On 10 December 2014, Browsium hosted a webinar titled: Manage and Secure Java with Browsium Ion. The webinar was a huge success and generated a number of great questions from the audience. We have compiled the complete set with answers to share with all attendees, and anyone else who is interested in Java management. If you missed the webinar, you can watch the video archive on YouTube today.
Read on to see the questions (and our responses) from the Java webinar.
How do you determine that you are running a different version of Java within a browser instance?
There are a few methods to determine the version of Java that is running within a browser instance. One method is to inspect the DLLs used by that browser instance. The DLLs loaded in any given process within Windows can be inspected with Process Explorer. By investigating the list of DLLs loaded under iexplore.exe, you can usually determine the specific version of Java in use. Another somewhat simpler method is to navigate to the javatester.org website within an Ion profile. This can be done by setting a specific rule for Javatester for that profile or appending the string that triggers another rule that uses that profile to the javatester.org URL (e.g., http://javatester.org/version.html?ruletriggertext).
Does Browsium Ion work with Java Web Start?
Yes, Ion can be used to manage different versions of Java Web Start required by different web applications by leveraging Ion’s Custom Registry settings. As a note, some Java Web Start settings or application functions exist outside the browser and Ion is limited to managing functions within the web browser.
What happens if the target system doesn’t have Java installed in that folder – does it fail or does it use the default version of Java instead?
If Ion attempts to load a previous version of Java and it is unable to locate the required files, the default version of Java will be loaded. Browsium recommends using environment variables and defined locations on systems to reduce misconfiguration situations like this.
What kind of logging capabilities does Browsium provide? Can they be leveraged to discover what applications users are accessing which require Java?
Ion provides standard Windows application logging to the event viewer. In addition, Ion can be configured to collect data about which applications the users are accessing. At this time, Browsium would need to work with your organization to convert those data logs into usable and actionable reporting. In 2015, Browsium will release a new product specifically designed to enable organizations to collect and report on all aspects of user web actions, this will include documenting which sites require Java.
Could you please provide any approximate timeline for when this new version (with better logging and reporting) will be available?
At this time, the new product is planned for delivery in 2015.
Is it required to have all Java versions, for which we have created rules, deployed/available on all the end-points?
All versions of Java required by the end user must be installed on that user’s PC. But that user need not have all versions of Java defined in the Ion configuration. However, many organizations prefer to create a single Windows image with all versions of Java required by the organization and a single Ion configuration for all applications used by the organization. You can choose the deployment strategy that works best for your organization.
Will you need to have Java installed in Static Mode?
Ion does not require Java to be installed in Static Mode, but will support static installations of Java. More information on Static Mode can be found on the Oracle Java documentation website.
How would you install multiple versions of Java on the local machine without using the static switch?
A best practice for installing multiple versions of Java is to install in reverse order, from newest to oldest. This will install each version in a unique directory and allow all versions to be installed side-by-side. Once these versions are installed, only the most current version will attempt to auto-update. The legacy versions will be maintained on the system without prompts for updates.
Are there triggers other than the URL? Can you trigger from internal calls from an application without having a visible embedded URL?
Ion is able to review any http or https call made by any Windows application, so links can be visible/interactive for the user or hidden/silent programmed actions and Ion will trigger based on defined Rules.
How do you install multiple versions of Java when one version uninstallls the previous one?
Installing a new version of Java will typically upgrade and remove a prior installation from the same version family (e.g., Java 7 update 71 will upgrade and remove Java 7 update 67). But the same installation will not affect an installation from a prior version family (Java 7 update 71 will not affect Java 6 update 45). A best practice for installing multiple versions of Java is to install in reverse order, from newest to oldest. This will install each version in a unique directory and allow all to be installed side-by-side.
Can Ion manage Java in Internet Explorer only, or does it also work with Chrome/Firefox?
Today Ion provides Java management for Internet Explorer only. However, this functionality can be used in conjunction with Browsium Catalyst to provide additional Java security. For example, an organization could configure Ion to enable multiple versions of Java in Internet Explorer for intranet applications and then use Catalyst to direct all Internet traffic to Chrome with Java disabled for maximum security. More information about using Ion and Catalyst for Java security can be found on the Browsium Blog.
Can Ion help to disable the “Java out of date” warning messages?
Yes, Ion can be used to set custom registry settings for a specific application. This includes setting the registry key to disable Microsoft legacy ActiveX blocker as documented in the Ion Knowledge Base. In addition, Ion’s Custom Files Manager can be used to configure a substitute version of Java’s deployment.properties file to suppress various Java version warnings.
Will I need to modify my Ion configuration when Oracle releases a new Java update?
As new major versions of Java are released, changes are expected with the file installation paths. Browsium recommends using a standard naming convention for each major Java version (e.g. Java 7, Java 8, etc.) so file paths are easy to manage and updates will not impact Ion configurations.
What keeps malicious web pages from invoking old versions of Java if they’re installed on all my PCs?
Ion uses an opt-in model to determine when legacy versions of Java are to be loaded. Unlike other solutions that rely on the coding of a webpage, the Ion approach reacts only based on the specific web location. This design prevents a malicious website from being able to gain access to the legacy Java files, as Ion would not surface them to an undefined or unapproved website.
Does Ion work with Java 8?
Yes, Ion can be used to invoke an old version of Java when Java 8 is the default. So, for example, you could have Java 8 update 25 as the default version and invoke Java 6 update 45 for a specific application. Oracle has made changes to Java in the most recent Java 7 and Java 8 releases that require a few simple additional remediation steps. These have been detailed in the Ion Knowledge Base.