Jamf Nation Community

mconners · ‎04-02-2019

Hello Everyone,

With two different versions of flash being available for us on the Mac platform, which of them are you deploying, if any?

There are users who may need to use it from time to time and I am not sure if I should continue to deploy flash to our computers. It hasn't been an issue so far to put both versions on our computers, but with Patch Management and Patch Policies not supporting BOTH versions, I am trying to decide on a path forward. This summer we are moving all of our computers to Mojave.

Thoughts?

larry_barrett · ‎04-02-2019

We do just PPAPI. Here's the script (we also kill the auto updates which you'll see on the bottom).

#!/bin/sh
## Created by Ariel Peralta - Carbon Technologies, 31-May-2016
## Original by Peter Loobuyck, 26-Jan-2016
## Inspired by https://jamfnation.jamfsoftware.com/discussion.html?id=7658
## Update 15-Jan-2017
## This scripts take into consideration new Adobe download URLs as per https://www.jamf.com/jamf-nation/discussions/7658/flash-update-script
## Removed old download URLs, shortver variable, and updated fileURL variables

## Name of the temporary dmg that will be created when Adobe Flash Installer is downloaded.  
## This file will be automatically created and deleted after installation
flash_dmg="/tmp/FlashInstaller.dmg"

# Specify a /tmp/flash_update.XXXX mountpoint for the disk image
TMPMOUNT=`/usr/bin/mktemp -d /tmp/flash_update.XXXX`

## This Function will take defined variables and install Flash
Update_Flash () {
    ## Compare the two versions, if they are different of Flash download and install the new version. 
    if [ "${currentinstalledver}" != "${latestver}" ]; then
        /bin/echo "`date`: Current Flash ${FlashType} version: ${currentinstalledver}"
        /bin/echo "`date`: Available Flash ${FlashType} version: ${latestver}"
        /bin/echo "`date`: Downloading newer ${FlashType} version."

        # Download and Mount Flash Plugin disk image to /tmp/flash_update.XXXX mountpoint
        /usr/bin/curl -S -# -o "$flash_dmg" "$fileURL"      
        /bin/echo "`date`: Mounting installer disk image." 
        hdiutil attach "$flash_dmg" -mountpoint "$TMPMOUNT" -nobrowse -noverify -noautoopen

        # Before installation, the installer's developer certificate is checked to
        # see if it has been signed by Adobe's developer certificate. Once the 
        # certificate check has been passed, the package is then installed.

        if [[ "${pkg_path}" != "" ]]; then
            signature_check=`/usr/sbin/pkgutil --check-signature "$pkg_path" | awk /'Developer ID Installer/{ print $5 }'`
            if [[ ${signature_check} = "Adobe" ]]; then
                # Install Flash from the installer package stored inside the disk image
                /bin/echo "`date`: Installing..."
                /usr/sbin/installer -pkg "${pkg_path}" -target "/"
            fi
        fi

        # Clean-up

        # Unmount the Flash disk image from /tmp/flash_update.XXXX
            /bin/sleep 10
            /bin/echo "`date`: Unmounting installer disk image."
            /usr/bin/hdiutil detach -force "$TMPMOUNT"

        # Remove the /tmp/flash_update.XXXX mountpoint      
            /bin/sleep 10
            /bin/echo "`date`: Deleting disk image."
            /bin/rm -rf "$TMPMOUNT"

        # Remove the downloaded disk image
            /bin/rm -rf "$flash_dmg"

        # Check to see if update was successful         
            newlyinstalledver=`/usr/bin/defaults read "${plugincheck}" CFBundleShortVersionString`
            if [ "${latestver}" = "${newlyinstalledver}" ]; then
                    /bin/echo "`date`: SUCCESS: Flash ${FlashType} has been updated to version ${newlyinstalledver}"
            else
                /bin/echo "`date`: ERROR: Flash ${FlashType} update unsuccessful, version remains at ${currentinstalledver}."
                /bin/echo "--"
            fi

