Recently on JAMF Nation there was a discussion about the Adobe Flash Player Distribution site going away. This site is where admins can go to get a copy of Flash that can then be legally distributed to their fleet of machines. The discussion started out to be about the change Adobe recently made to the URL for this site, but quickly turned to a discussion around distribution of Flash via Casper. While I have signed up for the Adobe distribution site, I currently utilize a PKG file that comes from AutoPKGr (I replaced my Jenkins install with AutoPKGr last year sometime). Utilizing AutoPKGr makes my life easier, because I do not have to do anything except update my policy to replace the actual PKG file. I'm not going to go into setting up AutoPKGr for use with Casper, there have been plenty of discussions on that, but rather I am going to list out my procedures for processing Flash upgrades.
It's Upgrade Day
I typically find out that there is a Flash upgrade from JAMF Nation. Someone typically posts that there is a Flash update almost immediately upon release. Once I've verified that the update has been uploaded to my JSS by AutoPKGr, I will go update my policy, changing out the PKG file.
As you will see, the policy is set to trigger on "Recurring Check-In" because I don't care if a web browser is open or not. Flash can be installed while browsers are open, the users just have to restart the browsers that are open after the update. We'll handle letting them know via a CocoaDialog script.
There are a few pre-requisite items we need to have in place for this process to work. First, we need to have a way to grab the Flash version off of the machines in our fleet. Second, we need to have a Smart Group that will capture all of the machines that are out of spec. This will allow us to scope our policy to those machines.
Grab the Version
I utilize an Extension Attribute to grab the version of Flash and store it in the database. While it can be argued that utilizing an EA to grab the version is not efficient, since the EA will run every time a Recon runs, there really isn't another reliable method for grabbing the version.
So, setup an EA to grab the version of Flash. My EA is named "AdobeFlashVersion" and utilizes the following BASH script:
That's pretty straight forward. Now that we have the version, we can build our Smart Group.
As you can see, just pick your EA name out of the list of criteria to search for, and enter the version you are searching for using the "is not" operator.
Now that we've got our Smart Group collecting machines that are out of date, we can build our policy to install the update. We will name our policy "Update Flash Player" and place it in whichever category makes sense to your deployment of Casper.
I have my update policy set to run at "Recurring Check-in", which means that machines will update as soon as they contact the JSS. The frequency is set to "Once per computer", since we only need it to run one time.
We'll click on Packages next so that we can add our Flash package. Click on Configure to get a list of all packages in the JSS:
We should now have a list of all packages that the JSS knows about. Locate our latest Flash Player package and click Add to add it to the policy:
I utilize a script that runs after Flash has been installed to notify end users to restart any open web browsers. My script uses CocoaDialog to make these notifications, but you can use the built in notification process that Casper has. The script I utilize is below:
Now that we've added that script to our policy, we will add a line to the Files & Processes tab to set Flash to not auto update.
That line of information in the Execute Command box simply adds a line to a file called mms.cfg to tell Flash Player to not try to auto update. The line is:
The final thing for us to do is to add our Scope. Just click on the Scope tab at the top and add our Update Flash Smart Group:
That's all there is. Now that we have our update policy in place, each time there's a new version we just have a few simple steps to update our end users:
- Get the new Flash package into the JSS
- Change our Smart Group to look for the new version number
- Change our policy to remove the old version and add the new version
- Finally, Flush All on the policy logs so everyone in the Smart Group gets the update.
I have been utilizing this method for updating Flash for well over a year now, and I have not had any troubles at all.
I hope this quick article has helped you out.