Centralized management of Java Exception Site List – Simple version

Recently we’ve started to update Java in our environment to version 7.1 update 67 but then we realized that there is a “little” issue with this update – Java plugin won’t run unsigned applets anymore. Instead it displays the message “Application blocked by security settings” and you can’t do anything to bypass it.

Of course the best method would be to get working, digitally signed applet version, but unfortunately – in most cases it not up to us.

Second way, which I followed – is to create a centralized Exception Site List for all Java installed clients. And this seems to be working just fine. Only problem here is that users won’t be able to add any permanent exceptions on their own anymore.

2015-01-07 09_41_03-sneu0223 - Remote Desktop Connection

So, our goal here is to create single exceptions list which is deployed to all computers with Java installed.

There are two options to achieve it:

  • Deployment per user: File exception.sites has to be copied to the profile directory of each user located under:
    Windows XP – ‘%APPDATA%\Sun\Java\Deployment\security’
    Windows 7 – ‘%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\security’
  • Deployment for all users: File ‘exception.sites’ has to be defined by declaring its path in the ‘%windir%\Sun\Java\Deployment\deployment.properties’. Example: deployment.user.security.exception.sites=C:/Windows/Sun/Java/Deployment/exception.sites

We gonna deploy exception.sites to each user using Group Policies. First of all we have to create a WMI filter so we can apply policy only to computers with Java 7 installed.

Step 1: Open up Group Policy Management Console and go to WMI Filters, right click, create a new one, type in a name and following query:

Be aware of that this query points only to Java 7 installation on default system drive C. If any of these differs in your environment, adjust this query to make it work.2015-01-07 10_09_02-sneu0223 - Remote Desktop Connection

Step 2: Open up Sysvol fileshare for your domain: \\contoso.com\sysvol\contoso.com (replace contoso.com with your domain name) and create new directory called for example “JavaPolicy”. Inside this directory create new file named exception.sites – this file will contain your domain-wide exceptions. Here’s sample content:

2015-01-07 10_12_20-sneu0223 - Remote Desktop Connection

As you can see above – one URL address per line. As simple as that.

Step 3: In GPMC create new group policy linked to selected OU (might be just under the domain so it applies to all OUs) and set it’s WMI Filtering to use filter created in Step 1.

2015-01-07 10_15_19-sneu0223 - Remote Desktop Connection

Step 4: Now when our new policy applies to all computers with Java 7 installed, we have to make sure our exception.sites file is copied to all userprofiles on that PCs. Edit your policy and go to the following setting:

User -> Configuration -> Preferences ->Windows Settings -> Files -> Create new file

2015-01-07 10_42_42-sneu0223 - Remote Desktop Connection

 

  • Action: Replace (we want to make sure file is being updated every time, if we would select “Update” option it will only update attributes of the file, not contents which is actually more important for us).
  • Source files(s): \\contoso.com\sysvol\contoso.com\JavaPolicy\exception.sites (Path to file we created in Step 2)
  • Destination File: %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\security\exception.sites
  • Common Tab -> Mark “Run in logged-on users’s security context (user policy option)

Click OK to save the policy. At the end your policy should look like that:

2015-01-07 10_47_28-sneu0223 - Remote Desktop Connection

Step 5: Run gpupdate /force on any computer, log off, log on and then open up Control Panel -> java and check if exceptions from your centrally managed file appeared.

I hope this article will help you managing Java in domain environment! 😉 If you need details on deploying exceptions file for All Users profile (second method) – please leave a comment, I’ll try to describe that in spare time.

07.05.2015 Update!  Since there’s already version 8 of java I tried to use same policy for both – java 7 and 8 at the same time – and it works just fine! One thing I had to do it is change WMI filter – you can either change (Step1) jre7 to jre8 or just like I did – remove jre7 and stick to Program Files\Java … therefore policy will apply to all versions of java. 

8 thoughts on “Centralized management of Java Exception Site List – Simple version

Leave a Reply