    ## If Flash is up to date already, just log it and exit.       
    else
        /bin/echo "`date`: Flash ${FlashType} Plug-in is already up to date, running ${currentinstalledver}."
        /bin/echo "--"
    fi
}

## Set NPAPI Variables
## Query Adobe Flash Updater XML page and return latest version in decimal form 
latestver=`/usr/bin/curl --silent http://fpdownload2.macromedia.com/get/flashplayer/update/current/xml/version_en_mac_pl.xml | awk -F " /"update version="/'{print $2}' | sed s/,/./g`
fileURL=https://fpdownload.adobe.com/get/flashplayer/pdc/"${latestver}"/install_flash_player_osx.dmg
plugincheck="/Library/Internet Plug-Ins/Flash Player.plugin/Contents/info"
pkg_path=$TMPMOUNT/Install Adobe Flash Player.app/Contents/Resources/Adobe Flash Player.pkg
FlashType=NPAPI

## Check and get the version number of the currently-installed Flash Player NPAPI Plugin, if any.
if
    [ -e "${plugincheck}.plist" ]; then
        currentinstalledver=`/usr/bin/defaults read "${plugincheck}" CFBundleShortVersionString`
        ## Calling function to update NPAPI plugin
        Update_Flash
else
    /bin/echo "`date`: No Flash NPAPI Plug-in Installed."
    /bin/echo "--"
    currentinstalledver=none
    ## Remove ## From Line below if you want to force Flash Install on new systems during thin-imaging
##  Update_Flash

fi          

## Set PPAPI Variables
latestver=`/usr/bin/curl --silent http://fpdownload2.macromedia.com/get/flashplayer/update/current/xml/version_en_mac_pep.xml | awk -F " /"update version="/'{print $2}' | sed s/,/./g`
fileURL=https://fpdownload.adobe.com/get/flashplayer/pdc/"${latestver}"/install_flash_player_osx_ppapi.dmg
plugincheck="/Library/Internet Plug-Ins/PepperFlashPlayer/PepperFlashPlayer.plugin/Contents/info"
pkg_path=$TMPMOUNT/Install Adobe Pepper Flash Player.app/Contents/Resources/Adobe Flash Player.pkg
FlashType=PPAPI

## Check and get the version number of the currently-installed Flash Player PPAPI (Pepper) Plugin, if any.
if
    [ -e "${plugincheck}.plist" ]; then
        currentinstalledver=`/usr/bin/defaults read "${plugincheck}" CFBundleShortVersionString`
        ## Find latest version of Flash
        ## Calling function to update PPAPI plugin
        Update_Flash
else
    /bin/echo "`date`: No Flash PPAPI Plug-in Installed."
    /bin/echo "--"
    currentinstalledver=none
    ## Remove ## From Line below if you want to force Flash Install on new systems during thin-imaging
##  Update_Flash    
fi

# Configure Adobe Flash to *not* update
# This will set the preference for both NPAPI and PPAPI
#
# Modified by Ariel Peralta, 31-May-2016
# Modified by Carlos Echevarria, 7-Apr-2016
# Modified by Chris Jackson, 3-Mar-2016
# Original by Dan K. Snelson, 7-Nov-2014
#
# Inspired by Lance Berrier
# https://jamfnation.jamfsoftware.com/viewProfile.html?userID=12774

directory="/Library/Application Support/Macromedia/"
file="/Library/Application Support/Macromedia/mms.cfg"

if [ -f "$file" ] ; then

    # Flash Player is installed, has been launched and mms.cfg exists
    # let's configure it to not update

    grep -q -r "AutoUpdateDisable" "$file" && sed -i '' 's/AutoUpdateDisable=0|AutoUpdateDisable=1/AutoUpdateDisable=1/g' "$file" || echo "AutoUpdateDisable=1" >> "$file"
    grep -q -r "SilentAutoUpdateEnable" "$file" && sed -i '' 's/SilentAutoUpdateEnable=0|SilentAutoUpdateEnable=1/SilentAutoUpdateEnable=0/g' "$file" || echo "SilentAutoUpdateEnable=0" >> "$file"
    grep -q -r "DisableAnalytics" "$file" && sed -i '' 's/DisableAnalytics=0|DisableAnalytics=1/DisableAnalytics=1/g' "$file" || echo "DisableAnalytics=1" >> "$file"

