disable "Automatically update safe downloads list" via script

Question

Level 1

5 points

disable "Automatically update safe downloads list" via script

With XProtect, it has been causing us like many others a lot of heart ache with java based apps that only support 6 like Oracle. We manage our systems not Apple so I would like to script disabling XProtect by unchecking the box in Securiyt & Privacy Advanced page for "Automatically update safe downloads list". I have been searching for a while now for the plist or other file necessary to modify to disable this via a scirpt and have had no success.

Has anyone out there been able to script this change so we can deploy to our Macs and not have to do it one at a time for 1000+ macs?

Any help will be much appreciated.

Posted on Apr 26, 2013 10:29 AM

Reply

Answer 1

jbNco Author

Level 1

5 points

Apr 26, 2013 2:15 PM in response to jbNco

FYI...the file is is located at /private/var/db/launchd.db/com.apple.launchd/overrides.plist

There needs to be an entry in there:

<key>com.apple.xprotectupdater</key>

<dict>

<key>Disabled</key>

<true/>

</dict>

I will post a script that will complete disable XProtect and modify the XProtect.meta.plist file when I have it done.

Reply

Answer 2

Apr 26, 2013 2:27 PM in response to jbNco

The Mac Enterprise Mailing list has had some discussions related to client management and dealing with Xprotect; check the mailing list archives. In particular, see the Java allow/block feature in latest Safari update thread from earlier this month. Also see several threads from February, including the Installing Java 6 on 10.8.2 thread for getting Java 6 on 10.8, and XProtect replacement 'YProtect' and XProtect Packager utility threads.

FWIW, the most recent round of Oracle Java protection mechanisms and Safari updates can whitelist sites.

AFAIK, Java 6 was deprecated by Oracle.

I would not encourage disabling Xprotect entirely as that controls/blocks/protects more than just Java, but that's obviously your call. I'd look to finesse the Java requirements, and leave Xprotect otherwise enabled.

Reply

Answer 3

jbNco Author

Level 1

5 points

May 8, 2013 7:11 AM in response to jbNco

Thanks MrHoffman...The reason I want to disable it is becuase Apple is forcibly blocking Java which is not very Enterprise frendly. We have applications that require certain version of Java and has caused many headache in our environment. I didn't totally diable XProtect. I just updated the XProtect.meta.plist to allow our supported version of Java a newer and disabled the autodownload of the updated XProtect file.

For those of you that would like to be able to block XProtect files from from updating automatically, I have two scripts for you. The first one is for a silent deployment using an Enterprise Desktop Management System. The second is a user friendly script (user needs to have elevated rights and we have a method to elevate our users to admin for a short time) that captures their password from a terminal window and sets all the correct settings. Hope this helps some people with the heart ache.

First Script - silent push

#!/bin/bash

#Variables

buddy=/usr/libexec/PlistBuddy

xprotect=/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProte ct.meta.plist

override=/var/db/launchd.db/com.apple.launchd/overrides

overrideplist=/var/db/launchd.db/com.apple.launchd/overrides.plist

xProtect_disable(){

$buddy -c "set :JavaWebComponentVersionMinimum 1.6.0_36-b06-435" $xprotect

$buddy -c "set :PlugInBlacklist:10:com.oracle.java.JavaAppletPlugin:MinimumPlugInBundleVersion 1.7.12.22" $xprotect

$buddy -c "set :LastModification Fri, 26 Apr 2016 00:34:40 GMT" $xprotect

$buddy -c "set :Version 1000000" $xprotect

overrideExist=`defaults read $override | grep xprotectupdater`

if [[ $overrideExist ]]; then

$buddy -c "set :com.apple.xprotectupdater:Disabled true" $overrideplist

else

$buddy -c "add :com.apple.xprotectupdater:Disabled bool true" $overrideplist

fi

launchctl unload /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

sleep 5

launchctl load /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

}

xProtect_disable

# End of Script

Second script - user interative

#!/bin/bash

#Variables

buddy=/usr/libexec/PlistBuddy

xprotect=/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProte ct.meta.plist

override=/var/db/launchd.db/com.apple.launchd/overrides

overrideplist=/var/db/launchd.db/com.apple.launchd/overrides.plist

xProtect_disable(){

echo $netpass | sudo -S ls /Users

errorReturn=$?

if [[ "$errorReturn" -ne "0" ]]; then

osascript -e 'tell application "Finder"' -e 'activate' -e 'with timeout of 2 seconds' -e 'display dialog "There was an issue fixing Java on this system." & return & return & "This is probably related to an incorrect password." & return & return & "Ensure you have admin rights, re-run the command, and verify you are entering the password you log into the Mac with at logon" buttons ["OK"] default button 1 with title "Java Fix" with icon caution' -e 'end timeout' -e 'end tell'

exit 1

fi

echo $netpass | sudo -S $buddy -c "set :JavaWebComponentVersionMinimum 1.6.0_36-b06-435" $xprotect

echo $netpass | sudo -S $buddy -c "set :PlugInBlacklist:10:com.oracle.java.JavaAppletPlugin:MinimumPlugInBundleVersion 1.7.12.22" $xprotect

echo $netpass | sudo -S $buddy -c "set :LastModification Fri, 26 Apr 2016 00:34:40 GMT" $xprotect

echo $netpass | sudo -S $buddy -c "set :Version 1000000" $xprotect

clear

echo "YOU WILL SEE SEVERAL PASSWORD PROMPTS."

echo "PLEASE DON'T ENTER ANYTHING ELSE."

echo "THIS WINDOW WILL CLOSE WHEN DONE."

overrideExist=`echo $netpass | sudo -S defaults read $override | grep xprotectupdater`

clear

if [[ $overrideExist ]]; then

echo $netpass | sudo -S $buddy -c "set :com.apple.xprotectupdater:Disabled true" $overrideplist

else

echo $netpass | sudo -S $buddy -c "add :com.apple.xprotectupdater:Disabled bool true" $overrideplist

fi

echo $netpass | sudo -S launchctl unload /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

clear

sleep 5

echo $netpass | sudo -S launchctl load /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

clear

osascript -e 'tell application "Finder"' -e 'activate' -e 'with timeout of 2 seconds' -e 'display dialog "Java has been fixed on this Computer." & return & return & "Ensure you are running at least Java 6 Upade 37 or Java 7 Update 13 to continue." buttons ["OK"] default button 1 with title "Java Fix" with icon caution' -e 'end timeout' -e 'end tell'

}

echo "Please enter network password"

echo -n "Network Password: "

read -s netpass

echo "Please verify your network password"

echo -n "Network Password: "

read -s netpass2

while [[ "$netpass" != "$netpass2" ]]; do

clear

echo "The passwords entered do not match"

echo "Please reenter your network password"

echo -n "Network Password: "

read -s netpass

echo "Please verify your network password"

echo -n "Network Password: "

read -s netpass2

done

clear

echo "YOU WILL SEE SEVERAL PASSWORD PROMPTS."

echo "PLEASE DON'T ENTER ANYTHING ELSE."

echo "THIS WINDOW WILL CLOSE WHEN DONE."

xProtect_disable

exit 0

Reply