3 Replies Latest reply on Jun 1, 2018 2:54 AM by phoffmann

    Flash Plugin Scan and Autoupdate with Landesk 2016

    Zackm Rookie

      Hello! I hope everyone's having a good day [=

       

      So, what the IT department here has been doing is getting the MSIs for the new Flash plugins when they're released, updating the distribution packages, creating a task, and deploying it to all systems.

       

      I'm wondering if there's a way to set a task to continuously (Or maybe once per day or such) scan workstations to see if they're up to date, and update them if they aren't.

      And also if there's a way for Landesk to fetch the latest Flash updates automatically.

       

      I came from a work place that used PDQ and this process was possible through PDQ. So just wondering if it's possible here too.

       

      Thanks in advance for any input!

        • 1. Re: Flash Plugin Scan and Autoupdate with Landesk 2016
          phoffmann SupportEmployee

          "Yes and no -- and 'it's more complicated' ".

           

          So - the quick stuff first.

           

          • I'm wondering if there's a way to set a task to continuously (Or maybe once per day or such) scan workstations to see if they're up to date, ...
            • ... yes - it is. It's called "download patch content & scan against it". We'll update vulnerability definitions when a new version of Flash comes out, so all of those devices should show up as vulnerable until updated.

              If you're unfamiliar with how the patch content stuff works, have a poke in the patch section of community as a starting point -- Patch Manager -- to get you started.

              If you / your company do not have the patch section licensed, then automating this will be more difficult, as you'd be reduced to "just" using software distribution tech.
          • ... and update them if they aren't.
            • "Yes and no".
            • The 'easy' answer here is "Autofix" which (for the patch module) translates as "as SOON as you notice a device is vulnerable to this, install a patch for it!".
            • HOWEVER ... Flash is a very annoying thing in that it can't be updated with open browsers. So people often/usually include some kind of "kill-script" to kill off browsers. While that makes installing the update easier, it's NOT the sort of thing you want to spring on users unexpectedly / with no warning (that's how you get this "mythical" virus called LANDesk / Ivanti among the workforce btw).

              ... which in turn makes AutoFix somewhat dangerous to use because of this.

              Patching Flash (and a few other things, like Java) is usually a "sit down & think it through" type effort, where you need to decide on a process and then COMMUNICATE it out to your workforce.

              That way, they can be prepared that "things will be killed off if open" on a Friday at 18:00 (for instance) ... communication is important here, as you WILL need to do some horrible things in order to patch some things (again - Java, Flash being among the most egregious), and you'll need to reboot Windows to actually update that thing too.
            • Also - adding a little bit of corporate branding (to show the users that "we're doing stuff" and "this is your corporate IT, not something bad") is a big help usually.
          • And also if there's a way for Landesk to fetch the latest Flash updates automatically.
            • ... "used to be - but no more".
            • So Adobe changed their licensing rules a few years ago now, and the flash installers are no longer publicly available. In order to get them, you need to have a distributor license / agreement with Adobe.
            • Long & short of it is -- we're no longer legally allowed to "just give you the file". You need to get it from Adobe ... but you can then throw it into our repo, we'll pick up that it's there (next time you download content) & can make use of it. It's a legal thing - sorry.
            • The patches we CAN offer you up are the ones that are "without legal agreement / checkbox / etc" available, so many Microsoft patches (notice that some extended patches *DO* require special agreements, and so we can only provide detection logic & fixing logic, but not the actual files themselves).

              Welcome to the (legal) joy of patching.

              I'm not a fan of vendors hiding their stuff behind a legal wall, but hopefully Flash is going to die a much-deserved death soon. Just a few more years now ...

           

          Hope that answers everything sensibly?

           

          In short, everything is "technically possible". Legally & "would you WANT to..." are different matters entirely.

          1 of 1 people found this helpful
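
A sketch of the pre-install "kill-script" gate discussed in the reply above, written so that browsers are only closed inside the announced window (the thread's "Friday at 18:00" example) and the install is deferred otherwise. This is an added example, not part of the original thread and not Ivanti/LANDesk code; the browser process names, the 4-hour window length, the 30-second grace period and the exit-code convention are all assumptions.

```powershell
# Added example: gate a Flash install on open browsers and an announced window.
$BrowserNames = 'iexplore', 'chrome', 'firefox', 'msedge'   # assumed process names

function Get-FlashPatchAction {
    param(
        [datetime]$Now,
        [string[]]$RunningBrowsers,
        [DayOfWeek]$WindowDay = 'Friday',   # from the thread's example
        [int]$WindowStartHour = 18,         # from the thread's example
        [int]$WindowHours = 4               # assumed window length
    )
    if (-not $RunningBrowsers) { return 'Install' }        # nothing to interrupt
    $inWindow = $Now.DayOfWeek -eq $WindowDay -and
                $Now.Hour -ge $WindowStartHour -and
                $Now.Hour -lt ($WindowStartHour + $WindowHours)
    if ($inWindow) { return 'CloseBrowsersThenInstall' }   # users were told about this slot
    return 'Defer'                                         # never kill unannounced
}

$running = @(Get-Process -Name $BrowserNames -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty ProcessName -Unique)
$action = Get-FlashPatchAction -Now (Get-Date) -RunningBrowsers $running

switch ($action) {
    'Install' { exit 0 }
    'CloseBrowsersThenInstall' {
        $procs = Get-Process -Name $running -ErrorAction SilentlyContinue
        # Ask each window to close first so the browser can save its session
        $procs | ForEach-Object { $null = $_.CloseMainWindow() }
        Start-Sleep -Seconds 30                            # assumed grace period
        $procs | Where-Object { -not $_.HasExited } |
            Stop-Process -Force -ErrorAction SilentlyContinue
        exit 0
    }
    'Defer' { exit 1 }   # assumed convention: non-zero means "retry later"
}
```

How the deployment tool reacts to the exit code depends on how the task is configured, so map `0` and `1` to whatever "continue" and "retry" mean in your setup.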
          • 2. Re: Flash Plugin Scan and Autoupdate with Landesk 2016
            Zackm Rookie

            This helped greatly, actually [= I appreciate your patience and understanding!

            • 3. Re: Flash Plugin Scan and Autoupdate with Landesk 2016
              phoffmann SupportEmployee

              Happy to help.

               

              Patching isn't a small topic, and there's a lot of fine points to learn (both in regards to "the tool" and "fun with patching" type gotchas, such as Flash & Java being a royal pain in the back).

               

              And - as an aside, you can (ab-)use the patching engine for MANY things, once you get beyond the immediate problem. I've abused it for all manner of things from finding/locating "weird but expensive hardware that's otherwise not really visible in the OS" to marking devices for various purposes.

               

              It's got a LOT of uses.