Manage Java Control Panel Applet and the Java JRE using Group Policy
Ah, Java. You love it, you hate it.
You know you need it, but don't know how you can manage it for all the computers in your enterprise.
Thank goodness for PolicyPak.
PolicyPak has a pre-configured pak for Java JRE which makes configuring the Java client on your desktops super duper easy.
You want to prevent it updating on a collection of users? Bam! Done.
Need to set security options for one group of users different than another group (users vs. developers)? That's Cake!
Check out this video to see how it's done:
There's simply no way to manage Java in the controlled way your enterprise needs.
UPDATE January 2013
The Department of Homeland Security recommends that you disable Java until a fix can be found. How will you do this (for Java or your other critical desktop applications)? With PolicyPak, this becomes super easy. See this video to see how it’s done (specifically for Java).
How to Manage the security slider in Java 7:
Our PolicyPak software snaps in to the Group Policy Editor and mimics the user interface of the Java Applet itself. You can set key settings (like disabling Java from updating), like what is seen here:
You can ensure that the Java Console doesn't start, like what is seen here:
Or ensure your users don't download the JRE / Auto-Download, like what's seen here:
Right now, you've got sand through your fingers – everyone is on their own and you've got no way to manage them correctly. With PolicyPak, you've got the problem bottled up, and you're in charge.
Besides, once you're using PolicyPak to manage Java JRE, you'll also get to manage all your other enterprise desktop applications the same way: Flash, WinZip, Firefox, and any custom applications you have. They're 100% included – absolutely free.
It's all included when you're a PolicyPak Professional customer.
PolicyPak was designed by Group Policy MVP Jeremy Moskowitz – who "wrote the book" on Group Policy, runs GPanswers.com, and lives and breathes Group Policy and enterprise software deployments and desktop lockdown.
When you're ready to get serious about managing the Java applet and the JRE today, PolicyPak is ready for you. Unless you want your users to continue to see this.
Manage Java JRE with Group Policy Video Transcript
Hi, everyone. This is Jeremy Moskowitz, Group Policy MVP and Founder of PolicyPak Software. In this video, I’m going to show you how to manage Java using PolicyPak.
Here in my little demo station here I’ve got a “Win7Computer” and he’s running “Java 6,” and I’ve got a “Win8Computer” station and he’s running “Java” “Version 7.” The point here actually is that it doesn’t matter what version of Java you run, old or new or yet to be created, PolicyPak is going to be able to manage, control it and lock it down.
Let’s talk about some of the settings that are pretty important here. There are some not so important settings like “Debugging.” I’m just a regular user here. I’m logged on as a guy called “eastsalesuser4,” but you probably don’t want users clicking on these three checkmarks and clicking “OK.” That’s just not OK, and it doesn’t make any sense. They really shouldn’t have any access to these debugging items.
The same thing with the “Java console.” You probably want to “Hide console,” but how are you going to do that and deploy that to all of your machines? That’s what PolicyPak is going to do. Let’s go down to “JRE Auto-Download.” The default is to “Always Auto-Download.” I’m guessing you want to make it “Never Auto-Download” and also ensure that users can’t work around the settings. That’s what we’re going to accomplish here. There are a lot of other settings here in terms of “SSL” and “TLS” and things like that. You’re welcome to play with these on your own, but those are the ones that I’m going to go through in my examples.
Just to prove a point here in the slightly older version of Java, it’s kind of the same thing. You’ve got the same basic bells and whistles here, same general concerns, same security holes and same thing for me here. I’m just a guy, “eastsalesuser4,” on my Windows 7 machine, and you wouldn’t want me to check these checkmarks and do these things. You don’t want to leave this up to the user. You are in charge, so make sure you are in charge.
Long story short, let me go ahead and click “OK” here. Let’s go over to my management station, and I’m going to use Group Policy to deploy the directive. Let me go over to my “East Sales Desktops.” I will “Create a GPO in this domain, and Link it here…” and I’ll call this “Manage and Lock Down Java.”
I’ll right click. I’ll click “Edit…” here. Under “Computer Configuration,” under “PolicyPak/Applications/New/Application,” I’ll pick “PolicyPak for Java Control Panel (Windows 7).” There are a lot of other applications that PolicyPak has preconfigured Paks for – over 50 – but some of my favorites are here like “Adobe Reader X,” “Adobe Reader XI,” “Flash,” “Lync,” “Firefox,” “Thunderbird” and, of course, the good old “WinZip.” There are more than 50 preconfigured Paks ready to rock for you on the PolicyPak website.
Let me go ahead and click on the “Java Control Panel” applet here. You can see here we look pretty much like Java. The first thing I want to do is I want to head over to that “Advanced” button. You saw that I checked these as a user, these “Debugging” guys. I want to deliver uncheck, so if they are checked by default, I want to make sure I can uncheck them. I want to do more than just uncheck them. I actually also want to "Lockdown this setting using the system-wide config file." I’ll go ahead and lockdown all those three guys so users can’t work around those.
For this “Java console,” of course we want to “Do not start console” and once again "Lockdown this setting using the system-wide config file." I’ll go over to “Advanced 2” and I will also “Never Auto-Download” the “JRE Auto-Download.” Once again while I’m here, I will perform the "Lockdown this setting using the system-wide config file."
That’s it. I’m locked and loaded. Let’s go over to my target machines here. Let me go ahead and run a good old “gpupdate” on each of these machines. Again in these examples, I happen to be using Group Policy to deliver the PolicyPak directives, but you don’t have to. You could be using SCCM or LANDesk or KACE or your own systems management utility. It doesn’t matter. I just happen to be using Group Policy in these examples.
Let me go ahead and close this out. I’ll go ahead and close this out, and now I’m ready to run “Java.” Let’s go ahead and run it on my first machine here. Let’s go over to “Advanced,” go over to “Debugging” and remember those things were checked. Now I’ve delivered uncheck and also grayed it out and locked it down so a user can’t work around the setting.
If I go to “Java console,” it was set to “Show console.” It has now been delivered to “Do not start console,” and once again it’s locked down. My regular user who is not running with admin rights can’t work around that setting. If I go over to the “JRE Auto-Download,” once again I can make it “Never Auto-Download,” and you can see I’ve grayed it out so the user can’t work around the setting.
Let’s just make sure it all took effect on my “Win8Computer,” which happens to be running a slightly newer version of Java here. Sure enough, you can see all those checkmarks are checked just the way we expect. “Java console” is grayed out and set to “Do not start console.” Lastly, “JRE Auto-Download” is set to “Never Auto-Download.”
There you go. PolicyPak is doing exactly what it’s supposed to do: delivering settings, performing lockdown and doing exactly what you need to make your world more secure. If you’re looking to get more information on PolicyPak and also a free trial, go ahead and click on the “Webinar/Download” button on the right, and we’ll get you started as soon as we see you there.
Thanks so much, and we’ll talk to you soon.
PolicyPak: Turn off Java immediately on all machines
Hi, everyone. This is Jeremy Moskowitz, Group Policy MVP and Founder of PolicyPak Software. In this video, I’m going to show you how to very quickly disable Java on all of your machines if there’s an outbreak or something you need to correct for.
As of right now, there’s an exploit out there. This can happen for any number of applications. In this particular example, I’m going to deal with Java. There have been exploits like this for Acrobat and other types of applications. If you are a PolicyPak customer, you have the fire extinguisher for when the next problem occurs. This video is going to show you exactly how you would fix that if you were a PolicyPak customer.
With that in mind, let’s make sure I actually have Java running. What I’m going to do is go to the “Control Panel” on this example machine and go to “java” here. Let’s go ahead and go to the “Java” tab and click “View….” You’ll see here I’ve actually gone the extra mile. I’ve actually got Java “1.6” and “1.7” installed, and you can see that right here. What happens if you’ve got two versions of Java installed? What are you going to do then? Let’s correct all these problems all in one shot by delivering the setting that will un-“Enable” Java here.
Let’s really make sure it’s really working and I’m not pulling a fast one on you. What I’m going to do is I’m going to go to “Internet Explorer” first and I’m going to run “java test.” Let’s just see if Java is functioning properly in the two main browsers here. Here’s “java test.” “How do I test whether Java is working on my computer?” This is the kind of prompt a user would get. They would click run, and sure enough, Java is working.
Let’s go to “Firefox,” and we will also do “java test.” Let’s see. Is it working here? Yes. You can see, Java is in fact registering and working. You can see it’s listing the Java version right there, and it’s listing the Java version right there.
If you are a PolicyPak customer, it’s very simple. Let’s go over to our management station. Here on my management station, I’ve got all my “PreConfigured PolicyPaks.” PolicyPak ships with over 50 preconfigured Paks for popular applications like Flash, Firefox, Acrobat Reader, FileZilla, Office, Lync – all sorts of applications that if a vulnerability occurs and a manufacturer makes a suggestion for what to flip on or off, you can deliver and enforce and remediate that setting using PolicyPak.
I’ve already gone through the motions and copied in the right file to the right place here. What I’m going to do is I’m going to do this for my entire domain. For my entire domain, I’m going to “Stop Java Everywhere.” I’m going to right click over and click “Edit…” here. Under computer side “PolicyPak/Applications/New/Application,” here are just some of the Paks that I’ve slid in in advance. I’ve got “Adobe Reader,” “Flash,” “Chrome,” “Firefox” and here’s “Java.” These are some of the applications that you could control.
Here’s “Java,” and we’ll go ahead and pick the latest, greatest version here. Now that we’re here, this looks exactly like the Java application itself, the knobs and the switches and such. What you’re going to want to do here is go to the “Miscellaneous” tab here.
The way that this happens to work is that based on the order that you installed each of your Javas in – for instance, if you did Java 6 first and Java 7 second – you’d be able to enable or disable each of these guys. What we want to do here is deliver uncheck, and therefore we’re going to disable both “Java 0” and “Java 1,” which is both of those Java versions.
Now while we’re here, let’s go into some other settings here. I want to, for instance, also while I’m here disable “Shortcut Creation” and also “Lockdown this setting using the system-wide config file” so users can’t work around it. I’ll also do the same thing for the “Java Console.” I will make sure that users can’t start the Java Console. I’m just doing those extra settings for fun.
All we’re going to do next is wait for Group Policy to update. We’ll use “gpupdate” in order to do that here. Now that we’re done, let’s first go over to “java” here and let’s see what occurred. Let’s go over to “Advanced,” and you can see here those settings that I specifically set to “Never allow” and “Do not start console,” plus I locked down those features so users can’t work around it.
Let’s also go over to the “Java” tab and go to “View…,” and you can see here that both of those checkmarks are now disabled. If we were to try to rerun Internet Explorer and we were to go to “java test” – we’ll run it here – you’ll get nothing, which is exactly what you need during this emergency situation. If we go over to “Firefox” and we do the same thing and we run “java test,” you can see once again Java is disabled during this emergency situation. How would you re-enable it? You’ve got PolicyPak.
Just to put a fine point on it, like I said, PolicyPak ships with tons of preconfigured Paks for all sorts of situations. This is not the first time, and certainly not the last time, a vendor will suggest – or in this case, the Department of Homeland Security suggests – that you disable an application or a particular checkbox which would involve some kind of threat vector.
With that in mind, I hope this gives you some insight on how you can immediately fix your problem as the problem is being addressed by the vendor, which can sometimes take days, weeks or sometimes months.
Thank you very much for watching. If you’re looking to get a demo of PolicyPak, come on over and we’ll show you what it’s all about. Click on the Webinar/Download button on the right in the PolicyPak.com website.
Thanks so much, and we’ll talk to you soon.
PolicyPak: Manage Java (more!) using PolicyPak video transcript
Hi, everyone. This is Jeremy Moskowitz, Group Policy MVP and Founder of PolicyPak Software. We’ve been getting some questions about how to manipulate and manage Java with all the nonsense that came out in January 2013. One of the things that we got asked about is, how do we manage this “Security” slider and also lock it down so users can’t work around it?
As you can see, I’m logged on here as a guy called “westsalesuser4.” Of course, what you don’t want to do is let your users reduce their own security. That would not be good, so don’t let them do that. You may also want to update or change this checkmark here. In fact, if you were to do this with admin rights and you click “Apply,” you would see that the user is prompted for admin credentials – not good.
What you’re looking for is a way to manipulate and manage this setting without the use of admin rights, and PolicyPak can deliver the setting regardless of the status of the user. If I do give some admin rights here, you can see what happens. It will gray this out. That’s all well and good, but then again a user would need admin rights in order to deal with this. That’s very cumbersome and not very popular.
Instead, what we’re going to do is we’re going to use PolicyPak to manage these settings and ensure that this stuff is delivered the way you want – maybe “Very High” security – and also locked down so users can’t work around it. Let’s go ahead and do that now.
I’ve already got the preconfigured Pak for Java ready to rock on my management station. I’m going to “Manage Java using PolicyPak.” We’ve got some other videos on the website for you to check out to do some other tricks with Java and PolicyPak, but this is an update video here.
You can do this either on the “User” side or the “Computer” side. We’ll go to “New/Application” and we’ll just go ahead and pick “PolicyPak for Java Control Panel (Windows 7)” here. Now you can see I’ve got some other cool Paks here like “Adobe Reader” and “Firefox” and “WinZip.” There are over 50 other preconfigured Paks, but we’re dealing with Java right now.
When we click it, what I want to help you go to is this “Security Main.” I have a tab here called “Security Main.” We don’t have a slider for that, but what we do have is a drop down. You can see that we’ve set “High,” “Medium,” “Low” and “Very High.” When you click on something in PolicyPak when it underlines, underline means we’re going to deliver that setting. Let’s just do nothing else. Let’s just deliver that setting just like that.
Just to prove we’re not pulling a fast one on you here, if I show you here, you can see it’s currently set to “Medium” as regular user. What I’m going to do is run “gpupdate” here, get the latest, greatest Group Policy settings. Now I happen to be using Group Policy for this. You don’t have to. You can, if you want to, use SCCM or LANDesk or KACE or Intune or any other technology to deploy your settings using PolicyPak. I just happen to be using Group Policy.
When I click on “Java” here and I go back to “Security,” it’s set to “Very High.” That’s fantastic, but still a user could work around the setting and just click “Apply.” That’s not something you want your users to be able to do. However, one of PolicyPak’s superpowers is that just by default even if they’re offline PolicyPak will continuously reiterate those settings. Even if the computer is offline or in a basement or a submarine or something, those settings are always remediated and ensured.
But actually, we’re going to go the extra mile. We’re going to lock this puppy down and make sure that users can’t work around it. I’ll leave it at “Very High” just to prove a point here. What the heck? I’ll go to “Medium” and we’ll do two birds with one stone. I’ll go ahead and click “OK” here.
I’ll go back. Let’s go back to the “Group Policy Management Editor” here and go back to that “Security Main” tab. What we want to do here is we want to right click and “Lockdown this setting using the system-wide config file.” By doing this setting, what I’m doing is I’m delivering another change to Java which will lock that whole slider down so users can’t work around it.
Now that that’s done, let’s click back on “Java” here, go back to “Security” and there you go. It’s set to “Very High,” and users can’t work around it. You may also come up with a situation where you want to uncheck this checkbox, the “Enable Java Content in the browser.” But if you tell your users to do it, they’re going to get prompted with “User Account Control” credentials – not what you want to do. Instead here, it says “Only disabled for this user.” You want to disable it for everybody.
To be on the super clear side to make sure everybody gets this, we’re going to use Group Policy and PolicyPak to do it. Just to prove a point here, it’s now currently set. Let’s uncheck it and also lock this setting out so the user cannot work around it to enable it or disable it and don’t get the UAC prompt. Let’s go ahead and do that together.
We’ll go back here to PolicyPak. We’ll go click on the “Security Main.” We’ll uncheck this checkbox to “Enable Java Content in the browser.” What we’ll also do, we’ll right click this guy and “Lockdown this setting using the system-wide config file.” By doing that, the next time we run “gpupdate” on the client system, we’re getting the latest, greatest settings using Group Policy to deliver this, which will react for all users on the system, not just this one particular user.
We’ll wait until this is finished, go ahead and rerun “Java,” and when we do this – click on “Security” – you can see that it’s disabled. It says “Only disabled for this user,” but it’s not. It’s actually disabled for every user, and I can prove that by logging off and logging on as, say, a new user, a guy that’s never logged on before. Let’s go ahead and do that now.
I’m logged on as a guy called “westsalesuser4.” Let me go ahead and “Log off” here, and I’m going to log on as a new guy called “westsalesuser3.” Give it a second to log on. Okay, now that we’re all logged on, we’re now “westsalesuser3.” Let’s go over to “Control Panel.” We’ll type in “java” here. We’ll go over to “Java,” take a look at “Security” and you can see that it is in fact set to uncheckable for that user and also the security is maintained at “Very High.”
I hope this helps you out. We have tons of preconfigured Paks for lots of applications. The next time a big security fire hits if you are a PolicyPak customer, you’ve got this enormous arsenal to help remediate and deliver and enforce settings just like you saw it here in the “Java Control Panel” applet.
Thanks so much. Talk to you soon.
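As an added example (not PolicyPak's code and not part of the transcripts), here is a PowerShell check an administrator could run on a client to confirm that the settings delivered in the videos are present and locked. It assumes the "system-wide config file" is Java's system-level deployment.properties, where a `<key>.locked` entry stops users from changing that key; the key names are Oracle's deployment properties, while their mapping to the applet's checkboxes and the sample file contents are assumptions constructed for illustration.

```powershell
# Added example: audit a Java system-wide deployment.properties file.
# Assumption: key names are Oracle's documented deployment properties; their
# mapping to the Control Panel checkboxes shown in the videos is assumed.
$Expected = [ordered]@{
    'deployment.console.startup.mode' = 'DISABLE'    # "Do not start console"
    'deployment.javaws.autodownload'  = 'NEVER'      # "Never Auto-Download"
    'deployment.security.level'       = 'VERY_HIGH'  # Security level "Very High"
    'deployment.webjava.enabled'      = 'false'      # Java content in browser off
    'deployment.trace'                = 'false'      # Debugging: tracing off
    'deployment.log'                  = 'false'      # Debugging: logging off
}

# Minimal key=value parser; skips comments, does not handle escapes or
# line continuations. A bare "name.locked" line is stored with an empty value.
function ConvertFrom-JavaProperties {
    param([string[]]$Lines)
    $props = @{}
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#') -or $t.StartsWith('!')) { continue }
        $i = $t.IndexOf('=')
        if ($i -lt 0) { $props[$t] = '' }
        else { $props[$t.Substring(0, $i).Trim()] = $t.Substring($i + 1).Trim() }
    }
    $props
}

# One result row per expected setting: is the value right, and is it locked?
function Test-JavaLockdown {
    param([string[]]$Lines)
    $props = ConvertFrom-JavaProperties -Lines $Lines
    foreach ($key in $Expected.Keys) {
        $actual = if ($props.ContainsKey($key)) { $props[$key] } else { $null }
        [pscustomobject]@{
            Key      = $key
            Expected = $Expected[$key]
            Actual   = $actual
            ValueOk  = ($actual -eq $Expected[$key])
            Locked   = $props.ContainsKey("$key.locked")
        }
    }
}

# Constructed sample content (not from a real machine): wrong security level,
# an unlocked browser setting, and a missing logging key.
$sample = @'
deployment.console.startup.mode=DISABLE
deployment.console.startup.mode.locked
deployment.javaws.autodownload=NEVER
deployment.javaws.autodownload.locked
deployment.security.level=HIGH
deployment.security.level.locked
deployment.webjava.enabled=false
deployment.trace=false
deployment.trace.locked
'@ -split "`r?`n"

# Show only the settings that are wrong or that a user could still change.
Test-JavaLockdown -Lines $sample |
    Where-Object { -not ($_.ValueOk -and $_.Locked) } | Format-Table -AutoSize
# Real client: Test-JavaLockdown -Lines (Get-Content '<path to deployment.properties>')
```

A setting with the right value but no `.locked` entry is still reported, since a user could change it back between policy refreshes.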