best practise to import and distribute Adobe Flash Player

SEN73
New Contributor

Hi All,

JSS/Casper Newbie here, I have been tasked to do a Adobe Flash Player update and would like to know what the best practise to import and distribute Adobe Flash Player and it needs to be a scheduled?

Thanks

SEN73

28 REPLIES 28

rickgmac
Contributor

The best way would be to sign up to distribute flash player from the adobe website
http://www.adobe.com/products/players/flash-player-distribution.html

Then if you want to schedule it or do it safely.
Add the package to casper admin.
Create policy to cache the package and run inventory
Create smart group for computers with flash pkg cached
Create policy to install cached package on login, once per computer to the smart group you just created.

SEN73
New Contributor

Hi rickgmac,

Thanks for your response, please excuse my noobity here :

I have added the package to Casper admin by dragging it across, would I create the policy through the JSS dash board as well as creating the Smart group etc?

Apologies I'm pretty much in the deep end at the moment - covering for a colleague thats booked off

Thanks again for your response

SEN73

rickgmac
Contributor

Hi SEN73,

So if you have added the package to casper admin. you should set some basic info for it. If you find the package in Casper admin, you can put some info in it. like group, priority and notes like which version. One extra thing I tend to do is rename the package before adding it to casper admin. I tend to add the version into the name, so you know when its time to update you can just add another without breaking or over writing anything. e.g. Adobe Flash Player 11.9.900.117.pkg

Then in JSS Dashboard create a policy to cache the package and run inventory to all machines.

Then in JSS Dashboard go to smart groups, and create a new group. your criteria needs to be Cached Packages, which will be under the receipts section. And you want to put in the package name which you added into casper admin.

Once you have your smart group. you can then create a second policy in JSS dashboard to install cached package Adobe Flash Player 11.9.900.117.pkg. your target would be your smart group and the trigger would be login.

This would only work if your JSS has login hooks enabled. which you can check in the computer management framework section. If you don't you could either enable to set the policy to run on a different trigger.

hope this helps

bluebox
New Contributor III

Is there a way to further automate this? We would like to be able to automatically update those clients that are in need of a Flash update. Something that tells Casper to run the policy again if the Flash Installer has been updated...

donmontalvo
Esteemed Contributor II

The IRC channel might be a good place to look, just have to sift through some of the condescending remarks aimed towards the JAMF community. No reflection on the IRC community as a whole:

http://osx.michaellynn.org/freenode-osx-server/freenode-osx-server_2014-02-24.html

external image link

To blow up the screenshot:

http://donmontalvo.com/jamf/jamfnation/IRC/irc-20140224-155135.png

Don

--
https://donmontalvo.com

Not applicable

My usual for this:

  1. add the new Flash package into Casper Admin with proper version number in the name and add the date into the notes.
  2. update the smart group's criteria to the new version number - based on an extension attribute, see https://jamfnation.jamfsoftware.com/discussion.html?id=28
  3. edit the policy that caches and installs the package to remove the previous version and add the newest version.
  4. flush all logs.
  5. test whichever installation triggers were specified and verify the installed version.

I'm looking forward to finally using my old pal @Banks autopkg-JSS importer https://gist.github.com/arubdesu/8190980 scripty goodness going to hopefully eliminate some of this tedium.

donmontalvo
Esteemed Contributor II

It's not a lot of work to download/package the enterprise version of Adobe's Flash update and push using a scope of is not desired version. Not sure I get @gregneagle's "trapped in hell" reference, as this is pretty trivial.

--
https://donmontalvo.com

gregneagle
Valued Contributor

Hey @donmontalvo:

Why not walk @ictbis through this pretty trivial process, then? I'm sure ictbis would appreciate the assistance.

-Greg

donmontalvo
Esteemed Contributor II

@gregneagle What part of @pete_c's post did you find difficult?

