Java – Is it possible to set Java to update automatically? Pros/cons

group-policy java

We have a few hundred users and about 40-50 of them need Java for one reason or another. The problem we run into (as have many others online apparently) is that Java seems to want to update all the time. How this differs is that most people online seem to all want to disable automatic updates. I was curious if you could set it to automatically update without prompting the user?

Personally I'd not want that because in the past updating Java to the latest and greatest has caused issues with ASDM for me, and this may be the case with other end users' programs as well (or may not). I'm just trying to weigh my options and figure out if this is possible as one less pop-up prompting them to update (when they can't without admin rights) would be great. And, I don't like the idea of ignoring potential security risks, I'd rather update things as they need to be updated.

Thanks in advance for your thoughts.

Best Answer

This is definitely a balance for your environment. There are two diametrically opposed camps on whether or not to update Java automatically:

The case for

Java is an extremely common exploit vector. J. Random Website and their ad-providers can and do load Java to exploit stuff. Since this is Java, it'll exploit not just IE users but Chrome and Firefox users as well. The malware writers really like it since it's installed everywhere and not commonly updated. Keeping it updated means fewer machines requiring rebuilds due to malware infestations.

The case against

It breaks our Java apps when we update. We have to test each and every one, and doing so for each and every bugfix release is too expensive.

If your office is not using Java apps, then the second case is not relevant. My office does; there are two pieces of hardware that have Java consoles, and these consoles don't get updated nearly often enough, so we have to keep old/busted Java installs around just to use them. You may not have that problem.

I've found that Java and GPO-based software deployments actually go together fairly well. Even better, it's not that hard to get at the needed MSI. A few clicks, and everyone will get updated Java on their next reboot. There may be registry hacks to do it directly in the Java updater, but I'm not sure what they are.
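To check that a GPO-deployed MSI actually landed, and to find the old installs kept around for legacy consoles, the following added example (not part of the original answer) inventories Java entries from the Windows Uninstall registry keys and flags any below a baseline. The function name `Get-JavaInstall`, the `Java*` display-name filter and the `-MinimumVersion` parameter are assumptions of this example; supply the version of the MSI you deploy.

```powershell
# Added example: list Java installs registered on this machine and flag
# those older than the baseline you deploy by GPO.
param(
    # Assumed parameter: the DisplayVersion of the MSI you currently deploy.
    [Parameter(Mandatory)]
    [version]$MinimumVersion
)

function Get-JavaInstall {
    param([version]$Baseline)

    # Native and WOW6432Node views: 32-bit Java on 64-bit Windows only
    # registers under the second path.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        # Assumption: Java products have a DisplayName starting with "Java".
        Where-Object { $_.DisplayName -like 'Java*' -and $_.DisplayVersion } |
        ForEach-Object {
            $parsed = $null
            $ok = [version]::TryParse($_.DisplayVersion, [ref]$parsed)
            [pscustomobject]@{
                Computer      = $env:COMPUTERNAME
                Name          = $_.DisplayName
                Version       = $_.DisplayVersion
                UninstallKey  = $_.PSChildName   # product code for MSI installs
                # Unparseable versions are flagged so they get a manual look.
                BelowBaseline = (-not $ok) -or ($parsed -lt $Baseline)
            }
        }
}

Get-JavaInstall -Baseline $MinimumVersion |
    Sort-Object BelowBaseline, Name |
    Format-Table -AutoSize
```

Machines that still report `BelowBaseline` as true after a reboot either missed the deployment or carry an older install that is being kept on purpose, and the second group is the one to track and isolate.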