Lowering XProtect

We needed to use older versions of Java for a few business apps. Apple periodically updates the XProtect file, which disables older versions of Java. We use this script to lower the blocked version to the version we need to use. We use Tivoli Endpoint Manager to check for changes to the file, but you could also do that with launchd.

:::bash
#!/bin/bash
## This script updates XProtect.meta.plist and sets our minimum Java version if it is lower than Apple's.
## First get the newest definition update from Apple

OUR_MIN_VERSION="1.6.0_37-b06-434"
XPROTECT_META_PLIST="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist"

rm -f "$XPROTECT_META_PLIST"
/usr/libexec/XProtectUpdater

if [ ! -e "$XPROTECT_META_PLIST" ]; then
    printf "XProtect.meta.plist not found\n"
    exit 0
fi

APPLE_MIN_VERSION=$(/usr/libexec/PlistBuddy -c "Print :JavaWebComponentVersionMinimum" "${XPROTECT_META_PLIST}")

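## Note: inside [[ ]], > compares the two strings lexically, not field by field as version numbers.
if [[ "$APPLE_MIN_VERSION" > "$OUR_MIN_VERSION" ]]; then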
    printf "Setting lower minimum version\n"
    /usr/libexec/PlistBuddy -c "Set :JavaWebComponentVersionMinimum $OUR_MIN_VERSION" "${XPROTECT_META_PLIST}"
else
    printf "No changes necessary\n"
fi

exit 0
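
The `[[ ... > ... ]]` test in the script compares strings character by character, so a value such as `1.6.0_9` would sort above `1.6.0_37`. The following is an added example, not part of the original script: a field-by-field numeric comparison for version strings in the `1.6.0_37-b06-434` format. The function names are hypothetical, and every sample version other than the one in the script is constructed.

```shell
#!/bin/sh
# Added example: numeric, field-by-field comparison of Java version strings.

# Split a version such as 1.6.0_37-b06-434 into its numeric fields
# ("1 6 0 37 06 434"); every run of non-digit characters is a separator.
version_fields() {
    printf '%s' "$1" | tr -cs '0-9' ' ' | sed 's/^ //; s/ $//'
}

# Strip leading zeros so "06" compares as 6 and is never read as octal.
to_decimal() {
    n=$(printf '%s' "$1" | sed 's/^0*//')
    printf '%s' "${n:-0}"
}

# version_gt A B: exit status 0 when A is a later version than B, else 1.
# Missing trailing fields count as 0, so "1.6" equals "1.6.0".
version_gt() {
    a_rest=$(version_fields "$1")
    b_rest=$(version_fields "$2")
    while [ -n "$a_rest$b_rest" ]; do
        a=${a_rest%% *}
        b=${b_rest%% *}
        # Drop the field just consumed from each list.
        case $a_rest in *' '*) a_rest=${a_rest#* } ;; *) a_rest= ;; esac
        case $b_rest in *' '*) b_rest=${b_rest#* } ;; *) b_rest= ;; esac
        a=$(to_decimal "$a")
        b=$(to_decimal "$b")
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
    done
    return 1   # all fields equal
}

# Constructed sample pairs; only 1.6.0_37-b06-434 comes from the script above.
for pair in "1.6.0_45-b06-451 1.6.0_37-b06-434" \
            "1.6.0_9 1.6.0_37" \
            "1.6.0_37-b06-434 1.6.0_37-b06-434"; do
    set -- $pair
    if version_gt "$1" "$2"; then
        printf '%s is newer than %s\n' "$1" "$2"
    else
        printf '%s is not newer than %s\n' "$1" "$2"
    fi
done
```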