Java Updates

luke_j_nelson
New Contributor II
16 REPLIES 16

aamjohns
Contributor II

Thank you for the post Luke.

Would you like to help a noob? Unfortunately I'm really a Windows expert. But I have been designated our Casper Administrator. We just purchased and I am setting up. I made an image. A clean OS image.

We have Symantec here and I tried installing that as a package but got an error that Java needed to be installed. So I started investigating that yesterday and I have not really got a gripe on this yet. For a clean OS, do I just deploy the Java 7 update 21 and be done? Or do I need to do more? Also, once I've deployed Java, will the SUS service keep it updated? Or ugh...this is where I get confused. Not only that, I test a Java package last night of 7-21, it ran but the Mac acts like it does not have Java. Any advice for me?

sgrall
New Contributor III

@aamjohns Symantec officially supports Java 6 SE (Apple's Java) with Symantec Endpoint. The latest version of Java 6 available for 10.7 and 10.8 is here: http://support.apple.com/kb/HT5682

If you wish to install Java 7 instead, note that it's not officially supported by Symantec, and you'll need to obtain the Java 7 JDK, not the SDK. See this site to download: http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html

aamjohns
Contributor II

Thank you for that information. You are saving me much time.

Can I ask you something?

This update uninstalls the Apple-provided Java applet plug-in from all web browsers. To use applets on a web page, click on the region labeled "Missing plug-in" to go download the latest version of the Java applet plug-in from Oracle.

We run in a least privilege environment. So if my user needs the plug-in, how do you handle that? Since they are user level the should not be able to install. Do you face this issue in your environment? Do you package the plug-in?
Sorry for my ignorance.

Aaron.

sgrall
New Contributor III

If you need the Java applet plug-in functionality as well, for loading Java within a web browser, you can install both Apple Java 6, and the Java 7 SDK. This will allow Symantec Endpoint to work as designed, but still allow web pages to load Java applets. The end-user will still have to click to allow the content, but it won't require them to install anything, so even with limited rights, they will be ok.

You would take the .pkg file for both Apple Java and Oracle's Java 7 SDK, and upload them as-is for deployment.

aamjohns
Contributor II

Thanks again for your help. Both of the files I have obtained have been .dmg. Just making sure I am not grabbing the wrong installers.

I just did a test run with 1.6 from Apple. As a test I did it as a self service install. It says is succeeded but due to my blissful ignorance I do not see how to confirm it worked. I see nothing under Preferences, Applications, or Utilities. How does one determine it really is installed?

Actually, looking at the file system I now see JavaForOSX.pkg file on the root of the HD. You said .pkg file, so do I need to take that file and make it into the package?

Sorry I think a little help in the beginning on this stuff will go a long way. I read and re-read the admin pdf but some of this is just not clear.

luke_j_nelson
New Contributor II

Do you have 10.6, 10.7, and 10.8 in your environment? If so, you will need to deploy Java for Mac OS X 10.6 Update 15 to your 10.6 machines and Java for OS X 2013-003 to your 10.7 and 10.8 ones. Those are both Java 6. Those will both be updated by Software Update if you have it configured to update automatically. We do not have an internal sus currently, and we do not want updates to install automatically, so all our updates are deployed through policies. Java 7 will NOT be updated through software update though... that is now supplied directly from Oracle.

We run in a least privilege environment. So if my user needs the plug-in, how do you handle that? Since they are user level the should not be able to install. Do you face this issue in your environment? Do you package the plug-in?

You will need to deploy Java 7 if you need the plugin. We also do not let users install software on their own, so we deploy this to a policy. What you could do, if you don't want it running on all machines, is to have it available in Self Service so they can install it when they need to. No need to package it... just upload the pkg directly to Admin.

I've found it's easier to track versions via a couple extension attributes.

