Thanks @golbiga -- would you be able to provide a little detail around your use-case? I'm wondering if I can indeed apply a config profile in the JSS for Safari-based settings. Did you create a custom plist ?

@rseys I'm not @golbiga, but we use a configuration profile as well to set various plugin settings, like Java for online testing. The Apple kbase article linked above is what I worked from on a fresh test machine. I set a computer the way I wanted, found the keys the plist was setting via the base article, and deleted everything else from the plist.

When you are making a config profile in the JSS, down at the bottom is "Custom Settings." You can upload your custom plist there, name it com.apple.Safari, and it will build the config profile for you.

What @emjay said. Back when I created the profile the KB article was not published. I just set up Safari how i wanted it, removed everything but the security settings and then used mcxToProfile to convert it to a profile. Uploaded that to my JSS and scoped it to the appropriate groups.

That said, following the KB article you should be able to use the JSS to create a custom profile.

Question here, if anyone can answer.
I have been able to get the Safari preferences working via a Configuration Profile from withing Casper. When I launch Safari on a Mavericks device all appears to be well (no Yosemite test yet, we need to upgrade server to support Yosemite). Always allow plugin sites for Citrix Receiver and Java are there and working. However, once I connect to our corporate VPN and back out, the Java plugin preferences are all gone. Of course, the Java prefs are needed for the VPN.

The only way that I can get all of the plugin prefs to come back is to delete the com.apple.safari.plist file and then run a killall cfprefsd from Terminal.

Has anyone ran into this before? I need this preferences for the plugins to stick (especially Java) otherwise our users are unable to connect to the VPN.

I can confirm that the process above is essentially the only way to set these preferences; it makes updates annoying, as you have to re-create and re-upload the entire plist for a simple update. Some of us remember when MCX allowed you to specify arrays as a body of text, and in-line editing was simple...

As to your problem @MTurnerFMRCO, are you guys still using ERA over there?! Why not switch to Pulse?

Is there anything that could be running elsewhere, say some legacy policy, that also is trying to set the VPN plugin settings and it is butting heads with the Config Policy? Thereby having no plugin settings for Java? Can that happen?

We are still on Mountain Lion and not using the Config Profiles yet. I am testing Mavericks and looking forward to Yosemite (server upgrade required). So, the move to Pulse is going forward, but as a tool only, no config in Pulse itself. There will still be a Safari launch to access a URL which brings the user to a VPN server. This keeps Java in the mix.

To enable the Acrobat NPAPI plugin in Safari to "Always Trust" I do the following:

Shell script which fires off a Python script (Pyton script is local on the machine and is cleaned up after):

!/bin/sh

localUsers=$( dscl . list /Users UniqueID | awk '$2 > 500 && $2 { print $1 }' )

for user in $localUsers; do

sudo -u $user /Users/"$user"/Library/Safari/Safari_Acrobat_Plugin_Enable.py

rm /Users/"$user"/Library/Safari/Safari_Acrobat_Plugin_Enable.py

done

Python script:

!/usr/bin/python

import CoreFoundation

ManagedPlugInPolicies = {

Always Allow Sharepoint plugin

"com.adobe.acrobat.pdfviewerNPAPI": { "PlugInFirstVisitPolicy": "PlugInPolicyAllowNoSecurityRestrictions", }}

CoreFoundation.CFPreferencesSetAppValue("ManagedPlugInPolicies", ManagedPlugInPolicies, "com.apple.Safari") CoreFoundation.CFPreferencesAppSynchronize("com.apple.Safari")

@dgreening Code block, man!
@MTurnerFMRCO Shame; check with your colleague Brian Lankford over in EI. Back when I was there, we went Pulse w/a config precisely because of the java junk. In any case, you very well could have something else in place causing that policy to be overwritten. Check the logs for affected systems for policies that are running, and you could test by manually applying the config to an unmanaged system.