07: Manage Java with Java Rules Manager

Open the right browser for the website, then dictate what version of Java to run FOR that website. A combo made in heaven. See how to do it with PolicyPak MDM and your MDM service.

PolicyPak MDM: Manage Java with Java Rules Manager

Hi, this is Whitney with PolicyPak Software. In this video, we’re going to learn how to map a specific version of Java to a specific website. Then we’re going to deploy those directives using an MDM service. In this video, I’ll be using AirWatch, but you can use whichever one you have available, such as Intune or MobileIron.

Here’s the issue. You may have a situation where you’re stuck running an old version of Java because you have to have it for the compatibility for a particular web app but you’d prefer to be using the most recent version of Java because it’s the most secure. Or you may be stuck unable to use some of your applications because you have to run the latest version of Java.

So you may have something going on like what you see here. You may be running “Java 7 Update 51” for compatibility on one machine, whereas you’re running “Java 8 Update 171 (latest version)” for security on a different machine. That’s just not ideal. What if you wanted to be able to run both on the same machine at the same time?

We have the dream scenario. Your “Timecard.com Web App,” whatever that happens to be, could run “Java 7 Update 51” while everything else falls upward to the most recent version, which at the time of the filming was “Java 8 Update 171.”

Let’s go learn how to manage this dream scenario by using PolicyPak Java Rules Manager. Let’s go over to my virtual environment to check this out. Here we are at my virtual environment on my endpoint. To start off with, I just want to point out that I am not domain joined right now. I could be and everything would work the same way, but it’s not a requirement for this particular component. So I am in just a “WORKGROUP” here.

You’re going to see that I am indeed “Connected to AirWatchMDM” service. Once again, you can use whichever one you have. I’m just using AirWatch for this particular video.

Finally, we see that the “PolicyPak Client-Side Extension” and the “PolicyPak MDM Licenses for PolicyPak” have been installed. They were deployed through that AirWatch service and are installed on my endpoint here. That’s very important to know because you have to have those on your machine in order for the directives that you deploy to then be effective.

Let’s look at one other thing right now. I actually have several versions of Java installed on this machine right now. But when I go to websites that use Java, it’s going to fall upward to the most recent one, which in this case is “Java 8 Update 171.”

If I go to “java.com” and I go ask it “Do I have Java?” it will “Verify Java version” for me. It’s going to let me know that I’m running “Version 8 Update 171.” Now I do actually have several versions installed, as you saw, but it’s falling upward to the most recent, most secure variety.

If I go over to “javatester.org” and click “Test the version of Java used in this browser,” it’s actually not going to work. It’s not quite properly signed, and the security settings won’t let it through. So this is actually broken, and it’s not going to work.

What if I wanted Java.com to run Version 8 Update 25 and I wanted JavaTester.org to run Version 7 Update 51? Well, can I do that at the same time? With Java Rules Manager, I sure can. Let’s go over here and learn how to do that.

I’m going to go over to my management station and I’m going to create a “New GPO.” This doesn’t have to be linked to any particular OU. We’re not using Group Policy to push this through, so we just need to create the GPO in the “Group Policy Objects” node there. I’m just going to call it “JRM Settings,” and I’m going to go ahead and “Edit” this.

Now the Java Rules Manager is one of two components that we have here at PolicyPak that can only work on the computer side on a per computer basis. So we’re going to go over here to the “PolicyPak” node under “Computer Configuration.” Let’s go find “Java Rules Manager.”

Now since we’re going to end up exporting these policies so that we can then deploy them, I’m going to start by creating a new collection so that we can export it all at once rather than having to export a bunch of single policies. So let’s “ADD NEW COLLECTION.”

Once inside that “Collection 1,” I’m going to start with “ADD NEW POLICY.” I want “Java.com gets 8 25.” Now there’s no magic here. That’s just the “Policy Name.” The magic happens right here at the “Location.” That’s where you’re going to put the URL that you want to map to a specific version of Java.

Now this has to be matching exactly, so I’m just going to hop back over here and doublecheck. Yes, it’s “https://java.com” so I’ll just go grab that. Now I’m going to give it “Permission” to “Run” Java. But I do want to run, like I said, Java 8 Update 25, very specific version. So I choose “Java 8” and I scroll down to find “Java SE Update 25.” There we go.

