With the below configuration the end device should be able to automatically update without granting users extra permissions. The service can automatically update the files without user intervention and even if a browser window is open, it will update as soon as the browser is closed.
How does it work?
A simple breakdown of how the new auto-updating system works is:
- Install Adobe Flash 11.2.x on a PC – this version contains the logic for the auto-updater.
- The install process creates a Scheduled Task that executes daily and checks for an update. This task is run as the SYSTEM account.
- If a new update is found, it downloads it, uninstalls the old version and installs the new version.
If the PC is not online at the time of running the scheduled task, it will run every hour for 24 hours until it gets internet access.
- If a browser is open at the time – the old version of Flash is used, and when the browser is reopened it will load the new browser plug-in.
More detailed information:
- The Scheduled Task has the following properties:
- Task name is ‘Adobe Flash Player Updater’
- Run as SYSTEM
- Trigger = C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
- Schedule to run Daily – After triggered, will repeat every hour for 1 day until internet connectivity available
- The installation creates a service with the following properties:
- Service Name is ‘AdobeFlashPlayerUpdateSvc’ (Adobe Flash Player Update Service)
- Manual startup
- Runs as Local System Account
- Path to execute = C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
- A good resource to read the Overview of how the Background Updater works:
Introducing Adobe Flash Player Background Updater for Windows
Problems in the enterprise
There are several problems at hand when it comes to the enterprise, some with a workaround but others that will hopefully be addressed with future updates.
Proxy server support
This has been asked for quite a bit on the forums. The underlying problem is that the SYSTEM account that is trying to access the internet does not know of proxy servers in your environment, in particular it does not know the proxy address or port number.
This configuration can be hard coded on a client using proxycfg.exe. The problem with this method is that if its a laptop that may connect to wifi outside the business, some internet access (where the system account is used) may not work.
My method of deploying Flash in the enterprise
There are several sections that we need to individually configure to get it all to work, and at the end they should all work together to give us the end result of auto-updating clients in the enterprise.
Deploying the client
Deploying the client in the enterprise is relatively straight forward and I have covered it in the a previous article:|
Adobe Flash 11 Deployment via GPO
A couple of points while deploying the client to help you:
- Adobe Flash Player client needs to be version 22.214.171.124 or higher to support the auto-updating feature
- The GPO deployment can be an update to previous Flash versions
Pushing out mms.cfg configuration file to clients
Adobe provide specifications for an configuration file that configures Adobe Flash player. The user settings are set either within the browser or through the Windows Control Panel. The computer settings are set through the mms.cfg file. This configuration file overrides any user settings that are set in thefile and applies to the computer.
The details about the mms.cfg file are below:
|Encoding||UTF-8 or UTF-16
Reference: Flash Player 11.2 Admin Guide – Page 22
SilentAutoUpdateServerDomain=your.server.comReference: More customisation options (28 different options under version 11.2) are available in the Flash Player 11.2 Admin Guide – Page 22
As you can see its a simple 3 liner cfg file that needs to be created\copied in the corresponding folder to force your desired configuration.
What I do is use Group Policy Preferences to copy a file from the network (I have saved to the GPO source location eg. \\Domain.local\DFS\Install\AdobeFlash\mms.cfg) to the client destination.
Note: I have attached a sample mms.cfg file which is included in the package at the bottom of this article.
Here is an article that specifically details how to deploy the files to your client computers:
How to deploy mms.cfg config file to your Adobe Flash Player clients?
Hosting Flash Update files internally (web server)
This part is required for any organisation who want to overcome the following scenarios:
- Internal network gains internet access via Proxy Server – Computer system accounts are not aware of proxy server configurations
- Bandwidth concerns – do not want hundreds/thousands of users from downloading the latest version of Flash on the same day (even if it is staggered)
What we will have at the end of this is an internal web server which hosts the files for your clients to access, a DNS entry with a common name to access the files, and a scheduled task which runs a script to download the latest files every day (directly from the Adobe download site).
At the bottom of this article is the source files for the script, and the exe tools required for it to work. You will need these tools before you begin this section:
- Download the source files from the bottom of this article called GetFlashUpdateVerXXX.zip and extract the contents to a working directory. I extracted mine to C:\FlashUpdate but any similar location is suitable (avoid using the IIS published folder directory)
Build your web server (IIS in my case)
Don’t think this is doom and gloom – its pretty straight forward and does not require a lot of configuration. I have not concentrated on security as is hosted internally and not published to the internet.
