
Disabling Java via the command line in OS X is not easy

Disabling Java in OS X must be done for each user account, and even Terminal commands for doing this may be too impractical to serve as a substitute.

After the Flashback malware was found to be exploiting Mac systems via security holes in Java, one recommendation was for Mac users to disable Java if they do not use it, either in the Web browser or more globally using the Java Preferences utility.

OS X has historically come with Java pre-installed, but even though it is optional in the latest version (OS X Lion), unfortunately once installed on a system there is no official way to uninstall it. The only options that Apple provides are to manage Java preferences on a per-user basis to prevent the Java runtime from being activated for that user, rather than doing so for the entire system.

Java Preferences
The Java Preferences application is used to manage the per-user settings for the installed Java runtimes. Screenshot by Topher Kessler/CNET

This means that disabling Java for an entire system is not as easy as logging in as an administrator and unchecking the Java runtimes. Instead, to disable Java for the whole system you will need to make these changes for each user account on the system, and then do it for any new account you create.

For home environments with one system and a few user accounts this is not too difficult to manage; however, it does impose a burden on those who manage multiple systems such as computer labs. Some people in these situations have been curious about options for adjusting these settings quickly via the command line.

MacFixIt reader "Ray S." writes:

Because of the Flashback malware, I am looking for a solution to disable Java on dozens of Macs from the command line. I have been a sysadmin for a while, but for the life of me I cannot find a plist or other file that holds the On/Off switch for enabling/disabling Java in OS X.

While an option to quickly disable Java system-wide would be convenient to have, unfortunately this is just not possible given how Java is implemented in OS X. You can use Terminal commands to alter the settings necessary for disabling Java, but they are very dependent on the OS version and setup being used, which makes the commands quite extensive and complex.

Considering Terminal commands
In OS X, not only are the Java preferences handled on a per-user basis, but their settings are stored in ways that require you to take into account various unique aspects of the individual system that you are managing. First you will need to know the number of installed Java runtimes on the system, then know all of the local user accounts on the specific machine, and finally know the individual hardware identifier numbers for each machine.

These are required because the Java settings are stored in the "ByHost" preferences folder within each user account, which stores settings on a per-computer basis. Additionally, in situations where home folders are stored in a central server, the ByHost preference files will change depending on what computers are being used by that account.

Furthermore, the settings within the user's Java preferences file that enable or disable each runtime are nested deep in a tree of parameters, making it impossible to use the more common "defaults" command to target them and instead requiring the use of "PlistBuddy" in a manner similar to the following (thanks to Jaharmi's Irreality for the ioreg component):

sudo /usr/libexec/PlistBuddy -c "set PreferredJVMOrder:any:0:JVMUserData:JVMEnabled 0" /Users/USERNAME/Library/Preferences/ByHost/com.apple.java.`ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s\n", line[4]); }'`.plist

In this command, we're using the PlistBuddy program and are commanding it to target the nested JVMEnabled variable for the first runtime listed in the user's Java preferences, and then set it to be disabled. The command also uses an in-line evaluation of an "ioreg" command to look up and parse the computer's hardware UUID string to get the UUID number.

If you change the "USERNAME" text in the command to be the short name of the target user, then it will disable the first Java runtime for that user; however, even though this command will work in some situations, it will not work in all. For systems prior to OS X 10.6, OS X may use different hardware identifiers than the UUID for host-specific property lists, or use alternate means of storing them besides in the IO Registry's "PlatformExpertDevice" listing. These differences mean that should you choose to tackle this with a command-line approach, then you would need to research what unique identifier is used, and how to extract it for use in the command.

In addition, you would need to rerun the command and change the first zero in it to a 1, and then a 2, and so on, in order to target other Java runtimes on the system. After this is done, you would need to repeat this process for all users on the system.
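
The per-user, per-runtime loop described above, written out as an added example that is not part of the original article: it only prints the PlistBuddy commands so they can be reviewed before anything is changed. The function names, the --run switch, and the sample ioreg text are assumptions made for illustration; it also assumes home folders live under /Users, that the ByHost file is named by hardware UUID (OS X 10.6 and later), and that you supply the number of runtimes yourself.

```sh
#!/bin/sh
# Added example: dry-run generator for the per-user, per-runtime commands.
# The key path and ByHost file name come from the article; the function
# names, the --run switch and the sample data below are assumptions.

# Constructed sample of `ioreg -rd1 -c IOPlatformExpertDevice` output.
SAMPLE_IOREG='+-o MacPro5,1  <class IOPlatformExpertDevice, registered>
    {
      "IOPlatformSerialNumber" = "C00000000000"
      "IOPlatformUUID" = "00000000-1111-2222-3333-444444444444"
    }'

# Read ioreg output on stdin, print the hardware UUID (4th quote-delimited field).
parse_uuid() {
    awk -F'"' '/IOPlatformUUID/ { print $4; exit }'
}

# $1 = home directory, $2 = UUID: print the host-specific Java plist path.
java_plist() {
    printf '%s/Library/Preferences/ByHost/com.apple.java.%s.plist\n' "$1" "$2"
}

# $1 = home, $2 = UUID, $3 = runtime count: print one command per runtime index.
emit_commands() {
    plist=$(java_plist "$1" "$2")
    i=0
    while [ "$i" -lt "$3" ]; do
        printf '/usr/libexec/PlistBuddy -c "set PreferredJVMOrder:any:%s:JVMUserData:JVMEnabled 0" "%s"\n' \
            "$i" "$plist"
        i=$((i + 1))
    done
}

# On the Mac itself: sh thisfile --run COUNT
# Prints commands for every account that already has a Java ByHost file,
# so they can be reviewed before being run with sudo.
if [ "${1:-}" = "--run" ]; then
    uuid=$(ioreg -rd1 -c IOPlatformExpertDevice | parse_uuid)
    for home in /Users/*; do
        [ -f "$(java_plist "$home" "$uuid")" ] || continue
        emit_commands "$home" "$uuid" "${2:-1}"
    done
fi
```

Accounts that have never had Java preferences written on this machine have no ByHost file and are skipped, so new accounts still need the same treatment later.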

If all of that seems a bit complex, confusing, and burdensome, then do not be alarmed; it is.

While some people may be able to use this approach for scripting a means of disabling Java for all accounts on all of their computers, this demonstrates that if you need to disable Java, then for most people the only feasible ways will be to do so within each user account using the Java Preferences utility, or by uninstalling Java itself.

Uninstalling Java
While Java is a core aspect of older versions of OS X, you can essentially uninstall it on systems that do not need to use it by removing critical components of the Java framework and runtime that allow it to function. The framework and its components are only used for the purposes of running Java, so if you have determined that you do not want any users on the system to run Java, then you can take a few simple steps to remove it from the system.

Java runtime file
By removing the Java Virtual Machine files (which look like the one in this screenshot), you will break the Java runtime and prevent any Java applications or applets from running. Screenshot by Topher Kessler/CNET

For people who wish to disable Java on multiple machines that are used by many different users, this is likely the most practical approach.

The core of the Java installation is its runtime, which in OS X is in the /System/Library/Java/JavaVirtualMachines/ folder and is named something similar to "1.6.0.jdk." Deleting this and any other similarly named files from this folder should fully break the Java installation and prevent Java applications and applets from working.

Uninstalling via the command line
If you manage multiple systems and would like to break the Java runtime for them, then doing so is far easier than managing the Java preferences on a per-user and per-machine basis. Since the removal of the Java runtime is the only needed step to break Java, you can do so by running the following command when logged into the system:

sudo rm -r /System/Library/Java/JavaVirtualMachines/*.jdk

This command will delete all of the Java virtual machines that contain the tools, libraries, and other resources needed for running Java applications. With this component removed, if you need to run Java programs again you can download and apply any of the Java updates from the Apple Web site (be sure to grab the latest one for your system), which should contain the necessary and applicable Java runtimes.

While this command deletes the Java runtimes from the system, an alternative approach is to simply rename, archive, or move the Java runtime files so the resources that link to them will be broken. There are various approaches to doing this, such as the following, which should move them to the system library root and thereby prevent them from being used:

sudo mv /System/Library/Java/JavaVirtualMachines/*.jdk /System/Library/
