Deploying Sun's Java was already a pain in the ass when they came out with V6 and 7. But with V8 they just shot the bird at an unknown high level :-( My boss told me to create a package for this application with the following requirements:
- Remove any existing Java Installer and Settings
- Install 32bit and 64bit Version
- Easy future deployment by just replacing the MSIs
- Deploy the Exception Sites list with it
- Deploy the Configurations and Settings
- Add the company's own certificate for deep packet inspection
- Remove ugly update messages
Yes, those are the requirements… Now get started.
The first problem you will encounter is that Java has a death trigger, which forces users to install a newer version of Java as soon as a specific timestamp is reached. The second problem you will encounter (the most important one) is that most applets use all the permissions they can get. Because Java does not like such security holes, it runs those applets in a very restricted container that has no connection to the host.
The actual script:
```bat
REM Uninstall every existing Java version (%% is a literal % inside a batch file)
wmic product where "name like 'Java 9%%'" call uninstall /nointeractive
wmic product where "name like 'Java 8%%'" call uninstall /nointeractive
wmic product where "name like 'Java 7%%'" call uninstall /nointeractive
wmic product where "name like 'JavaFX%%'" call uninstall /nointeractive
wmic product where "name like 'Java(TM) 7%%'" call uninstall /nointeractive
wmic product where "name like 'Java(tm) 6%%'" call uninstall /nointeractive
wmic product where "name like 'J2SE Runtime Environment%%'" call uninstall /nointeractive

REM Delete old configuration in the Windows folder and in every user profile
del "C:\WINDOWS\Sun" /Q /S /F
REM The loop variable must be written %%i inside a batch file
for /D %%i in ("C:\Users\*") do del "%%i\AppData\LocalLow\Sun\Java\Deployment\deployment.properties" /Q /S /F
REM Remove existing executables
del "C:\Program Files (x86)\Java" /Q /S /F

REM Set deployment.expiration.check.enabled to false, because otherwise a Java update is needed every month
setx deployment.expiration.check.enabled false /m
javaws -userConfig deployment.expiration.check.enabled false

REM Stop processes that use Java
taskkill.exe /F /IM jqs.exe /IM java.exe /IM javaw.exe /IM javaws.exe

REM Put the deployment config and the properties in the right place
md C:\WINDOWS\Sun
md C:\WINDOWS\Sun\Java
md C:\WINDOWS\Sun\Java\Deployment
copy /y "%~dp0deployment.config" "C:\WINDOWS\Sun\Java\Deployment\deployment.config"
copy /y "%~dp0deployment.properties" "C:\WINDOWS\Sun\Java\Deployment\deployment.properties"
copy /y "%~dp0exception.sites" "C:\WINDOWS\Sun\Java\Deployment\exception.sites"

REM The Java installer itself with some options (64-bit first, then 32-bit)
start /wait msiexec /i "%~dp0jre1.8.0_51x64.msi" /qn
start /wait msiexec /i "%~dp0jre1.8.0_51.msi" /qn

REM Add certificates so that the stupid Java does not answer with a warning
certutil -addstore "AuthRoot" "%~dp0MyCert.cer"

REM Set deployment.expiration.check.enabled to false again after the install
setx deployment.expiration.check.enabled false /m
javaws -userConfig deployment.expiration.check.enabled false

REM Delete the Start menu entries that the installer created
del "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java" /Q /S /F
EXIT /B 0
```
Short explanation of what the script does:
- First I uninstall all Java applications with wmic
- Delete preconfigurations in user space and in the Windows folder
- Remove Existing Executables
- Set Expiration check to false
- Kill all tasks with java
- Create the necessary folder and copy the files
- Start the Installer
- Add your company's certificate
- Set the deployment expiration check to disabled again
- Delete the Start menu icon that got created
This script will work with SCCM and LANDESK (for LANDESK remove the for loop line, because LANDESK can't do loops :-( )
To manage all settings and the exception site list centrally, we created a GPO rule that replaces exception.sites and deployment.properties on all workstations. We changed the permissions on those files so that the local helpdesk can write to them, either to change them or to add a site to the exception list.
Keep in mind that most applications will work per default because of the security settings. The best way (probably the easiest one) is to add them to the exception.sites list.
ATTENTION: The exception.sites file does NOT accept WILDCARDS. If you have a URL with an applet like https://www.jans.li/foo/foo/foofoo/applet.java, then you add https://www.jans.li/ to the exception sites list.
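The two rules above (no wildcards, add the site root instead of the applet URL) can be checked before the helpdesk's edits to exception.sites are distributed by GPO. The following PowerShell is an added example and not part of the original package; the function names and the sample entries are made up for illustration, and it assumes only http/https entries are wanted.

```powershell
# Added example: lint exception.sites entries before the file is pushed out.
# Function names and sample lines are hypothetical, not from the original package.

function ConvertTo-ExceptionSiteEntry {
    param([string]$Url)
    if ($Url.Contains('*')) { throw 'wildcards are not accepted' }
    $uri = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) {
        throw 'not an absolute URL (scheme missing?)'
    }
    if ($uri.Scheme -notin @('http', 'https')) { throw "unexpected scheme '$($uri.Scheme)'" }
    # GetLeftPart(Authority) keeps scheme, host and a non-default port and drops the path
    return $uri.GetLeftPart([UriPartial]::Authority) + '/'
}

function Test-ExceptionSites {
    param([string[]]$Lines)
    $seen = @{}
    foreach ($line in $Lines) {
        $entry = $line.Trim()
        if ($entry -eq '') { continue }
        try {
            $site = ConvertTo-ExceptionSiteEntry -Url $entry
            if ($seen.ContainsKey($site)) {
                $status = 'duplicate'
            } elseif ($site -ne $entry) {
                $status = 'shorten to site root'
            } else {
                $status = 'ok'
            }
            $seen[$site] = $true
        } catch {
            $site = $null
            $status = "rejected: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Line = $entry; Entry = $site; Status = $status }
    }
}

# Constructed sample input; for a real file use: Get-Content .\exception.sites
$sample = @(
    'https://www.jans.li/foo/foo/foofoo/applet.java',
    'https://www.jans.li/',
    'https://*.example.test/',
    'http://intranet.example.test:8080/app/',
    'intranet.example.test'
)
Test-ExceptionSites -Lines $sample | Format-Table -AutoSize
```

Entries with the status "rejected" should be fixed by hand; for the others, the Entry column is the line to keep in the file.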
You can download my full package with all files from here: [https://www.jans.li/files/Java8.zip]. The password is www.jans.li
Hope this helps you. If there is a question that is not answered here, write a mail to [email protected]