.acrobat.pdfviewerNPAPI": { "PlugInFirstVisitPolicy": "PlugInPolicyAllowNoSecurityRestrictions", }}

CoreFoundation.CFPreferencesSetAppValue("ManagedPlugInPolicies", ManagedPlugInPolicies, "") CoreFoundation.CFPreferencesAppSynchronize("")

Valued Contributor

@dgreening Code block, man!
@MTurnerFMRCO Shame; check with your colleague Brian Lankford over in EI. Back when I was there, we went Pulse w/a config precisely because of the java junk. In any case, you very well could have something else in place causing that policy to be overwritten. Check the logs for affected systems for policies that are running, and you could test by manually applying the config to an unmanaged system.