    RESULT="Configured Adobe Flash Update Preferences to Never Check for Updates"

else
    ## Only create update override if flash is installed.  If no flash is installed by this point, then leave alone.
    if [ -e "${plugincheck}.plist" ] ; then
        # mms.cfg doesn't exsist, but flash is installed
        mkdir "${directory}"

        echo "AutoUpdateDisable=1" >> "$file"
        echo "SilentAutoUpdateEnable=0" >> "$file"
        echo "DisableAnalytics=1" >> "$file" 

        RESULT="Created and configured Adobe Flash Update Preferences to Never Check for Updates"

    else
        echo "No Plugin installed, no changes made to Adobe Flash Update Preferences"
    fi
fi

echo "$RESULT"

We scope it to a SmartGroup that contains computers that are not on the current version. The only real maintenance you have to do on it is to update the smartgroup when new releases are ready for deployment.

stephaniemm77 · ‎05-23-2019

Sorry, super Newbie here...I love the script....anyone have instructions on how to actually deploy flash?

larry_barrett · ‎05-23-2019

I do it with a smart group.

If the plugin doesn't exist, a policy will execute that runs the above script.

Here's a screenshot of the policy

And the scope (which is the Smartgroup from the first step

stephaniemm77 · ‎05-23-2019

Thank you, I guess I have to learn my wording better...How do you package it using composer? I saw on another thread you need to apply to be a distributor, which I have done.

larry_barrett · ‎05-23-2019

You don't need to package this. Each computer is going to download the file and run the install. I almost never package anything with composer if I can avoid it. Flash is a necessary evil at this point, but I want to spend as little time as possible maintaining it. This script turns on auto-update.

My argument against packaging is as such: every time a new release comes out, you'll have to repackage it. In some environments a flash update might break something, so YMMV, but I'm at a school, I just want to keep it updated.

stephaniemm77 · ‎05-23-2019

gotcha...When I put the script in place it didnt seem like anything happened i am assuming you set up the script first in the scripts area then add the smart group?...I will give it your shot using the info you provided! thanks for helping this extreme newbie :-)

larry_barrett · ‎05-23-2019

1) Settings -> Computer Management -> Scripts.
2) Policy -> Test on one machine.

3) Setup smartgroup. Verify members of the smartgroup are your intended targets.
4) Go back to policy and add Smartgroup into the scope.
5) Under policy -> Logs. You can see which ones have completed or failed. If it fails, flush and try again.

6) Sit back. Drink coffee. Browse Reddit.

stephaniemm77 · ‎05-23-2019

lol thank you, but seeing we just got this product and we have a software list a mile long i wont be relaxing anytime soon! I am sure you will see me posting again.

rpoladiya · ‎09-13-2019

@larry_barrett - how do you update the flash if it already exists on the machine?

Taylor_Armstron · ‎09-13-2019

@rpoladiya ... not Larry, but for us, we simply use a standard Jamf patch management policy and autopkgr to patch where it exists. Fortunately that collection is smaller and smaller each month.

larry_barrett · ‎09-13-2019

@rpoladiya The same script does both.

One smart group for inital install.

One smart group that needs the update.

The criteria for the first one is the app not being installed.

For the second:

The only thing that SUCKS is end users will get the popup to upgrade day 1 of the new release, so make sure you have your frequency set to weekly/monthly so you have time to test it before changing the value to the new version (and thus letting loose your install)

Come on December 2020!

Jamf Nation Community

Which Flash are you deploying, if any