
AlBlue’s Blog

Macs, Modularity and More

Disabling Java in WebKit programmatically

2009, howto, java, mac, security

If you’re a sysadmin and you’re worried about the recent security vulnerabilities in Mac OS X, here’s how you can disable Java in a user’s Safari settings programmatically:

osascript -e 'tell application "Safari" to quit'
sleep 1
defaults write com.apple.Safari WebKitJavaEnabled -bool false

If you want to do this for all users on the machine, do:

defaults write /Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false

Note that Safari may overwrite the setting when it quits, so doing this once Safari isn’t open is a good idea (hence the tell). If you have access to the network share where the user’s preferences are stored, you can also overwrite them directly:

defaults write /home/users/a/alblue/Library/Preferences/com.apple.Safari WebKitJavaEnabled -bool false

It’s also possible to grep the files for the string WebKitJavaEnabled (to see whether the string is mentioned there in the first place) although by default, the .plist will be in the ‘binary xml’ format that Apple loves. If you want to convert to XML, use the following:

plutil -convert xml1 com.apple.Safari.plist
cat com.apple.Safari.plist
<dict>
  <key>WebKitJavaEnabled</key>
  <false/>
</dict>
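
Because a text search misses the key in binary plists, an audit across many home directories is better done with a plist parser. The following is an added example, not from the original post: Python's plistlib reads both binary and XML plists, and the script reports the WebKitJavaEnabled state for every Safari preference file under a homes root. The directory layout, user names and sample files are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

KEY = "WebKitJavaEnabled"
PREF = Path("Library/Preferences/com.apple.Safari.plist")

def java_state(plist_path):
    """Classify one Safari plist: disabled, enabled, unset or unreadable."""
    try:
        with open(plist_path, "rb") as fh:
            prefs = plistlib.load(fh)  # detects binary vs XML from the header
    except (OSError, ValueError, ExpatError):
        return "unreadable"  # corrupt, truncated or permission denied
    if not isinstance(prefs, dict) or KEY not in prefs:
        return "unset"  # key absent: Safari uses its built-in default
    # Only an explicit boolean false counts as disabled; anything else is flagged.
    return "disabled" if prefs[KEY] is False else "enabled"

def audit(homes_root):
    """Map each home directory (relative to homes_root) to its Java state."""
    root = Path(homes_root)
    report = {}
    for plist in sorted(root.rglob(PREF.name)):
        if plist.parts[-3:-1] != PREF.parts[:2]:
            continue  # same file name, but not under Library/Preferences
        home = plist.parents[2].relative_to(root).as_posix()
        report[home] = java_state(plist)
    return report

def demo():
    """Build constructed sample homes (hypothetical users) and audit them."""
    samples = {
        "a/alice": plistlib.dumps({KEY: False}, fmt=plistlib.FMT_BINARY),
        "b/bob": plistlib.dumps({KEY: True}, fmt=plistlib.FMT_XML),
        "c/carol": plistlib.dumps({"ExampleKey": 1}, fmt=plistlib.FMT_BINARY),
        "d/dave": b"not a plist",
    }
    with tempfile.TemporaryDirectory() as root:
        for home, data in samples.items():
            target = Path(root) / home / PREF
            target.parent.mkdir(parents=True)
            target.write_bytes(data)
        return audit(root)

if __name__ == "__main__":
    for home, state in demo().items():
        print(f"{home}: {state}")
```

A home with no Safari plist at all does not appear in the report, so compare the result against the list of accounts you expect.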

Lastly, if you’ve got a directory-controlled way of setting preferences (such as Workgroup Manager) then you can set a policy to disable it directly. dscl is your friend here; you can import MCX records. Dump this as a String into the mcx_settings key:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>mcx_application_data</key>
        <dict>
                <key>com.apple.Safari</key>
                <dict>
                        <key>Forced</key>
                        <array>
                                <dict>
                                        <key>mcx_preference_settings</key>
                                        <dict>
                                                <key>WebKitJavaEnabled</key>
                                                <false/>
                                        </dict>
                                </dict>
                        </array>
                        <key>mcx_targets</key>
                        <array>
                                <string>user-managed</string>
                        </array>
                </dict>
        </dict>
</dict>
</plist>

That will ensure that any user inheriting those MCX settings will always have this setting disabled. But there’s an easier way of doing this (if dscl is configured and authorised to make changes) - you can run:

dscl /Local/Default -mcxset /Users/alblue com.apple.Safari WebKitJavaEnabled always false

Of course, /Local/Default is the name of the local machine’s directory – if you’ve got an LDAP server then it’ll probably be something like /LDAPv3/ldap.example.com; and your username will be different, too :-) MCX settings can also be changed on a computer (or computer group list) as well, but that’s outside the scope of this post.

Hopefully, you should be secure in surfing from now on until Apple gets their act together and ~~kills~~ secures Java.