Java’s quarterly release for July 19, 2016 (Java 8 update 101) contains fixes for security vulnerabilities. Admins are advised to apply this critical patch to systems as soon as possible to protect against potential attacks. Here’s a quick guide to silently install Java 8 and then manage Java settings for added security and control. Below is a video tutorial on these steps.
Silently Install Java 8
In PDQ Deploy you have a couple options to silently install Java 8. You can use the Package Library which has a Java 8 deployment package that is ready to import and silently install across your network. (PDQ Deploy trial users have access to up to three free package imports from the Package Library during their trial.) Alternatively, you can build your own package using the free version of PDQ Deploy.
little lot biased and do recommend using the Java 8 package available in the Package Library. This deployment package contains additional steps that ensure your deployment will be successful such as uninstalling past versions of Java and exiting programs that can cause deployments to fail.
Bonus, the work building the package is already done…so why not use what’s already there?
- Import your package Navigate to the Package Library and select Java 8 Update 101 64 or 32-bit (depending on what machines you are deploying to). Click “Import” to begin downloading your package.
- Send your deployment to target computers Your import can be found (by default) in the left tree under the Packages folder. Highlight the Java Package and click “Deploy”. From there you’ll be able to select target computers from AD, Spiceworks, or PDQ Inventory. Click deploy and you’re done!
Building Your Own Deployment Package
- Download the offline version of Java. Online versions are smaller in size and will not silently install successfully.
- Extract the Java MSI. You will want the Java MSI over the EXE because MSIs have already defined silent parameters, which you must have for a successful deployment. If you don’t have silent parameters you could see error messages, have failed deployments or worse.
- Now you’re ready to build your deployment package. Add the Java MSI to the Install File line, and be sure to select Include Entire Directory. Then you’ll want to add the following parameters on the parameters line to disable auto updates and machine reboots:
JU=0 JAVAUPDATE=0 AUTOUPDATECHECK=0 RebootYesNo=No
Manage Java Settings
Now that you have that deployed…it’s time to manage Java settings.
- Create a new GPO for managing Java settings in your Group Policy editor.
- In your Group Policy Management Editor, right click and select the Oracle Java pak. (Refer to this video to learn how to set up PolicyPak and add your Java “pak”.
- Double-click on your newly added Java pak to start managing. You’ll see several tabs of options for settings in Java. Here are a few suggested settings to look at:
- Update Uncheck “Check for Updates Automatically”. Having this checked means you can decide when Java gets updated and can deploy patches on your terms and not leave it to Oracle (or your user) to decide.
- Security Select “Very High” from the Security Level dropdown.
- Exception Site List You can set MODE=REPLACE to override any site list settings or you can set MODE=MERGE to add site to possibly existing site lists.
With your settings you can (and probably should for utmost protection against users tampering with your settings) right click and select “Perform ACL Lockdown”.