Patch Reporting for Adobe Flash = Broken?

dstranathan
Valued Contributor II

I just realized that Patch Reporting for Adobe Flash Player is no longer working.

After the recent 26.0.0.131 update (which patched 26.0.0.126 last week, which in turn patched 25.0.0.171 in May), I realized that Patch Reporting is no longer working. My JSS has no idea regarding which Macs are up to date and which Macs are not. Never seen this behavior before.

JSS version 9.93
Patch Reporting "sees" that 26.0.0.131 is the most current version available.
Policy, Patch Reporting and the related Smart Groups have been working great for almost a year. Nothing has changed (other than the Flash version itself). No issues until now.
Inventory is working correctly. The Plug-Ins section of JSS computer records correctly shows the version of Flash (my Macs currently have either 26.0.0.126 or 25.0.0.171), but Patch Reporting is confused.

As a test, I flushed the logs on the Policy and verified the integrity of my pkg installer, and double checked all my settings. Everything looked perfect. I ran recon on a few Macs to see if the JSS would properly determine what Macs were out of date. No luck.

I rebuilt the following items from scratch:

-Patch Reporting
-Smart Group
-Policy
-Adobe Flash Player 26.0.0.131 package installer (from an AutoPkg recipe)

After rebuilding all of the items above, the JSS still has no idea about Flash versions (shows "0" installed/not installed or "unknown version")

My workaround was to delete both the Patch Reporting Title and Smart Group again, and build a new Smart Group with the older-style criteria of:

-Plug-in Title -HAS- Flash Player.plugin
-Plug-In Version -IS NOT- 26.0.0.131

This "old-fashioned" method is working for me now. I won't replace it with "modern" Patch Reporting until I determine what happened.

Thoughts?

(Edit - meant to tag it with Flash Player, but selected Firefox by mistake)


PeterClarke
Contributor II

Yes - change the smart group rule

From: Plug-in Title -HAS- Flash Player.plugin Plug-In Version -IS NOT- 26.0.0.131

To: Plug-in Title -HAS- Flash Player.plugin Plug-In Version -NOT LIKE- 26.0.0.131

The reason for this is that: "IS NOT" is trying to do a numeric comparison…
and "26.0.0.131" is not a number… it's a string…

So you need to use the string comparator, which is: " LIKE / NOT LIKE "

Since we are specifying: "26.0.0.131" it will be doing an EXACT String comparison…
which is what you want.

Whereas if we specify: "NOT LIKE" 26.0 - that is not exact, and would provide only a fuzzy match
matching almost any Vn 26..
Although I would choose the exact form: a full string match on: 20.0.0.131, that way something like 26.0.0.141 would not match, and only precisely 26.0.0.131 would match.

Taylor_Armstron
Valued Contributor

The JSS should be able to handle this with "Patch Reporting: Adobe Flash Player" <less than> 26.0.0.131

Flash is one of the natively-supported patch reporting titles, therefore it can handle "greater/less than"

I'd re-recon all systems if possible and let it re-generate the data if necessary.
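The criteria discussed in the replies above select different machines from the same inventory. The following Python code is an added example, not from any poster and not the JSS's own comparison logic; it models exact inequality, substring "not like" and component-wise "less than" over constructed inventory data, and every function name in it is hypothetical.

```python
# Added example: models three smart-group style criteria on constructed data.
# It is not the JSS's internal comparison logic; all names are hypothetical.
TARGET = "26.0.0.131"  # latest version named in the thread

# Constructed inventory: computer name -> plug-in version string as reported
INVENTORY = {
    "mac-01": "25.0.0.171",
    "mac-02": "26.0.0.126",
    "mac-03": "26.0.0.131",
    "mac-04": "26.0.0.141",  # constructed newer build
    "mac-05": "9.0.0.1",     # constructed old build with a shorter major number
    "mac-06": "",            # inventory returned no version
}

def parse_version(text):
    """Dotted version -> tuple of ints, or None when it cannot be parsed."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_not(version, target=TARGET):
    """Exact string inequality: anything other than the target matches."""
    return version != target

def not_like(version, pattern):
    """Substring test: matches when the pattern appears nowhere in the version."""
    return pattern not in version

def less_than(version, target=TARGET):
    """Component-wise numeric comparison; None means 'cannot tell'."""
    v, t = parse_version(version), parse_version(target)
    return None if v is None or t is None else v < t

def members(criterion, inventory=INVENTORY):
    """Names of computers a criterion would place in the 'needs patch' group."""
    return sorted(n for n, v in inventory.items() if criterion(v) is True)

def unknown(inventory=INVENTORY):
    """Computers whose version cannot be parsed, reported separately."""
    return sorted(n for n, v in inventory.items() if parse_version(v) is None)
```

On this data, `members(is_not)` also includes the newer build and the machine with a blank version, while `members(lambda v: not_like(v, "26.0"))` leaves out mac-02 even though it is behind the target. Only `members(less_than)` returns exactly the machines below 26.0.0.131, with the blank record surfaced by `unknown()` instead of being counted either way.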

donmontalvo
Esteemed Contributor III

We haven't used this feature yet but would assume it is aware of version history?

--
https://donmontalvo.com

Taylor_Armstron
Valued Contributor

Yes - for the titles supported, it tracks the versions and will let you apply "less than/greater than" logic to them for your smart groups. Working fairly well for us so far, only complaint is that the list of supported titles doesn't cover everything in our environment.

bradtchapman
Valued Contributor II

In past versions of the JSS, we would have to run an extension attribute to gather the current version of Adobe Flash Player. Now the JSS does this natively.

If you are running 9.93+, I'd second @Taylor.Armstrong's suggestion: change your smart group criteria to "Patch Reporting Version" and set the version number there, as this allows for more intelligent version comparison.

dstranathan
Valued Contributor II

Thanks everyone.

Sorry if I wasn't clear: My point of this post is that Patch Reporting (for Adobe Flash Player specifically) is now "broken" on my JSS for some reason. It just happened in the last week (around the time 26.0.0.126 or 26.0.0.131 dropped).

I had no choice but to resort back to an old-school method of tracking Flash versions until I can determine what went wrong with Patch Reporting - and fix it.

You can see in my screenshots below that my JSS thinks none of my managed Macs are running ANY version of Adobe Flash. This is not correct. They are running version 25.0.0.171 or 26.0.0.126. A few IT Macs have 26.0.0.131 as well. But my JSS has no clue.

Other Patch Reports are running fine (Firefox, Office 2016 apps, Java 8, etc).


Taylor_Armstron
Valued Contributor

Thanks Dan - I DID wonder if I was mis-understanding the issue. Have you re-run inventory? This sounds potentially like something screwed up in the database.

FWIW, I just pushed out 26.0.0.131 to production today. I can confirm that patch reporting IS working as expected for me - showing 46% of machines on latest version so far.

bradtchapman
Valued Contributor II

@dstranathan : if you just cleared and reset the patch reporting item, it takes the server a few minutes to calculate the information. We have 8,000 Macs and I had "zero" Macs show up. So I waited a couple of minutes and refreshed. Does refreshing this page do anything?

annamentzer
New Contributor II

Having the same problem here. Patch reporting is not working anymore, though we haven't changed anything. Our problem started around the same time. All Flash versions are being reported as "unknown" here, though.

dstranathan
Valued Contributor II

Patch Reporting is still not 100% accurate for my environment (Jamf 9.99 here). I'm back to using 'home-made' EAs for my Flash and Java patching. I don't have a warm n fuzzy feeling about Jamf's Patch Reporting...at least not yet.

AdamCraig
Contributor III

Know this is an old thread. Just set up patch reporting for Adobe Flash and it only reports it on 7 computers total. My "is installed" smart group shows 126, so wondering if this is related. Right now I'm doing a hybrid approach to try and get Flash up to date, curious if going through a cycle of getting other users up to date will help with this.

taugust04
Valued Contributor

@strayer If you force a recon to gather inventory on systems it will make the patch management numbers catch up to your smart group numbers more quickly. Some sort of extension runs when you enable each patch management title. These extensions to gather the information for patch management were not running at each recon before the enabling of the patch management title.