@pete_c posted a very straight forward process that most of us use:

My usual for this: of8ycZmdTIOdE3wmzByd I'm looking forward to finally using my old pal @Banks autopkg-JSS importer https://gist.github.com/arubdesu/8190980 scripty goodness going to hopefully eliminate some of this tedium.
--
https://donmontalvo.com

stevewood
Honored Contributor II
Honored Contributor II

@donmontalvo it's not that the process is difficult, it's that it is not what @ictbis was asking for. They were asking about an automated method for doing it, and sadly Casper does not have that functionality. The closest you can get is to implement Jenkis with Alister's script to get the files into Casper. You still need to go edit the policy.

I believe what @gregneagle was pointing out is that Munki can do what @ictbis was asking for. Right Greg?

Many different tools out there to do this stuff. Some of us just choose to use Casper instead of Munki or any of the others. That's all. Now, can't we all just get along? ;-)

bentoms
Release Candidate Programs Tester

+1 what @stevewood said.

I happily use Casper for this, despite the limitations.

Mainly, I'm not interested in managing another solution &/or repo for something I can do in a minute or two via Casper.

I'm also lucky as have no auditory requirements to manage a lot of stuff... So I only have to do this on a limited basis.

If your use case requires managing & updating multiple plugins etc.. Then adding Munki or Jenkins & AutoPKG will no doubt help.

frozenarse
Contributor II

I think I'm in a similar position as @bentoms.

Currently the steps that I have to do in Casper (we are still on 8.x) are kind of clunky. But it is also a bit clunky trying to setup/manage various open source tools for specific tasks. Prior to Casper we had a handful of tools to manage Macs. If it was only one person who had to deal with all of these tools it wouldn't be so bad. But if you need to write documentation or train people on how to use/maintain each of them it becomes less beneficial.

For us it is better to manage/train Casper and deal with the quirks. Obviously i would PREFER that Casper dealt with these things a bit smoother.

alexjdale
Valued Contributor III

Flash is actually pretty easy, since the installer will not run if the currently-installed version is higher than the installer version. It gives you a good margin of error as far as timing goes since you don't have to worry about "downgrading" it.

The way I am planning to move forward with Flash is to create an ongoing "available offline" policy that installs all cached packages at startup and login. When a new Flash version comes out, I cache that package for all of the out of date systems and then I'm done until the next release.

Third-party patching is a difficult topic. JAMF can't control what Adobe does and any attempt to automate patching is prone to break at any time.

CasperSally
Valued Contributor II

@alexjdale - I think you're giving JAMF too much leeway. There are several windows products that implement 3rd party patching, and on the Mac side it seems like the Munki/autopkg combo is doing it well also. JAMF can't control what Adobe does, but what Adobe does is make the latest installer consistently available at the same URL. JAMF could tie into that if they wanted to. That's similar to what Autopkg and the windows 3rd party patching tools I use do.

I'm torn because I want 3rd party patching in the Casper Suite, but they already seem stretched too thin at JAMF with various bugs in their latest release (which is far from a .0 release). I'd hate to see them try to take on patching at the expense of other bugs taking even longer to be addressed (casper imaging creating ghost records, full logs missing since 9.0, etc).

For now I use autopkg to easily get the products I need, then import them into Casper Admin and manage via policies. At some point I want to make time to look at Allister's tie ins.

CasperSally
Valued Contributor II

Also, for anyone interested, there is an existing feature request for 3rd party patch management integration (with some discussion) over here

https://jamfnation.jamfsoftware.com/featureRequest.html?id=662

donmontalvo
Esteemed Contributor II

@stevewood wrote:

Many different tools out there to do this stuff. Some of us just choose to use Casper instead of Munki or any of the others. That's all. Now, can't we all just get along? ;-)

Well said. ;)

--
https://donmontalvo.com

Chris_Hafner
Valued Contributor II

Agreed. Using the Casper suite, @pete_c's solution is about the best I can think of (Which is why that's how I do it).

Kumarasinghe
Valued Contributor

Recently we moved to built-in Flash auto update mechanism and works really well.
No more manual updates. Flash updates silently without any user interaction.

donmontalvo
Esteemed Contributor II

@Kumareshinghe Does this mean clients are each reaching out to external Adobe update servers?