Now note that you do have to have that specific version of Java installed on your endpoint in order for this to work. It won’t work if I try to run “Java SE 8 Update 60.” That’s just not on my machine, and so it won’t work. So we’re going to go use that one because we know that’s “Exact.”

I you have a situation where you know a user is running Java 8 but you don’t know exactly which update, you could of course choose “Latest in family” and that way it will just run whatever version of “Java 8” is latest on the machine. So you can do that there. I’m going to choose “Exact” though, and I’m going to tell that “OK.”

I’m going to add one more new policy because we want to have JavaTester.org get Java 7 Update 51. So once again, let me just make sure that I’m going to get this exactly correct. There we go. I’ll “ADD NEW POLICY.” I’m going to call this “JavaTester gets 7 51.” I will go ahead and paste that URL there, and I’m going to tell it to “Run.” I want it to run “Java 7,” “Java SE 7 Update 51” right there. Tell it “OK.”

So now we’ve created a map for two specific websites. We said Java.com is going to get Java 8 Update 25 and JavaTester.org is going to get Java 7 Update 51. That will happen at the same time on the same machine, which is pretty magical.

We’ve created these directives, and now we need to be able to deploy them. I’m going to right click on here, and I’m going to “Export Collection as XML.” I’m going to save it as “JRM Settings.” That’s just going to pop right up on the desktop here. There we go.

Now that we have that XML, we need to use the PolicyPak Exporter Tool in order to wrap that up as an MSI that you can then deploy to your MDM enrolled machines. Let’s go use the “PolicyPak Exporter Tool,” which installs on your management station alongside the admin console MSI. I’m going to choose it right here.

This actually does a few things, but right now what we want to do is “Create a new MSI installer.” I’ll click “Next.” It wants us to add some XML files, so I’m going to “Add Existing Files” and I’m going to choose those “JRM Settings.” It’s going to “Install For” the “Computer” with a “Target” of “All Users.” We’ll choose “Next.”

We can give it a “Product Name” which is what will show up in Uninstall a Program on your Control Panel. We’re going to call it “PPJRM Settings.” You could add the “Manufacturer” or the “Comments” if you want to. We’ll do “Next.” We’re just going to “Save” it as “JRM Settings” and that’s that.

Now what I would need to do is go to my AirWatch console. Once again, I’m using AirWatch. You can use whichever one you’d like. I would need to go, “Login” and upload my MSI so that I could then deploy it. Notice that the “PolicyPak Client-Side Extension” and the “PolicyPak MDM Licenses for *@policypak.com” are already deployed.

Now here I would go ahead and upload and deploy, but it’s going to take a little while. So I’m going to pause the video, and then we’re going to come back when we can get back on my endpoint and see the results of the directives we just deployed. We’ll be right back.

And we’re back. You can see that we got our MSI deployed and installed. It’s right here: “PPJRM Settings.” Now we go to Internet Explorer. I say Internet Explorer because it’s the only browser that still supports Java, so you have to go there.

We’re going to go to “java.com.” We’ll go to “javatester.org.” Let’s see. We said we wanted Java 8 Update 25 to be mapped to Java.com, so let’s see if that worked. Let’s “Verify Java version.” Sure enough. There we are: “Version 8 Update 25,” just like we said. If we go to JavaTester.org and we want to “Test the version of Java used in this browser,” then we’ll give it a second and Java 7 Update 51, just like we said.

Now just to prove a point I want to point out that, again, anything that doesn’t have a route will fall upward to the latest version on the machine. So if I go to a different Java test that’s actually on our PolicyPak website here, I can test this. It’s going to be Java 8 Update 171 because that’s the most recent one on the machine. There we go.

So there you have it. We have worked some Java magic, and we have mapped two separate versions of Java to two separate websites that run at the same time. So we’re running, again, Java 8 Update 25 on one website, we’re using Java 7 Update 51 on another website, and we’re using Java 8 Update 171 on yet a third website. We did that and we deployed it using an MDM solution and made the magic happen.

If that’s interesting to you, get in touch with us and we will get you started on a trial right away.

Thanks for watching, and we’ll see you in the next video.

  • 637
  • 11-Nov-2019