Posted on 01-16-2016 02:19 PM
Hi all,
I've seen many posts about setting Adobe Flash Player to auto update. Just wanted to know what you guys think is the best way that is least intrusive to the end user.
I appreciate any feedback. Thanks!
Posted on 01-16-2016 03:35 PM
Even if you set it to auto update, Adobe will release a new version/update that usually requires user intervention.
Check out autopkgr and use the flash player recipe to keep it up to date.
Posted on 01-17-2016 09:47 AM
+1 for autopkg/(autopkgr or jenkins). There is also a great script floating around that will update
LSinNY
Posted on 01-17-2016 04:10 PM
I use the script, however I don't have to manage a lot of apps. If you have to manage many apps spend the time to learn and use autopkgr or jenkins.
C
Posted on 01-18-2016 09:57 AM
Here is a script harvested from @rtrouton.
You could make a button in self service available to people that don't meet version criteria or you could just have it always running and always available for people to download in Self Service.
#!/bin/bash
# This script downloads and installs the latest Flash player for compatible Macs
# Determine OS version
osvers=$(sw_vers -productVersion | awk -F. '{print $2}')
# Determine current major version of Adobe Flash for use
# with the fileURL variable
flash_major_version=`/usr/bin/curl --silent http://fpdownload2.macromedia.com/get/flashplayer/update/current/xml/version_en_mac_pl.xml | cut -d , -f 1 | awk -F\" '/update version/{print $NF}'`
# Specify the complete address of the Adobe Flash Player
# disk image
fileURL="http://fpdownload.macromedia.com/get/flashplayer/current/licensing/mac/install_flash_player_${flash_major_version}_osx_pkg.dmg"
# Specify name of downloaded disk image
flash_dmg="/tmp/flash.dmg"
if [[ ${osvers} -lt 6 ]]; then
    echo "Adobe Flash Player is not available for Mac OS X 10.5.8 or below."
fi
if [[ ${osvers} -ge 6 ]]; then
    # Download the latest Adobe Flash Player software disk image
    /usr/bin/curl --output "$flash_dmg" "$fileURL"
    # Specify a /tmp/flashplayer.XXXX mountpoint for the disk image
    TMPMOUNT=`/usr/bin/mktemp -d /tmp/flashplayer.XXXX`
    # Mount the latest Flash Player disk image to /tmp/flashplayer.XXXX mountpoint
    hdiutil attach "$flash_dmg" -mountpoint "$TMPMOUNT" -nobrowse -noverify -noautoopen
    # Install Adobe Flash Player from the installer package stored inside the disk image
    /usr/sbin/installer -dumplog -verbose -pkg "$(/usr/bin/find "$TMPMOUNT" -maxdepth 1 \( -iname '*.pkg' -o -iname '*.mpkg' \))" -target "/"
    # Clean-up
    # Unmount the Flash Player disk image from /tmp/flashplayer.XXXX
    /usr/bin/hdiutil detach "$TMPMOUNT"
    # Remove the /tmp/flashplayer.XXXX mountpoint
    /bin/rm -rf "$TMPMOUNT"
    # Remove the downloaded disk image
    /bin/rm -rf "$flash_dmg"
fi
exit 0
Posted on 01-18-2016 10:01 AM
Thanks @dderusha! I want to automate the process and never have to rely on users running the script for Self-Service. So would I just have this policy/script run on login/interval or something of the sort once a week or at whatever interval I choose?
Thanks again for everyone's feedback and help! Much appreciated!!!
-Ronnie
Posted on 01-18-2016 10:25 AM
You could make an Extension Attribute for Flash and, depending on those results, use a smart group to populate the Flash update policy that runs that script.
#!/bin/sh
#
############################################################################
#
# Extension Attribute checks to display Adobe Flash Player Version with Release number.
#
# Uses CFBundleShortVersionString because this is the "release version number of the bundle"
# Ref: https://developer.apple.com/library/IOS/#documentation/General/Reference/InfoPlistKeyReference/Articles/CoreFoundationKeys.html
#
############################################################################
if [ -d "/Library/Internet Plug-Ins/Flash Player.plugin" ] ; then
    flashVersion=$( defaults read "/Library/Internet Plug-Ins/Flash Player.plugin/Contents/version" CFBundleShortVersionString )
    echo "<result>$flashVersion</result>"
else
    # the number 55 is just a placeholder for "Not Installed" represented by a number
    echo "<result>55</result>"
fi
exit 0
Posted on 01-18-2016 11:19 AM
@dderusha thanks for sharing the script, works beautifully.... except for one issue I've been having. I ran it from Self Service as well as a policy. Each time the JSS sees the outcome as a failure when it actually was successful in downloading the latest version of flash.
Have you run into this issue?
Posted on 01-18-2016 11:28 AM
@chad.fox I have not run it in my JSS for over a year. Boss thought it was too much automation, so I've had it sitting in the wings since then... :0) Since then 10.11 has come out.... what OS are you running? Might need to add some updates to the script's tmp dir.
Posted on 01-18-2016 11:31 AM
@dderusha I'm running 10.11. It's weird because it works perfectly each time, the JSS just gets angry. Might be because it's Monday, who knows.
Posted on 01-18-2016 11:48 AM
@chad.fox Try this current one from @rtrouton 's github
#!/bin/bash
# This script downloads and installs the latest Flash player for compatible Macs
# Determine OS version
osvers=$(sw_vers -productVersion | awk -F. '{print $2}')
# Determine current major version of Adobe Flash for use
# with the fileURL variable
flash_major_version=`/usr/bin/curl --silent http://fpdownload2.macromedia.com/get/flashplayer/update/current/xml/version_en_mac_pl.xml | cut -d , -f 1 | awk -F\" '/update version/{print $NF}'`
# Specify the complete address of the Adobe Flash Player
# disk image
fileURL="http://fpdownload.macromedia.com/get/flashplayer/current/licensing/mac/install_flash_player_${flash_major_version}_osx_pkg.dmg"
# Specify name of downloaded disk image
flash_dmg="/tmp/flash.dmg"
if [[ ${osvers} -lt 6 ]]; then
    echo "Adobe Flash Player is not available for Mac OS X 10.5.8 or below."
fi
if [[ ${osvers} -ge 6 ]]; then
    # Download the latest Adobe Flash Player software disk image
    /usr/bin/curl --output "$flash_dmg" "$fileURL"
    # Specify a /tmp/flashplayer.XXXX mountpoint for the disk image
    TMPMOUNT=`/usr/bin/mktemp -d /tmp/flashplayer.XXXX`
    # Mount the latest Flash Player disk image to /tmp/flashplayer.XXXX mountpoint
    hdiutil attach "$flash_dmg" -mountpoint "$TMPMOUNT" -nobrowse -noverify -noautoopen
    pkg_path="$(/usr/bin/find "$TMPMOUNT" -maxdepth 1 \( -iname '*Flash*.pkg' -o -iname '*Flash*.mpkg' \))"
    # Before installation on Mac OS X 10.7.x and later, the installer's
    # developer certificate is checked to see if it has been signed by
    # Adobe's developer certificate. Once the certificate check has been
    # passed, the package is then installed.
    if [[ ${pkg_path} != "" ]]; then
        if [[ ${osvers} -ge 7 ]]; then
            signature_check=`/usr/sbin/pkgutil --check-signature "$pkg_path" | awk '/Developer ID Installer/{ print $5 }'`
            if [[ ${signature_check} = "Adobe" ]]; then
                # Install Adobe Flash Player from the installer package stored inside the disk image
                /usr/sbin/installer -dumplog -verbose -pkg "${pkg_path}" -target "/"
            fi
        fi
        # On Mac OS X 10.6.x, the developer certificate check is not an
        # available option, so the package is just installed.
        if [[ ${osvers} -eq 6 ]]; then
            # Install Adobe Flash Player from the installer package stored inside the disk image
            /usr/sbin/installer -dumplog -verbose -pkg "${pkg_path}" -target "/"
        fi
    fi
    # Clean-up
    # Unmount the Flash Player disk image from /tmp/flashplayer.XXXX
    /usr/bin/hdiutil detach "$TMPMOUNT"
    # Remove the /tmp/flashplayer.XXXX mountpoint
    /bin/rm -rf "$TMPMOUNT"
    # Remove the downloaded disk image
    /bin/rm -rf "$flash_dmg"
fi
exit 0
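The certificate check in the script above, as an added example that is not part of the original post or of @rtrouton's script: because the disk image is fetched over plain HTTP and mounted with -noverify, the package signature is the only integrity control, so this version also requires a trusted Status line and an exact match on the leaf signer. The function names, the sample pkgutil output and the values of EXPECTED_SIGNER and TRUSTED_STATUS are assumptions to be confirmed against a known-good package.

```shell
#!/bin/bash
# Added example: stricter parsing of `pkgutil --check-signature` output,
# read from stdin so it can be exercised without a real package.

# Assumptions: copy both values from the output pkgutil prints for a
# known-good package on the OS version you deploy to.
EXPECTED_SIGNER='Developer ID Installer: Adobe Systems, Inc.'
TRUSTED_STATUS='signed by a certificate trusted by'

# Succeeds only if the Status line reports a trusted signature AND the
# leaf certificate (entry 1 of the chain) equals EXPECTED_SIGNER exactly.
signature_ok() {
    awk -v want="$EXPECTED_SIGNER" -v ok="$TRUSTED_STATUS" '
        /Status:/     { trusted = (index($0, ok) > 0) }
        /^[ \t]*1\. / { sub(/^[ \t]*1\. /, ""); sub(/[ \t]+$/, ""); leaf = $0 }
        END           { exit !(trusted && leaf == want) }
    '
}

# The check used in the script above, kept for comparison: it reads only
# the fifth word of the signer line and never looks at the Status line.
legacy_check() {
    [ "$(awk '/Developer ID Installer/{ print $5 }')" = "Adobe" ]
}

# Constructed pkgutil output (sample data, not captured from a real package).
sample_good='Package "flash.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: Adobe Systems, Inc.
    2. Developer ID Certification Authority
    3. Apple Root CA'
sample_untrusted='Package "flash.pkg":
   Status: signed by untrusted certificate
   Certificate Chain:
    1. Developer ID Installer: Adobe Systems, Inc.'
sample_other_signer='Package "flash.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: Adobe Example Tools LLC
    2. Developer ID Certification Authority
    3. Apple Root CA'

# Prints how each check treats one sample: "<label>: strict=... legacy=..."
report() {
    if printf '%s\n' "$2" | signature_ok; then s=accept; else s=reject; fi
    if printf '%s\n' "$2" | legacy_check; then l=accept; else l=reject; fi
    echo "$1: strict=$s legacy=$l"
}
report good "$sample_good"
report untrusted "$sample_untrusted"
report other "$sample_other_signer"
```

In the installer script this would be used as `/usr/sbin/pkgutil --check-signature "$pkg_path" | signature_ok` in place of the `signature_check` comparison, with the install skipped and a non-zero exit returned when it fails.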
Posted on 01-18-2016 01:05 PM
@dderusha Same issue with the updated script. Not a huge deal, just seems odd that the JSS reports a failure when it runs successfully.
Posted on 01-18-2016 01:27 PM
Chrome.
Posted on 01-18-2016 02:28 PM
+1 @jarednichols
Flash player is not supported as far as I am concerned. If you need to look at Flash, I have two pieces of advice...
1. Find a better site/service/webapp
2. Use Chrome. It's already got built-in auto updating for its integrated Flash player.
Posted on 01-19-2016 04:07 AM
Thanks @milesleacy
As a community we spend an extraordinary amount of time managing a plugin that is exceedingly going away. Let someone else do it.
Posted on 01-19-2016 04:56 AM
@dderusha @chad.fox, the likely reason that the JSS is reporting it failed is that the policy's logs of the script output include the word Error at some point. The script hasn't actually failed, it's just that the word is present in the script's output in the logs. This was something that Casper 9.82 is supposed to fix, but earlier versions of Casper will detect and report a failed status because of it.
With regard to using my script, there are two options to fix this:
A. Run the script using a payload-free package, as that will report on whether the package installed successfully (and avoid the spurious Error word in the log which Casper sees.)
I have a payload-free package for this script available from the following link:
B. Edit the script to change the references to /usr/sbin/installer -dumplog -verbose -pkg to be /usr/sbin/installer -pkg instead, as the verbose logging is what is causing the word Error to be picked up by Casper's logging.
Posted on 01-19-2016 08:28 AM
@rtrouton That's it! Worked beautifully, I can't thank you enough.
@jarednichols I wish we could push everyone over to Chrome. I can't wait for the day when we can say goodbye to Flash...
Posted on 01-19-2016 09:32 AM
@chad.fox Why can't you? Does your organization make decisions based on facts and reason? The argument is fairly simple and straightforward. When the need for a change is obvious, a direct, concise presentation of the facts can shame the blockers/gatekeepers into facing the indefensibility of their position.
Posted on 01-19-2016 09:59 AM
@milesleacy Does it really matter? Whatever the reason, if a company doesn't allow it, they don't allow it. It could be that they don't allow any Google products on their computer. Could be that they don't want their end users running a web browser which the IT organization will not support. Who knows? Who cares? Deploying Flash is stupid simple. Pointing users to Chrome is one way to approach the problem. Deploying Flash for all other web browsers is another approach. Scripting it out is yet another approach. Doesn't really matter so long as you're providing support for your end users within the guidelines/policies your organization has set.
Posted on 01-19-2016 10:42 AM
@bpavlov It matters quite a bit.
While the approaches you reference are technically achievable, my question is, are they productive courses of action for the organization to pursue? Would time and energy be better spent elsewhere rather than reinventing a proverbial wheel that someone else has already built?
Any technical problem is solvable, given enough effort. My point is that to use our resources properly, we need to define which problems don't need to be solved, which ones have been solved by others, and which ones are worth spending our own and our organizations' finite resources on.
I don't have access to JAMF Nation demographics, but I feel fairly confident in saying that a majority of JAMF Nation participants are Casper Suite customers. Why? You could write your own deployment scripts. Apple's MDM framework is available to all developers. There are open source projects that can achieve many of the same goals. It's a fair bet to say that you (in the collective sense), or at least your organizations, recognize that we (sysadmins) can't and shouldn't build everything ourselves. We recognize that the time and effort needed to build and maintain these tools are beyond the available bandwidth in our teams. We recognize that if someone has already solved the problem, we should use their solution. In a sense, this is one of the most basic reasons why JAMF gets paid - because it's a senseless waste to reinvent solutions when they've already been discovered. So, if we accept this concept in a macro way regarding management tools, why do we have difficulty with the concept when it comes to the minutiae?
I know that my own team has more work than we have available time to handle, and that this has always been the case throughout my professional life. I have never encountered an IT engineering team with spare cycles. Reinventing a wheel rather than using an extant solution carries real lost opportunity costs. I would be doing my organization a disservice by taking on any unnecessary work.
Google solved the Flash problem with Chrome. Hooray! I have unsolved problems to tackle.
Posted on 01-19-2016 11:15 AM
It really isn't solving the problem though. You are just telling an end user to use Google Chrome. Why can't the end user continue to use Safari or Firefox if that's their web browser of choice? Because as an admin you can't be bothered to deploy Flash for other web browsers? Ironically Adobe released a Flash update today. Got it deployed within 1 minute. And if you have something like AutoPkgr tied into your JSS, doesn't take any time at all....
You are right that most people wouldn't build a system to take on many of the functions that commercial products already offer, but then again some people do. That's why tools like Munki, AutoPkg, DeployStudio, Imagr, etc exist. But we digress. And even with the Casper suite it's just a framework. You still have to package things up, write scripts, etc. So you can make all the arguments you want regarding how you spend your time and resources, but at the end of the day we have to support end users. If you want to tell your end users, you don't have time to support flash on non-Chrome web browsers then that's fine too. Every organization is different.
Anyways, that's the last I'll say on this topic.
Posted on 01-19-2016 12:14 PM
To say that the "use Chrome" solution to Flash deployment and updating is a "can't be bothered" approach is to minimize the very real factor of finite work cycles and ignore the additional problems and work Flash carries with it. Saying "I don't have time" to fulfill a request is perfectly acceptable, especially when it's true, alternatives are provided, and fulfilling the request would introduce unnecessary additional problems and risks, especially when alternative means of viewing the content are provided to the user.
To keep the conversation focused on Flash - it's bad software. It's a resource hog, buggy, and prone to exploits. These are not controversial statements but axiomatic in the world of sysadmins, and should be reasons enough to not deploy the software. Apple began its Flash ban with the iPhone in 2007, and has since been joined to some extent or another by Microsoft, Mozilla, Google and recently, even Adobe.
Inside the organization, internal developers should be banned from using Flash and external vendors should be abandoned if they refuse to abandon Flash. Granted, some of this may take a slow "weaning" process, but also keep in mind that I'm not advocating "no Flash for clients", just "Chrome is how clients consume Flash content".
An organization that deploys Flash invites problems, necessitating the introduction of additional tools such as, as mentioned, Autopkgr. Did it take zero time and resources to implement Autopkgr? Will it take zero resources to keep it updated and maintained? To re-point it to Adobe's source if and whenever necessary? No. So in this organization, we've introduced known-bad software and taken on additional tools and work necessary to keep Flash from being a security risk to the organization. If I accept that an organization wants to implement Autopkgr or similar solutions regardless of Flash, there are still the performance and stability issues to consider.
Chrome, which many, if not most, organizations deploy anyway, provides the alternative solution. It's self contained and self-updating, requiring no plugins to manage and no additional mechanism to keep up to date. Using Chrome for Flash content is as close to a "no-brainer" solution as any I've encountered.
I recognize that for some of the folks in this forum, I may be arguing architecture to carpenters. If you're tasked with "deploy Flash" and you have no decision-making input, then I know this line of discussion is not helpful to you. I am addressing the decision makers. For those of us responsible for client environments and user experience, I hold that to make the decision to deploy Flash is to do your organization a disservice.
Posted on 01-19-2016 01:29 PM
Posted on 01-19-2016 02:09 PM
I did a quick search but didn't find any posts about how do you block Flash? Do you just use the built in JSS Restricted Software?
Thanks
C
PS Just to throw gas on the fire @bpavlov you deployed this morning's Flash without testing against your internal apps? Also why would you push a non-security update? : ) Nothing is that easy
Posted on 01-19-2016 02:35 PM
You know, I agree with everyone. There are many valid points in all of these statements. Supporting computers- reminds me of "Choose Your Own Adventure" books I read as a kid. It's nice to know there are so many solutions to pick from.
Posted on 01-19-2016 02:52 PM
@gachowski I don't block Flash. I just don't deploy it or support it.
I've got a mixed user community of those with administrative privileges and those without. I only detect occasional Flash installs and xprotect will keep them from getting too hairy. If the computer gets compromised in any meaningful way, then it's educate, erase, install, enroll.
Posted on 01-19-2016 03:45 PM
@gachowski I work for Apple. WTF is Flash?!
Posted on 01-19-2016 03:59 PM
@jarednichols VERY NICE !!!!! : )
C
Posted on 02-02-2016 08:25 AM
@jarednichols yeah, but haven't we all at some point :P
I hate to be part of the fuel that started the flash fire. I understand the viewpoints and opinions that were thrown out, but Safari is going to stick around for a bit.
Posted on 01-11-2017 10:26 AM
I've been using the script above for months now, however it appears the URL: http://fpdownload.macromedia.com/get/flashplayer/current/licensing/mac/install_flash_player_24_osx_pkg.dmg
No longer works :(
Posted on 01-11-2017 11:19 AM
It appears the fine folks at Adobe are changing some of their distribution URLs based on the below reddit link. It stands to reason if the SCUP URL is updated the Mac URL most likely has changed also
https://www.reddit.com/r/sysadmin/comments/5n89y7/psa_adobe_flash_scup_catalog_url_changed/
Posted on 02-22-2017 02:24 PM
In case it hasn't been posted yet, the script posted by @rtrouton on GitHub works perfectly to update Flash. It works flawlessly as of today.
https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/install_latest_adobe_flash_player