--
https://donmontalvo.com

Kumarasinghe
Valued Contributor

milesleacy
Valued Contributor

Hey all, just to satisfy my own curiosity... why deploy Flash Player at all? Does Google Chrome with it's integrated and Google-updated Flash Player not meet needs?

From my perspective, I'd rather keep Flash out of my OS and use Chrome where a Flash crash can only take out a single browser window and not my whole OS. I'd rather eliminate an issue than spend time & effort fixing it.

Just thoughts.

donmontalvo
Esteemed Contributor II

Browser plugins are sandboxed now in Mavericks, so not much of an issue. But still, I'd rather take Adobe Flash Player out back, shoot it, then stab it, then bury it, then that night show up with a flashlight and a shovel, unearth it, set it on fire, then drag it over broken glass, then toss it in the sewer. That ought'a do the trick.

http://www.engadget.com/2013/10/24/flash-player-now-sandboxed-for-safari-users-running-os-mavericks/

--
https://donmontalvo.com

Chris_Hafner
Valued Contributor II

Heh, yea. I like the sentiment. In any event, we prefer to control the update process. There may be a time in the future when we DON'T want an update going out. Also, we wish to keep the traffic internal. Otherwise, you know your user base the best. If automatic updates are cool, the by all means. It's one less thing to worry about.

gregneagle
Valued Contributor

The "silent" update mechanism for Flash Player has not always been so silent. Not yet convinced I should trust it. Additionally, what is the impact to your network bandwidth and performance impact to your machines if every piece of software on every single machine does its own updating from servers across the internet?

If Office and Adobe Photoshop and Flash Player and OmniGraffle and VLC and Google Chrome and TextMate and VMware Fusion and ... are all checking for updates on the hundreds or thousands of machines you manage, what is the network bandwidth impact?

We've chosen software management systems like Casper to manage the software on our Macs. It should be fast and easy to manage updates for managed software.

ernstcs
Contributor III

Having Flash, or any Adobe product for that matter, just automatically update itself when a new version comes out? No thanks. There is this thing called testing...

donmontalvo
Esteemed Contributor II

@ernstcs][/url wrote:

Having Flash, or any Adobe product for that matter, just automatically update itself when a new version comes out? No thanks. There is this thing called testing...

Automagically deploying untested updates is a good way to violate corporate security mandates, can cost a company a lot of money, and goes without saynig may get someone in a whole lot of trouble.

--
https://donmontalvo.com

donmontalvo
Esteemed Contributor II

@gregneagle wrote:

We've chosen software management systems like Casper to manage the software on our Macs. It should be fast and easy to manage updates for managed software.

...or Munki, or Absolute, or Filewave. Irrespective of the tool used, someone's got to vet the stuff before it goes out.

Don

--
https://donmontalvo.com

ernstcs
Contributor III

Basically this...

Follow this page: https://jamfnation.jamfsoftware.com/viewProduct.html?id=41&view=info

Download the PKG when a new one is available. Dump it into your (hopefully a QA) JSS and go through whatever testing procedures are required of you. If you have none...scary voodoo, man.

Once tested (vetted as @donmontalvo uses) upload into Production JSS.

Update smart group that looks for Macs that DO NOT HAVE this new version number you updated for the group based on Extension Attribute for Flash version, and NOT the package Casper has deployed if your users have admin. I noticed there wasn't an official Extension Attribute on the above site, but just submitted this for approval:

#!/bin/sh
#
############################################################################
#
# Extension Attribute checks to display Adobe Flash Player Version number.
#
#
############################################################################
FlashPluginVersion=`/usr/bin/defaults read /Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info CFBundleVersion`
echo "<result> $FlashPluginVersion </result>"

exit 0

Go to the policy that pushes it out and update it's deploy scope (like if you set the policy to expire at some point, which I recommend) and then flush the policy history.

Follow-up at pre-determined time, likely the next Flash update you'll get in about a week or less, with systems that did not update correctly.

Rinse and repeat.