BigFix - Flash announcement

Adobe Flash Player will be at End of Life as of December 31, 2020. Within BigFix, Adobe Flash Player is used for the display of some Dashboards and Wizards in the BigFix Console and in BigFix Web Reports.

As part of the continuous improvement and modernization of BigFix, changes will be made to address the End Of Life of Flash.

BigFix intends to remove the dependency on Flash Player or mitigate its presence before the End of Life date to ensure business continuity and guarantee appropriate attention to our BigFix security within customer environments.

The timeline for removal of the Flash elements will vary by module and component. A monthly update will be provided on the status and progress of the Flash replacement plan via this communication channel. When upgrades are required to remove Flash content, they will be specified within the updated removal plans. More information will also be provided on upgrade paths and deprecated/unsupported components.

NOTE: BigFix does not embed or distribute Flash Player. If Flash Player is disabled or uninstalled from computers running BigFix Console or BigFix Web Reports, Flash-dependent features in these tools will stop working until the replacement or mitigation is completed.

The following BigFix components contain Flash elements:

  • BES Support (Console content)
  • BES Inventory and License (Console content)
  • OS Deployment (Console content)
  • Software Distribution (Console content)
  • Virtual Endpoint Manager / Patches for ESXi (Console content)
  • Power Management (Console and Web Reports content)
  • Remote Control (Console and Web Reports content)
  • Patch (Console content)
  • Security Configuration Manager (Console and Web Reports content)
  • Client Manager for Endpoint Protection (Console content)

The following BigFix components are free of Flash content at their latest versions:

  • BigFix Platform components (exclusive of specified content sites)
  • BigFix Web Reports (exclusive of specific reports distributed via content sites)
  • WebUI
  • Server Automation
  • Self-Service Application
  • Inventory
  • Compliance Analytics

The BigFix replacement plan is as follows:

  • Module or component will deliver incremental content updates as soon as they are available, ensuring an upgrade process as seamless as possible.
  • Due to the nature of the content updates, customers running air-gapped deployments will have to plan on applying the site updates when available.
14 Likes

Update on the BigFix Flash Removal Program

BigFix Console/Flash Content
Flash content distributed by BigFix is made available via content sites. Content site updates are gathered from the BigFix propagation servers and applied to customer deployments without explicit action by the end customer with the exception of air-gapped deployments. Flash content is gradually and incrementally being removed as the content sites are updated with content engineered to be free of Flash. BigFix will communicate the certified site version for each site once complete to facilitate the transition for customers running air-gapped deployments.

The BigFix console runs Flash content based on the Adobe Flash Player tool distributed as part of the underlying Windows operating system. As Microsoft changes their support of Flash Player, the BigFix console will reflect those changes and consequently customers will see Flash based content cease to work. BigFix capabilities will flow accordingly as noted in Microsoft’s announcement on their process for Flash removal https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/.

In fall 2020, Microsoft will publish content titled “Update for Removal of Adobe Flash Player.” This will be an Optional update. It will move to a Recommended update in early 2021, but installation will not be forced. Customers will see Flash removal rolled into Windows cumulative updates, and therefore installed without specific user interaction, no sooner than summer of 2021.

Please note that this update cannot be uninstalled. Once removed, Flash Player cannot be restored to functionality. BigFix therefore recommends that this update not be applied to any computer running the BigFix Console until we have certified the removal of all Flash based content.

Moreover, Microsoft plans to inhibit the execution of Adobe Flash Player where the installed version is earlier than the latest published available version. Customers should ensure they are running the latest version currently available based on Microsoft update https://support.microsoft.com/en-us/help/4561600/security-update-for-adobe-flash-player.

The BigFix Labs content sites (including Bitlocker Management, Client Manager Builder and Windows 7 Migration) are provided as-is, and are not maintained or supported by the BigFix team. Flash dashboards and wizards included in these sites will continue to function until Flash Player is disabled or uninstalled from computers running the BigFix Console.

In more general terms, the BigFix team will not remove the Flash content from the not supported/not maintained sites. Recommendations will be provided to allow customers to continue running Flash content, when needed, mitigating the associated risks.

BigFix Web Reports

BigFix Web Reports may contain predefined reports based on Flash, delivered through the following sites: Power Management, Security Compliance Manager, Remote Control. This content will be transformed as part of the work in progress to make these sites Flash-free by the end of the year.

Reports from other sites, and custom reports, do not use Flash as of today.