Find a suitable server that you already have in your environment that does not use any web service (in
particular does not use port 80 or 443 for any communication). Note: Its not hard to migrate this to another server if you follow my steps again, install IIS using these steps:
- Click Start, point to Control Panel, and then click Add or Remove Programs.
- In Add or Remove Programs, click Add/Remove Windows Components.
- In the Windows Components Wizard, under Components, select Application Server.
- Click Next.
- After the wizard completes the installation, click Finish
Install SSL Certificate
An SSL certificate is required for this to work. I have an SSL certificate that I installed, and an internal CA would work well for this exercise. If you do not have an internal CA, or a means of attaining a valid certificate I recommend generating your own self-signed certificate. To do this use the following:
- Navigate to your working directory: c:\FlashUpdate from within command prompt
- Enter the following command to generate and register your new certificate:
selfssl.exe /N:CN=flashupdate.contoso.com /K:1024 /V:900 /S:1 /P:443 /T
To break this down:
- /T Adds the self-signed certificate to “Trusted Certificates” list. The local browser will trust the self-signed certificate if this flag is specified.
- /N:cn Specifies the common name of the certificate. The computer name is used if not specified.
- /K:key size Specifies the key length. Default is 1024.
- /V:validity days Specifies the validity of the certificate. Default is 7 days.
- /S:site id Specifies the id of the site. Default is 1 (Default Site).
- /P:port Specifies the SSL port. Default is 443.
- Navigate to https://flashupdate.contoso.com and validate that a certificate is installed (even if not trusted by that machine
- Configure DNS to point to a friendly name using a new CNAME record. I personally used flashupdate.contoso.com which directed to my actual server SYDAPP01.contoso.com.
- Test the new URL internally. It should work straight away with a basic IIS config and will display a basic page like below:
Configuring the automatic downloads script
- Go to the source files you downloaded earlier.
- Edit the batch file (getflashupdate.bat) with appropriate details under the Configuration section only. I have provided adequate instructions within the script.
Here is the script if you want to view it online:
@ECHO OFF REM ================== About Script ====================== REM Author: Ivan Dretvic REM Email: firstname.lastname@example.org REM URL: http://ivan.dretvich.com REM Date: 09/05/2012 REM Ver: 1.0 REM REM REFERENCES: REM -wget.exe used for fetching files from internet REM http://www.gnu.org/software/wget/manual/wget.html REM -Bulk of this script was written by Tyrone Wyatt of www.cloudportal.org REM Thank you for saving me from writing the script. REM -All Adobe information in this script was attained from the Flash Player Administrators Guide REM http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/flashplayer/pdfs/flash_player_11_2_admin_guide.pdf REM ====================================================== REM ================= Script Config ====================== REM TITLE REM Used to identify script name within the rest of script. Useful if using multiple instances of script for different sites in organisation. REM Default setting is: REM set TITLE=flash-update set TITLE=flash-update REM LOG REM The LOG option is the name and location of the log file. REM This field must be populated otherwise the script will fail. Removal of ">> %LOG% 2>&1" in the rest of the script would be necessary REM to not produce log file. (not recommended) REM Default setting is: REM set LOG=./%TITLE%.log set LOG=./%TITLE%.log REM SOURCE REM The SOURCE option is the mirror on which you would like to download the flash files from. REM Default setting is: REM set SOURCE=http://fpdownload2.macromedia.com set SOURCE=http://fpdownload2.macromedia.com REM DESTINATION REM The DESTINATION option is where you would like your downloaded files to go. If you will be testing package before updating the REM masses, you must change the destination to not be in the default published IIS folder. If you did not configure IIS, and would like REM the update to propogate to all users please leave the default settings. REM Default setting is: REM set DESTINATION=C:\inetpub\wwwroot set DESTINATION=C:\inetpub\wwwroot REM VERSION REM The VERSION option is the current major version of Flash Player. (Eg. for Flash Player 11.2, the