Java: Configuring System-Wide Settings
Java can be pain for system administrators. It seems to release a new version every few months that are almost required due to security issues, and there used to not be a good way to configure computer-wide policies for the platform. Starting with at least Java 7 update 45, Oracle changed this. Now administrators can deploy two files to machines to control all sorts of settings.
This article will detail those two files and their locations, as well as provide a guide for all of the settings.
File 1: Enforce System Policies
First, we have a two line file that tells the Java runtime to look for a file that will apply to the entire machine. Create a new text file on your desktop called deployment.config. Be sure to remove the .txt extension from the text file. Open this file with Notepad and add these lines:
This file MUST be copied to “C:\Windows\Sun\Java\Deployment”. This folder does not exist by default. You made need to modify the first line to point to your properties file. I elected to keep it in the same folder for simplicity.
File 2: Properties File
Next, we have the file that actually contains our Java settings. This file is the one referenced in line 1 of our config file. To create this file, add a new text document to your desktop and rename it deployment.properties (once again remembering to remove the .txt extension). This file will contain a list of properties and their definition. You can also add the same line and add “.locked” to the end to make it so that users cannot change it back. I will illustrate this later.
There are many properties that you can define. I would suggest going through the Java control applet in the Windows Control Panel and setting your properties. Then, you can go to your personal deployment.properties file and copy it to the rest of your machines. When you have your properties defined, go to “C:\Users\<username>\AppData\LocalLow\Sun\Java\Deployment” and copy the deployment.properties file from this directory. There are some properties that cannot be defined from the Control Panel applet, so will have to added later.
Here is what two lines from my file look like. These lines are two that cannot be modified from the Control Panel applet, so I had to add them manually.
These two lines disable the expiration check in Java. As you can see, I’m also locking the setting using the method stated above.
For a full list of configurable properties, see this Oracle document: https://docs.oracle.com/javase/7/docs/technotes/guides/jweb/jcp/properties.html.
Finally, I would recommend delivering the deployment.config file with you Java package. With SCCM, you can either script a file copy after the installation of Java, or modify the MSI to include this file.
For the deployment.properties file, I would recommend either delivering this file via Group Policy to the location that I use, or save it to a file share and have very computer reference that. The only issue with this method, as you might imagine, is if the computer is not connected to your network. If Java cannot see the file, it will not load it, meaning that there may be session that are not controlled by your policy. The advantage to either of these methods is that you can have a dynamic file – one that you change be sure your clients get the updates.