Archive
Managing Java browser plug-in settings for Apple’s XProtect malware protection
In response to a number of recent Java exploits, both Apple and Mozilla have begun blocking vulnerable versions of Java from running in their respective browsers via their malware protection mechanisms. While this is the right move from a security perspective, it can leave enterprises without the ability to access mission-critical systems that use Java applets running in a browser.
The fix should be to update those affected machines with the latest version of Java. However, this assumes that a) the latest available version of Java is not itself blocked and b) the mission-critical system is able to use the latest version of Java.
From my own perspective, what Apple is doing from a malware protection standpoint is the right thing. I just don’t want my users to lose the ability to access our systems that use a Java applet, especially when the latest available version of Java is blocked and I don’t have a way to otherwise satisfy Apple’s XProtect malware protection without disabling XProtect.
My fix was this: manage XProtect’s ability to disable the Java browser plug-in by modifying the Java browser plug-in settings in the affected Mac’s /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist file. See below the jump for the details.
Filing bug reports with Oracle for Mac OS X’s Java 7
Want to file a bug report about an issue having to do with Java 7 for OS X? It can be tricky to find the right place to submit it, so here’s some guidance for filing it in the right place.
Update: I’ve been informed that it is necessary to install the current JRE of Java 7 from the Oracle JDK7 test site before Oracle will accept bug reports from you.
JDK7 is available from http://jdk7.java.net/, with the download site being http://jdk7.java.net/download.html.
The reason that Oracle does it this way is that they want customers to use Oracle Java SE Support. This is for-pay support and Oracle’s preferred way for non-developer customers to get support.
All that said, if the issue you’re running into also occurs on the JRE from the Oracle JDK site, file a bug using the procedure below.
For example, here’s how to file a bug report for the Java 7 installer for OS X.
1. Go to http://bugreport.sun.com/bugreport/
2. Scroll down to the Submit a Bug section
3. Check the box labeled “Check this box to indicate that you understand this is not a place to receive support….”
4. Click the Start a new Report button.
5. On the next page, go to the Start A Report: section
6. For an installer bug, select the following:
Type: Bug
Product/Category: Java Platform Standard Edition (JDK/JRE)
Subcategory: JDK/JRE installation (install)
Release: Java Platform Standard Edition 7
Operating System: Mac OS X 10.7 (Oracle VM)
7. When ready to proceed, click the Continue button.
8. On the next page, provide the information requested to file your bug report and click the Submit button when completed.
Good luck! Filing bug reports doesn’t guarantee that your problem will be fixed, but it raises the odds that it will be. Not filing it may mean that Oracle is completely unaware of the problem and thus will never fix it.
Emulating specific Apple models in VMware Fusion VMs
Once you have a VM built, you may want to edit it to emulate a specific Mac model. One reason for doing this would be to test model-specific updates from Apple’s Software Update.
To set your VM to report itself as a specific Mac model, you would need to add the hw.model flag to your VM’s .vmx configuration settings. See below the jump for how to do this.
Open Directory needs multiple processors to run in a VM
As more servers and services move off of physical servers and onto virtual servers, there’s been an issue that Mac admins have run into more than once:
“I’m trying to set up Open Directory in this VM, but the service won’t enable.”
Another related issue has to do with Profile Manager, where Profile Manager crashes when you try to set it up in a VM. The root cause is the same: Profile Manager needs to have Open Directory running and Open Directory won’t turn on.
The fix is simple – give your VM more than one processor. Once you give the VM multiple processors (two is fine), Open Directory should begin working. This will also fix the Profile Manager crashing issue, as Open Directory should now enable properly.
As far as I can tell, this is an issue no matter what virtualization solution is being used. It’s been reported on Parallels, VMware Fusion and VMware ESXi.
Deploying Java for Mac OS X 10.6 Update 12 using the softwareupdate tool
With the latest round of Java browser blockages and updates being released, I wanted a way to deploy Apple’s Java for Mac OS X 10.6 Update 12 to those 10.6.x Macs that needed it. However, I wanted to make sure that I wasn’t deploying to machines that already had it. I also didn’t want to do a general Apple software update; I just wanted to update Java.
Fortunately, Apple’s softwareupdate command-line tool gives me a way to do this. I’m able to use the softwareupdate tool to list all available updates, then grep the list to see if the Java update I want is included:
softwareupdate -l | grep "Java"
For Macs that haven’t had Java for Mac OS X 10.6 Update 12 installed, the update should be named and described as follows:
* JavaForMacOSX10.6-12.0 Java for Mac OS X 10.6 Update 12 (12.0), 70724K [recommended]
The name that softwareupdate uses for the update will appear as the first item listed. In this case, it’s JavaForMacOSX10.6-12.0. I can also use softwareupdate to specify and install that update:
softwareupdate --install JavaForMacOSX10.6-12.0
I then wrote the following script that uses softwareupdate to install Java for Mac OS X 10.6 Update 12. It does the following:
1. Verify that Java for Mac OS X 10.6 Update 12 is an available update for this Mac.
2. If Java for Mac OS X 10.6 Update 12 is an available update, the script logs that the update is being installed. Apple’s softwareupdate tool then installs that update silently in the background.
3. If Java for Mac OS X 10.6 Update 12 is not an available update, the script logs that information then exits silently.
#!/bin/sh
#
# Using the softwareupdate tool
# to detect if the Mac has
# Java for Mac OS X 10.6 Update 12
# as an available update.
#

JAVA_UPDATE_DETECT=$( softwareupdate -l | grep -o "JavaForMacOSX10.6-12.0" )

#
# If Java for Mac OS X 10.6 Update 12
# is an available update, script installs
# the update. If Java for Mac OS X 10.6 Update 12 is
# not an available update, script reports that and
# exits.
#

# POSIX [ ] test, so the script does not depend on bash's [[ ]] under /bin/sh
if [ "${JAVA_UPDATE_DETECT}" = "JavaForMacOSX10.6-12.0" ]; then
    logger "Installing Java for Mac OS X 10.6 Update 12"
    softwareupdate --install JavaForMacOSX10.6-12.0
else
    logger "Java for Mac OS X 10.6 Update 12 not an available update. Exiting."
fi

exit 0
This script is available here on my GitHub repo:
https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/install_apple_java_updates
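An added example (not from the author's repository) that generalizes the check above: it pulls every update identifier out of a softwareupdate -l listing and installs only on an exact, fixed-string match, so a "." in the name is not treated as a wildcard and a longer identifier cannot match. The function names are hypothetical, and the sample listing is constructed from the entry quoted above plus one made-up entry.

```shell
#!/bin/sh
# Added example: exact-match check for one Apple software update.
# Function names are hypothetical; nothing here comes from the original script.

# Constructed sample listing (the ExampleUpdate entry is made up for contrast).
sample_listing() {
cat <<'EOF'
Software Update Tool

Software Update found the following new or updated software:
   * JavaForMacOSX10.6-12.0
        Java for Mac OS X 10.6 Update 12 (12.0), 70724K [recommended]
   * ExampleUpdate-1.0
        Example Update (1.0), 1024K [recommended]
EOF
}

# Read a listing on stdin and print one identifier per line:
# the first token after the leading "*" on each entry.
available_updates() {
    awk '$1 == "*" && NF >= 2 { print $2 }'
}

# Succeed only if the identifier in $1 is offered in the listing on stdin.
# -F treats the name as a fixed string, -x requires a whole-line match.
update_is_available() {
    available_updates | grep -Fxq -- "$1"
}

# Install the named update only when this Mac is offered it.
# Not called here: it needs a Mac and root privileges.
install_if_available() {
    wanted=$1
    if softwareupdate -l 2>/dev/null | update_is_available "$wanted"; then
        logger "Installing ${wanted}"
        softwareupdate --install "$wanted"
    else
        logger "${wanted} not an available update. Exiting."
    fi
}

# Offline demonstration against the constructed listing.
sample_listing | available_updates
```

On a managed Mac the call would be install_if_available "JavaForMacOSX10.6-12.0", run as root.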
Slides from the FileVault 2 Session at MacIT 2013
For those who wanted a copy of my FileVault 2 talk at MacIT 2013, here are links to the slides in PDF and Keynote format.
PDF: http://tinyurl.com/MacIT2013PDF
Keynote slides: http://tinyurl.com/MacIT2013key