Skip to main content
Question

Set Java Preferences w/script


Forum|alt.badge.img+9

Is there a way to set Java security preferences with a script? We have a lab using Wordle and the site applet gets blocked by Java with the default "High" security level. When I drop the level to medium, it works fine. I'd like to set this level across all machines in this lab remotely. I tried the following defaults command:

defaults write com.oracle.javadeployment.plist deployment.securty.level MEDIUM

This added the key outside of my <dict> array. I'd like to add the MEDIUM security setting inside that array like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict> <key>/com/oracle/javadeployment/</key> <dict> <key>deployment.javaws.appicon.index</key> <string>/Users/john/Library/Application Support/Oracle/Java/Deployment/cache/6.0/appIcon/appIcon.xml</string> <key>deployment.javaws.splash.index</key> <string>/Users/john/Library/Application Support/Oracle/Java/Deployment/cache/6.0/splash/splash.xml</string> <key>deployment.modified.timestamp</key> <string>1378397568382</string> <key>deployment.proxy.type</key> <string>0</string> <key>deployment.security.level</key> <string>MEDIUM</string> <key>deployment.version</key> <string>7.21</string> </dict>
</dict>
</plist>

Is there a way I can modify my defaults command or another way to do this?

Thanks,
John

43 replies

bentoms
Forum|alt.badge.img+35
  • Legendary Contributor
  • 4331 replies
  • September 5, 2013

Have a look @ PlistBuddy.

