As a follow-up to my previous post on removing Oracle Java, it’s possible that Mac admins may be asked to block Oracle Java rather than remove it. This may be challenging, but it is possible with the right information and tools. For more details, please see below the jump.
Normally, there are three approaches on macOS that you can take when needing to block an app:
- Block by process name
- Block by code signature
- Block with parental controls
Block by process name
Blocking by process name may be problematic in this case, since the process names for Oracle’s Java and any other non-Oracle Java are almost certainly going to be identical (for example, java as the process name). Blocking Oracle’s Java by process name will mean that the non-Oracle Java you may be installing to replace Oracle’s Java will be caught by the same process-based block.
This is to say nothing of apps which may have embedded Java runtimes you’re not aware of; blocking Oracle’s Java by process may inadvertently also block the processes run by an app’s embedded Java runtime.
Block by code signature
This may be the best approach, as you may be able to use Oracle Java’s code signing signature and bundle identifier to block Oracle Java. Solutions which can do this include the following:
- Google’s Santa
- Jamf Protect
These solutions should be able to block by the code signature’s Team Identifier and the java binaries’ bundle identifier(s). You can find these by running the following command:
codesign -dv /path/to/java/binary
Here’s an example of using the codesign command to get the code signature’s Team Identifier and the bundle identifier for the java binary in Oracle’s Java JDK 11.0.20. The two values you want appear in the following fields of the output:
- Bundle identifier: the Identifier field
- Team Identifier: the TeamIdentifier field
username@computername ~ % codesign -dv /Library/Java/JavaVirtualMachines/jdk-11.jdk/Contents/Home/bin/java
Executable=/Library/Java/JavaVirtualMachines/jdk-11.jdk/Contents/Home/bin/java
Identifier=com.oracle.java.11.0.20.java
Format=Mach-O thin (arm64)
CodeDirectory v=20500 size=936 flags=0x10000(runtime) hashes=18+7 location=embedded
Signature size=9010
Timestamp=Jun 14, 2023 at 5:32:54 AM
Info.plist entries=5
TeamIdentifier=VB5E2TV963
Runtime Version=11.1.0
Sealed Resources=none
Internal requirements count=1 size=188
username@computername ~ %
Note: The bundle identifier may be different for each version of Oracle’s Java. You may be able to block using only the Team Identifier, but the drawback of this is that you may also block other Oracle apps which use that same code signing Team Identifier, like Oracle’s VirtualBox hypervisor software:
username@computername ~ % codesign -dv /Applications/VirtualBox.app
Executable=/Applications/VirtualBox.app/Contents/MacOS/VirtualBox
Identifier=org.virtualbox.app.VirtualBox
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=19145 flags=0x10000(runtime) hashes=587+7 location=embedded
Signature size=9009
Timestamp=Jul 27, 2023 at 11:49:35 AM
Info.plist entries=17
TeamIdentifier=VB5E2TV963
Runtime Version=10.15.6
Sealed Resources version=2 rules=13 files=224
Internal requirements count=1 size=192
username@computername ~ %
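To make the Team Identifier versus bundle identifier trade-off concrete, here is an added example (not from the original post or from Santa or Jamf Protect) that parses the two codesign outputs above and shows which binaries a Team ID-only rule would catch compared with a rule keyed on Team ID plus the com.oracle.java. identifier prefix. The codesign outputs are embedded as constructed sample text so the script runs anywhere; the santactl rule syntax it prints is assumed from Santa’s Signing ID rule format and should be checked against your Santa version.

```shell
#!/bin/sh
# codesign -dv writes its report to stderr, so on a real Mac capture it with:
#   codesign -dv "$path" 2>&1
# The two reports below are constructed copies of the post's sample output.

JAVA_CODESIGN='Executable=/Library/Java/JavaVirtualMachines/jdk-11.jdk/Contents/Home/bin/java
Identifier=com.oracle.java.11.0.20.java
Format=Mach-O thin (arm64)
TeamIdentifier=VB5E2TV963'

VBOX_CODESIGN='Executable=/Applications/VirtualBox.app/Contents/MacOS/VirtualBox
Identifier=org.virtualbox.app.VirtualBox
Format=app bundle with Mach-O thin (x86_64)
TeamIdentifier=VB5E2TV963'

# field NAME TEXT: print the value of the "NAME=value" line in a codesign report
field() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p"
}

# classify TEXT: decide how the two rule styles treat a binary.
#   block-both      - Oracle Team ID and an Oracle Java identifier: both rules block it
#   block-team-only - Oracle Team ID but not Java (e.g. VirtualBox): only a
#                     Team ID-only rule blocks it, which is the over-blocking risk
#   allow           - signed by someone else: neither rule applies
classify() {
    team=$(field TeamIdentifier "$1")
    ident=$(field Identifier "$1")
    if [ "$team" != "VB5E2TV963" ]; then
        echo allow
        return
    fi
    case "$ident" in
        com.oracle.java.*) echo block-both ;;
        *) echo block-team-only ;;
    esac
}

# santa_rule TEXT: print the Santa Signing ID block rule (TeamID:Identifier)
# for one binary. Assumed santactl syntax; verify before use.
santa_rule() {
    printf 'santactl rule --block --signingid %s:%s\n' \
        "$(field TeamIdentifier "$1")" "$(field Identifier "$1")"
}

classify "$JAVA_CODESIGN"   # block-both
classify "$VBOX_CODESIGN"   # block-team-only
santa_rule "$JAVA_CODESIGN"
```

Because Oracle changes the bundle identifier per Java release, a real deployment would generate one Signing ID rule per installed version, which is why the prefix match in classify is shown separately from the exact rule santa_rule emits.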
Block with parental controls
You can use a macOS configuration profile to set all binaries in a particular directory path to be blocked from running. While this functionality has been deprecated by Apple as of macOS Catalina, it continues to work as of macOS Ventura.
In this case, you can set the enclosing directory paths of Oracle’s Java binaries to the block list and thus prevent Oracle’s Java binaries from running:
username@computername ~ % java -version
exec failed: Error Domain=NSPOSIXErrorDomain Code=13 "Permission denied" UserInfo={NSLocalizedFailureReason=Failed to execute /Library/Java/JavaVirtualMachines/jdk-1.8.jdk/Contents/Home/bin/java: Permission denied}
username@computername ~ %
When setting a blocklist using a profile, one thing to be aware of is that the blocklist can be overridden by an administrator account. If an administrator chooses, they can override the application block once or permanently, so this approach does not hold up against a local admin who wants to run the blocked binary.
For those who want to block Oracle’s Java binaries using a macOS configuration profile, I’ve created an example profile and posted it here on GitHub:
https://github.com/rtrouton/profiles/tree/main/BlockOracleJavaBinariesFromRunning