rmanly ccaBadge
5

Comments

Flashback - disable Java for all users script

Posted 4/9/12 at 6:03 PM by rmanly

If you want to disable Java for all users in Safari and Firefox (from what I have seen it doesn't appear to target Chrome) you can run the following script.

Here is the pretty uncommented version:

#!/bin/bash

ff_users=()
os_version=$(sw_vers -productVersion)

while read -r -d $'\0'; do
ff_users+=("$REPLY")
done < <(mdfind -name pluginreg.dat -0)

for dat_file in "${ff_users[@]}"; do
username=$(stat -f "%Su" "${dat_file}")
if [[ ${os_version%.*} == 10.7 ]]; then
{ rm "${dat_file}" && awk 'BEGIN{FS=OFS=":"}/JavaAppletPlugin/{count=3}count&&!--count&&($3==1||$3==5){$3--}1' > "${dat_file}"; } < "${dat_file}"
else
{ rm "${dat_file}" && awk 'BEGIN{FS=OFS=":"}/JavaPlugin/{count=3}count&&!--count&&($3==1||$3==5){$3--}1' > "${dat_file}"; } < "${dat_file}"
fi
chown "${username}" "${dat_file}"
done

for user in /Users/*; do
if [[ -e "${user}"/Library/Preferences ]]; then
defaults write "${user}"/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool FALSE
defaults write "${user}"/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool FALSE
chown "${user##*/}" "${user}"/Library/Preferences/com.apple.Safari.plist
fi
done



And here is the nasty one for those of you who want to know what is going on:

#!/bin/bash

ff_users=()
os_version=$(sw_vers -productVersion)

# find all users with a Firefox profile and pluginreg.dat file within it using mdfind as suggested by Christoph von Gabler-Sahm (cvgs on jamf nation)

while read -r -d $'\0'; do
ff_users+=("$REPLY")
done < <(mdfind -name pluginreg.dat -0)

# here is the find version
# while read -r -d $'\0'; do
# ff_users+=("$REPLY")
# done < <(find /Users -name pluginreg.dat -print0 2> /dev/null


# now we are going to disable java in Firefox
# for this we are going to use awk to modify the list of pluginreg.dat files in the ff_users array
# if statement checks for 10.7 as the relevent line is named JavaAppletPlugin in 10.7 with FF 11.0
# else use JavaPlugin as found in 10.6

for dat_file in "${ff_users[@]}"; do
username=$(stat -f "%Su" "${dat_file}")
if [[ ${os_version%.*} == 10.7 ]]; then
{ rm "${dat_file}" && awk 'BEGIN{FS=OFS=":"}/JavaAppletPlugin/{count=3}count&&!--count&&($3==1||$3==5){$3--}1' > "${dat_file}"; } < "${dat_file}"
else
{ rm "${dat_file}" && awk 'BEGIN{FS=OFS=":"}/JavaPlugin/{count=3}count&&!--count&&($3==1||$3==5){$3--}1' > "${dat_file}"; } < "${dat_file}"
fi
chown "${username}" "${dat_file}"
done

# disable Java in Firefox
# after poking around in Firefox's sqlite files I went googling and found this post by Clay Caviness
# https://plus.google.com/109088229817689076273/posts/7yH5QGJhuyN
# I didn't know enough AWK to make that happen in a bash script but after a few tries 'mute' in #awk got it right for me

# awk 'BEGIN{FS=OFS=":"}/JavaAppletPlugin/{p=3}p&&!--p&&($3==1||$3==5){$3--}1'

# we can edit in-place with a little trick I orginally saw here
# http://www.unix.com/shell-programming-scripting/35591-sed-awk-inplace-inline-edit.html


# disable Java in Safari for all users

for user in /Users/*; do
if [[ -e "${user}"/Library/Preferences ]]; then
defaults write "${user}"/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool FALSE
defaults write "${user}"/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool FALSE
chown "${user##*/}" "${user}"/Library/Preferences/com.apple.Safari.plist
fi
done

5

Comments

rmanly ccaBadge
Posted 4/9/12 at 6:21 PM by rmanly

For an explanation on the awk basically what it does is

set the field seperators to :
search for the Java line we want
assign variable count=3
count down from 3
now if the third field =1 or the third field =5 subtract 1

RobertHammen
Posted 4/11/12 at 8:23 AM by RobertHammen

Haven't had time to dig into it, but both your extension attribute and this disable script fail on pre-10.5 machines. Not a huge concern since the handful of ones I have are legacy servers, not user-facing, and I know not officially supported by later versions of the jamf binary.

Here's the error from the policy log:

Script Result: /private/tmp/disableJavaSafariFirefox.sh: line 7: syntax error near unexpected token `"$REPLY"'
/private/tmp/disableJavaSafariFirefox.sh: line 7: ` ff_users+=("$REPLY")'

rmanly ccaBadge
Posted 4/11/12 at 10:01 AM by rmanly

@RobertHammen yea I don't have any 10.5.x machines anymore so I didn't bother checking for compatibility....sorry for not mentioning that.

rmanly ccaBadge
Posted 4/12/12 at 3:56 PM by rmanly

RUN SOFTWARE UPDATE

https://support.apple.com/kb/HT5242

eWhizz
Posted 5/1/12 at 9:53 AM by eWhizz

Could be done Globally with —
defaults write /Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false
defaults write /Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false

Might be an idea to set the defaults for new users too somehow in the User Template. This would definitely be possible with Safari, setting the defaults in FireFox is more difficult, but not impossible.

So set specifically in the User Template with
defaults write /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false
defaults write /System/Library/User\ Template/English.lproj/Library/Preferences/com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled -bool false