IT Management Suite

I previously wrote up my process as an article for installing Java 7 update 51 as a manged software delivery.  Figured I’d do another article for java 8 for a spot to crowdsource from the community as I always learn from comments how to improve how I do things in CMS.  Don't forget support for Java 7 ends in April!

Download the latest offline .exe installer (you won’t see the 64 bit offline installer unless using 64 bit windows).  Note that Oracle recommends 32 bit Java unless for some reason you use 64bit browsers - we use the 32 bit download.

1. Extract the MSI
   1. Download and launch in GUI mode the Windows Offline Installation executable (.exe) file. 
   2. When Welcome to Java window appears do not click Install button and navigate to LocalAppData folder (the user Application Data folder). The location of the LocalAppData folder differs for each Windows platform. 
       
   3. You can also navigate directly to APPData folder by typing : %APPDATA% in Windows Explorer Address Bar or Run. 
       
      1. Windows Vista and Windows 7
         C:\Users\<user>\AppData\LocalLow\Sun (or Oracle)\Java\jre<version_number>
      2. Windows XP
         C:\Documents and Settings\<user>\Local Settings\ApplicationData\Sun (or Oracle)\Java\jre<version_number>
      3. Windows 2000
         C:\Documents and Settings\<user>\ApplicationData\Sun (or Oracle)\Java\jre<version_number>   
2. Copy .msi to folder to folder on desktop
3. Create (or copy existing if you have them already C:\Windows\sun\java\deployment\) deployment.config and deployment.properties file to same folder where .msi is, these are plain text files.

   Our deployment.config file contains these 2 lines
   deployment.system.config.mandatory=true
   deployment.system.config=file:\\C\:\\Windows\\Sun\\Java\\Deployment\\deployment.properties

   Our deployment.properties file is following
   deployment.expiration.check.enabled=false
   deployment.security.mixcode=HIDE_RUN
   deployment.javaws.shortcut.locked
   deployment.javaws.shortcut=NEVER   

   You can add more options to the properties file based on what’s available in the current release. See http://docs.oracle.com/javase/8/docs/technotes/guides/deploy/properties.html

   The folder on the desktop should now have 3 files, deployment.config, deployment.properties, & .msi file.

   Note: As of Java 8u20, there is no more Medium security level support. Any sites that don’t conform to Java’s security practices will be blocked. If you have sites in your organization you want to whitelist, you can do so with a third text file exception.sites. Make sure to set the deployment.user.security.exception.sites value in deployment.properties if you do this. I am not using that as our high profile sites all loaded without it, but you can get more info here

4. Open CMS and navigate to Manage – Software Catalog - Import
5. Click plus button and navigate to folder where all 3 java related files exist, select all files and then select open
6. Make sure .msi file is bolded, if not highlight it and select “Set Installation File”
7. Select Next, files upload to CMS.  Edit name, etc as desired. Leave checkbox checked for edit software resource… Select OK.
8. On package tab, delete Install, install no IU and install for all users leaving just Install for all users with no UI/Repair/Uninstall options (not necessary).  We edit our “Install for all users with no UI” command line to be msiexec.exe /i "jre1.8.0_31.msi" AUTOUPDATECHECK=0 IEXPLORER=1 JAVAUPDATE=0 JU=0 MOZILLA=1 /qn ALLUSERS=2

   Note: I originally had IEXPLORER and MOZILLA keys in the command line, but they didn’t end up in the registry, so I don’t think they’re supported anymore, so I removed them. Anyone know if any of that is documented anywhere?