Flash content is still present in BigFix Web Reports 9.2 Overview page. A 9.2 update will be made available in Q4 to replace this content. Please plan to install this upgrade before uninstalling Adobe Flash Player or blocking Flash execution in your browser, or some of the information in the Overview page will not be available.

Flash content is still present in BigFix Web Reports 9.5 Overview page, for fixpacks prior to 9.5.13. Please plan to install 9.5.13 or later before uninstalling Adobe Flash Player or blocking Flash execution in your browser, or some of the information in the Overview page will not be available.

Flash content is not present in BigFix Web Reports 10.0 Overview page.

3 Likes

October Update on the BigFix Flash removal program

BigFix has delivered several Flash-free dashboards over the course of the last month, including elimination of Flash in the Patches for ESXi site commencing with version 112. All updated dashboards provide the same level of functionality and user experience as those they replaced.

Deployment of updated Flash-free content happens through regular site updates, with no intervention needed from the end user unless their BigFix deployment is running in an air-gapped configuration.

BigFix plans to continuously deliver Flash-free content, dashboards, wizards and web reports, through the end of 2020, at which time Adobe Flash Player will reach its end of life.

Deprecated Content

Some BigFix content sites and dashboards are still available for gathering, even if they have been declared as deprecated, obsolete, no longer supported or replaced by more up to date or re-engineered content. This content is not removed but left in place to ensure customers have needed time to change their processes and procedures.

It is important to note that some of this deprecated content does include dashboards and wizards written in Flash. Given their nature, the BigFix team does not plan to perform any Flash removal activity on any deprecated content. As previously communicated, this content will be available and continue to function on the condition that Adobe Flash Player is still installed on the computer running the BigFix Console.

The BigFix team may work on Adobe Flash removal for parts of this content based on customer request but does not commit to doing so. If you have critical dependencies on any deprecated content, please reach out to us.

Sites Excluded from Adobe Flash Removal:

BigFix Labs (Unsupported) http://sync.bigfix.com/cgi-bin/bfgather/bigfixlabs
Bitlocker Management (Unsupported) http://sync.bigfix.com/cgi-bin/bfgather/bitlocker
Client Manager Builder (Unsupported) http://sync.bigfix.com/cgi-bin/bfgather/clientmanagerbuilder
Windows 7 Migration (Unsupported) http://sync.bigfix.com/cgi-bin/bfgather/win7migration
BigFix OS Deployment 1.x (Obsolete) http://sync.bigfix.com/cgi-bin/bfgather/bigfixosdeployment
Client Manager for Application Virtualization (Obsolete) http://sync.bigfix.com/cgi-bin/bfgather/clientappvirtualization
Client Manager for TPMfOSd (Obsolete) http://sync.bigfix.com/cgi-bin/bfgather/clientmanagerfortpmfosd
IBM Software Inventory (Obsolete) http://sync.bigfix.com/cgi-bin/bfgather/ibmsoftwareinventory
Linux RPM Patches (Obsolete) http://sync.bigfix.com/cgi-bin/bfgather/linuxrpmpatching
OS Deployment 2.x (Obsolete) http://sync.bigfix.com/cgi-bin/bfgather/osdeployment
Patches for ESX v3 (Obsolete) http://sync.bigfix.com/cgi-bin/bfgather/patchesforesx3
RHEL Patches (Obsolete) http://sync.bigfix.com/cgi-bin/bfgather/rhelpatches
Windows Remote Desktop (Obsolete) http://sync.bigfix.com/cgi-bin/bfgather/windowsremotedesktop

Deprecated Dashboards Included in Supported Sites:

Patching Support:
· Corrupt Patch Deployment Wizard (Deprecated)
· Microsoft Office Source Configuration Wizard (Deprecated)
Software Distribution:
· SWD Portal Setup Wizard (Deprecated)
· Self-Service Portal Registration management (Deprecated)

Sites Certified Adobe Flash Free
Patches for ESXi, site version 112

Sites with Remaining Flash Content
* All sites not explicitly mentioned in this post are certified Adobe Flash Free

BES Support
OS Deployment and Bare Metal Imaging
Software Distribution
Remote Control
Virtual Endpoint Manager
Power Management
Patching Support
Patches for Solaris Live Upgrade
Security Configuration Manager
Client Manager for Endpoint Protection
BES Inventory and License
MaaS360 Mobile Device Management

Recommendations

The BigFix console runs Flash content based on the Adobe Flash Player tool distributed as part of the underlying Windows operating system. As Microsoft changes their support of Flash Player, the BigFix console will reflect those changes and consequently customers will see Flash based content cease to work. BigFix capabilities will flow accordingly as noted in Microsoft’s announcement on their process for Flash removal https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/.

