With the release of Java 7 Update 51 and the introduction of the Exception Site List, Oracle just made IT administrators' lives...more complicated.
In the search for a way to get back in control over the enterprise desktops and laptops, I've found a way not only to manage Java's Control Panel but also a way to manage the Exception Site List.
In an enterprise with more than 8000 machines to manage, obviously we get a lot of the work done using GPOs so...we needed something similar to make it possible to quickly change whatever we want system-wide.
On a default Java installation, the Java Control Panel settings are managed using the file deployment.properties located in "%APPDATA%\LocalLow\Sun\Java\Deployment\", but of course this is a per-user configuration.
Fortunately this can be bypassed using a file called deployment.config that points to a system-wide deployment.properties file.
Now, without further delay, here's what you need to do:
The deployment.config file is used to specify where the deployment.properties file is located and whether it's mandatory or not. In this file you only have to set 2 parameters, here's an example:
The deployment.properties file manages Java Control Panel settings. For a complete list of parameters, go to http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/jcp/properties.html
So, here's an example of what you can do with deployment.properties:
#REMOVE JAVA DESKTOP SHORTCUT
#SET SECURITY LEVEL AND LOCK IT
#ENABLE USER HOME JAVA POLICY
#DISABLE AUTOMATIC DOWNLOADS
#DISABLE JAVA OUT OF DATE CHECK
#SET EXCEPTION SITES LIST PATH
In the Exception Site List file, you'll enter one URL per line for each website you want to whitelist, and nothing more is needed.
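As an added illustration (not the author's original files), here is what the three files could look like with the settings named in the comments above. The values, the file name exception.sites, the example.com URLs and the assumption that %windir% is C:\Windows are all assumptions; the `# ----` lines only mark where each file starts and are not part of the files.

```properties
# ---- %windir%\Sun\Java\Deployment\deployment.config ----
# Points every user's JRE at the system-wide properties file.
deployment.system.config=file:///C:/Windows/Sun/Java/Deployment/deployment.properties
# true = the system-wide file is required; Java apps are not run if it cannot be loaded
deployment.system.config.mandatory=true

# ---- %windir%\Sun\Java\Deployment\deployment.properties ----
#REMOVE JAVA DESKTOP SHORTCUT
deployment.javaws.shortcut=NEVER
#SET SECURITY LEVEL AND LOCK IT
deployment.security.level=HIGH
# A ".locked" suffix stops users from changing the property in the Control Panel
deployment.security.level.locked
#ENABLE USER HOME JAVA POLICY
deployment.security.use.user.home.java.policy=true
#DISABLE AUTOMATIC DOWNLOADS
deployment.javaws.autodownload=NEVER
#DISABLE JAVA OUT OF DATE CHECK
deployment.expiration.check.enabled=false
#SET EXCEPTION SITES LIST PATH
deployment.user.security.exception.sites=C:/Windows/Sun/Java/Deployment/exception.sites
deployment.user.security.exception.sites.locked

# ---- %windir%\Sun\Java\Deployment\exception.sites (constructed entries) ----
https://intranet.example.com/
https://erp.example.com:8443/app/
```

Sites on the Exception Site List are allowed to run applications that the security checks would otherwise block, so keep the entries as specific as possible and prefer HTTPS URLs. Since every machine copies these files from the share, only administrators should have write access to it.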
Pushing the files to all your network
So, now that you have the 3 necessary files, you'll need to put them on the machines. There are several ways to do it; I'll explain here what was the best approach for me, which was using Group Policy Preferences (GPP).
- Put the 3 files you've previously created on a network share accessible to all machines
- Now, create or open an existing GPO and navigate to Computer Configuration -> Preferences -> Windows Settings -> Files
- Create 3 file properties matching the names of the 3 files you've created. For each file you'll need to give it an action, a source and a destination path (where the destination path needs to match what you've configured for deployment.system.config).
Source File(s): \\sharename\javapolicies\deployment.properties
Destination File: %windir%\Sun\Java\Deployment\deployment.properties
After this, just restart the machines so the GPP is applied.
Every time you need to make a change to the Java configuration or add a new website to the Exception Site List, you'll just need to do it centrally!
Hope this helps anyone with similar issues.