9. Detection rule is auto created.  For Applicability, enter as needed (I leave mine at default).  Click OK to save.
10. Navigate to your CMS sharepoint \\cms\SoftwareLibrary and find the UUID of the folder uploaded (latest time /date stamp).  This is the same UUID folder name that gets copied locally to workstation when rolling out.
11. Create command script task to copy deployment files to right location.  My script also includes lines to delete javaUpdate registry file if it exists because some people had this from previous versions and the Java 7 51 installer wasn’t clearing it and leaving the update tab in the control panel app.    Here’s example script – replace 9f283b6e-34b5-4e23-a171-82d3axxxxxxx with the UUID from step 10.

    xcopy "C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{9f283b6e-34b5-4e23-a171-82d3axxxxxxx}\cache\deployment.config" C:\Windows\sun\java\deployment\ /y
    xcopy "C:\Program Files\Altiris\Altiris Agent\Agents\SoftwareManagement\Software Delivery\{9f283b6e-34b5-4e23-a171-82d3axxxxxxx }\cache\deployment.properties" C:\Windows\sun\java\deployment\ /y
    reg add "HKLM\Software\JavaSoft\Java Update\Test"
    reg delete "HKLM\Software\JavaSoft\Java Update" /f

12. Create vbscript to remove previous versions of Java if needed.  I was going from Java 8 from 7 and the 8 installer doesn’t remove Java 7.  I got my script from “serverkudsk” comment in this thread .  I changed the line strCurrentVersion line to be “strCurrentVersion = "Java(TM) 8 Update 31"”, this script removes all versions of java on machine below 1.8.31.  Update 8/20/15 - I'm now using the script posted by Darren Collins in this thread because I was having issues with Java 8 versions not uninstalling properly.
13. Create Managed software delivery Policy with 2 scripts and add software task.  If you’re not 7.5, consider adding a task to delete software cache (this regenerates the software listed in inventory, there was a bug in 7.1 where old software doesn’t get removed unless you clear cache), and then run a software inventory scan.  7.5 fixes this bug and Delete SoftwareCache is no longer needed.  Set applied to and schedule.

     This is what my policy looks like

Installing java with the browser opened seems to continue to cause issues.  I saw some machines in add/remove programs saying the app was installed, but it didn’t work in the browser and there was no control panel icon.  So, I set the policy to only run if no user logged in under schedule – advanced options

I also set the advanced settings for the software install to only run “only when no user is logged on.”  This is probably not necessary, but I thought it was a failsafe.

Our users typically leave machines in locked or powered off states, so my plan is to leave these ‘install at logout’ precautions in place for a week or 2 and then eventually set it to run whenever for all users not yet updated and deal with the corrupted installs that happen manually.  I’m happy so far in first few days of policy being on about half of users have been updated.

To maintain Java, I have some filters set up. 

1. Static filter for “Needs Latest Java” that is maintained at our helpdesk level so if someone calls in needing java, they get added to the static filter.
2. Dynamic filter for “Has Java 8 Update 31” that just checks for latest version of Java.  This is built easily in software section of CMS by right clicking on your software resource selecting action, create installed software filter.
3. Dynamic filter for “Waiting for Latest Java Install” that includes all machines in “Needs Latest Java” except those also in “Has Java 8 Update 31”.  This is the filter the managed software delivery policy gets scoped to.
4. Static filter for “Needs Outdated Java” for 2-3 users that require an old version of Java for a specific app also maintained by helpdesk
5. Dynamic filter for “Has Java Installed” that is based on SQL query below that some nice person on Connect probably helped me do

   SELECT sw._ResourceGuid [Guid]
   FROM [vSoftwareComponent] sc
   inner join [Inv_InstalledSoftware] sw
   on sw.[_SoftwareComponentGuid] = sc.[Guid]
   where sc.[Name] LIKE '%JAVA%'
   and sw.[InstallFlag]=1

6. Finally, a dynamic filter “Remove Java” that is based on ‘Has Java Installed’ but excludes ‘Needs Outdated Java’ and also excludes ‘Needs Latest Java’.  This I scope a policy with script to remove Java for everyone who isn’t approved to have it.  This policy runs with update software inventory as well so users fall out of the dynamic group after uninstall is successful.