Jamf Nation Community

stevewood · ‎03-05-2010

There was a question on the list back in January about how to locate the
Flash plug-in version, which is something I've wanted to do. The idea got
me thinking about not just Flash but also Silverlight, and really this could
apply to any plug-ins. So I embarked on writing some scripts and I wanted
to share them with you.

First Flash. It was suggested to parse the contents of a text file inside
the Flash Plug-in inside of /Library/Application Support/Adobe/Flash Player,
however I found that location did not always exist. So instead, I did it
with the plug-in inside /Library/Internet Plug-Ins. In here I used a bash
script to dump the contents of Info.plist inside the package and parse that
to find the version. The only hang up I had was comparing the version with
a known version using regular expressions and arithmetic operations. Tom
had suggested using this if statement:

if [[ $CurrentVersionFlash -gt 9 ]]

However, since the version number of Flash is always going to be a floating
point number, that won't work. Instead, you have to compare to a specific
number, which is a slight downside to the script that follows. You have to
update the version to check for each time Flash is updated by Adobe. You'll
notice I am only checking the revision number from the piece of the
Info.plist I am pulling out with awk.

The script checks the version, and if it is lower than the current version a
package receipt is dumped into /Library/Application Support/JAMF/Receipts
named FlashTooOld.pkg. A smart group is then scoped in JSS to look for that
package receipt, thus giving me a group to update. I have a policy scoped
against that group to run at login. The policy uses Growl Notify to notify
users that Flash is being updated and installs the Flash plug-in. I had to
put a sleep statement in my growl notify script to wait for the desktop to
come up fully before running.

Here is the Flash Version script:

#!/bin/bash

# get the current version of the flash player plug in

CurrentVersionFlash=`/bin/cat /Library/Internet Plug-Ins/Flash
Player.plugin/Contents/Info.plist | grep -m 1 10. | /usr/bin/awk '{ print $5
}'`

# now check to see if it is greater than version 9
echo $CurrentVersionFlash
if [[ "$CurrentVersionFlash" < r45 ]]

then

touch /Library/Application Support/JAMF/Receipts/FlashTooOld.pkg /usr/sbin/jamf recon

fi

exit 0

Now, the Silverlight check is done very similarly, so I will not bore you
with details. Here is the Silverlight script:

#!/bin/sh

# Name: silverlightversion.sh
# Date: 04 March 2009
# Author: Steve Wood (swood at integer.com)
# Purpose: to grab the version of Silverlight and place the version in the
Position tag in
# the location information of a machine.

# grab the version from the plug-in
version=`cat /Library/Internet
Plug-Ins/Silverlight.plugin/Contents/Info.plist | grep -m 1 3. | sed
's/[/]//' | sed 's/<string>//g'`

/usr/sbin/jamf recon -position $version
echo $version
if [[ "$version" < 3.0.50106.0 ]]

then

touch /Library/Application Support/JAMF/Receipts/SilverlightTooOld.pkg
/usr/sbin/jamf recon
fi

exit 0

Hope that helps someone. If any of you see something to do differently, let
me know.

Steve Wood
Director of IT
swood at integer.com

The Integer Group | 1999 Bryan St. | Ste. 1700 | Dallas, TX 75201
T 214.758.6813 | F 214.758.6901 | C 940.312.2475

milesleacy · ‎01-18-2016

Script edited below to remove typo 2016 01 18 14:41:50 PST

In light of last week's reported Silverlight zero-day, I thought I'd share this update/simplification. Since the Silverlight version is being read from a plist, I used defaults to get the value:

#!/bin/bash

if [ -e /Library/Internet Plug-Ins/Silverlight.plugin ]; then
   version=`defaults read /Library/Internet Plug-Ins/Silverlight.plugin/Contents/Info.plist SilverlightVersion`
else
   version "n/a"
fi

echo "<result>$version</result>"

exit 0

Luckily, I don't have any Silverlight installed in my environment, but as a best practice, I built a reporting and remediation process just in case a vulnerable version turns up.

MichaelC · ‎01-18-2016

Why use an extension attribute, when Casper can already collect data on installed plugins the same way it does for applications?

donmontalvo · ‎01-18-2016

Depends on what you need to do. Sometimes it is easier to pull reports if you can show a column for <item-version-via-EA>. Different ways to skin a cat:

$ time defaults read /Library/Internet Plug-Ins/Silverlight.plugin/Contents/Info CFBundleShortVersionString
5.1.40416.0

real    0m0.033s
user    0m0.016s
sys 0m0.015s

Or

$ time defaults read /Library/Internet Plug-Ins/Silverlight.plugin/Contents/Info.plist SilverlightVersion
5.1.40416.0

real    0m0.033s
user    0m0.016s
sys 0m0.015s

About the same speed.

Don

--
https://donmontalvo.com

sean · ‎01-18-2016

The following really isn't going to work all the time. In fact if I run that I get an empty variable. The number 10 could appear a whole bunch of times in other key/value pairs.

#!/bin/bash

# get the current version of the flash player plug in

CurrentVersionFlash=`/bin/cat /Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist | grep -m 1 10. | /usr/bin/awk '{ print $5}'`

Consider reading a key directly as posted by Don

For example

defaults read /Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist CFBundleShortVersionString

or if you only wanted a range of fields, e.g. 2,

defaults read /Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist CFBundleShortVersionString | cut -d "." -f 1-2

@milesleacy yours is going to fail too, as /Library/Internet Plug-Ins/Silverlight.plugin is a directory and not a file.

So you could have:

if [ -d /Library/Internet Plug-Ins/Silverlight.plugin ];

or even -e or -x should work too.

And as mentioned, Casper can do all the work for you regarding version checking, so the script doesn't need to have a fixed version to check against.

`

milesleacy · ‎01-18-2016

@MichaelC Because plugin inventory collection is one of the less-awesome parts of the Casper Suite.

@sean Good eye, thanks! That was a typo. It should read "if [ -e ..."
Post above has been edited accordingly.

mm2270 · ‎01-18-2016

Turning on full blown plug-in inventory collection can bloat ones JSS database and cause performance issues. Sometimes JAMF even recommends (large) customers disable it for that exact reason. So, yeah, an EA can make a huge amount of sense, especially if you only need to track a handful of plug-ins and don't care about the potentially hundreds of ones that often get picked up with the built in inventory collection.

sean · ‎01-19-2016

Yeah, but can't you set an EA in Casper as a version number? So you use the EA to get the version number and set it as such in Casper, then you can leverage Casper to do the work for is greater than rather than doing it in the script (or am I mis-remebering what Casper can do?). That way you don't need to keep updating the script, you can instead create a group based on the EA version is less than x.

millersc · ‎01-19-2016

Interesting I never saw this post before. I've built off some others automated scripts for plug-ins to be updated, via script. I've turned these on for monthly run, but can always manually flush them all, forcing them to update immediately.

Periodically I check to see what version is being updated and have a smart group made for what is not updated to that version. This allows for monitoring completion rates when I get asked.

The only one that concerns me is Java, since some software can be fussy about versions. But I'm monitoring and working well for Reader DC, Flash, Shockwave, Silverlight and Java.

I've posted them to github for anyone wanting to use or build on them more.

Jamf Nation Community

Find Flash and Silverlight versions