Jamf Nation Community

Hi rickgmac,

Thanks for your response, please excuse my noobity here :

I have added the package to Casper admin by dragging it across, would I create the policy through the JSS dash board as well as creating the Smart group etc?

Apologies I'm pretty much in the deep end at the moment - covering for a colleague thats booked off

Thanks again for your response

SEN73

Hi SEN73,

So if you have added the package to casper admin. you should set some basic info for it. If you find the package in Casper admin, you can put some info in it. like group, priority and notes like which version. One extra thing I tend to do is rename the package before adding it to casper admin. I tend to add the version into the name, so you know when its time to update you can just add another without breaking or over writing anything. e.g. Adobe Flash Player 11.9.900.117.pkg

Then in JSS Dashboard create a policy to cache the package and run inventory to all machines.

Then in JSS Dashboard go to smart groups, and create a new group. your criteria needs to be Cached Packages, which will be under the receipts section. And you want to put in the package name which you added into casper admin.

Once you have your smart group. you can then create a second policy in JSS dashboard to install cached package Adobe Flash Player 11.9.900.117.pkg. your target would be your smart group and the trigger would be login.

This would only work if your JSS has login hooks enabled. which you can check in the computer management framework section. If you don't you could either enable to set the policy to run on a different trigger.

hope this helps

Is there a way to further automate this? We would like to be able to automatically update those clients that are in need of a Flash update. Something that tells Casper to run the policy again if the Flash Installer has been updated...

The IRC channel might be a good place to look, just have to sift through some of the condescending remarks aimed towards the JAMF community. No reflection on the IRC community as a whole:

http://osx.michaellynn.org/freenode-osx-server/freenode-osx-server_2014-02-24.html

external image link

To blow up the screenshot:

http://donmontalvo.com/jamf/jamfnation/IRC/irc-20140224-155135.png

Don

It's not a lot of work to download/package the enterprise version of Adobe's Flash update and push using a scope of is not desired version. Not sure I get @gregneagle's "trapped in hell" reference, as this is pretty trivial.

Hey @donmontalvo:

Why not walk @ictbis through this pretty trivial process, then? I'm sure ictbis would appreciate the assistance.

-Greg

@gregneagle What part of @pete_c's post did you find difficult?

@pete_c posted a very straight forward process that most of us use:

My usual for this: of8ycZmdTIOdE3wmzByd I'm looking forward to finally using my old pal @Banks autopkg-JSS importer https://gist.github.com/arubdesu/8190980 scripty goodness going to hopefully eliminate some of this tedium.

@donmontalvo it's not that the process is difficult, it's that it is not what @ictbis was asking for. They were asking about an automated method for doing it, and sadly Casper does not have that functionality. The closest you can get is to implement Jenkis with Alister's script to get the files into Casper. You still need to go edit the policy.

I believe what @gregneagle was pointing out is that Munki can do what @ictbis was asking for. Right Greg?

Many different tools out there to do this stuff. Some of us just choose to use Casper instead of Munki or any of the others. That's all. Now, can't we all just get along? ;-)

+1 what @stevewood said.

I happily use Casper for this, despite the limitations.

Mainly, I'm not interested in managing another solution &/or repo for something I can do in a minute or two via Casper.

I'm also lucky as have no auditory requirements to manage a lot of stuff... So I only have to do this on a limited basis.

If your use case requires managing & updating multiple plugins etc.. Then adding Munki or Jenkins & AutoPKG will no doubt help.

I think I'm in a similar position as @bentoms.

Currently the steps that I have to do in Casper (we are still on 8.x) are kind of clunky. But it is also a bit clunky trying to setup/manage various open source tools for specific tasks. Prior to Casper we had a handful of tools to manage Macs. If it was only one person who had to deal with all of these tools it wouldn't be so bad. But if you need to write documentation or train people on how to use/maintain each of them it becomes less beneficial.

For us it is better to manage/train Casper and deal with the quirks. Obviously i would PREFER that Casper dealt with these things a bit smoother.

Flash is actually pretty easy, since the installer will not run if the currently-installed version is higher than the installer version. It gives you a good margin of error as far as timing goes since you don't have to worry about "downgrading" it.

The way I am planning to move forward with Flash is to create an ongoing "available offline" policy that installs all cached packages at startup and login. When a new Flash version comes out, I cache that package for all of the out of date systems and then I'm done until the next release.

Third-party patching is a difficult topic. JAMF can't control what Adobe does and any attempt to automate patching is prone to break at any time.

@alexjdale - I think you're giving JAMF too much leeway. There are several windows products that implement 3rd party patching, and on the Mac side it seems like the Munki/autopkg combo is doing it well also. JAMF can't control what Adobe does, but what Adobe does is make the latest installer consistently available at the same URL. JAMF could tie into that if they wanted to. That's similar to what Autopkg and the windows 3rd party patching tools I use do.

