[BESAdmin-Announcements] Important: December Update on the BigFix Flash removal program

Announcements for BES Administrators besadmin-announcements at bigmail.bigfix.com
Thu Dec 31 10:47:08 PST 2020


BigFix has delivered Flash-free content in the BigFix Console across the portfolio to provide the same level of functionality and user experience as the content that was replaced.
Please see details on delivered sites below.

Deployment of updated Flash-free content happens through regular site updates, with no intervention needed from the end user unless their BigFix deployment is running in an air-gapped configuration.
In some cases, Flash dashboards are still delivered as part of the BigFix sites, even when the corresponding functionality has been made available in non-Flash content. This is meant to ease the transition. When BigFix claims a site is Flash free, it means all functionality can be achieved without Flash Player installed. The legacy Flash dashboards will stop working when Flash Player is uninstalled.


Important: Windows Update for Removal of Adobe Flash Player

Microsoft published content titled “Update for Removal of Adobe Flash Player” on October 27th.
https://support.microsoft.com/en-us/help/4577586/update-for-removal-of-adobe-flash-player

It is an Optional update. It will move to a Recommended update in early 2021, but installation will not be forced. Customers will see Flash removal rolled into Windows cumulative updates, and therefore installed without specific user interaction, no sooner than summer of 2021.
Please note that this update cannot be uninstalled. Once removed, Flash Player cannot be restored to functionality. BigFix therefore recommends that this update not be applied to any computer running the BigFix Console until you have verified that your needed content is available in Flash free format.


Important: Adobe Flash Player End of Life statement

Adobe has announced they will no longer provide security updates to Flash Player after Dec 31st, 2020. They also communicated Flash Player will stop working by default on or after Jan 12th, 2021.
See the announcement here: https://www.adobe.com/products/flashplayer/end-of-life.html

After Jan 12th remaining Flash dashboards in BigFix Console will stop working by default.
Up to the date when “Windows Update for Removal of Adobe Flash Player” is automatically installed (presumably in Q3 2021), it will still be possible to run Flash content in Allow List mode. Allow List mode will ensure only selected local Flash content certified by BigFix is allowed to run. This will mitigate the risk of keeping Adobe Flash installed for the needed timeframe. Additional mitigation entails firewall-protecting communication between the BigFix Server and the BigFix Console running Flash content.
For further detail on how to enable Allow List mode for Flash Player, see section below.


BigFix Web Reports and Flash

Flash content is still present in BigFix Web Reports 9.2 Overview page, for fixpacks prior to 9.2.21. Please plan to install 9.2.21 or later before uninstalling Adobe Flash Player or blocking Flash execution in your browser, or some of the information in the Overview page will not be available.
Flash content is still present in BigFix Web Reports 9.5 Overview page, for fixpacks prior to 9.5.13. Please plan to install 9.5.13 or later before uninstalling Adobe Flash Player or blocking Flash execution in your browser, or some of the information in the Overview page will not be available.
Flash content is not present in BigFix Web Reports 10.0 Overview page.

Custom reports, including the ones created with the older version of the product, are not using Flash code.
BigFix Web Reports predefined reports delivered through the following sites: Power Management, Security Compliance Manager, Remote Control have been made Flash free as part of the respective site updates.


Sites Certified Adobe Flash Free

The following site versions deliver the new Flash free dashboards:

BES Support, site version 1444
Software Distribution, site version 93
Remote Control, site version 68
Patching Support, site version 926
Patches for Solaris Live Upgrade, site version 223
Patches for Mac OS X, site version 482
Patches for ESXi, site version 112
Virtual Endpoint Manager, site version 60
Power Management, site version 73
SCM Reporting, site version 133
Client Manager for Endpoint Protection, site version 4522


Sites with Remaining Flash Content

A few sites still include Flash content that has not been replaced so far. The BigFix team plans to complete the replacement work at the beginning of 2021. In the meantime, Flash content can be run after applying Allow List mode and other mitigations (see below).

OS Deployment and Bare Metal Imaging
As of version 92, OS Deployment and Bare Metal Imaging provides most of the content in Flash free technology. All Flash dashboards are still available and can be used after having added the site to the Allow List. In addition, OS Deployment can be configured for running in an air-gapped environment.
For further information on existing limitations please see https://forum.bigfix.com/t/new-update-in-bigfix-os-deployment-and-bare-metal-imaging-site-v92/36583

BES Inventory and License
Flash dashboards in this site have not yet been replaced as of today. They will be accessible once the site is added to the Allow List.

MaaS360 Mobile Device Management
Flash dashboards in this site have not yet been replaced as of today. They will be accessible once the site is added to the Allow List.


How to enable Allow List mode for Adobe Flash Player

Allow List mode permits execution of only a restricted set of Flash content, thus greatly limiting the security attack surface.

It can be enabled by editing the following configuration file, which must be created if it does not exist:
C:\Windows\SysWOW64\Macromed\Flash\mms.cfg

For allowing BigFix content you must add to the Allow List all the site folders that include Flash content still to be run, located in the BigFix Console cache.

AllowListUrlPattern=file:///c:/Users/<Windows User>/AppData/Local/BigFix/Enterprise%20Console/<Server Name or IP>/<Operator name>/Sites/<Site Name>

where any whitespace character must be replaced with “%20”. Path format may differ based on computer configuration. Verify existence of site folder before adding it to mms.cfg.

Example:

AllowListUrlPattern=file:///c:/Users/Administrator/AppData/Local/BigFix/Enterprise%20Console/10.11.12.13/BFAdmin/Sites/OS%20Deployment%20and%20Bare%20Metal%20Imaging

will allow all Flash content included in “OS Deployment and Bare Metal Imaging” site only.

Allow List mode will be enabled by default on or after Jan 12th. For testing the Allow List configuration in advance of that date, you can force the Allow List mode by adding the following line in mms.cfg:

EnableAllowList=1

For more information on Allow List mode and Adobe Flash Player administration, please see:
https://www.adobe.com/content/dam/acom/en/devnet/flashplayer/articles/flash_player_admin_guide/pdf/latest/flash_player_32_0_admin_guide.pdf
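
The steps above as an added example (not BigFix or Adobe code): a Python helper that builds the AllowListUrlPattern line in the format shown and audits the text of an mms.cfg for entries with unencoded whitespace or a scope wider than one site folder. The function names, the layout pattern and the sample configuration are constructed for illustration.

```python
import re

# Site-folder layout from the announcement; it may differ per machine, so
# treat this pattern as an assumption to adjust for your console cache path.
SITE_FOLDER = re.compile(
    r"file:///[a-z]:/Users/[^/]+/AppData/Local/BigFix/"
    r"Enterprise%20Console/[^/]+/[^/]+/Sites/[^/]+/?",
    re.IGNORECASE,
)

def allow_list_line(user, server, operator, site, drive="c:"):
    """Build one AllowListUrlPattern line, encoding whitespace as %20."""
    path = "/".join([drive, "Users", user, "AppData", "Local", "BigFix",
                     "Enterprise Console", server, operator, "Sites", site])
    return "AllowListUrlPattern=file:///" + re.sub(r"\s", "%20", path)

def audit_mms_cfg(text):
    """Return (forced, findings) for the text of an mms.cfg file."""
    forced, findings = False, []
    for number, raw in enumerate(text.splitlines(), 1):
        key, _, value = raw.strip().partition("=")
        key, value = key.strip(), value.strip()
        if key == "EnableAllowList":
            forced = value == "1"
        elif key == "AllowListUrlPattern":
            if re.search(r"\s", value):
                findings.append((number, "unencoded whitespace"))
            elif not SITE_FOLDER.fullmatch(value):
                findings.append((number, "not a single BigFix site folder"))
    return forced, findings

# Constructed sample: one good entry, one with raw spaces, one too broad.
SAMPLE_CFG = "\n".join([
    "EnableAllowList=1",
    allow_list_line("Administrator", "10.11.12.13", "BFAdmin",
                    "OS Deployment and Bare Metal Imaging"),
    "AllowListUrlPattern=file:///c:/Users/Administrator/AppData/Local/BigFix/"
    "Enterprise Console/10.11.12.13/BFAdmin/Sites/BES Inventory and License",
    "AllowListUrlPattern=file:///c:/Users/Administrator/AppData/Local/BigFix/",
])

if __name__ == "__main__":
    forced, findings = audit_mms_cfg(SAMPLE_CFG)
    print("Allow List mode forced:", forced)
    for number, problem in findings:
        print(f"line {number}: {problem}")
```

On the console host, also confirm that each site folder exists before adding its line, as noted above.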


Alessandro Dinia
Product Manager, BigFix
Phone: +39 345 5906645
