Scripting Pearson’s TestNav: Safari and Java Exception Lists

[UPDATE 2015-05-13]: Pearson is getting DDoS’d again.

Pearson experienced intermittent issues with PearsonAccess and TestNav beginning at 7:13 a.m. this morning. These issues continue to occur.
Pearson has confirmed that a Distributed Denial-of-Service (DDoS) attack to Pearson’s firewall is causing degraded performance issues.  Pearson is actively monitoring the issue and working to resolve.

[UPDATE 2015-05-05]: Don’t use full screen with TestNav.  See below from Pearson:

…If the browser is set to Full Screen mode prior to students logging in, it will create a conflict with TestNav that may cause students to experience difficulty logging into their tests, being exited from TestNav unexpectedly or cause students to not be able to use built-in tools. This applies to all browsers on all operating systems…

[UPDATE 2015-04-23]: Pearson is back online after a DDoS, hardware failure, and firewall configuration error.  They also posted some tips and tools for resuming tests.

[UPDATE 2015-04-22]: 

Minnesota Department of Education Temporarily Suspends Minnesota Comprehensive Assessments
Education Commissioner Brenda Cassellius announced today that the state will temporarily suspend administration of the Minnesota Comprehensive Assessments, until all technical problems with the testing system are resolved.
Over the past week there have been three days during which students have experienced issues logging into the testing system. The testing window has been open since March 9 without major incident, with nearly 400,000 tests completed. As the number of students testing neared its peak today, Pearson has identified some technical problems with their system and are currently working to resolve them. These technical problems have not adversely impacted the 400,000 tests that have already been completed.
“Students already give up precious instructional time for annual accountability tests,” said Cassellius. “We cannot allow these disruptions to further impact student learning.”
Pearson is working on identifying the technical issues that are causing the problems. The department has informed Pearson that testing cannot resume until they assure the state that students will encounter an error-free and smooth testing experience.
“We hold our students to high standards and we expect no less of Pearson. Students deserve a worry-free testing experience without interruptions,” said Cassellius.

[UPDATE 2015-04-21]: In addition to the problems we face every day on our end, Pearson is having trouble, too.

At approximately 08:55 AM Central Time on 4/21/2015, Pearson detected that the TestNav online delivery system was registering an unknown issue resulting in degraded test delivery. Primary symptoms of this condition included user difficulty in logging on, slow test item download, slow test submissions, and a warning screen to notify their teacher or test proctor.

While such conditions are frustrating, online testing may continue at this time. Iowa City Technology Operations is working diligently to correct the issues.

[Update 2015-04-15]: Java 8u45 and Flash 17.0.0.169.

[UPDATE 2015-03-16]: Java 8u40 has been updated to Java 8u40.

[UPDATE 2015-03-13]: Flash 17.0.0.134 is out.  Hooray.  X-protect hasn’t been updated yet, but I’m certain it will soon, at which point TestNav will break.

[UPDATE]: Pearson recently discovered that an active Dropbox sync process, including those that may be running in the background, will cause a 7037 error when TestNav attempts to launch.

[UPDATE]: Useful resource: TestNav Error Messages.

[UPDATE]: Download the Safari.plist, which can be used to create a Configuration Profile.  This is the .plist I use in my environment.  You may need to run this command before uploading it:

plutil -convert xml1 ~/Downloads/com.apple.Safari.plist

The .plist has the settings to

  • let the TestNav URLs run in unsafe mode
  • disable Autofill
  • allow pop-ups

[UPDATE]: More Flash fun.  (16.0.0.305)  And Apple just disabled the older version.

[UPDATE]: Xprotect disables all but the latest version of Flash (16.0.0.296), so if you do not have that version installed, you may end up with Message 7037: Internal Communication Error.

[UPDATE]: Representatives from Pearson, Apple, the Minnesota Department Of Education (MDE), as well as technology staff from school districts attended a meeting today to discuss the issues with TestNav, Java, and the Safari “unsafe mode.”

Here are the highlights I heard while listening via Webinar:

  • A config profile can be created to allow Java to run in unsafe mode but this does not disable the “Do you want to run this Java applet” dialog; it just eliminates the “Trust this site” sheet that Safari displays
  • System Check tool has been updated
  • TestNav documentation won’t be overhauled for spring, but it is planned
  • TestNav 8 (2015-16) is being built from the ground up and has a “mobile-first” design
    • HTML5
    • does not need Flash or Java if using the app
    • will work on Chromebooks

[UPDATE]: Calculator crashing your test?  Pearson won’t fix it, but here is their solution:

There has been an issue reported when using the calulator [sic] during testing. Sometimes the test will hang or crash if the calculator is opened and the next button is selected soon after. Pearson recommends that the calculator be closed before student’s press the next button.

[UPDATE]: Disable Java updates via script

[UPDATE]: More Flash (but there is hope)

[UPDATE]: I think the Java exceptions and Safari exceptions scripts are working again (at least in my environment).

[UPDATE]: Yet another Java update.  Also another Flash vulnerability found.

[UPDATE]: MDE reps will meet with school technology staff at TIES.

[UPDATE]: Pearson released a PDF saying they understand people are having difficulty with TestNav and are holding seminars about how to use the software.  Nothing yet on a fix.

[UPDATE]: The Java exception list script no longer seems to work on the new versions.  The System Check was 4.3.0.38 at the time of this article and now it is 4.3.0.52.  I tried modifying the script a few different ways, but to no avail.  The actual TestNav site also has an updated version.  Maybe the hack no longer works.

If possible, you should get a signed certificate and create a DeploymentRuleset.jar (well-worth the price)!

[UPDATE]: Even though Chrome became supported by Pearson, you will still have issues because Google is eliminating NPAPI plugins, but you can work around them.

[UPDATE]: Update your Flash again.

[UPDATE]: There is an article in the Pioneer Press about the hardships with Pearson’s TestNav

[UPDATE]: I wrote a post on how to set up TestNav for Windows machines

[UPDATE]: Pearson posted a technical bulletin detailing the manual steps of getting their software to run.

The Problem

Minnesota gave Pearson a $33.8 million contract for student testing, but their Website/software, TestNav, is a hardship for the technology staff getting it set up.  It uses both Java (outdated version) and Flash.  Just trying to go to the site or run the TestNav System Check, you are prompted with a bunch of annoying dialogs:

[Screenshots of the dialogs: trust_testnav, proctorcachetrust, applet_request, applet_request2, systemcheckareyousure, testnav_runthis]

I recently had to set up over 500 computers for this test and I wasn’t about to spend my time going around to each computer, logging in, navigating to the site, clicking through all the dialog boxes, and then running the system check.  And if I just left it as-is, students would not be able to log into the test, or they might click “Never trust this site,” which would just make problems worse.  I also wanted to run the system check prior to testing to make sure the computers would work before the students arrived.  All of this was repetitive and mundane, which humans are not good at–but computers are.

The Solutions

Best Option (Buy A Signed Certificate And Create A DeploymentRuleset.jar)

This has worked very well for our district.

  1. Create a signed DeploymentRuleset.jar with all the Java exceptions for the TestNav site
  2. Create a config profile using this Safari template, which allows the site to run in unsafe mode
  3. Optionally, create a Bookmarks.plist with the TestNav sites (cannot be made into a config profile)
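
Step 1 above, as an added example that is not the author's own tooling: a shell script that generates the ruleset.xml for a Deployment Rule Set and then packages and signs it with the JDK's jar and jarsigner. Only the proctorcaching.pearsonaccess.com host comes from this page; the second location, the keystore path and the key alias are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the author's script. Generates ruleset.xml for a Java
# Deployment Rule Set: the named HTTPS locations may run without prompts,
# every other applet keeps Java's normal security checks.

# write_ruleset OUTFILE LOCATION...
write_ruleset() {
    out=$1
    shift
    if [ "$#" -eq 0 ]; then
        echo "write_ruleset: no locations given" >&2
        return 1
    fi
    # Validate every location before touching the output file, so a bad
    # entry can never leave a half-written or over-broad rule set behind.
    for loc in "$@"; do
        case $loc in
            *[!A-Za-z0-9.:/*_-]*)
                echo "write_ruleset: unexpected character in '$loc'" >&2
                return 1 ;;
            https://?*) ;;
            *)
                echo "write_ruleset: not an HTTPS location: '$loc'" >&2
                return 1 ;;
        esac
    done
    tmp=$out.tmp.$$
    {
        printf '%s\n' '<ruleset version="1.0+">'
        for loc in "$@"; do
            printf '  <rule>\n    <id location="%s" />\n' "$loc"
            printf '    <action permission="run" />\n  </rule>\n'
        done
        # Catch-all rule: anything not listed above is handled by Java's
        # default security behaviour instead of being allowed silently.
        printf '  <rule>\n    <id />\n'
        printf '    <action permission="default" />\n  </rule>\n'
        printf '%s\n' '</ruleset>'
    } > "$tmp" && mv "$tmp" "$out"
}

# package_ruleset DIR KEYSTORE KEY_ALIAS
# Needs a JDK. ruleset.xml must sit at the root of the jar, and Oracle's
# documented file name is DeploymentRuleSet.jar. jarsigner prompts for the
# keystore password. KEYSTORE and KEY_ALIAS are site-specific (assumptions).
package_ruleset() {
    dir=$1
    keystore=$2
    key_alias=$3
    (
        cd "$dir" &&
        jar -cf DeploymentRuleSet.jar ruleset.xml &&
        jarsigner -keystore "$keystore" DeploymentRuleSet.jar "$key_alias" &&
        jarsigner -verify DeploymentRuleSet.jar
    )
}

# Demo on constructed input: only ruleset.xml is written, nothing is signed.
demo_dir=$(mktemp -d)
write_ruleset "$demo_dir/ruleset.xml" \
    "https://proctorcaching.pearsonaccess.com" \
    "https://*.testnav.example.invalid"
cat "$demo_dir/ruleset.xml"
```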

Free Option (Complex Shell Scripts)

I used some shell scripts sent via Apple Remote Desktop (ARD) to do the following (the first two bullets are the most important):

  • add the URLs to the Safari exception list (set to run in unsafe mode)
  • add the URLs to the Java Control Panel exception list
  • log into the GUI from the login window as the student user
  • if the Java and Safari exceptions scripts don’t work, click through the warning dialog boxes that appear saying things like: “Trust this developer,” “Run this applet,” or “Ignore this update.”

This is certainly not easy to do, but was better than spending a few days going around to each computer to do this manually.  Plus, my computer labs were already set up for GUI scripting.  There might be easier methods of doing this, but here is what I did.

Add TestNav To Java and Safari Exception Lists

This is really the crux of the issues with TestNav–getting the warning dialogs to never show up.  I strongly recommend using a signed DeploymentRuleset.jar if possible as it will save you a massive headache, but if your District won’t do that, you can try to use the scripts provided below to dismiss the dialogs.

Safari Exceptions

This script will add the TestNav URLs to Safari’s exception list and set them as “Run in unsafe mode.”  You may need to adjust the username or additional URLs per your environment.

I tried to just open the URLs I needed on one machine and manually added them to the list, then looked at the Safari .plist to determine what URLs should be included in the script.


Java Exceptions

This script (modified from Rich Trouton’s script) will add the TestNav URLs to the Java Control Panel exception list.  The domains in the script below are the ones we deployed in our DeploymentRuleset.jar, but there may be others you need to add.

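
An added sketch (not the author's script and not Rich Trouton's) of what such a script has to get right: append each site once, refuse non-HTTPS entries, and audit the list for anything that should not be there, since every entry relaxes Java's security checks for that site. The default file path is an assumption about where Java on OS X keeps the per-user list, and every host except proctorcaching.pearsonaccess.com is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not the author's or Rich Trouton's script.

# Assumed per-user location of the Java exception site list on OS X.
EXCEPTION_SITES_DEFAULT="${HOME:-}/Library/Application Support/Oracle/Java/Deployment/exception.sites"

# valid_site URL: accept only plain https:// entries.
valid_site() {
    case $1 in
        *[!A-Za-z0-9.:/_-]*) return 1 ;;
        https://?*) return 0 ;;
        *) return 1 ;;
    esac
}

# add_exception_sites FILE URL...
# Appends each URL that is not already listed. Returns 1 if any was rejected.
add_exception_sites() {
    file=$1
    shift
    rejected=0
    mkdir -p "$(dirname "$file")" || return 1
    touch "$file" || return 1
    # A last line without a newline would fuse with the first appended entry.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    for url in "$@"; do
        if ! valid_site "$url"; then
            echo "add_exception_sites: rejected '$url'" >&2
            rejected=1
            continue
        fi
        # -x whole line, -F fixed string: one entry must never be mistaken
        # for another that merely contains it.
        if ! grep -qxF -- "$url" "$file"; then
            printf '%s\n' "$url" >> "$file"
        fi
    done
    return "$rejected"
}

# audit_exception_sites FILE EXPECTED_URL...
# Prints every listed entry that is not expected. Returns 1 if any exist.
audit_exception_sites() {
    file=$1
    shift
    [ -f "$file" ] || return 0
    unexpected=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        [ -n "$entry" ] || continue
        known=no
        for want in "$@"; do
            if [ "$entry" = "$want" ]; then
                known=yes
            fi
        done
        if [ "$known" = no ]; then
            printf '%s\n' "$entry"
            unexpected=1
        fi
    done < "$file"
    return "$unexpected"
}

# Demo on a temporary file; the stale http:// entry is constructed.
demo=$(mktemp -d)/exception.sites
printf 'http://leftover.example.invalid' > "$demo"
add_exception_sites "$demo" \
    "https://proctorcaching.pearsonaccess.com" \
    "https://testnav.example.invalid"
# A second run adds nothing.
add_exception_sites "$demo" "https://proctorcaching.pearsonaccess.com"
audit_exception_sites "$demo" \
    "https://proctorcaching.pearsonaccess.com" \
    "https://testnav.example.invalid" || echo "^ unexpected entries, review them"
```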

Another Java Problem

TestNav relies on Java to work, but Oracle is always updating it.  So if they happen to release an update during a testing session, the pop-up can disrupt the test while students are taking it.

Pearson even explains this:

Upon receiving this pop-up notification, TestNav immediately closes the testing session. To resume testing, an administrator must accept the update. The test monitor must then resume the test-taker’s session in the testing administration platform before testing can resume.

but they do not offer an automated solution to disable updates.


It is issues like these that make it difficult to believe Minnesota dished out $33.8 million for this software.  To avoid this, you can run this script (as root) to disable Java from checking for updates automatically.

How-to Automate More Of This Process

To be sure things are working, you may want to log into the System Check Website to make sure it will work for students.  If you want to check this on a lot of computers, automation is the way to go.  If you got the Java and Safari exception lists working, you have already saved yourself a ton of time.  But if you are looking to do more automation and verification, you will need a few things:

Install Utilities To Lab Computers

On the computers that will be running the test, install tccutil.py and click using your Desktop Management software.  We use Casper, so I just made two packages using Composer that install the utilities to /usr/sbin and /usr/bin.  Once the software is on the computer, you will be able to use them via ARD.  You will need to make sure the utilities are executable by running these commands as root:

chmod 755 /usr/sbin/tccutil.py
chmod 755 /usr/bin/click

Enable Access To Assistive Devices

This is what allows you to script the GUI login, click buttons, open windows, and perform other GUI tasks.  Without this step, you won’t be able to click the dialog buttons as easily or instruct the computers to open the URL and type in the username.  You will also not be able to send a UNIX command to log a user in from the OS X Login Window.

Snow Leopard through Mountain Lion

If you are running 10.6-10.8 you can enable this on each computer with a single command sent as root through ARD’s Send UNIX Command:

sudo touch /private/var/db/.AccessibilityAPIEnabled

Reboot to apply the change and you are ready to go.

Mavericks and Yosemite

Starting in 10.9, these settings were moved to a per-app basis, so each app that needs access must be added manually by dragging and dropping the app into the Accessibility tab under Security & Privacy settings within System Preferences.  But don’t worry, you can automate this, too, thanks to tccutil.py.  Just run these commands as root from ARD once the utility is installed:

/usr/sbin/tccutil.py --insert com.apple.systemevents
/usr/sbin/tccutil.py --insert com.apple.RemoteDesktopAgent

Alternatively, you can run these commands (as root) without installing tccutil.py, but they are a little more complex and more prone to error.

sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "INSERT INTO access VALUES('kTCCServiceAccessibility','com.apple.systemevents',0,1,1,NULL);"
sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db "INSERT INTO access VALUES('kTCCServiceAccessibility','com.apple.RemoteDesktopAgent',0,1,1,NULL);"

Log In As The Student User

The rest of the settings are user settings, so it will be easiest to just log in as that user on each computer; then the commands can be sent from ARD as the current user.  Use the script below, sent via ARD as root, while the computers are at the loginwindow, to log in the user (adjust the username and password per your environment).

osascript -e 'tell application "System Events"
	keystroke "student"
	keystroke tab
	keystroke "student"
	keystroke return
	keystroke return
end tell'

I have found that this works best right after a reboot so that the cursor is focused on the username field.  There is also no screensaver to contend with.

Run System Check

The system check will not detect Flash (even though it is installed) until the URLs are added to the exception list and Java is working properly.

Open the System Check URL

Run this script as the current user via ARD.  It will open Safari and navigate to the System Check URL.

Click the Start Button

This is where the click program comes in handy.  It will click at an X, Y coordinate.  This means you don’t have to go to each computer and click the start test button.  Fortunately, all of my Macs had the same screen resolution, so it was easy to set a static coordinate to click.

Finding the Coordinates to Click

You can use the screenshot tool to find out where to click on the screen.  Just press Command+Shift+4 and you will get a little crosshair.  Hover over the place where you want to click and take note of those coordinates.  Press Escape when done.   If you are using MouseTools, you can find the coordinates of the mouse by running this command:

MouseTools -location

which will return an X and Y coordinate.  Useful if you can not see the little crosshair that easily.

Open Sample Test Site

If the system check passed, you may want to open a sample test site to verify functionality.  Use the script below to do this.  You can use the other script to enter the test user credentials.

Open the Real Test Site (And Bookmark It)

Next, you will probably want to open the real testing URL and bookmark it so students can get back to it easily without your assistance.  Or you can try sending out the bookmarks via a script:

If The Spinning Indicator Never Goes Away…

If you get the endless spinning indicator, the most likely cause is that the sites are not configured in the Java exception list properly.  You may also get this error message:

7022 – “Failed to load applet. Your test administrator will need to make sure this computer is running the correct versions of necessary software and try again.”

The error or spinning dialog could also mean the site is not on the “run in unsafe” list, but you may also need to empty the Java cache (per Pearson support).  I did so with this command:

find /Users/student/Library/Application\ Support/Oracle/Java/Deployment/cache -type f -print0 | xargs -0 rm -f

I’m not sure if this helps or not, but I also delete any Java-related files from the regular cache folder.

find /Users/student/Library/Caches -name '*java*' -print0 | xargs -0 rm -rf

I have also started getting this error dialog after emptying the cache (even emptying it manually).  Pearson support said to add the root domain to the exception list, which is already implemented in the script provided earlier.

Disable Java Cache

You may want to just completely disable Java cache to try and avoid these problems.  I tried scripting this, but the setting seems to disappear after a reboot on my machine running Mavericks.

Chrome Settings

Chrome is supported according to Pearson, but since Chrome is disabling NPAPI plugins (Java) it’s probably not a good idea to invest your time into it.  However, here is what you can try.

Enabling Java

If you are using Chrome, you will need to deploy a .plist to allow Java to run (and allow pop-ups).  However, since Google is disabling NPAPI plugins, using Chrome may not be the best choice.  You can copy the file, or deploy it using a script (run as root) like this:

Once deployed, open Chrome and navigate to chrome://policy.  Your settings should show up here if it was successful.

Opening The URLS

There is only a slight difference in using Chrome to open a URL:

# Open system check site
killall Safari > /dev/null
osascript -e 'tell application "Google Chrome"
open location "https://proctorcaching.pearsonaccess.com/ems/systemCheck/systemCheck.jsp?acc=mn"
end tell'

ARD Workflow

Below is a screenshot of the workflow I use in ARD using saved templates.  Each one runs the scripts from above so I can quickly deploy it to the computers necessary.

[Screenshot: ard-setup]

Alternative Method

Jeffery Johnson came up with a similar process, but instead of scripting everything, he just packaged everything up and deployed it to the machines (download files):

  • Testing user is logged in as testing account.
  • Launch the TestNav app built by me that executes a shell script…
  • Verifies Java and Flash version and then copies and overwrites the Java and Safari settings to work as needed and then launches the testing URL

His Steps

  • Login as testing user, go through the motions and verify testing is working with correct browser and Java settings.  You can use the temp testing URL from Pearson.
  • I do the above so I don’t run into hiccups later on.
  • I used an app such as InstallEase or Composer to automagically capture the changed items needed… They can be grabbed manually too.
  • You can get an idea what to do from the scripts ToInstall.sh

30 Replies to “Scripting Pearson’s TestNav: Safari and Java Exception Lists”

    1. Yes.

      You can also try using MouseTools, which is very similar, but also allows you to get the coordinates of the mouse. I have considered switching to that as the syntax is pretty much the same, but click has always been reliable, so there has been no reason to switch.

  1. One problem fixed. Now for another (and thanks in advance for everything). I copied over the tccutil.py and the click files to both /usr/bin/ and /usr/sbin/ – I can see them in terminal if I ls – however running them via sudo on the local workstation gets command not found, and running anything via ARD gives me permission denied (even running as root) this is on 10.9.4 with a 13-inch Mid 2010 Macbook. Ideas on where I am falling flat?

    1. You need to make tccutil.py executable first with this command:

      sudo chmod 755 /usr/sbin/tccutil.py

      I have been meaning to just make an installer for it so you do not need to do this step; I just haven’t gotten to it.

      Please let me know if the Java or Safari scripts work for you, too if you are going that route. They have not been working as well with the latest TestNav updates.

      We finally decided to go with a DeploymentRuleset.jar, which has saved us massive headaches! I strongly recommend going that route if possible.

      1. Well going with the scripting and the first parts seem promising. However, I wish I had your full skillset. I can typically reverse engineer from an existing script just fine. However, my Linux fu is still a little rough around the edges. I am learning lots, but don’t know java. Still wishing that Pearson could just be like NWEA and make a lock down browser application. Would certainly make my life easier. Deploying that was easy peasy.

        1. Same here. It wouldn’t be so bad if Pearson avoided Java and Flash all together.

          Let me know if you have any more questions. I tried to make it as easy as I could for others, but it’s tough anyway. Even though I wrote the scripts, I still get confused!

          1. I am so glad I was just able to find this page with the right amount of “Google-Fu” Because Pearson just kinda throws you to the wolves. Gotta love them. Thanks again for sharing this with the tech community. Any objections for me sharing this resource with my tech coordinator list-serv here in Illinois? I am sure there are plenty of other Mac Districts that might benefit. Especially if I can guinea pig everything to ensure the slightly less techie ones can figure it out. 🙂

          2. Yes, share away.

            Maybe enough people will talk to Pearson that they will get their act together. I plan on re-editing this article since I just sort of threw it together while I was getting stuff ready. Now we won’t test for a while so I have some time to make it a little easier to follow.

  2. *brick wall* – so your code will add all four of the items into Safari, but won’t configure them to run in unsafe mode, yet it’s not flagged to run in -unsafe mode- but it’s set to allow. I then tried creating a mobileconfig file from my rather broken profile manager at the moment, and installing that via CLI, but no joy there either. If I don’t have this sorted out by mid next week, the process of hand configuring all of these devices will have to start, suffice it to say, I am doing my hardest to avoid that route. So what am I missing in the Safari exceptions, that isn’t switching things to run in unsafe mode, yet of course everything looks like it is correctly configured.

    Thanks! Allyn

    1. I have been having trouble with this as well lately. The .plist entry PlugInRunUnsandboxed bool true, is supposed to be the line that sets it to run in unsafe mode. My very first version of the script, worked when I first wrote this article, so you can give that a try. I am also going to take a look and try to modify the script so it works appropriately. I have some time tonight and tomorrow, so I will see if I can get it to work.

    2. Try the script now. I changed bool true to bool YES after looking at the .plist (I manually made the changes). It seems to work on my system.

      1. THAT!!! That worked. I did have to “re-push” that particular safari script twice, because I thought everything was good, went to walk thru the steps, and said it wasn’t in unsafe mode. So I just repushed it, tried again, and EUREKA!! Now, I am not installing those Java updates because I am fearful that it will change the .plist syntax somehow again. But, I am working over here. Going to share this all with that List-Serv – you sir, are a life saver!!!

          1. Ok. Well probably not 100 percent yet, but better than a full brick wall where people would have had to jump thru several menus to make everything work. First unit I worked on, everything was gravy. Second unit I tested is running into the “Java” prompts beyond the trust box, and using click alone doesn’t seem to be consistently reliable, but I also haven’t tried the updated Java script yet, so let me grab that and see if I can replicate. However it’s Friday, and I am already much farther along than I was at the beginning of the week. So part of me is thinking I might just save the testing until Monday. 🙂

          2. I’m just interested to see if others can get the Java portion working so there is an alternative if you can’t get a signed DeploymentRuleset.jar.

            Have a great weekend.

  3. Ok, so grabbed a unit before I left – in order to get some more progress for the weekend. So, as you point out above, is the “expiration” prompt. On this thread – https://jamfnation.jamfsoftware.com/discussion.html?id=6489 – they cover discussing making modification to the auto-update. Not fully sure of what I am reading in the scripting myself, they provide a fairly lengthy script that is supposed to kill off any method of triggering or asking about updating Java. Script copied below for convenience, but I am certainly not taking credit..

    I am also getting the “Do you want to run this Application?” Prompt for SystemCheck. So I am assuming that the Java code is not working as intended. Room to make purchases for IT solutions is quite limited. I have been reaching out to my typical support structure but no Joy. So – Kinda leaning on the script work here, to try and figure it all out. I thank you again for all the hard work you have done, and continue to do on this. Even from where I am at now, worst case, I can ask a few classrooms of kiddos to help me click on the correct buttons, to get finished. As at least the Safari stuff is working, but obviously a completely finished solution would be amazing. Although what would be mind blowing… If Pearson just made a lockdown app like NWEA… Although that’s me sounding like a broken record……

    Copy/paste of relevant comment from thread linked above…___________________

    Looks as if the documentation Oracle provides to manage enterprise level Macs is inaccurate. Just took me all of Friday to dig in and correctly setup system wide settings. Using the script already provided I have added some tweaks and also the creation of system wide config and properties file.

    If you look at the documentation link below, you can add/remove options that get written to properties file.
    http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/properties.html

    Note that the system wide config location is incorrect and correct one should be under /Library and not ~/Library in Oracle’s documentation.

    Also please note the properties file can be placed anywhere on the local Mac the location I chose is inside the same config location.

    Script below:
    #!/bin/sh

    # Java Plugin Location
    javaPlugin="/Library/Internet Plug-Ins/JavaAppletPlugin.plugin"

    # Config File Location
    configFile="/Library/Application Support/Oracle/Java/Deployment/deployment.config"

    # Properties File Location
    propFile="/Library/Application Support/Oracle/Java/Deployment/deployment.properties"

    # Checks if Java Plugin is installed
    if [ -e "$javaPlugin" ]; then

        /bin/echo "Java Plugin is installed…"

        # Checks if config file is present
        if [ ! -f "$configFile" ]; then

            /bin/echo "The deployment.config file does not yet exist. Will create…"

            # Create deployment.config file
            /usr/bin/touch "$configFile"

            /bin/echo "Created deployment.config file"

            # Change ownership on this new file
            /usr/sbin/chown root:wheel "$configFile"

            /bin/echo "Changed ownership on deployment.config file"

            # Write contents of this file
            /bin/echo "deployment.system.config=file://$propFile" >> "$configFile"
            /bin/echo deployment.system.config.mandatory=false >> "$configFile"

            /bin/echo "Wrote content to deployment.config file."

        else

            /bin/echo "deployment.config file already exists. Removing and building new version…"

            # Delete existing version of the file
            /bin/rm -f "$configFile"

            /bin/echo "Deleted previous deployment.config file"

            # Create deployment.config file
            /usr/bin/touch "$configFile"

            /bin/echo "Created deployment.config file"

            # Change ownership on this new file
            /usr/sbin/chown root:wheel "$configFile"

            /bin/echo "Changed ownership on deployment.config file"

            # Write contents of this file
            /bin/echo "deployment.system.config=file://$propFile" >> "$configFile"
            /bin/echo deployment.system.config.mandatory=false >> "$configFile"

            /bin/echo "Wrote content to deployment.config file."

        fi

        # Checks if properties file is present
        if [ ! -f "$propFile" ]; then

            /bin/echo "The deployment.properties file does not yet exist. Will create…"

            # Create deployment.properties file
            /usr/bin/touch "$propFile"

            /bin/echo "Created deployment.properties file"

            # Change ownership on this new file
            /usr/sbin/chown root:wheel "$propFile"

            /bin/echo "Changed ownership on deployment.properties file"

            # Write contents of this file
            /bin/echo '#deployment.properties' > "$propFile"
            /bin/echo deployment.security.validation.ocsp=false >> "$propFile"
            /bin/echo deployment.security.validation.ocsp.locked >> "$propFile"
            /bin/echo deployment.macosx.check.update=false >> "$propFile"
            /bin/echo deployment.macosx.check.update.locked >> "$propFile"
            /bin/echo deployment.expiration.check.enabled=false >> "$propFile"
            /bin/echo deployment.expiration.check.enabled.locked >> "$propFile"
            /bin/echo deployment.console.startup.mode=HIDE >> "$propFile"

            /bin/echo "Wrote content to deployment.properties file."

        else

            /bin/echo "deployment.properties file already exists. Removing and building new version…"

            # Delete existing version of the file
            /bin/rm -f "$propFile"

            # Create deployment.properties file
            /usr/bin/touch "$propFile"

            /bin/echo "Created deployment.properties file"

            # Change ownership on this new file
            /usr/sbin/chown root:wheel "$propFile"

            /bin/echo "Changed ownership on deployment.properties file"

            # Write contents of this file
            /bin/echo '#deployment.properties' > "$propFile"
            /bin/echo deployment.security.validation.ocsp=false >> "$propFile"
            /bin/echo deployment.security.validation.ocsp.locked >> "$propFile"
            /bin/echo deployment.macosx.check.update=false >> "$propFile"
            /bin/echo deployment.macosx.check.update.locked >> "$propFile"
            /bin/echo deployment.expiration.check.enabled=false >> "$propFile"
            /bin/echo deployment.expiration.check.enabled.locked >> "$propFile"
            /bin/echo deployment.console.startup.mode=HIDE >> "$propFile"

            /bin/echo "Wrote content to deployment.properties file."

        fi

        # Change the auto updater preference
        /usr/bin/defaults write /Library/Preferences/com.oracle.java.Java-Updater JavaAutoUpdateEnabled -bool false

        /bin/echo "Changed the auto updater preference file."
        /bin/echo "Java settings have been deployed. Exiting"

    else

        echo "Error: Failure to find Java Plugin path. Either Java is not installed, or the path within the plugin has changed. Exiting"
        exit 1

    fi

  4. So in regards to the deploymentruleset.jar – if I am reading this page correctly (https://blogs.oracle.com/java-platform-group/entry/introducing_deployment_rule_sets) I can self-sign it using a dedicated server and then deploy?

    Alternatively I found this… https://www.globalsign.com/en/code-signing/code-signing-tool/ Cause I come from a cash strapped district that would not be wanting to spend the money on a legit code signing cert.

    Cause all of the code says it should work, but it doesn’t work. It’s still not suppressing all of the additional security prompts. So I think having to use the deploymentruleset is really the only way to go in this case.

    So far, I think you have been the most knowledgeable and helpful person I have found, so was wondering if I am correct on my understanding, in which case my earbuds are being pulled out tomorrow, and I am getting this thing finished. 🙂

    1. You can self-sign it, but if you have my luck, you will pull your hair out trying to get it to work. We tried and tried but could not get it to go and finally broke down and bought a cert.

      How are you deploying your scripts? I use ARD to send them out. I would like to know more about your situation so I can try to help.

      1. I have a mostly (95%) 10.9.4 environment with a few 10.10 clients mixed in. My ARD is on 10.10. I of course am having minor issues with ARD (once a computer logs in/logs out it will break the connection to ARD. I then have to close and open ARD again to have it re-authenticate.) (That’s another issue entirely.)

        I attempted to use Profile Manager at the beginning of this year, but apparently I bricked it according to Apple due to the order of operations in which I configured it. (I added it to my AD late in the game, instead of somewhere around step 1.) So they suggested that I blow it ALL APART, and start fresh. I decided not to make that move about two weeks into the school year. So I have a very broken and unreliable Profile Manager as well.

        My district is small. About 100 or so devices in all I need to touch, but my feeling is, this has to be something that can be centrally configured, otherwise larger districts would be fully up a creek without a paddle. (Mind you I have about another 100 Chromebooks that we will be using as well, so I am not *that* small).

        However due to our limited size, there is also very limited tech funds to work with, and I just don’t see the likelihood of them approving purchase of something that’s going to be used for just one thing, especially when there are free alternatives (hand configuring).

        I figure that once I hit the beginning of February I really will just have to move toward that hybrid of pushing out as much as I can with the script and then have students (or myself) hand configure the rest.

        I think that’s everything. LOL.

        1. ARD is a bit flaky, but I have a few tips to help with that.

          Do you have broken profiles that are deployed to the machines that are messing things up?

          I don’t believe the Chromebooks support Java (I may be mistaken) so you won’t be able to run TestNav on those.

          The scripts seem to work on my devices just fine now. Our Macs are not bound to AD, so we just have a “student” user, which makes deploying the settings a bit easier.

          1. TestNav has a special app that runs in Kiosk mode. So, those are “so easy even a caveman can do it” deployments. Just pick the app, apply it in the Google admin panel, and away it goes.

            I am using a single AD account for configuring all testing, to make life easier in that regard, and the students are logging into only the single account. This way, even if we have to do a hybrid configuration it only has to be done once per device.

            As far as the profile manager, it’s the fact that nothing actually pushes. Or when it does push, it’s forcing the WiFi off instead of on, just really weird off the wall behaviors. I called Apple enterprise and they told me to brick it all and start over, so that’s a summer project at this point.

            All of the scripts work as intended. Sites are getting added into all the correct places, but the issue is that I am still getting more GUI prompts than I am thinking I should be getting. I should only get the trust prompt, but I am also getting the prompts to run the Java code, along with the (check here to not be annoyed again) boxes. (the ones that you have linked above as

            ( http://jacobsalmela.com/wp-content/uploads/2014/10/systemcheckareyousure.png )

            I didn’t think I would get those based on what the scripts should be doing. I should only get the trust prompt. So that’s where I am falling just a bit short.

          2. When both scripts work properly, you should not get any prompts at all.

            Are you using the latest versions of the Safari and Java scripts? Just make sure to change the username.

            I would be interested to know where they are failing (i.e. which URLs still get the warnings). In my most recent testing, both scripts seem to eliminate the dialogs.

            I never knew about the TestNav app. If it works, that almost sounds better than dealing with all of this on the Macs. But our District is mostly Macs anyway and I have 500+ computers to get this ready for.

          3. Well I thought all of the code was right, let me double check.. Maybe I missed something. After I check the code, I will let you know which sites are giving me issues.

            Thanks again for everything.

  5. New Comments. In order to suppress any popups, the deploymentruleset.jar MUST be used. No way around it as far as I can tell. However, using the directions here (http://scottorgan.net/deploymentruleset/) and basically removing references to Windows .exe extensions, I was able to reverse engineer things and get a self-signed one that pushed successfully to a workstation. Finding the original cacerts file was annoying for me but I found it. Now with that deploymentruleset.jar the ONLY GUI element to click is the initial trust button. That’s the only thing that comes up.

    1. The scripts work for me as well as others I have spoken with. I have already tested hundreds of students using the scripts to get the workstations ready. Admittedly, without some scripting experience, some will have difficulty deploying things this way.

      The scripts basically create an exceptions.sites file. So either that or the DeploymentRuleset.jar will work.

      The method doesn’t really matter so long as students can test.

      I am glad you got things working though! More to report after tomorrow’s meeting with MDE.

    1. That’s not surprising. I hope it was helpful to you. I had a funny experience the other day when our Web filter actually classified one of Pearson’s sites as a virus and completely blocked it. =)

      1. Oh man! We have several end-of-course exams scheduled this week… we’ve done system checks on the machines multiple times, but I’m always nervous that something will go wrong.

        1. I get that. Even after having a few “successful” rounds of testing, I still get nervous every time I have to load them up. Inevitably, there are a bunch that still don’t work no matter what I try.