Type: ```
man plistbuddy
``` into terminal


Forum|alt.badge.img+5
  • Contributor
  • 25 replies
  • September 5, 2013

John,

This looks like it would lend itself well to an MCX setting and then you wouldn't have to script it. I am actually trying to create one right now to test as I have found this to be an issue for us as well.

bentoms,

Just so others don't get confused, it has to be "man PlistBuddy" or else will return cannot find man.


Forum|alt.badge.img+10
  • Contributor
  • 91 replies
  • September 6, 2013

We have a few areas that required different Java security in the past. I created JavaConfig.dmg using Monitor File System Changes in Composer which has worked well for us...


Forum|alt.badge.img+5
  • Contributor
  • 25 replies
  • September 6, 2013

So, I have found that for me the Plist doesn't change the slider in the Java Preferences Pane. The file I found that does this is, ~/Library/Application Support/Oracle/Java/Deployment/deployment.properties.

I tried creating a dmg using Monitor File System Changes in Composer but it won't let me create a dmg, just a pkg.. Keep getting:

Error Creating DMG
There was an error creating the package. Please make sure that the location you are saving to is writable and try again.

Command failed with error code (1): '/usr/bin/hdiutil'


Forum|alt.badge.img+5
  • Contributor
  • 25 replies
  • September 6, 2013

Actually John, I found this to work for me

#!/bin/bash
for folder in /Users/*; do
    if [ -f $folder/Library/Application Support/Oracle/Java/Deployment/deployment.properties ]; then
    sed -i "" 's/deployment.security.level=.*/deployment.security.level=MEDIUM/g' $folder/Library/Application Support/Oracle/Java/Deployment/deployment.properties
else
    echo "$folder/Library/Application Support/Oracle/Java/Deployment/deployment.properties does not exist"
    fi
done

EDIT

This includes changing the plist as well

#!/bin/sh
for folder in /Users/*; do
    if [ -f $folder/Library/Application Support/Oracle/Java/Deployment/deployment.properties ]; then
        sed -i "" 's/deployment.security.level=.*/deployment.security.level=MEDIUM/g' $folder/Library/Application Support/Oracle/Java/Deployment/deployment.properties
    else
        echo "$folder/Library/Application Support/Oracle/Java/Deployment/deployment.properties does not exist"
    fi

    if [ -f $folder/Library/Preferences/com.oracle.javadeployment.plist ]; then
        /usr/libexec/PlistBuddy -c "set '/com/oracle/javadeployment/:deployment.security.level' MEDIUM" $folder/Library/Preferences/com.oracle.javadeployment.plist
    else
        echo "$folder/Library/Preferences/com.oracle.javadeployment.plist does not exist"
    fi
done

Forum|alt.badge.img+15
  • Contributor
  • 208 replies
  • May 9, 2014

hi, I've been trying to set the Java security preferences for users.
This was the best resource I could find, but I can't get it working. This is what I am trying

/usr/libexec/PlistBuddy -c "add ':/com/oracle/javadeployment/:deployment.security.level:' string MEDIUM" ~/Library/Preferences/com.oracle.javadeployment.plist

which works somewhat, and it adds this to the plist

<key>deployment.security.level</key> <dict> <key></key> <string>MEDIUM</string> </dict> <key>deployment.version</key>

I really only want it to add

<key>deployment.security.level</key>
<string>MEDIUM</string> <key>deployment.version</key>

anyone have suggestions? with the nested values we have to use plistbuddy right?

thanks Dan


Forum|alt.badge.img+31
  • Honored Contributor
  • 2721 replies
  • May 9, 2014

Hi Everyone,

I don't have a way to test this but if you do a defaults read, what will it output?

defaults write /Users/username/Library/Preferences/com.oracle.javadeployment.plist deployment.security.level

If defaults can read that value of that key, it can write to it as well. This may or may not help, and I cannot test it currently but hopefully it will help some of you.

Edit - had read instead of write, and the javastuff was just a place holder.

Thanks,
Tom


Forum|alt.badge.img+15
  • Contributor
  • 208 replies
  • May 9, 2014

tlark- it doesn't exist yet. when you manually toggle the setting in the Java control panel, its added with the string MEDIUM.

thanks for looking
Dan


Forum|alt.badge.img+31
  • Honored Contributor
  • 2721 replies
  • May 9, 2014

So what if you did something like this:

defaults write com.javastuff.plist -dict-add deployment.security.level -key MEDIUM

I would think the defaults binary should support this. I can try to play with it when I have more time. Hopefully this might also help. You may have to direct the dictionary item first, then write the key after? Not sure on that one.

Thanks,
Tom


Forum|alt.badge.img+15
  • Contributor
  • 208 replies
  • May 9, 2014

defaults write ~/Library/Preferences/com.oracle.javadeployment.plist deployment.security.level 'MEDIUM'
adds the key but outside of the dictionary . Addition Shown here in bold

