Search For All Instances Of Java

igarcia
New Contributor II

Newbie here so sorry if this has been asked ( i already search the forums beforehand and found nothing)

We want to create a report in Jamf to detect all versions of Java or any Java App installed. I know other applications it's app name +.app for the value when I create an Application title search, but that didn't work. Assuming since java is added mostly as an extension ( i think).

Any help or other links to how it's done would be appreciated!

Thanks

17 REPLIES 17

tlarkin
Honored Contributor

I just came up with this really quick and I have one java env installed on my device so test test test

#!/bin/zsh
java_vers=$(mdfind -onlyin /Library/Java -name "kMDItemContentType = com.apple.property-list" | xargs -I {} defaults read "{}" CFBundleGetInfoString)
echo "<result>"
echo "${java_vers}"
echo "</result>"

This script assumes you are installing system java in /Library/Java which is the default install location.

output:

% zsh javavers.sh
<result>
Java SE 1.8.0_201
</result>

dlondon
Valued Contributor

@tlarkin - great stuff!

I'm finding that when I have the JRE installed for our users to access a web app with a jnlp form using Java Webstart that there is nothing in /Library/Java. I do see files installed in

/Library/Application Support/Oracle/Java
/Library/Internet Plug-Ins
/Library/LaunchAgents
/Library/LaunchDaemons
/Library/Preferences
/Library/PreferencePanes

From /Library/Application Support/Oracle/Java I can get the java version using

/usr/bin/defaults read /Library/Application Support/Oracle/Java/Info.plist  CFBundleShortVersionString

which in my case gave a result: Java 8 Update 161 build 12

Anyway ... you did say test, test Tom. Thanks for the starter

tlarkin
Honored Contributor

@dlondon So it looks like Oracle has changed a ton of stuff, I just installed Java on my Mac to test and yikes! The stuff in /Library/Application Support/Java is just a sym link to /Library/Internet Plugins now and there is not a lot of great spotlight tags. I have no idea what Oracle is doing here, stuff is all over. Looks like here is a text file that stores the release info /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/release but I am not a java dev so I am not sure exactly what Oracle is doing here on macOS

kprimm
New Contributor III

Hello, 
I saw this article and had some questions.  My org is trying to accomplish the same thing as a result of a soft audit from Oracle for Java instances on machines.  Can anyone help with more layman terms on this process?  Is there a way to return the S/N or what devices have Java to help determine the users we need to reach out to and have them uninstall Java?

Thanks!

Kerry

bcbackes
Contributor III

@kprimm I use an extension attribute to pull info on what devices have Java JDK and Java JRE. Here are the scripts for those EAs:

Java JDK

#!/usr/bin/env bash

#######################################################################################
# Collects information to determine which version of the Java SE JDK is installed  # 
# and returns that version back.  Builds the result as FEATURE.INTERIM.UPDATE         #                                                                          
#######################################################################################

PATH_EXPR=/Library/Java/JavaVirtualMachines/jdk-*.jdk/Contents/Info.plist
KEY="CFBundleShortVersionString"

RESULTS=()
IFS=$'\n'
for PLIST in ${PATH_EXPR}; do
	RESULTS+=( $(/usr/bin/defaults read "${PLIST}" "${KEY}" 2>/dev/null) )
done
RESULTS=( $(/usr/bin/sort -V -r <<< "${RESULTS[*]}") )
unset IFS

if [[ ${#RESULTS[@]} -eq 0 ]]; then
	/bin/echo "<result>Not Installed</result>"
else
	/bin/echo "<result>${RESULTS[0]}</result>"
fi

exit 0


Java JRE

#!/usr/bin/env sh
#######################################################################################
# Collects information to determine which version of the Java plugin is installed and # 
# then returning that version back.   												  #	
#######################################################################################

if [ -f "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info.plist" ] ; then

	VERSION=$( /usr/bin/defaults read "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info.plist" CFBundleVersion )
	
	#Verify that this is version 10 of the Java plugin
#	if [ "${VERSION}" != "${VERSION#10.}" ] ; then
#    	RESULT=${VERSION}
#    fi
fi

/bin/echo "<result>$VERSION</result>"

kprimm
New Contributor III

Thank you for the quick reply.  Keep in mind I am a dummy and got tossed into the Jamf stuff.

So I would just copy each of those into separate scripts, then create a separate policy for each script that includes all devices?