For Java 6:

#!/bin/sh

VER=`/System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/bin/java -version 2>&1 | grep "Java(TM) SE Runtime" | awk '{print $6}' | sed 's/)//'`

echo "<result>$VER</result>"

For Java 7:

#!/bin/sh

VER=`/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java -version 2>&1 | grep "Java(TM) SE Runtime" | awk '{print $6}' | sed 's/)//'`
VER7=${VER:0:3}

if [ $VER7 != "1.7" ]; then

    VER=""
fi

echo "<result>$VER</result>"

And then create Smart Groups that include conditions for the extension attributes. Assign the Smart Group as the scope of a policy and you're done (with plenty of QA).

sgrall
New Contributor III

.pkg file you see is the package. Drag that file as-is into Casper Admin, and deploy that.

I highly recommend the Casper Certified Administrator course--- I think you'd find it very helpful. :-)

luke_j_nelson
New Contributor II
Actually, looking at the file system I now see JavaForOSX.pkg file on the root of the HD. You said .pkg file, so do I need to take that file and make it into the package?

Yes, you need to extract the pkg from the dmg and upload that to Admin.

luke_j_nelson
New Contributor II
How does one determine it really is installed?

On 10.6 it was simple... open up terminal and enter "java -version"

10.7 and 10.8 add another layer, since both can be installed.

"/System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/bin/java -version" will give you the version of Java 6, if it exists.

"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java -version" will give you the version of Java 7, if it exists.

luke_j_nelson
New Contributor II
I highly recommend the Casper Certified Administrator course--- I think you'd find it very helpful. :-)

+1

aamjohns
Contributor II

Hi guys,
Great information. Thank you both. Yes, I want to take the courses. I've already run it by my boss. I think it would help me tremendously. But, for the time being I've got to figure this out on my own.

For testing I created two self service packages using the pkg files.

I then installed.

Using the information above to confirm installation yes it worked.

I agree on not deploying Java 7 to all machines but rather just publishing it as self service. And if I understand correctly, the Apple package I installed will be auto updated by SUS. I work at a large University that runs it's own SUS server. I just use it.

Again, all of the information you have offered is very helpful. I have one last question. Let's say I do publish Java 7 through self service and then there is a new version. Say Java 7 update 23. Do I have to execute and uninstall routine for all of the Java 7 21 machines, or can I just remove the self service package and replace it with the new one. Then when the user runs it, it will auto update from 21 to 23? In the Windows world, we can just deploy new versions of Java 7 through SCCM and the msi installer will automatically remove the old and put on the new. I don't know how it works in the Macintosh world though. And yes I need classes and training but as you know things do not always work 'ideally' expecially when funds are tight. I will push to get into the course asap.

taugust04
Valued Contributor

Just to clarify, Adobe Flash Player 11.7.700.169, was released on April 9th, and not a new release this week. The other updates from Apple and Oracle are new. Hope this helps others who were a little confused like myself, who were thinking another new version of Flash Player was released until investigating the version number, since it's not entirely surprising to see a new security related update for that product.

luke_j_nelson
New Contributor II

Yeah, I understand about the training... Always wanting us to do more, but not giving the tools to do so. You'll get lots of help here in the meantime.

You won't need to uninstall Java when an update comes out... just install the new one. I'd probably make a policy that installs automatically when it sees an older version. Yeah, just remove the old self service package and put the new one in.

luke_j_nelson
New Contributor II

Taugust04, you are correct. I just saw the update today and wasn't aware that it's been out for 8 days already.

taugust04
Valued Contributor

Yes - ordinarily one would assume that an 8 day old release is the most current one, but one can never assume that with Adobe Flash Player (or Java) lately... lol...

sgrall
New Contributor III

@aamjohns To update Java 7 later, you would simply upload the new package to the JSS repository, replace the package in your self service policy, and have the end-user install it. The Java package from Oracle automatically overwrites the old version. Do note that the updated plug-in may not take full effect until Safari is quit and relaunched (this applies to Flash Player as well).