Posted on 06-20-2017 07:42 AM
I just realized that Patch Reporting for Adobe Flash Player is no longer working.
After the recent 126.96.36.199 update (which patched 188.8.131.52 last week, which in-turn patched 184.108.40.206 in May), I realized that Patch Reporting is no longer working. My JSS has no idea regarding which Macs are up to date and which Macs are not. Never seen this behavior before.
JSS version 9.93
Patch Reporting "sees" that 220.127.116.11 is the most current version available.
Policy, Patch Reporting and the related Smart Groups have been working great for almost a year. Nothing has changed (other than the Flash version itslef). No issues until now.
Inventory is working correctly. The Plug-Ins section of JSS computer records correctly shows the version of Flash (my Macs currently have either 18.104.22.168 or 22.214.171.124), but Patch Reporting is confused.
As a test, I I flushed the logs on the Policy and verified the integrity of my pkg installer, and double checked all my settings. Everything looked perfect. I ran recon on a few Macs to see if the JSS would properly determine what Macs were out of date. No luck.
I rebuilt the following items from scratch:
-Adobe Flash Player 126.96.36.199 package installer (from an AutoPKG recipie)
After rebuilding all of the items above, the JSS still has no idea about Flash versions (shows "0" installed/not installed or "unknown version")
My workaround was to delete both the Patch Reporting Title and Smart Group again, and build a new Smart Group with the older-style critiera of
-Plug-in TItle -HAS- Flash Player.plugin
-Plug-In Version -IS NOT- 188.8.131.52
This "old-fashioned" method working for me now. I wont relace it with "modern" Patch Reporting until I determine what happened.
(Edit - meant to tag it with Flash Player, but selected Firefox by mistake)
Posted on 06-20-2017 09:45 AM
Yes - change the smart group rule
From: Plug-in TItle -HAS- Flash Player.plugin Plug-In Version -IS NOT- 184.108.40.206
To: Plug-in TItle -HAS- Flash Player.plugin Plug-In Version -NOT LIKE- 220.127.116.11
The reason for this is that: "IS NOT" is trying to do a numeric comparison…
and "18.104.22.168" is not a number… it's a string…
So you need to use the string comparator, which is: " LIKE / NOT LIKE "
Since we are specifying: "22.214.171.124" it will be doing an EXACT String comparison…
which is what you want.
Where as if we specify: "NOT LIKE" 26.0 - that is not exact, and would provide only a fuzzy match
matching almost any Vn 26..
Although I would choose the exact form: a full string match on: 126.96.36.199, that way something like 188.8.131.52 would not match, and only precisely 184.108.40.206 would match.
Posted on 06-20-2017 11:02 AM
The JSS should be able to handle this with "Patch Reporting: Adobe Flash Player" <less than> 220.127.116.11"
Flash is one of the natively-supported patch reporting titles, therefore it can handle "greater/less than"
I'd re-recon all systems if possible and let it re-generate the data if necessary.
Posted on 06-20-2017 11:20 AM
We haven't used this feature yet but would assume it is aware of version history?
Posted on 06-20-2017 11:32 AM
Yes - for the titles supported, it tracks the versions and will let you apply "less than/greater than" logic to them for your smart groups. Working fairly well for us so far, only complaint is that the list of supported titles doesn't cover everything in our environment.
Posted on 06-20-2017 11:32 AM
In past versions of the JSS, we would have to run an extension attribute to gather the current version of Adobe Flash Player. Now the JSS does this natively.
If you are running 9.93+, I'd second @Taylor.Armstrong's suggestion: change your smart group criteria to "Patch Reporting Version" and set the version number there, as this allows for more intelligent version comparison.
Posted on 06-20-2017 11:51 AM
Sorry if I wasnt clear: My point of this post is that Patch Reporting (for Adobe Flash Player specifically) is now "broken" on my JSS for some reason. It just happend in the last week (around the time 18.104.22.168 or 22.214.171.124 dropped).
I had no choice but to resort back to an old-school method of tracking Flash versions until I can determine what went wrong with Patch Reporting - and fix it.
You can see in my screenshots below that my JSS thinks none of my managed Macs arent running ANY version of Adobe Flash. This is not correct . They are running version 126.96.36.199 or 188.8.131.52. A few IT Macs have 184.108.40.206 as well. But my JSS has no clue.
Other Patch Reports are runing fine (Firefox, Office 2016 apps, Java 8, etc).
Posted on 06-20-2017 12:05 PM
Thanks Dan - I DID wonder if I was mis-understanding the issue. Have you re-run inventory? This sounds potentially like something screwed up in the database.
FWIW, I just pushed out 220.127.116.11 to production today. I can confirm that patch reporting IS working as expected for me - showing 46% of machines on latest version so far.
Posted on 06-20-2017 12:26 PM
@dstranathan : if you just cleared and reset the patch reporting item, it takes the server a few minutes to calculate the information. We have 8,000 Macs and I had "zero" Macs show up. So I waited a couple of minutes and refreshed. Does refreshing this page do anything?
Posted on 10-17-2017 11:01 AM
Having the same problem here. Patch reporting is not working anymore, though we haven't changed anything. Our problem started around the same time. All Flash versions are being reported as "unknown" here, though.
Posted on 10-17-2017 11:52 AM
Patch Reporting is still not 100% accurate for my environment (Jamf 9.99 here). I'm back to using 'home-made' EAs for my Flash and Java patching. I don't have a warm n fuzzy feeling about Jamf's Patch Reporting...at least not yet.
Posted on 01-24-2020 12:56 PM
Know this is an old thread, Just set up patch reporting for Adobe Flash and it only reports it on 7 computers total. My "is installed" smart group shows 126, so wondering if this is related. Right now I'm doing a hybrid approach to try and get flash up to date, curious if going through a cycle of getting other users up to date will help with this.
Posted on 01-25-2020 09:08 AM
@strayer If you force a recon to gather inventory on systems it will make the patch management numbers catch up to your smart group numbers more quickly. Some sort of extension runs when you enable each patch management title. These extensions to gather the information for patch management were not running at each recon before the enabling of the patch management title.