Thanks again, 

kerry

bcbackes
Contributor III

@kprimm no worries we all have been there. You will use those within Jamf.
1. Login to your Jamf console and go to Settings>Computer management>Extension Attributes.
2. Click "NEW", call it whatever you want. I'm using "Java JDK Version" and "Java JRE Version" for each.
3. Data Type = String
4. Inventory Display = Whatever you want I'm using Extension Attributes
5. Input Type = Script
6. Then paste the appropriate script I had in the previous post in there and click "Save". 

Go back through the same process to do the other one you didn't setup (either JRE or JDK). The next time one of your devices updates the inventory it should populate those fields in that devices computer record in Jamf. You can test this yourself if you have a device that has JDK or JRE on it and run the "sudo jamf recon" command on it. Once it's done look in the computer record for it. It should show the results under whatever you chose for Inventory Display. 

kprimm
New Contributor III

Awesome thank you so much for the help!!!  I took a screenshot of a random Macbook and confirmed under Applications they do not have Java but if they did, it would show where its blank in my screenshot correct?

kprimm_0-1679527774511.png

 

@kprimm for the Java JDK if it's not installed it should show in your screenshot as "Not Installed". The JRE script will just show blank. Here's an updated version of the JRE EA script you can use. This will return a result of "Not Installed" if it doesn't find anything. I would run another recon command on that computer and then check again. 

 

#!/usr/bin/env sh
#######################################################################################
# Collects information to determine which version of the Java plugin is installed and # 
# then returning that version back.   												  #	
#######################################################################################

if [ -f "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info.plist" ] ; then

	VERSION=$( /usr/bin/defaults read "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info.plist" CFBundleVersion )
    
    /bin/echo "<result>$VERSION</result>"
    
else /bin/echo "<result>Not Installed</result>"
	
	#Verify that this is version 10 of the Java plugin
#	if [ "${VERSION}" != "${VERSION#10.}" ] ; then
#    	RESULT=${VERSION}
#    fi
fi

 

kprimm
New Contributor III

Thanks a million.  So in my screenshot I was just going to managed devices, then randomly choosing a user and clicking "Extension Attributes" on the left pane.  Are you saying I need to run the recon command on each device before it will return any version it finds?  Apologies for the grandma-level Jamf knowledge.

No worries! Yes, a recon will need to be ran on each device before it can report back the results. I think most environments have an inventory policy setup to run once a day for all computers. That way the information in the computer record stays current. The other thing to note is if your environment is like mine, there are some devices that are spares and they leave them off all the time. So you will want to make sure the "random" device you are checking is one that had ran the inventory update after you had created your extension attributes. 

kprimm
New Contributor III

Ok great.  So is there a way to run the recon script silently in the background and push it out in a policy to run on each devices check-in that would return any current versions of Java?  Or just so I understand, you need to do individual remote sessions to run the recon command in terminal on each device to determine if Java is present, correct?  Just want to make sure I am understanding everything.

bcbackes
Contributor III

Yeah you can create a policy to do that. For example, I have one setup called "Update Inventory". In the General Payload I have the following triggers checked: Startup, Login, Recurring Check-in. The Execution Frequency is Once every day. Then go to the Maintenance payload and check the box for "Update Inventory". Next, scope it to all your computers and save it.

Then once a day that policy will run via one of the triggers and the inventory will be updated for each device that is online. Once that policy runs and the inventory is updated you should start seeing the JDK and JRE results in each computer record. The policy is all behind the scenes and your end users should not even know it's running or have already ran. 

kprimm
New Contributor III

I am going to try this and I will let you know.

Endless thanks for all the assistance!

kprimm
New Contributor III

Happy Monday, 

I got the scripts to work, and they are returning the versions if any.  Had a quick follow up question.  Is there a way to do a bulk export to a .csv or something for all devices?  I surely want to avoid going through each PC one by one 😵.
Thank you!

Kerry

kprimm
New Contributor III

I figured out the export, but 70% of the machines are not returning any info back, just blank.  So I think the course of action is to try and figure out how to silently uninstall any/all versions of Java off all devices, if that is even possible....

bcbackes
Contributor III

Sorry @kprimm I've been tied up with some things. One method for getting reports is to create an "Advanced Computer Search". You can save the search for later use unless you just need a one time thing. Just select the criteria (have to look in show advanced criteria). I'm using the following for criteria 

bcbackes_1-1680022933623.png

This will display back just those systems that have JDK installed. You can do the same thing for the JRE EA. Then in the Display section you can select what you want to have displayed about those systems in your report. Next in the Reports section you can have it email to you or you can download as a csv if you like.
As for the devices that are not reporting back anything I would check that device out and verify that it's running the recon command and the computer record is reflecting that it had ran recently.