I'm torn because I want 3rd party patching in the Casper Suite, but they already seem stretched too thin at JAMF with various bugs in their latest release (which is far from a .0 release). I'd hate to see them try to take on patching at the expense of other bugs taking even longer to be addressed (casper imaging creating ghost records, full logs missing since 9.0, etc).

For now I use autopkg to easily get the products I need, then import them into Casper Admin and manage via policies. At some point I want to make time to look at Allister's tie ins.

Also, for anyone interested, there is an existing feature request for 3rd party patch management integration (with some discussion) over here

https://jamfnation.jamfsoftware.com/featureRequest.html?id=662

@stevewood wrote:

Many different tools out there to do this stuff. Some of us just choose to use Casper instead of Munki or any of the others. That's all. Now, can't we all just get along? ;-)

Well said. ;)

Agreed. Using the Casper suite, @pete_c's solution is about the best I can think of (Which is why that's how I do it).

Recently we moved to built-in Flash auto update mechanism and works really well.
No more manual updates. Flash updates silently without any user interaction.

@Kumareshinghe Does this mean clients are each reaching out to external Adobe update servers?

@donmontalvo
Yes.

Hey all, just to satisfy my own curiosity... why deploy Flash Player at all? Does Google Chrome with it's integrated and Google-updated Flash Player not meet needs?

From my perspective, I'd rather keep Flash out of my OS and use Chrome where a Flash crash can only take out a single browser window and not my whole OS. I'd rather eliminate an issue than spend time & effort fixing it.

Just thoughts.

Browser plugins are sandboxed now in Mavericks, so not much of an issue. But still, I'd rather take Adobe Flash Player out back, shoot it, then stab it, then bury it, then that night show up with a flashlight and a shovel, unearth it, set it on fire, then drag it over broken glass, then toss it in the sewer. That ought'a do the trick.

http://www.engadget.com/2013/10/24/flash-player-now-sandboxed-for-safari-users-running-os-mavericks/

Heh, yea. I like the sentiment. In any event, we prefer to control the update process. There may be a time in the future when we DON'T want an update going out. Also, we wish to keep the traffic internal. Otherwise, you know your user base the best. If automatic updates are cool, the by all means. It's one less thing to worry about.

The "silent" update mechanism for Flash Player has not always been so silent. Not yet convinced I should trust it. Additionally, what is the impact to your network bandwidth and performance impact to your machines if every piece of software on every single machine does its own updating from servers across the internet?

If Office and Adobe Photoshop and Flash Player and OmniGraffle and VLC and Google Chrome and TextMate and VMware Fusion and ... are all checking for updates on the hundreds or thousands of machines you manage, what is the network bandwidth impact?

We've chosen software management systems like Casper to manage the software on our Macs. It should be fast and easy to manage updates for managed software.

Having Flash, or any Adobe product for that matter, just automatically update itself when a new version comes out? No thanks. There is this thing called testing...

@ernstcs][/url wrote:

Having Flash, or any Adobe product for that matter, just automatically update itself when a new version comes out? No thanks. There is this thing called testing...

Automagically deploying untested updates is a good way to violate corporate security mandates, can cost a company a lot of money, and goes without saynig may get someone in a whole lot of trouble.

@gregneagle wrote:

We've chosen software management systems like Casper to manage the software on our Macs. It should be fast and easy to manage updates for managed software.

...or Munki, or Absolute, or Filewave. Irrespective of the tool used, someone's got to vet the stuff before it goes out.

Don

Basically this...

Follow this page: https://jamfnation.jamfsoftware.com/viewProduct.html?id=41&view=info

Download the PKG when a new one is available. Dump it into your (hopefully a QA) JSS and go through whatever testing procedures are required of you. If you have none...scary voodoo, man.

Once tested (vetted as @donmontalvo uses) upload into Production JSS.

Update smart group that looks for Macs that DO NOT HAVE this new version number you updated for the group based on Extension Attribute for Flash version, and NOT the package Casper has deployed if your users have admin. I noticed there wasn't an official Extension Attribute on the above site, but just submitted this for approval:

#!/bin/sh
#
############################################################################
#
# Extension Attribute checks to display Adobe Flash Player Version number.
#
#
############################################################################
FlashPluginVersion=`/usr/bin/defaults read /Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info CFBundleVersion`
echo "<result> $FlashPluginVersion </result>"

exit 0

Go to the policy that pushes it out and update it's deploy scope (like if you set the policy to expire at some point, which I recommend) and then flush the policy history.

Follow-up at pre-determined time, likely the next Flash update you'll get in about a week or less, with systems that did not update correctly.

Rinse and repeat.