Today I encountered a challenge which I think needs to be shared with you all.
Currently I’m working with other colleagues on building a brand new Citrix XenApp 7.5 environment based on Server 2012 R2 x64 in combination with RES Workspace Manager 2014 SR1, together with mandatory profiles and RES Zero Profiling technology.
A user who works with several Java applications encountered the following problem:
figure 1.1: Java Application Blocked by Security Settings
Since this error is generated by Java, I immediately went to the control panel to investigate the available options for configuring Java.
You can find the Java control panel applet when you change the “Category” view in your control panel to “Large” or “Small” icons.
figure 1.2: Control Panel – Java (32-bit)
Click the “Java (32-bit)” shortcut in your control panel, and the following screen will appear:
figure 1.3: Java Control Panel
Now, for example, if we want to change the security level of Java, which prevents the current Java application from running, change the security level from “High”
figure 1.4: Java Control Panel – Security High
to “Medium”
figure 1.5: Java Control Panel – Security Medium
and click “OK”.
This would do the trick, but how can this setting be passed on to users logging on to a Citrix environment with mandatory profiles?
Since we are using RES Workspace Manager, I did the following:
First of all I needed to capture the setting with some kind of tool. You’ve got two options here:
- Regshot, which is an open-source and free tool to capture and compare system state registry and file system changes between two snapshots and show what has changed
- ProcMon, which is a great tool for checking real-time processes, registry behavior and much more.
I chose ProcMon (make sure it runs in admin mode!)
figure 1.6: ProcMon
Now, when ProcMon is started, make sure you stop capturing (leave ProcMon running for some time and you’ll know why 😉 ) and make sure the list of captured events is emptied by clearing the screen:
figure 1.7: ProcMon – Capture and Clear Screen
Now that’s out of the way, since we want to capture some Java activity, go to Filter in the menu, and add the following filter: “Path” contains “Java”
figure 1.8: ProcMon – Add filter
Click “Add” and then “Apply”.
Now you have made a filter showing only events which concern the word “Java”.
Now repeat the configuration of the Java security level in the Java control panel, and you will see the following appear in ProcMon:
figure 1.9: ProcMon – Results
As you can see here, Java writes the changes to the following path: “C:\Users\Administrator\Appdata\LocalLow\Sun\Java\Deployment\deployment.properties”
Examining this location reveals the following:
figure 1.10: Windows Explorer – File location
If you open this file with notepad, you will find several properties which indicate how Java is configured on your machine.
figure 1.11: Deployment.Properties – Content
So there you have it: the Java configuration file.
The same goes when adding certain trusted websites to the Java applet:
figure 1.12: Java Control Panel – Edit Site List
If you click “Edit Site list” the following screen appears:
figure 1.13: Exception Site List
By clicking “Add”, another screen appears:
figure 1.13: Exception Site List – Adding the website
For example, by adding Google.com to the list of trusted sites to run Java-applets, you’ll receive a security warning if you click “OK”
figure 1.13: Exception Site List – Just click OK…
And by clicking “Continue”, the website will be added to the list of trusted sites to run Java-applets. Again, this is a setting which will be written to a config file, this time in the following location:
figure 1.14: Windows Explorer – File location
If you open this file with notepad, you will find the website we’ve just added:
figure 1.15: Exception.Sites – Content
Now, how can this be incorporated for every user signing into a Citrix environment with mandatory profiles, you ask?
In the RES Workspace Manager console, go to “Administration > Custom Resources”, and add the deployment.properties and / or the exception.sites file as a custom resource:
figure 1.16: RES Workspace Manager Console – Custom Resources
Go to “Composition > Execute Command” and click “New Command”
In the properties pane, make sure the script is executed “At logon after other actions”. As command, specify the following: “%script%”. This makes sure you can use the “Script” pane, which can hold far more complex and, even more important, multi-line scripts.
figure 1.16: RES Workspace Manager – Execute Command
As you can see, I’ve pasted the following script in the “Script” pane:
figure 1.17: Execute Command – Script
The exact content of the script is:
script 1.1: Copy Java security permission file to designated location
xcopy %rescustomresources%\deployment.properties "C:\Users\%UserName%\AppData\LocalLow\Sun\Java\Deployment" /i /c
figure 1.18: RES Workspace Manager – Execute Command
Now each time a user logs into the Citrix environment, the Java configuration file “deployment.properties” will be copied from the database used by RES into the specified location, setting the correct Java security level, trusted websites and other related settings for each user, during each session.
As you can see, an entirely different warning appears, which is perfectly normal. It hopefully makes users aware of the potential risk of opening the Java applet. But 90% of the users will happily make use of their trigger-finger twitch!
figure 1.19: Java Security Warning
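Because the copied files set the Java security level and the exception site list for every user at every logon, it is worth checking them before adding them as a custom resource. The PowerShell below is an added example, not part of the original post: it flags a lowered “deployment.security.level” and exception-site entries that are not HTTPS. The function names are hypothetical and the sample file contents are constructed.

```powershell
# Added example: audit deployment.properties and exception.sites before
# distributing them to all users. Function names are hypothetical.
function Read-JavaProperties {
    param([string[]]$Lines)
    $props = @{}
    foreach ($line in $Lines) {
        $t = $line.Trim()
        # Skip blanks and comment lines ('#' or '!' in Java properties files)
        if ($t -eq '' -or $t.StartsWith('#') -or $t.StartsWith('!')) { continue }
        $i = $t.IndexOf('=')
        if ($i -lt 1) { continue }
        $props[$t.Substring(0, $i).Trim()] = $t.Substring($i + 1).Trim()
    }
    return $props
}

function Test-JavaDeployment {
    param([string[]]$PropertyLines, [string[]]$SiteLines)
    $findings = @()
    $props = Read-JavaProperties -Lines $PropertyLines
    $level = $props['deployment.security.level']
    # Key absent means Java's built-in default level is in effect
    if ($level -and @('HIGH', 'VERY_HIGH') -notcontains $level.ToUpper()) {
        $findings += "deployment.properties: security level lowered to '$level'"
    }
    foreach ($site in $SiteLines) {
        $s = $site.Trim()
        if ($s -eq '') { continue }
        $uri = $null
        if (-not [System.Uri]::TryCreate($s, [System.UriKind]::Absolute, [ref]$uri)) {
            $findings += "exception.sites: '$s' is not an absolute URL"
        } elseif ($uri.Scheme -ne 'https') {
            $findings += "exception.sites: '$s' is trusted over $($uri.Scheme), not https"
        }
    }
    return $findings
}

# Constructed sample content; for real files use Get-Content on the two paths
$sampleProps = @('#deployment.properties', 'deployment.security.level=MEDIUM')
$sampleSites = @('http://google.com', 'https://intranet.example.com')
Test-JavaDeployment -PropertyLines $sampleProps -SiteLines $sampleSites
```

With the constructed sample, the function reports the MEDIUM security level and the plain-HTTP google.com entry, and passes the HTTPS entry.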
Got anything to add, got a trick up your sleeve which can simplify this action, or am I just doing it all wrong? 🙂 Please leave your comments in the comment section!