Smart Group for Java

Contributor II

I have Java RE 7u60 packaged currently and have a smart group set up to deploy to any system without that version. That works great for the most part and reinstalls if anyone removes the software. But if someone upgrades to a newer version before I have it packaged, I start seeing the installation constantly rerun and dumping errors in the jamf.log:

Error - You are trying to install Java 7 Update 60, however Java 7 Update 65 is already installed.

I know we can't use greater than or less than in criteria. So the only thing I can think of is this:

Plug-in Title does not have "JavaAppletPlugin.plugin"
OR Plug-in Version not like "Java 1"
OR Plug-in Version not like "Java 2"
OR Plug-in Version not like "Java 3"
OR Plug-in Version not like "Java 4"
OR Plug-in Version not like "Java 5"
OR Plug-in Version not like "Java 6"
OR Plug-in Version not like "Java 7 Update 1"
OR Plug-in Version not like "Java 7 Update 2"
OR Plug-in Version not like "Java 7 Update 3"


Valued Contributor II

Isn't that a good error to have? At least it doesn't pull it back down and gives you a notification of sorts that you are behind. At which point you can upgrade to catch up with the proper process. In my case I include a script to disable java auto update after each and every version of java I push to users. Now, that said, I've used this logic before with our "supported browsers".

For example, we use Firefox ESR as one of our supported browsers. Because it's easy to get ahead of the ESR I don't necessarily want to downgrade my users without having a GOOD reason. So, my smart group goes something like:

has - licensed software - Firefox 24.4 ESR
or has - licensed software - Firefox 24.5 ESR
or has - licensed software - Firefox 24.6 ESR
AND does not have - licensed software - Firefox 24.7 ESR

Obviously this is an example pulled out of my rear, but it will ONLY offer the upgrade to clients within your upgrade path. This means it will leave anyone who's left the path on their own and you without errors.

Still. Getting a notification that you're behind the times on Java seems like a pretty good thing to me. I've actually NOT used this logic when dealing with Java simply because I want to see said errors.

Contributor III

I stopped collecting plug-in information on my JSS in order to reduce the database size, and instead created extension attributes for plug-ins that I need to manage. Here is the extension attribute that I created for Java:


#!/bin/sh

# Set path to plugin info file
InfoFile="/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info"

# If Java plugin file exists
if [ -e "$InfoFile.plist" ]; then
    # Get Java version
    prodversion=`defaults read "$InfoFile" CFBundleVersion | sed -e 's/r/./g'`
# If Java plugin does not exist
else
    # Set prodversion
    prodversion="Not installed"
fi

# Output Java version
echo "<result>$prodversion</result>"

# Exit script
exit 0

We are currently using Java 7 Update 51 due to issues with a third-party web app that is used by many of our end users. To deploy Java 7 Update 51 to our pilot group, I created a smart group using the extension attribute. The criteria is as follows:

Computer Group member of MacPilot
and Plug-In: Oracle Java is not
and Plug-In: Oracle Java is not
and Plug-In: Oracle Java is not
and Plug-In: Oracle Java is not
and Plug-In: Oracle Java is not
and Plug-In: Oracle Java is not
and Plug-In: Oracle Java is not

Like @Chris_Hafner I also disable Java auto updates when I deploy a new version, and don't downgrade users that have already left the upgrade path.

I hope this helps.

Valued Contributor II

Heh, yep. I've got to be brutally honest here. I keep a licensed software record for Java and run a SMART group ONLY against its supported OSs and that single licensed software record. If my users are too old then they get upgraded and the auto updates are disabled. If they are too new, then Java's installer package sorts it out for me, resulting in that error and stopping the process. It may be a bit less stringent than it ought to be but it is very effective in my use case.

Contributor II

I have an Extension Attribute that grabs the Java vendor and version, and a Smart Group to tell me when it's out of date. Admittedly, I need to manually update the Smart Group whenever there's a new version, but I find it's a small price to pay for the convenience.

From there I just have a policy that runs against any computer in my "!Java out of date" Smart Group.


New Contributor III

Yeah, we're running an extension attribute also through a smart group.

It takes a minute to populate since they need to have the inventory run after the extension attribute is installed.

During the Java install I also update the inventory so it doesn't trip the install again on the next check in or startup.

Contributor II

Interesting seeing common tactics with Java updates: EA pulling version/vendor > smart group scopes to all outside of current version > policy installing.

I only tweak this process slightly by having a master installer policy, that I update whenever a new version comes out, but then trigger that policy only 1x/machine via 3 phased, run once policies firing off on different dates based on our rollout schedule, then expiring 2 weeks from go-live. This ensures machines won't check-in a month later and install stale Java (no one likes cold coffee).

The ability to have the smart group notify you when membership changes is also a good way of knowing when someone updates Java outside of the "latest" version specified in your smart group.

Anyone know if something similar to what @rtrouton has done with curling latest Flash version from Adobe would be possible with Oracle? This has made Flash updates remarkably easier:

EDIT: to clarify, even if we could merely pull latest Java version from Oracle, we could likely scope an EA to set the latest version of Java direct from vendor, notify or scope machines in/out of certain groups based on that knowledge.

Valued Contributor II

Well... I'm still avoiding automated scripting of the upgrade. I'm super simple.

•) I download the very latest .pkg from Oracle
•) I use the java plugin version EA (Found it here somewhere)


#!/bin/sh
# Report the Java plug-in version; the path contains a space, so it must be quoted
if [ -e "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" ]; then
    java_version=`"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" -version 2>&1 | head -n 1 | cut -d\" -f 2`
    echo "<result>$java_version</result>"
else
    echo "<result>Not Installed</result>"
fi
exit 0

•) I have a smart group based on this info - Scopes the OSs that are applicable (i.e. has OS like 10.7. or OS like 10.8. or OS like 10.9.) - Scopes against the latest deployed Java plugin ( is not Java Plugin Version 1.7.0_65)

•) My policy runs an inventory after and pulls the unit from the smart group.

That's it. If someone is newer than my supported version Java itself will throw an error and refuse to replace a newer version and will hence, leave that user alone while notifying me that I'm behind the cycle.

I know I mentioned this all before. I just didn't write it down expressly. This is just one of those processes that is so easy I refuse to completely automate it. At least this way I still have the ability NOT to move to a new version if I have a good reason.
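
An added example, not taken from any post in this thread: an extension attribute that does the greater-than/less-than comparison itself, so the smart group needs a single criterion instead of a list of versions. The target `1.7.0_65`, the function names and the result strings `Older`/`Current`/`Newer`/`Unknown` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): extension attribute that reports whether
# the installed Java plug-in is older or newer than a target release.
# TARGET and the result strings are assumptions chosen for this example.
TARGET="1.7.0_65"
JAVA_BIN="/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java"

# Print the version string reported by the plug-in's java binary, e.g. 1.7.0_65.
installed_java_version() {
    [ -x "$JAVA_BIN" ] || return 1
    "$JAVA_BIN" -version 2>&1 | head -n 1 | cut -d'"' -f 2
}

# Compare installed ($1) with target ($2) field by field, numerically, so that
# 1.7.0_9 sorts below 1.7.0_65. Prints Older, Current, Newer or Unknown.
classify_java() {
    case "$1" in
        ''|*[!0-9._]*) echo "Unknown"; return 0 ;;
    esac
    awk -v inst="$1" -v tgt="$2" 'BEGIN {
        n = split(inst, a, "[._]"); m = split(tgt, b, "[._]")
        max = (n > m) ? n : m
        for (i = 1; i <= max; i++) {
            x = a[i] + 0; y = b[i] + 0   # missing fields count as 0
            if (x < y) { print "Older"; exit }
            if (x > y) { print "Newer"; exit }
        }
        print "Current"
    }'
}

if installed=$(installed_java_version); then
    echo "<result>$(classify_java "$installed" "$TARGET")</result>"
else
    echo "<result>Not Installed</result>"
fi
```

Scoping the install policy to computers where this attribute is `Older` or `Not Installed` keeps machines reporting `Newer` out of scope, so the installer does not re-run against them.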

Release Candidate Programs Tester


With the exception of AutoPkg grabbing the latest updates for me (and emailing me to let me know that it's done so), my Java updating process is very similar to yours.

Valued Contributor II

... and updated again. Fitting. 7u67

Contributor II


I use a Python script to find out what version is on the Oracle website, and shoots me through an email notification if it's newer. This is completely outside of Casper, but I use it as part of my (manual) workflow. I just have a cron job set up to run every hour to run this.

I also use an almost identical script for Flash.


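import os
import re
import smtplib
import sys
import urllib2

# File that stores the last version seen (open() does not expand "~" itself)
STATE_FILE = os.path.expanduser("~/.java")

# Fetch the Oracle page that lists the current Java version (URL left empty here)
response = urllib2.urlopen("")
raw = response.read()

m = re.compile(r"Version (\d+) Update (\d+)").search(raw)

# Stop if the page does not contain a version string
if m is None:
    sys.exit(1)

# Read the last version that was recorded
with open(STATE_FILE, "r") as myFile:
    d = myFile.read().replace("\n", "")

verstr = "1.%s.%s" % (m.group(1), m.group(2))

if verstr != d:
    # Record the new version, then send the notification
    with open(STATE_FILE, "w") as myFile:
        myFile.write(verstr)

    SERVER = "mailserver"
    FROM = "fromaddress"
    TO = ["toaddress"]
    SUBJECT = "[ALERT] Java has been updated to " + verstr
    TEXT = "The Oracle Java package has been updated to " + verstr + ". Please update the JSS/Casper scripts accordingly"

    message = """\
From: %s
To: %s
Subject: %s

%s
""" % (FROM, ", ".join(TO), SUBJECT, TEXT)

    server = smtplib.SMTP(SERVER)
    server.sendmail(FROM, TO, message)
    server.quit()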

Valued Contributor II

May I introduce you to:


with a brief how-to by @rtrouton: