Posted on 07-13-2020 05:40 PM
Newbie here, so sorry if this has been asked (I already searched the forums beforehand and found nothing).
We want to create a report in Jamf to detect all versions of Java or any Java app installed. I know for other applications it's app name + .app for the value when I create an Application Title search, but that didn't work. Assuming since Java is added mostly as an extension (I think).
Any help or other links to how it's done would be appreciated!
Thanks
Posted on 07-13-2020 06:00 PM
I just came up with this really quick and I have one java env installed on my device so test test test
#!/bin/zsh
java_vers=$(mdfind -onlyin /Library/Java -name "kMDItemContentType = com.apple.property-list" | xargs -I {} defaults read "{}" CFBundleGetInfoString)
echo "<result>"
echo "${java_vers}"
echo "</result>"
This script assumes you are installing system java in /Library/Java which is the default install location.
output:
% zsh javavers.sh
<result>
Java SE 1.8.0_201
</result>
Posted on 05-18-2021 07:22 PM
@tlarkin - great stuff!
I'm finding that when I have the JRE installed for our users to access a web app with a jnlp form using Java Webstart that there is nothing in /Library/Java. I do see files installed in
/Library/Application Support/Oracle/Java
/Library/Internet Plug-Ins
/Library/LaunchAgents
/Library/LaunchDaemons
/Library/Preferences
/Library/PreferencePanes
From /Library/Application Support/Oracle/Java I can get the java version using
/usr/bin/defaults read "/Library/Application Support/Oracle/Java/Info.plist" CFBundleShortVersionString
which in my case gave a result: Java 8 Update 161 build 12
Anyway ... you did say test, test Tom. Thanks for the starter
Posted on 05-18-2021 07:43 PM
@dlondon
So it looks like Oracle has changed a ton of stuff, I just installed Java on my Mac to test and yikes! The stuff in /Library/Application Support/Java is just a symlink to /Library/Internet Plugins now and there are not a lot of great Spotlight tags. I have no idea what Oracle is doing here, stuff is all over. Looks like here is a text file that stores the release info /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/release but I am not a Java dev so I am not sure exactly what Oracle is doing here on macOS
Posted on 03-22-2023 10:48 AM
Hello,
I saw this article and had some questions. My org is trying to accomplish the same thing as a result of a soft audit from Oracle for Java instances on machines. Can anyone help with more layman terms on this process? Is there a way to return the S/N or what devices have Java to help determine the users we need to reach out to and have them uninstall Java?
Thanks!
Kerry
Posted on 03-22-2023 11:14 AM
@kprimm I use an extension attribute to pull info on what devices have Java JDK and Java JRE. Here are the scripts for those EAs:
Java JDK
#!/usr/bin/env bash
#######################################################################################
# Collects information to determine which version of the Java SE JDK is installed #
# and returns that version back. Builds the result as FEATURE.INTERIM.UPDATE #
#######################################################################################
PATH_EXPR=/Library/Java/JavaVirtualMachines/jdk-*.jdk/Contents/Info.plist
KEY="CFBundleShortVersionString"
RESULTS=()
IFS=$'\n'
for PLIST in ${PATH_EXPR}; do
    RESULTS+=( $(/usr/bin/defaults read "${PLIST}" "${KEY}" 2>/dev/null) )
done
RESULTS=( $(/usr/bin/sort -V -r <<< "${RESULTS[*]}") )
unset IFS
if [[ ${#RESULTS[@]} -eq 0 ]]; then
    /bin/echo "<result>Not Installed</result>"
else
    /bin/echo "<result>${RESULTS[0]}</result>"
fi
exit 0
Java JRE
#!/usr/bin/env sh
#######################################################################################
# Collects information to determine which version of the Java plugin is installed and #
# then returning that version back. #
#######################################################################################
if [ -f "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info.plist" ] ; then
    VERSION=$( /usr/bin/defaults read "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info.plist" CFBundleVersion )
    # Verify that this is version 10 of the Java plugin
    # if [ "${VERSION}" != "${VERSION#10.}" ] ; then
    #     RESULT=${VERSION}
    # fi
fi
/bin/echo "<result>$VERSION</result>"
Posted on 03-22-2023 11:24 AM
Thank you for the quick reply. Keep in mind I am a dummy and got tossed into the Jamf stuff.
So I would just copy each of those into separate scripts, then create a separate policy for each script that includes all devices?
Thanks again,
kerry
Posted on 03-22-2023 12:55 PM
@kprimm no worries we all have been there. You will use those within Jamf.
1. Login to your Jamf console and go to Settings>Computer management>Extension Attributes.
2. Click "NEW", call it whatever you want. I'm using "Java JDK Version" and "Java JRE Version" for each.
3. Data Type = String
4. Inventory Display = Whatever you want I'm using Extension Attributes
5. Input Type = Script
6. Then paste the appropriate script I had in the previous post in there and click "Save".
Go back through the same process to do the other one you didn't set up (either JRE or JDK). The next time one of your devices updates the inventory it should populate those fields in that device's computer record in Jamf. You can test this yourself if you have a device that has JDK or JRE on it and run the "sudo jamf recon" command on it. Once it's done look in the computer record for it. It should show the results under whatever you chose for Inventory Display.
Posted on 03-22-2023 04:29 PM
Awesome, thank you so much for the help!!! I took a screenshot of a random MacBook and confirmed under Applications they do not have Java, but if they did, it would show where it's blank in my screenshot, correct?
03-23-2023 05:30 AM - edited 03-23-2023 05:33 AM
@kprimm for the Java JDK if it's not installed it should show in your screenshot as "Not Installed". The JRE script will just show blank. Here's an updated version of the JRE EA script you can use. This will return a result of "Not Installed" if it doesn't find anything. I would run another recon command on that computer and then check again.
#!/usr/bin/env sh
#######################################################################################
# Collects information to determine which version of the Java plugin is installed and #
# then returning that version back. #
#######################################################################################
if [ -f "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info.plist" ] ; then
    VERSION=$( /usr/bin/defaults read "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info.plist" CFBundleVersion )
    /bin/echo "<result>$VERSION</result>"
else
    /bin/echo "<result>Not Installed</result>"
    # Verify that this is version 10 of the Java plugin
    # if [ "${VERSION}" != "${VERSION#10.}" ] ; then
    #     RESULT=${VERSION}
    # fi
fi
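An added example, not code from any poster in this thread: one extension-attribute style script that reads the `release` file mentioned earlier for every bundle under /Library/Java/JavaVirtualMachines (whatever the bundle is named) and for the Internet Plug-In, and reports version, vendor and path. It assumes each Java home carries a `release` file with a `JAVA_VERSION` line and, on newer builds, an `IMPLEMENTOR` line; the root-prefix argument, `JAVA_SCAN_ROOT` and the sample tree are hypothetical and exist only so the scan can be tested off a Mac.

```shell
#!/bin/sh
# Added example, not from the thread: list every Java home under a root by
# reading its "release" file. Key names JAVA_VERSION/IMPLEMENTOR are assumed.

# Print the value of key $2 from release file $1, surrounding quotes stripped.
release_value() {
    sed -n 's/^'"$2"'="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1" | head -n 1
}

# Print "version|implementor|path" per Java home. $1 is an optional root
# prefix (hypothetical parameter) so the scan can run against a test tree.
java_inventory() {
    root="${1:-}"
    for home in \
        "$root"/Library/Java/JavaVirtualMachines/*/Contents/Home \
        "$root/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home"
    do
        # An unmatched glob stays literal and is skipped here.
        [ -f "$home/release" ] || continue
        ver=$(release_value "$home/release" JAVA_VERSION)
        impl=$(release_value "$home/release" IMPLEMENTOR)
        printf '%s|%s|%s\n' "${ver:-unknown}" "${impl:-unknown}" "${home#"$root"}"
    done
}

# Extension-attribute style output: every finding, or "Not Installed".
java_ea_result() {
    found=$(java_inventory "${1:-}" | LC_ALL=C sort)
    printf '<result>%s</result>\n' "${found:-Not Installed}"
}

# Constructed sample tree (bundle names and versions are made up for testing).
make_sample_tree() {
    jvms="$1/Library/Java/JavaVirtualMachines"
    mkdir -p "$jvms/jdk1.8.0_201.jdk/Contents/Home" "$jvms/temurin-17.jdk/Contents/Home"
    printf 'JAVA_VERSION="1.8.0_201"\n' > "$jvms/jdk1.8.0_201.jdk/Contents/Home/release"
    printf 'IMPLEMENTOR="Eclipse Adoptium"\nJAVA_VERSION="17.0.6"\n' \
        > "$jvms/temurin-17.jdk/Contents/Home/release"
}

java_ea_result "${JAVA_SCAN_ROOT:-}"
```

Because the result carries the vendor string, an Advanced Computer Search on this attribute can separate Oracle builds from other distributions when the `IMPLEMENTOR` line is present.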
Posted on 03-23-2023 09:36 AM
Thanks a million. So in my screenshot I was just going to managed devices, then randomly choosing a user and clicking "Extension Attributes" on the left pane. Are you saying I need to run the recon command on each device before it will return any version it finds? Apologies for the grandma-level Jamf knowledge.
Posted on 03-23-2023 09:47 AM
No worries! Yes, a recon will need to be run on each device before it can report back the results. I think most environments have an inventory policy set up to run once a day for all computers. That way the information in the computer record stays current. The other thing to note is if your environment is like mine, there are some devices that are spares and they leave them off all the time. So you will want to make sure the "random" device you are checking is one that had run the inventory update after you had created your extension attributes.
Posted on 03-23-2023 09:52 AM
Ok great. So is there a way to run the recon script silently in the background and push it out in a policy to run on each device's check-in that would return any current versions of Java? Or just so I understand, you need to do individual remote sessions to run the recon command in terminal on each device to determine if Java is present, correct? Just want to make sure I am understanding everything.
Posted on 03-23-2023 10:32 AM
Yeah you can create a policy to do that. For example, I have one set up called "Update Inventory". In the General Payload I have the following triggers checked: Startup, Login, Recurring Check-in. The Execution Frequency is Once every day. Then go to the Maintenance payload and check the box for "Update Inventory". Next, scope it to all your computers and save it.
Then once a day that policy will run via one of the triggers and the inventory will be updated for each device that is online. Once that policy runs and the inventory is updated you should start seeing the JDK and JRE results in each computer record. The policy is all behind the scenes and your end users should not even know it's running or has already run.
Posted on 03-23-2023 12:58 PM
I am going to try this and I will let you know.
Endless thanks for all the assistance!
Posted on 03-27-2023 09:00 AM
Happy Monday,
I got the scripts to work, and they are returning the versions if any. Had a quick follow up question. Is there a way to do a bulk export to a .csv or something for all devices? I surely want to avoid going through each PC one by one 😵.
Thank you!
Kerry
Posted on 03-28-2023 09:52 AM
I figured out the export, but 70% of the machines are not returning any info back, just blank. So I think the course of action is to try and figure out how to silently uninstall any/all versions of Java off all devices, if that is even possible....
Posted on 03-28-2023 10:06 AM
Sorry @kprimm I've been tied up with some things. One method for getting reports is to create an "Advanced Computer Search". You can save the search for later use unless you just need a one time thing. Just select the criteria (have to look in show advanced criteria). I'm using the following for criteria
This will display back just those systems that have JDK installed. You can do the same thing for the JRE EA. Then in the Display section you can select what you want to have displayed about those systems in your report. Next in the Reports section you can have it email to you or you can download as a csv if you like.
As for the devices that are not reporting back anything I would check that device out and verify that it's running the recon command and the computer record is reflecting that it had run recently.