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>/com/oracle/javadeployment/</key> <dict> <key>deployment.expiration.decision.10.51.2</key> <string>later</string> <key>deployment.expiration.decision.suppression.10.51.2</key> <string>true</string> <key>deployment.expired.version</key> <string>10.51.2</string> <key>deployment.log</key> <string>true</string> <key>deployment.modified.timestamp</key> <string>1399659346937</string> <key>deployment.version</key> <string>7.21</string> </dict> <key>deployment.security.level</key> <string>MEDIUM</string> </dict> </plist>

when I toggle the setting in the GUI it places the <key>deployment.security.level</key> <string>MEDIUM</string>
above the "Deployment Version" key.

this is what the plist looks like when its working under medium security

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>/com/oracle/javadeployment/</key> <dict> <key>deployment.expiration.decision.10.51.2</key> <string>later</string> <key>deployment.expiration.decision.suppression.10.51.2</key> <string>true</string> <key>deployment.expired.version</key> <string>10.51.2</string> <key>deployment.log</key> <string>true</string> <key>deployment.modified.timestamp</key> <string>1399658395550</string> <key>deployment.security.level</key> <string>MEDIUM</string> <key>deployment.version</key> <string>7.21</string> </dict> </dict> </plist>

bentoms
Forum|alt.badge.img+35
  • Legendary Contributor
  • 4331 replies
  • May 9, 2014

You'll want to use PlistBuddy to write to the dict.

Sorry I can't help more atm, in a taxi home from CCE.


Forum|alt.badge.img+14
  • Contributor
  • 165 replies
  • May 9, 2014

Perhaps something to work with in this thread?:
https://jamfnation.jamfsoftware.com/discussion.html?id=6489

We are using the script from Andrew with some minor mods to accomplish several tasks. For example, I was asked to tweak another preference and added a line similar to this:
/bin/echo deployment.security.mixcode=HIDE_RUN >> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/deployment.properties

The deployment.config file could also be factored in I suppose:
/Library/Application Support/Oracle/Java/Deployment/deployment.config
(e.g. deployment.system.config=path_to_deployment.properties and deployment.system.config.mandatory = true)

Don't mean to distract from current discussion, might be pointing in the wrong direction. Not my forte.


Forum|alt.badge.img+31
  • Honored Contributor
  • 2721 replies
  • May 9, 2014

Looking at the defaults man page, I don't see a way to add a key and a string to an existing dictionary item. So, I think @bentoms is right when he mentions PlistBuddy. Looking at that man page it can add these items.

https://developer.apple.com/library/mac/documentation/Darwin/Reference/Manpages/man8/PlistBuddy.8.html

I can try to test this later.

Thanks,
Tom


Forum|alt.badge.img+15
  • Contributor
  • 208 replies
  • May 9, 2014

nested values is where plist buddy shines, but I can't get it to fall under the <dict> <key>/com/oracle/javadeployment/</key> <dict>

it creates another dictionary and then java doesn't seem to read the key at all.
still messing with it let me know what you @tlarkin , @bentoms come up with.
thank you for all the suggestions so far
Dan


Forum|alt.badge.img+11
  • Contributor
  • 176 replies
  • May 12, 2014

Just throwing out a link to the java documentation regarding the deployment.properties file.

http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/jcp/properties.html

User Preferences: ~/Library/Application Support/Oracle/Java/Deployment/deployment.properties System Level Preferences: /Library/Application Support/Oracle/Java/Deployment/deployment.config

It looks like the system file isn't created by default, have you tried customizing the XML with your desired configuration and deploying that file to the system level?


Forum|alt.badge.img+15
  • Contributor
  • 208 replies
  • May 12, 2014

@freddie.cox - we want to tweak the user prefs. But the setting we want to change is nested and I can't get it in the existing dictionary. were so close with plistbuddy! that is a good reference for additional settings thank you! Worst case we will make a dmg for the plist and deploy it after the java install.


Forum|alt.badge.img+15
  • Contributor
  • 208 replies
  • May 14, 2014

Got it! Thanks to Tony Tang, noticed a extra :

/usr/libexec/PlistBuddy -c "add ':/com/oracle/javadeployment/:deployment.security.level' string MEDIUM" ~/Library/Preferences/com.oracle.javadeployment.plist

new issues! This writes to the plist and that is awesome! But when you open the java system preference, the deployment.security.level and string go away, and the security is still HIGH the default. I tried to change permissions to the plist to 755 and tried it again and it made no difference. Suggestions?
Thank you
Dan


Forum|alt.badge.img+12
  • Contributor
  • 529 replies
  • May 14, 2014

Read the documentation that @freddie.cox suggested.

The users plist file and the users deployment properties work in tandem. One file will overwrite the other if they aren't the same.

