Friday, July 17, 2015

Oracle Java - Centralized Management and Control



With the release of Java 7 Update 51 and the introduction of the Exception Site List, Oracle just made IT administrators' lives... more complicated.
In the search for a way to get back in control over the enterprise desktops and laptops, I've found a way not only to manage Java's Control Panel but also a way to manage the Exception Site List.

In an enterprise with more than 8000 machines to manage, we obviously get a lot of the work done using GPOs, so we needed something similar that would let us quickly change whatever we want system-wide.

On a default Java installation, the Java Control Panel settings are managed using the file deployment.properties located in "%APPDATA%\LocalLow\Sun\Java\Deployment\", but of course this is a per-user configuration.
Fortunately, this can be bypassed using a file called deployment.config that points to a system-wide deployment.properties file.

Now, with no further delay, here's what you need to do:

deployment.config File

This file specifies where the deployment.properties file is located and whether it is mandatory. In this file you only have to set 2 parameters; here's an example:

deployment.system.config=file\:c\:/Windows/Sun/Java/Deployment/deployment.properties
deployment.system.config.mandatory=true

deployment.properties File

This file manages Java Control Panel settings. For a complete list of parameters, go to http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/jcp/properties.html

So, here's an example of what you can do with deployment.properties:

#REMOVE JAVA DESKTOP SHORTCUT
deployment.javaws.shortcut=never

#SET SECURITY LEVEL AND LOCK IT
deployment.security.level=HIGH
deployment.security.level.locked

#ENABLE USER HOME JAVA POLICY
deployment.security.use.user.home.java.policy=true

#DISABLE AUTOMATIC DOWNLOADS
deployment.javaws.autodownload=never

#DISABLE JAVA OUT OF DATE CHECK
deployment.expiration.check.enabled=false

#SET EXCEPTION SITES LIST PATH
deployment.user.security.exception.sites=c\:/Windows/Sun/Java/Deployment/exception.sites

exception.sites File
Here, you enter one URL per line for each website you want to whitelist; nothing more is needed.
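
A pre-deployment check for the three files described above, as an added example that is not part of the original post: it parses the properties syntax and reports a non-mandatory system file, an unlocked security level, a missing exception-list path, and exception.sites entries that lack a protocol or use plain HTTP. Flagging plain-HTTP entries for review is an assumption of this example, and the sample hostnames are constructed.

```python
import re

_PROP = re.compile(r'^((?:\\.|[^\s=:\\])+)[ \t]*[=:]?[ \t]*(.*)$')
_URL = re.compile(r'^([A-Za-z][A-Za-z0-9+.-]*)://\S+$')

def parse_properties(text):
    """Parse the .properties subset these files use: '#'/'!' comments,
    key=value, bare keys, backslash escapes such as '\\:'. Line
    continuations and \\uXXXX escapes are not handled."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        m = _PROP.match(line) if line and line[0] not in "#!" else None
        if m:
            key, value = (re.sub(r'\\(.)', r'\1', p) for p in m.groups())
            props[key] = value
    return props

def lint(config_text, properties_text, sites_text):
    """Return findings for the three files; an empty list means none."""
    out = []
    config, props = parse_properties(config_text), parse_properties(properties_text)
    if "deployment.system.config" not in config:
        out.append("deployment.config: deployment.system.config is not set")
    if config.get("deployment.system.config.mandatory", "").lower() != "true":
        out.append("deployment.config: system file is not mandatory")
    if "deployment.security.level" not in props:
        out.append("deployment.properties: security level is not set")
    elif "deployment.security.level.locked" not in props:
        out.append("deployment.properties: security level is not locked")
    if "deployment.user.security.exception.sites" not in props:
        out.append("deployment.properties: exception.sites path is not set")
    for n, entry in enumerate(map(str.strip, sites_text.splitlines()), 1):
        m = _URL.match(entry)
        if entry and not m:
            out.append(f"exception.sites:{n}: not a protocol://host URL: {entry}")
        elif m and m.group(1).lower() == "http":
            out.append(f"exception.sites:{n}: plain HTTP, review: {entry}")
    return out

# Constructed sample input (hostnames are placeholders, not from the post).
CONFIG = "deployment.system.config=file\\:c\\:/Windows/Sun/Java/Deployment/deployment.properties\n"
PROPS = "#SET SECURITY LEVEL\ndeployment.security.level=HIGH\n"
SITES = "https://erp.example.test/\nhttp://legacy.example.test/app\nintranet.example.test\n"

if __name__ == "__main__":
    for finding in lint(CONFIG, PROPS, SITES):
        print(finding)
```

Run it against the copies on the network share before the GPO distributes them; any printed line is a setting to fix or an entry to review.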


Pushing the files to all your network
So, now that you have the 3 necessary files, you'll need to put them on the machines. There are several ways to do it; I'll explain here what was the best approach for me, which was using Group Policy Preferences (GPP).
  • Put the 3 files you've previously created on a network share accessible to all machines
  • Now, create or open an existing GPO and navigate to Computer Configuration -> Preferences -> Windows Settings -> Files
  • Create 3 file properties matching the names of the 3 files you've created. For each file you'll need to give an action, a source and a destination path (where the destination path needs to match what you've configured for deployment.system.config).
    For example
    Action: Replace
    Source File(s): \\sharename\javapolicies\deployment.properties
    Destination File: %windir%\Sun\Java\Deployment\deployment.properties
  • At the end, you'll have something similar to this:


And... you're done!
After this, just restart the machines so the GPP is applied.
Every time you need to make a change to the Java configuration or add a new website to the Exception Site List, you'll just need to add it centrally!

Hope this helps anyone with similar issues.
