02: Use Group Policy to dictate which version of Java for what website

Configure websites to use the version of Java you choose, or block Java websites entirely – this demo uses Group Policy. Making a Java Deployment Rule Set for your Enterprise has never been easier or more flexible.

PolicyPak Java Rules Manager: Use Group Policy to dictate which version of Java for what website

Hi, this is Whitney with PolicyPak Software. In this video, we’re going to look at tackling the Java problem. Well, one of them anyway.

How many of you have had a situation where you’d really like to run the latest version of Java on all your endpoints but you have, say, old and crusty TimecardApp.com that just has to use an older version? So you’re stuck with a decision of, do you run for security or do you run for compatibility? What if you could do both? That’s what we’re going to look at today with the PolicyPak Java Rules Manager here.

Let me just show you that I actually have several versions of Java already installed on my machine here. Let’s check this out. We have “Java 7 Update 51,” “Java 8 Update 25,” “Java 8 Update 171” and “Java 6 Update 24.”

But if I go to a Java tester just to find out “Do I have Java?” and “Verify Java version, “Yes,” let’s tell it to run, there we go. It’s showing me that I am running Java “8 Update 171.” It’s the latest version and the recommended version because it has the most security. But what if you’re stuck in a situation where you really need to run the old version for TimecardApp.com? Well, we’re going to look at how you can do both.

Let’s go on over to my management station here. Let’s “Create a GPO in this domain, and link it here” and get this handled. We’ll call it “JRM Demo.” Let’s “Edit” this bad boy. We’re going to go over here on the computer side. Java Rules Manager is one of two of our components that is required to be run on a per computer basis.

Let’s hop over here to the Java Rules Manager, and I’m going to select “ADD NEW POLICY.” What I want is I’m going to map specific versions of Java to those specific websites. JavaTester.org was one of the tabs I had open as well as Java.com. Right now, I want to map, let’s say, “8 25 to Java.com.” The “Policy Name” is kind of irrelevant. That’s just so I can remember what’s going on.

I want to do Java.com. Actually, let me just make sure I get this exactly right: “https://www.java.com.” There we go. The “Permission” being “Default,” I don’t actually want that because I would actually want to map that 8 25 to my Java.com. So I’m going to choose “Java 8,” “Update 25.” There we go. And I want to use that “Exact” match. Please note that you do have to have this version of Java on the endpoint. It doesn’t install any versions of Java. It just uses what’s available there. So tell that “OK.”

The next thing I want to do is “ADD NEW POLICY” and I’m going to map “7 51 to Javatester.org.” Once again, let me just double check and make sure I’m going to get this exactly right: “https://javatester.org.” I’m going to choose “Run.” I want “Java 7,” “Update 51,” “OK.”

There we have it. All I need to do now is close this down and close this too. Let’s just run a GP Update (“gpupdate”), and we’ll see the results in just a minute. All right, let’s go check out what we’ve done.

Let me open up Internet Explorer again, and let’s hop over here to “java.com.” “Do I have Java?” We’re going to “Verify Java version.” What it will show us is that it’s running version 8 25 instead of falling upward to the 8 171 because we mapped that particular version to this website. There we go: Java “Version 8 Update 25” just like we said.

Now let’s hop over here to this other website that we looked at and let’s “Test the version of Java used in this browser.” We mapped Java version 7 51 to this particular website, so once it renders here we’ll see what we’ve mapped. There we have it: Java version “7,” “51” just like we told it to.

Now every other website that uses Java if it doesn’t have a map, it will fall upward and it will use the most secure version. But if you have a situation where TimecardApp.com needs to run a particular version of Java, then you can absolutely make the maps that you need to.

One other thing I’d like to show you, if we come back over here, let’s use an existing policy. What I want to do is instead of “Run,” I want to actively “Block” it. So “java.com” will not get Java anymore. I’m going to call it “Block Java.com.” The “Block Message” is “No Java for you!” I’ll tell it “OK.”

Once again, we’ll just run a quick GP Update (“gpupdate”). Actually, I’m going to close this out first. There we go. We’ll run a quick GP Update (“gpupdate”) and watch the block in action. All right, we’ve updated successfully.

Let’s go open up Internet Explorer one more time. Let’s go check out “java.com” here. “Do I have Java?” Watch it be blocked. There we go: “Application Blocked by Deployment Rule Set” just like we wanted it to be. “No Java for you!”

So there we were able to map two different versions of Java to two different websites and then have them run on the same browser at the same time. And we also were able to block Java completely if that’s the desired effect.

If that’s interesting to you, let us know. We’ll get you on a webinar, and then we’ll hand over the bits and get you started on a trial right away.


  • 632
  • 11-Nov-2019