I'd recommend instead of setting these at user level, remove these files and set the deployment properties in the main library.

For example:

cat /Library/Application Support/Oracle/Java/Deployment/deployment.config 
deployment.system.config=file:///Library/Application Support/Oracle/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true
cat /Library/Application Support/Oracle/Java/Deployment/deployment.properties 
#deployment.properties
deployment.macosx.check.update=false
deployment.macosx.check.update.locked
deployment.expiration.check.enabled=false
deployment.expiration.check.enabled.locked
deployment.security.level=VERY_HIGH
deployment.security.level.locked
deployment.console.startup.mode=HIDE
defaults read /Library/Preferences/com.oracle.java.Java-Updater
{
    JavaAutoUpdateEnabled = 0;
}

Forum|alt.badge.img+15
  • Contributor
  • 208 replies
  • May 14, 2014

Thanks Sean, I started looking at the documentation again this morning and it states - file can't be altered.


Forum|alt.badge.img+15
  • Contributor
  • 208 replies
  • May 14, 2014

in conclusion, Configuring Java user settings - defaults write was not the solution. Plistbuddy was able to write the nested dictionary, but was overwritten, so it was also not the solution. @freddie.cox suggested it, I was so focused on getting plistbuddy to work, as Sean stated read Oracles Documentation- http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/jcp/properties.html

Create deployment.config
deployment.properties here
/Library/Application Support/Oracle/Java/Deployment/
I also had to create the Deployment directory and gave it the same user and permissions as the Parent Java directory.
add your files deployment.config and deployment.properties

the examples Sean has listed are good. I changed my security level to MEDIUM and we are in business. if you add the .locked line it will also prevent your users from changing the settings.

Thank you @bentoms @tlarkin @freddie.cox @sean and Tony Tang


Forum|alt.badge.img+6
  • Contributor
  • 34 replies
  • September 11, 2014

Hey dderusha,
Can you explain the steps you took in more detail? I'm a bit confused and trying to work through this issue as well.


Forum|alt.badge.img+15
  • Contributor
  • 208 replies
  • September 11, 2014

@kempt I made a DMG with the settings, scripting it didn't work for me.
I used composer, made my own "finder folder structure"
Step one is to create the file
deployment.config and place it into /Library/Application Support/Oracle/Java/Deployment/

and add this to the file

#deployment.config
#Tue May 13 20:51:30 CDT 2014
deployment.system.config=file:///Library/Application Support/Oracle/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true

Next step is to make a deployment.properties file and place it in the same Deployment Directory you made in Composer.

add this to the file

#deployment.properties
#Tue May 13 20:51:30 CDT 2014
deployment.macosx.check.update=false
deployment.macosx.check.update.locked
deployment.expiration.check.enabled=false
deployment.expiration.check.enabled.locked
deployment.security.level=MEDIUM
deployment.security.level.locked
deployment.console.startup.mode=HIDE

We wanted the settings set to medium as shown above.

We offer this in self service. I have the java 7r67.pkg that installs followed by the package we described above.
its a global package for all users.

let me know if you have more questions.

Dan


Forum|alt.badge.img+6
  • Contributor
  • 34 replies
  • September 15, 2014

Dan,
Thanks for getting back to me. I’m fairly new to editing system files, so, did you start with a blank .config, and a blank .properties file, and then add exactly what you sent to me before saving? Also, I’m unclear as the “finder folder structure” you mention about creating in Composer.


Forum|alt.badge.img+15
  • Contributor
  • 208 replies
  • September 15, 2014

@kempt No problem
You could create a new file using text edit, name the files as described above -deployment.config and the second file called - deployment.properties copy and past the suggested text from the above post.
save the files in the path above...here are the permissions I have set on the files
-rw-rw-r--@ 1 root admin 197 May 14 13:43 deployment.config
-rw-rw-r--@ 1 root admin 315 May 14 14:01 deployment.properties

I'm pretty sure we have to create the "Deployment" Directory.
here are the permissions on that directory
drwxr-xr-x 4 root admin 136 Jul 16 09:06 Deployment

If you create this directory, and place the files into it, the next step is to open composer.

when composer opens, drag the two files to the left side of the composer window.
when its done, click the button to make a .dmg and that should do it.

Dan


Forum|alt.badge.img+6
  • Contributor
  • 34 replies
  • September 16, 2014

@dderusha
Thanks! A few more questions:
1. How do I create that directory in Composer?
2. Are you setting the permissions normally, using Get Info?
3. Do I place these files in the paths you listed AND also in the newly created Composer Directory?


Reply


Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings