Like I suppose a lot of people, we have a Windows/Active Directory environment and a lot of internal line of business apps that require Java. Our experience is that Java does not play nice in such a corporate network environment. Initial installation is fine (at least there's an MSI these days), but keeping things ticking over can be quite a challenge.
Specific issues we encounter include:
- Java has it's own updater, and so it does not tie into our internal patch management systems.
- The lack of any tools for management of Java settings via GPOs.
- The requirement for users to manually configure certain settings.
- Multiple Java runtimes on each machine (Oracle Jinitiator is a particular culprit here).
- Critical settings files stored under the Program Files folder.
with us it's mostly a batch of logon scripts and hacky workarounds, but I'm interested in hearing how other people handle these items, and if there are any other things one needs to watch out for here.
Best Answer
To speak to each of your concerns:
I've been deploying Java runtime environment releases for a few years now as software installation assignments from Group Policy. I disable updater functionality as a transform to the MSI and deploy updates, as necessary, through mandatory upgrades. If machines need to keep an older JRE (because some application requires it), I use security groups to keep machines from receiving newer upgrades. (Fortunately, I have not had to do this frequently.)
I build transforms to Sun's MSI using Microsoft's Orca tool. It might be nice to have a tool like Adobe's "Customization Wizard", but I can do everything I need with Orca.
I haven't had occasion for users to "manually configure certain settings", but I'd handle it one of two ways. If it's a matter of some users needing some settings that are different that the "norm", I'd either deploy a Group Policy "preference" to set that setting (assuming it's in the user portion of the registry), or an Administrative Template to change the setting (assuming it's in the computer portion of the registry). If it's required that hte user be allowed to change the setting on-demand, I'd grudgingly alter the permissions on the registry to allow the user (really, a security group containing the user) to do so. Grudgingly.
If an app requires its own JRE I'd be apt to tie the installation of that JRE in with the script / GPO that deploys the application and treat the two as a unit. That's the simplest way I can think of to deal with it.
I'm having a hard time recalling what settings live under "Program Files", but I'd grudgingly grant permission to a security group containing user accounts that need to modify these settings, if that was required. I'd probably also hold my head in my hands and curse Sun.
Until Sun gets their act together re: enterprise deployment and management of the JRE, I think it's likely that all of us are going to have hacky workarounds to deal with it. It's frustrating, but sadly typical. It seems like the vast majority developers have no concept of what it's like to do sysadmin work. <sigh>