10 Replies Latest reply on Jul 23, 2015 7:48 AM by flash_a_ah

    Automatic update to Flash 18 via mms.cfg?

    richardc70876012

      We originally deployed Flash 16 to our clients via GPO and configured the mms.cfg as

       

      SilentAutoUpdateEnable=1

      AutoUpdateDisable=0

       

      Flash was updating fine all through the minor releases in 16 and even updated to 17 with no issues.  However,  Flash is not updating to version 18.  Since this is a major release do we have to push out the Flash 18 msi?  We did receive the 17.0.0.190 update the other day but no clients are updating to 18.

       

      I recently noticed this line in the FlashInstall.log file on our clients.    2015-6-30+1-26-0.96 [error] 1221 1115



       

        • 1. Re: Automatic update to Flash 18 via mms.cfg?
          flash_a_ah

          We have the same problem.

           

          I believe it will auto update 30 days after release automatically so you have 30 days of potential vulnerability. Not sure if Adobe staff read this but if they do please remove that 30 wait.

           

          A workaround is to deploy flash by hosting it on a server (IT Admin: Deploying Flash Player via Background Updater) or deploy a Google Chrome setup msi via a GPO and set the GPO to make Chrome the default browser (Since Chrome doesn't need a separate flash plug-in). Chome will auto update on day of the new Chrome release.

          • 2. Re: Automatic update to Flash 18 via mms.cfg?
            Carm01 Level 4

            Why not just script it, then push the script out ?

            It not hard to script the bat to download, cleanup/uninstall and install the new msi files directly.

            Its very simple to push that out.

            • 3. Re: Automatic update to Flash 18 via mms.cfg?
              piyush2508 Adobe Employee

              Hi richardc70876012,

               

              Yes, the information you have provided is correct. 17.0.0.190 is the recent build which was pushed along with 18.0.0.194 as a silent update for all the users who are still on ver17.0, both these builds have the same security fix and thus both of them are secure and no harm to your system.

               

              Now what is a Loud-Release --> For a major release or major feature release we notify all our users that we have a major change in our builds, so all systems will get a notification that a major release is available for download and install. During this period everyone is supposed to goto the Flash Player Install/Update page to get the latest flash player installed which has to be done manually using our Download Manager.

               

              Scenarios:

              1. If you were a 17.0 user and updated to 18.0 via our online downloader you would have got 18.0.0.160, and then will silently updated to 18.0.0.194

              2. If you are on 17.0 you will move to 17.0.0.190, were 17.0.0.190 is the build shipped with 18.0.0.194 which does not have a latest features but has all the security fixes. Every 17.0 user will keep getting the notification to upgrade to 18.0 for which he'll have to download via our online download manager.

               

              Because you have many systems you have to manage I recommend moving yourself to a more controlled and administrative environment where you can manage updates by creating a server for pushing the silent update bits (Adobe Flash Player Distribution | Adobe bits) and all the machines with Flash Player installed will then refer to your system for any update.

               

              Please refer the following links:

              Flash Player enterprise deployment | Adobe Developer Connection

              Adobe Flash Player Distribution | Adobe

              Adobe Flash Player Administration Guide for Flash Player | Adobe Developer Connection

               

              --

              Piyush

              • 4. Re: Automatic update to Flash 18 via mms.cfg?
                chri5b

                Will v17.x (in my case 17.0.0.190) upgrade silently to v18.x at any time?


                We have an mms.cfg deployed via GPO to update clients (direct from Adobe - we don't have an LAN mirror).  However, Firefox automatically treats any Flash lower than 18.0.0.193 as vulnerable so blocks and nags users:

                 

                Blocked Add-ons :: Add-ons for Firefox

                • 5. Re: Automatic update to Flash 18 via mms.cfg?
                  piyush2508 Adobe Employee

                  Hi chri5b,

                   

                  Yes, In some time when we plan to give a complete silent update to v18, all Flash Players still on older v18 or v17 or older will silently move to v18(latest).

                   

                  --

                  Piyush

                  • 6. Re: Automatic update to Flash 18 via mms.cfg?
                    richardc70876012 Level 1

                    chri5b,

                    We also had the mms.cfg deployed via GPO to silently update. And most of us here also use Fire Fox.  I grew tired of seeing the message that flash is vulnerable and having to allow it and each and every site to run Flash and I am sure that my users were tired of this as well.  I ended up writing a script that runs during startup on each client.  The script checks the registry to see what version of Flash is installed on the client.  If the version installed on the client does not match the latest version, then the old version is uninstalled and the latest version is installed, if the client does have the latest version the script stops. Since I am using this method I configured the mms.cfg to no longer silently update and I now receive email notifications when a new version of flash is installed and will then update my script.  I went this route because major releases Flash will not install over the previous version, this is the case anyway going from Flash 17 to 18.

                    • 7. Re: Automatic update to Flash 18 via mms.cfg?
                      flash_a_ah Level 1

                      Hi Ricard - does your script not require administrator rights though?

                      The good thing about the mms system was that it ran as the "local system" account so non-admins (e.g. the users) would be updated without needing admin rights..

                       

                      Ideally the mms would update major flash versions immediately.

                      • 8. Re: Automatic update to Flash 18 via mms.cfg?
                        richardc70876012 Level 1

                        No admin rights needed as the script runs on startup of each client and the Flash exe's are stored in a public directory.  Simply deploying the mms.cfg was nice until this major release was pushed.  Another way around all of this is to limit users to using Chrome only.

                        • 9. Re: Automatic update to Flash 18 via mms.cfg?
                          chendw2015

                          Could you post the script for IE and Chrome?

                          • 10. Re: Automatic update to Flash 18 via mms.cfg?
                            flash_a_ah Level 1

                            This is the deployment method for Chrome:

                             

                            Download the chrome msi (googlechromestandaloneenterprise.msi) from https://www.google.com/work/chrome/browser/

                            create shared folder on the server, and share it out

                            share permissions: "everyone" full control

                            NTFS permissions: "domain computers" full control (note this is "domain computers" not "domain users")

                             

                            Let's say the share is \\servername\gpopublishedapps then the full path to the msi is \\servername\gpopublishedapps\googlechromestandaloneenterprise.msi

                             

                            Now create a GPO:

                            Computer Configuration - Policies - Software Settings - Software installations - New Package - Now browse to the msi in the shared folder as noted above - Then under the Deployment method window set the radio box to "assigned".

                             

                            Now apply this new GPO policy to the OU with your workstations.

                             

                            When they next reboot they will get Chrome installed by the computer account so even users without admin rights will get it installed. By default the msi will also install the Google scheduled task that runs as the system user to autoupdate Chrome to the latest version meaning you will always have a fully patched Chrome and flash. This is a "set and forget" method.

                             

                             

                             

                            You could do the same for flash if there was an msi but you would have to copy in the new msi and refresh the policy each time a new flash came out. No "set and forget" here.

                            Ricardc might give you his method of updating flash with a script...

                             

                            Or maybe as piyush says, adobe will rethink their autoupdate policy and fix their scheduled task so it actually updates to the latest version as soon as a new release is out regardless if it's a "loud release" or not.. Hopefully they will soon after all that crytolocker fun this flash bug has caused