major version is 11). REM When it comes to the major version changing, please investigate any changes that Adobe have made to their software and update system. REM Default setting is: REM set VERSION=11 set VERSION=11 REM HTTP_PROXY REM The Proxy settings for wget to use. This is an optional parameter that can be ommited if you run as a configured users context. REM It is recommended to configure this field if you do use a proxy server. REM Note: the required string here is: http:\\<<PROXYSERVERNAME>>:<<PORTNUMBER>> REM Default setting is: REM set HTTP_PROXY=http://proxy.contoso.com:8080 set HTTP_PROXY=http://proxy.contoso.com:8080 REM ================= Script Core ======================== REM This is the guts of the script. Please dont modify this section of the script unless its to improve it, in which case please let me know. echo =O====== %date% %time% ======== >> %LOG% 2>&1 if exist %DESTINATION%\pub\flashplayer\update\current\sau\%VERSION%\xml ( echo Folders Exist. Skipping destination folder structure creation. >> %LOG% 2>&1 ) else ( echo Creating destination folder structure. >> %LOG% 2>&1 mkdir %DESTINATION%\pub >> %LOG% 2>&1 mkdir %DESTINATION%\pub\flashplayer >> %LOG% 2>&1 mkdir %DESTINATION%\pub\flashplayer\update >> %LOG% 2>&1 mkdir %DESTINATION%\pub\flashplayer\update\current >> %LOG% 2>&1 mkdir %DESTINATION%\pub\flashplayer\update\current\sau >> %LOG% 2>&1 mkdir %DESTINATION%\pub\flashplayer\update\current\sau\%VERSION% >> %LOG% 2>&1 mkdir %DESTINATION%\pub\flashplayer\update\current\sau\%VERSION%\xml >> %LOG% 2>&1 mkdir %DESTINATION%\pub\flashplayer\update\current\sau\%VERSION%\install >> %LOG% 2>&1 ) echo Downloading files... >> %LOG% 2>&1 wget.exe -nv %SOURCE%/pub/flashplayer/update/current/sau/%VERSION%/xml/version.xml -O %DESTINATION%\pub\flashplayer\update\current\sau\%VERSION%\xml\version.xml >> %LOG% 2>&1 wget.exe -nv %SOURCE%/pub/flashplayer/update/current/sau/%VERSION%/install/install_all_win_ax_sgn.z -O %DESTINATION%\pub\flashplayer\update\current\sau\%VERSION%\install\install_all_win_ax_sgn.z >> %LOG% 2>&1 wget.exe -nv %SOURCE%/pub/flashplayer/update/current/sau/%VERSION%/install/install_all_win_pl_sgn.z -O %DESTINATION%\pub\flashplayer\update\current\sau\%VERSION%\install\install_all_win_pl_sgn.z >> %LOG% 2>&1 wget.exe -nv %SOURCE%/pub/flashplayer/update/current/sau/%VERSION%/install/install_all_win_64_ax_sgn.z -O %DESTINATION%\pub\flashplayer\update\current\sau\%VERSION%\install\install_all_win_64_ax_sgn.z >> %LOG% 2>&1 wget.exe -nv %SOURCE%/pub/flashplayer/update/current/sau/%VERSION%/install/install_all_win_64_pl_sgn.z -O %DESTINATION%\pub\flashplayer\update\current\sau\%VERSION%\install\install_all_win_64_pl_sgn.z >> %LOG% 2>&1 echo Script complete! See log file for more infomation %LOG% echo =X====== %date% %time% ======== >> %LOG% 2>&1 echo. >> %LOG% 2>&1 REM ================= Script End =========================
- Once your document is saved you are ready to schedule a task to run Daily. Ill assume the script is located at C:\FlashUpdate\GetFlashUpdate.bat and you are saving it directly to your IIS folder.
- Create the scheduled task to execute “C:\FlashUpdate\GetFlashUpdate.bat”, with user credentials (that has access to Proxy server), to run once a day. All other settings can be left as default.
- Right click on your new scheduled task and run it.
- Open IIS Manager, expand the server name, then expand the folder Web Sites. Right click on Default Web Sites and click Open.
- Here you should see 2 files (iisstar.htm and pageerror.gif) and a folder called PUB. Navigate through the folder and make sure you see all 5 files have been downloaded by the script.Further information on file names can be found under Background updates from an internal server, Page 10 http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/flashplayer/pdfs/flash_player_11_2_admin_guide.pdf
You are done. If your clients are running a version of Flash greater than 126.96.36.199 the auto-updating should update your clients as expected. If you want to force the updates on a client to test, you can:
- run the scheduled task (as administrator because the task is a system task)
- execute C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Please let me know if i have been vague or inconsistent/inaccurate in any way so I can update it.
- Source files used to configure this solution
- How to Install IIS on Windows Server 2003
- Adobe Flash Player Administration Guide for Flash Player 11.2
- Introducing Adobe Flash Player Background Updater for Windows