Set Java Preferences w/script

johnnasset
Contributor

Is there a way to set Java security preferences with a script? We have a lab using Wordle and the site applet gets blocked by Java with the default "High" security level. When I drop the level to medium, it works fine. I'd like to set this level across all machines in this lab remotely. I tried the following defaults command:

```
defaults write com.oracle.javadeployment.plist deployment.security.level MEDIUM
```

This added the key outside of my <dict> array. I'd like to add the MEDIUM security setting inside that array like this:

```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>/com/oracle/javadeployment/</key>
    <dict>
        <key>deployment.javaws.appicon.index</key>
        <string>/Users/john/Library/Application Support/Oracle/Java/Deployment/cache/6.0/appIcon/appIcon.xml</string>
        <key>deployment.javaws.splash.index</key>
        <string>/Users/john/Library/Application Support/Oracle/Java/Deployment/cache/6.0/splash/splash.xml</string>
        <key>deployment.modified.timestamp</key>
        <string>1378397568382</string>
        <key>deployment.proxy.type</key>
        <string>0</string>
        <key>deployment.security.level</key>
        <string>MEDIUM</string>
        <key>deployment.version</key>
        <string>7.21</string>
    </dict>
</dict>
</plist>
```

Is there a way I can modify my defaults command or another way to do this?

Thanks,
John

43 REPLIES

bentoms
Release Candidate Programs Tester

Have a look @ PlistBuddy.

Type `man plistbuddy` into terminal

axnessj
New Contributor

John,

This looks like it would lend itself well to an MCX setting and then you wouldn't have to script it. I am actually trying to create one right now to test as I have found this to be an issue for us as well.

bentoms,

Just so others don't get confused, it has to be "man PlistBuddy" or else will return cannot find man.

spotter
New Contributor III

We have a few areas that required different Java security in the past. I created JavaConfig.dmg using Monitor File System Changes in Composer which has worked well for us...

axnessj
New Contributor

So, I have found that for me the Plist doesn't change the slider in the Java Preferences Pane. The file I found that does this is, ~/Library/Application Support/Oracle/Java/Deployment/deployment.properties.

I tried creating a dmg using Monitor File System Changes in Composer but it won't let me create a dmg, just a pkg.. Keep getting:

Error Creating DMG
There was an error creating the package. Please make sure that the location you are saving to is writable and try again.

Command failed with error code (1): '/usr/bin/hdiutil'

axnessj
New Contributor

Actually John, I found this to work for me

```
#!/bin/bash
# Set the security level in every user's deployment.properties.
# The path contains a space, so it must be quoted.
for folder in /Users/*; do
    props="$folder/Library/Application Support/Oracle/Java/Deployment/deployment.properties"
    if [ -f "$props" ]; then
        sed -i "" 's/deployment.security.level=.*/deployment.security.level=MEDIUM/g' "$props"
    else
        echo "$props does not exist"
    fi
done
```

EDIT

This includes changing the plist as well

```
#!/bin/sh
# Set the security level in every user's deployment.properties and plist.
# Paths are quoted because "Application Support" contains a space.
for folder in /Users/*; do
    props="$folder/Library/Application Support/Oracle/Java/Deployment/deployment.properties"
    plist="$folder/Library/Preferences/com.oracle.javadeployment.plist"

    if [ -f "$props" ]; then
        sed -i "" 's/deployment.security.level=.*/deployment.security.level=MEDIUM/g' "$props"
    else
        echo "$props does not exist"
    fi

    if [ -f "$plist" ]; then
        /usr/libexec/PlistBuddy -c "set '/com/oracle/javadeployment/:deployment.security.level' MEDIUM" "$plist"
    else
        echo "$plist does not exist"
    fi
done
```

dderusha
Contributor

hi, I've been trying to set the Java security preferences for users.
This was the best resource I could find, but I can't get it working. This is what I am trying

/usr/libexec/PlistBuddy -c "add ':/com/oracle/javadeployment/:deployment.security.level:' string MEDIUM" ~/Library/Preferences/com.oracle.javadeployment.plist

which works somewhat, and it adds this to the plist

```
<key>deployment.security.level</key>
<dict>
    <key></key>
    <string>MEDIUM</string>
</dict>
<key>deployment.version</key>
```

I really only want it to add

```
<key>deployment.security.level</key>
<string>MEDIUM</string>
<key>deployment.version</key>
```

anyone have suggestions? with the nested values we have to use plistbuddy right?

thanks Dan

tlarkin
Honored Contributor

Hi Everyone,

I don't have a way to test this but if you do a defaults read, what will it output?

defaults write /Users/username/Library/Preferences/com.oracle.javadeployment.plist deployment.security.level

If defaults can read that value of that key, it can write to it as well. This may or may not help, and I cannot test it currently but hopefully it will help some of you.

Edit - had read instead of write, and the javastuff was just a place holder.

Thanks,
Tom

dderusha
Contributor

tlark- it doesn't exist yet. when you manually toggle the setting in the Java control panel, it's added with the string MEDIUM.

thanks for looking
Dan

tlarkin
Honored Contributor

So what if you did something like this:

defaults write com.javastuff.plist -dict-add deployment.security.level -key MEDIUM

I would think the defaults binary should support this. I can try to play with it when I have more time. Hopefully this might also help. You may have to direct the dictionary item first, then write the key after? Not sure on that one.

Thanks,
Tom

dderusha
Contributor

```
defaults write ~/Library/Preferences/com.oracle.javadeployment.plist deployment.security.level 'MEDIUM'
```

adds the key but outside of the dictionary. Addition shown here in bold

```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>/com/oracle/javadeployment/</key>
    <dict>
        <key>deployment.expiration.decision.10.51.2</key>
        <string>later</string>
        <key>deployment.expiration.decision.suppression.10.51.2</key>
        <string>true</string>
        <key>deployment.expired.version</key>
        <string>10.51.2</string>
        <key>deployment.log</key>
        <string>true</string>
        <key>deployment.modified.timestamp</key>
        <string>1399659346937</string>
        <key>deployment.version</key>
        <string>7.21</string>
    </dict>
    <key>deployment.security.level</key>
    <string>MEDIUM</string>
</dict>
</plist>
```

when I toggle the setting in the GUI it places the <key>deployment.security.level</key> <string>MEDIUM</string>
above the "Deployment Version" key.

this is what the plist looks like when it's working under medium security

```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>/com/oracle/javadeployment/</key>
    <dict>
        <key>deployment.expiration.decision.10.51.2</key>
        <string>later</string>
        <key>deployment.expiration.decision.suppression.10.51.2</key>
        <string>true</string>
        <key>deployment.expired.version</key>
        <string>10.51.2</string>
        <key>deployment.log</key>
        <string>true</string>
        <key>deployment.modified.timestamp</key>
        <string>1399658395550</string>
        <key>deployment.security.level</key>
        <string>MEDIUM</string>
        <key>deployment.version</key>
        <string>7.21</string>
    </dict>
</dict>
</plist>
```

bentoms
Release Candidate Programs Tester

You'll want to use PlistBuddy to write to the dict.

Sorry I can't help more atm, in a taxi home from CCE.

CGundersen
Contributor III

Perhaps something to work with in this thread?:
https://jamfnation.jamfsoftware.com/discussion.html?id=6489

We are using the script from Andrew with some minor mods to accomplish several tasks. For example, I was asked to tweak another preference and added a line similar to this:
```
/bin/echo deployment.security.mixcode=HIDE_RUN >> "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/deployment.properties"
```

The deployment.config file could also be factored in I suppose:
/Library/Application Support/Oracle/Java/Deployment/deployment.config
(e.g. deployment.system.config=path_to_deployment.properties and deployment.system.config.mandatory = true)

Don't mean to distract from current discussion, might be pointing in the wrong direction. Not my forte.

tlarkin
Honored Contributor

Looking at the defaults man page, I don't see a way to add a key and a string to an existing dictionary item. So, I think @bentoms is right when he mentions PlistBuddy. Looking at that man page it can add these items.

https://developer.apple.com/library/mac/documentation/Darwin/Reference/Manpages/man8/PlistBuddy.8.ht...

I can try to test this later.

Thanks,
Tom

dderusha
Contributor

nested values is where plist buddy shines, but I can't get it to fall under the <dict> <key>/com/oracle/javadeployment/</key> <dict>

it creates another dictionary and then java doesn't seem to read the key at all.
still messing with it let me know what you @tlarkin , @bentoms come up with.
thank you for all the suggestions so far
Dan

freddie_cox
Contributor III

Just throwing out a link to the java documentation regarding the deployment.properties file.

http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/jcp/properties.html

User Preferences: ~/Library/Application Support/Oracle/Java/Deployment/deployment.properties
System Level Preferences: /Library/Application Support/Oracle/Java/Deployment/deployment.config

It looks like the system file isn't created by default, have you tried customizing the XML with your desired configuration and deploying that file to the system level?

dderusha
Contributor

@freddie.cox - we want to tweak the user prefs. But the setting we want to change is nested and I can't get it in the existing dictionary. we're so close with plistbuddy! that is a good reference for additional settings thank you! Worst case we will make a dmg for the plist and deploy it after the java install.

dderusha
Contributor

Got it! Thanks to Tony Tang, noticed an extra :

/usr/libexec/PlistBuddy -c "add ':/com/oracle/javadeployment/:deployment.security.level' string MEDIUM" ~/Library/Preferences/com.oracle.javadeployment.plist

new issues! This writes to the plist and that is awesome! But when you open the java system preference, the deployment.security.level and string go away, and the security is still HIGH the default. I tried to change permissions to the plist to 755 and tried it again and it made no difference. Suggestions?
Thank you
Dan

sean
Valued Contributor

Read the documentation that @freddie.cox suggested.

The users plist file and the users deployment properties work in tandem. One file will overwrite the other if they aren't the same.

I'd recommend instead of setting these at user level, remove these files and set the deployment properties in the main library.

For example:

```
cat "/Library/Application Support/Oracle/Java/Deployment/deployment.config"
deployment.system.config=file:///Library/Application Support/Oracle/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true

cat "/Library/Application Support/Oracle/Java/Deployment/deployment.properties"
#deployment.properties
deployment.macosx.check.update=false
deployment.macosx.check.update.locked
deployment.expiration.check.enabled=false
deployment.expiration.check.enabled.locked
deployment.security.level=VERY_HIGH
deployment.security.level.locked
deployment.console.startup.mode=HIDE

defaults read /Library/Preferences/com.oracle.java.Java-Updater
{
    JavaAutoUpdateEnabled = 0;
}
```

dderusha
Contributor

Thanks Sean, I started looking at the documentation again this morning and it states - file can't be altered.

dderusha
Contributor

in conclusion, Configuring Java user settings - defaults write was not the solution. Plistbuddy was able to write the nested dictionary, but was overwritten, so it was also not the solution. @freddie.cox suggested it, I was so focused on getting plistbuddy to work, as Sean stated read Oracle's documentation - http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/jcp/properties.html

Create deployment.config
deployment.properties here
/Library/Application Support/Oracle/Java/Deployment/
I also had to create the Deployment directory and gave it the same user and permissions as the Parent Java directory.
add your files deployment.config and deployment.properties

the examples Sean has listed are good. I changed my security level to MEDIUM and we are in business. if you add the .locked line it will also prevent your users from changing the settings.

Thank you @bentoms @tlarkin @freddie.cox @sean and Tony Tang

kempt
New Contributor II

Hey dderusha,
Can you explain the steps you took in more detail? I'm a bit confused and trying to work through this issue as well.

dderusha
Contributor

@kempt I made a DMG with the settings, scripting it didn't work for me.
I used composer, made my own "finder folder structure"
Step one is to create the file
deployment.config and place it into /Library/Application Support/Oracle/Java/Deployment/

and add this to the file

```
#deployment.config
#Tue May 13 20:51:30 CDT 2014
deployment.system.config=file:///Library/Application Support/Oracle/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true
```

Next step is to make a deployment.properties file and place it in the same Deployment Directory you made in Composer.

add this to the file

```
#deployment.properties
#Tue May 13 20:51:30 CDT 2014
deployment.macosx.check.update=false
deployment.macosx.check.update.locked
deployment.expiration.check.enabled=false
deployment.expiration.check.enabled.locked
deployment.security.level=MEDIUM
deployment.security.level.locked
deployment.console.startup.mode=HIDE
```

We wanted the settings set to medium as shown above.

We offer this in self service. I have the java 7r67.pkg that installs followed by the package we described above.
it's a global package for all users.

let me know if you have more questions.

Dan
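The system-level setup described in the post above, written as a script (an added example, not part of the original post or any poster's own code). The function names `deploy_java_config` and `java_level_is_locked` and the ROOT argument are assumptions introduced here; the paths, property lines and modes are the ones given in the thread.

```shell
#!/bin/sh
# Added example. deploy_java_config ROOT LEVEL
#   ROOT  - prefix to write under: "" on a real Mac, a temp dir for a dry run (assumed parameter)
#   LEVEL - value for deployment.security.level (levels named in the thread)
deploy_java_config() {
    root=${1%/}
    level=$2
    # The path written *inside* the files is always the real system location.
    sys_dir="/Library/Application Support/Oracle/Java/Deployment"
    dest="$root$sys_dir"

    # Per the thread, MEDIUM was removed from the Java Control Panel in Java 8 Update 20.
    case "$level" in
        MEDIUM|HIGH|VERY_HIGH) ;;
        *) echo "unsupported security level: $level" >&2; return 2 ;;
    esac

    mkdir -p "$dest" || return 1
    chmod 755 "$dest"                      # drwxr-xr-x, as listed in the thread

    cat > "$dest/deployment.config" <<EOF
#deployment.config
deployment.system.config=file://$sys_dir/deployment.properties
deployment.system.config.mandatory=true
EOF

    cat > "$dest/deployment.properties" <<EOF
#deployment.properties
deployment.macosx.check.update=false
deployment.macosx.check.update.locked
deployment.expiration.check.enabled=false
deployment.expiration.check.enabled.locked
deployment.security.level=$level
deployment.security.level.locked
deployment.console.startup.mode=HIDE
EOF
    chmod 664 "$dest/deployment.config" "$dest/deployment.properties"   # -rw-rw-r--

    # Owner root, group admin, as in the thread; only possible as root on macOS.
    if [ "$(id -u)" -eq 0 ] && [ "$(uname)" = "Darwin" ]; then
        chown -R root:admin "$dest"
    fi
}

# java_level_is_locked ROOT LEVEL
# Succeeds only if the system file sets LEVEL and carries the .locked line
# that stops users from changing it.
java_level_is_locked() {
    props="${1%/}/Library/Application Support/Oracle/Java/Deployment/deployment.properties"
    [ -f "$props" ] &&
        grep -qxF "deployment.security.level=$2" "$props" &&
        grep -qxF "deployment.security.level.locked" "$props"
}

# On a managed Mac, run as root:  deploy_java_config "" MEDIUM
```

Running it against a temporary directory first shows the exact files that will land in `/Library` before a policy pushes them.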

kempt
New Contributor II

Dan,
Thanks for getting back to me. I’m fairly new to editing system files, so, did you start with a blank .config, and a blank .properties file, and then add exactly what you sent to me before saving? Also, I’m unclear as the “finder folder structure” you mention about creating in Composer.

dderusha
Contributor

@kempt No problem
You could create a new file using text edit, name the files as described above - deployment.config and the second file called - deployment.properties, copy and paste the suggested text from the above post.
save the files in the path above...here are the permissions I have set on the files
-rw-rw-r--@ 1 root admin 197 May 14 13:43 deployment.config
-rw-rw-r--@ 1 root admin 315 May 14 14:01 deployment.properties

I'm pretty sure we have to create the "Deployment" Directory.
here are the permissions on that directory
drwxr-xr-x 4 root admin 136 Jul 16 09:06 Deployment

If you create this directory, and place the files into it, the next step is to open composer.

when composer opens, drag the two files to the left side of the composer window.
when it's done, click the button to make a .dmg and that should do it.

Dan

kempt
New Contributor II

@dderusha
Thanks! A few more questions:
1. How do I create that directory in Composer?
2. Are you setting the permissions normally, using Get Info?
3. Do I place these files in the paths you listed AND also in the newly created Composer Directory?

dderusha
Contributor

@kempt
We're just going to create that directory in the Finder, and place the two files we created with a text editor such as text edit or text wrangler. Then open Composer and drag the two files into the left side of composer.....wait and it will re-create the folder structure with the files. You can check the permissions at the bottom of the window on composer.
Dan De Rusha

kempt
New Contributor II

@dderusha
So, when you're saying "Create that directory in the Finder", how are you accomplishing this? The way I would do it doesn't seem to be re-creating in Composer - it just adds the one file.

dderusha
Contributor

ok forget composer for a minute...... Go to your finder. Do you see this path?
/Library/Application Support/Oracle/Java/Deployment/
If not in the Finder, go up to File - New Folder. and create this exact folder structure.
Drop your config and properties files into Deployment.
Now open composer.
Drag the config and properties files to the left hand side of composer.
wait and composer now should create this same path with the files in it...hit the button at the top to make a .dmg and you're done.
Dan De Rusha

kempt
New Contributor II

That's what I tried doing before. I was expecting to see the path on the left, but if I click the .txt file I dragged in, the path in the main window is correct.

dderusha
Contributor

@kempt
Left side will show the name of the package....click on it to change the name.
Right side shows the path.

kempt
New Contributor II

Gotcha. Just ran it in Self-Service - policy ran but no change in the settings occurred. Also, is there any way to allow non-admins to run this policy? We need to push it out to our non-admin students.

dderusha
Contributor

you can "push" it with a policy if you would like. you can also set it up in self service. regarding no change in the settings, did you set the permissions before making it?

kempt
New Contributor II

I did, according to your description. We have one Owner (our admin account) and one Group (students). For Deployment, the Owner has RWX, Group has RX, and Everyone has X. For the two files, Owner has RW, Group has RW and Everyone has R.

dderusha
Contributor

This is a global preference not at the user level
/Library not ~/Library
the owner is root, group is admin

drwxr-xr-x 5 root admin 170 May 14 14:15 Java

all the way down

SeanA
Contributor III

FYI,

From http://www.java.com/en/download/help/jcp_security.xml

Starting with Java 8 Update 20, the Medium security level has been removed from the Java Control Panel. Only High and Very High levels are available. The exception site list provides users with the option of allowing the same applets that would have been allowed by selecting the Medium option but on a site-by-site basis therefore minimizing the risk of using more permissive settings.

spotter
New Contributor III

I was wondering if anyone has been able to disable "Check for Updates Automatically" via script with version 8 update 20?

If so would you mind sharing??

Thanks in advance...

kempt
New Contributor II

@dderusha, I switched the path to the root path rather than the user. However, I'm still unclear on how you're telling me to set the permissions. What do you mean by "drwxr-xr-x 5 root admin 170 "?

dderusha
Contributor

@kempt
can you post the permissions of your directory and files?

kempt
New Contributor II

Owner: root (0) R W X
Group: admin (80) R X
Everyone: X

Same for both files.