In fall 2020, Microsoft will publish content titled “Update for Removal of Adobe Flash Player.” This will be an Optional update. It will move to a Recommended update in early 2021, but installation will not be forced. Customers will see Flash removal rolled into Windows cumulative updates, and therefore installed without specific user interaction, no sooner than summer of 2021.

Please note that this update cannot be uninstalled. Once removed, Flash Player cannot be restored to functionality. BigFix therefore recommends that this update not be applied to any computer running the BigFix Console until we have certified the removal of all Flash based content.

Moreover, Microsoft plans to inhibit the execution of Adobe Flash Player where the installed version is earlier than the latest published available version. Customers should ensure they are running the latest version currently available based on Microsoft update https://support.microsoft.com/en-us/help/4561600/security-update-for-adobe-flash-player.

2 Likes

November Update on the BigFix Flash removal program

BigFix has delivered many Flash-free dashboards over the course of the last month.
This includes elimination of Flash in the Virtual Endpoint Manager site commencing with version 60; it also includes dashboards in Patching Support, OS Deployment and Bare Metal Imaging, Client Manager for Endpoint Protection and Security Configuration Manager sites.
All updated dashboards provide the same level of functionality and user experience as those they replaced.
Deployment of updated Flash-free content happens through regular site updates, with no intervention needed from the end user unless their BigFix deployment is running in an air-gapped configuration.
BigFix plans to continuously deliver Flash-free content, dashboards, wizards and web reports until all supported sites are made Flash free.

Important: Update for Removal of Adobe Flash Player

Microsoft has published content titled “Update for Removal of Adobe Flash Player” on October 27th.
https://support.microsoft.com/en-us/help/4577586/update-for-removal-of-adobe-flash-player

It is an Optional update. It will move to a Recommended update in early 2021, but installation will not be forced. Customers will see Flash removal rolled into Windows cumulative updates, and therefore installed without specific user interaction, no sooner than summer of 2021.
Please note that this update cannot be uninstalled. Once removed, Flash Player cannot be restored to functionality. BigFix therefore recommends that this update not be applied to any computer running the BigFix Console until we have certified the removal of all Flash based content.

Sites Excluded from Adobe Flash Removal:

BigFix Labs (Unsupported) http://sync.bigfix.com/cgi-bin/bfgather/bigfixlabs
Bitlocker Management (Unsupported) http://sync.bigfix.com/cgi-bin/bfgather/bitlocker
Client Manager Builder (Unsupported) http://sync.bigfix.com/cgi-bin/bfgather/clientmanagerbuilder
Windows 7 Migration (Unsupported) http://sync.bigfix.com/cgi-bin/bfgather/win7migration
BigFix OS Deployment 1.x (Obsolete) http://sync.bigfix.com/cgi-bin/bfgather/bigfixosdeployment
Client Manager for Application Virtualization (Obsolete) http://sync.bigfix.com/cgi-bin/bfgather/clientappvirtualization
Client Manager for TPMfOSd (Obsolete) http://sync.bigfix.com/cgi-bin/bfgather/clientmanagerfortpmfosd
IBM Software Inventory (Obsolete) http://sync.bigfix.com/cgi-bin/bfgather/ibmsoftwareinventory
Linux RPM Patches (Obsolete) http://sync.bigfix.com/cgi-bin/bfgather/linuxrpmpatching
OS Deployment 2.x (Obsolete) http://sync.bigfix.com/cgi-bin/bfgather/osdeployment
Patches for ESX v3 (Obsolete) http://sync.bigfix.com/cgi-bin/bfgather/patchesforesx3
RHEL Patches (Obsolete) http://sync.bigfix.com/cgi-bin/bfgather/rhelpatches
Windows Remote Desktop (Obsolete) http://sync.bigfix.com/cgi-bin/bfgather/windowsremotedesktop

Sites Certified Adobe Flash Free

Patches for ESXi, site version 112
Virtual Endpoint Manager, site version 60

Sites with Remaining Flash Content
* All sites not explicitly mentioned in this post are certified Adobe Flash Free

BES Support
OS Deployment and Bare Metal Imaging
Software Distribution
Remote Control
Power Management
Patching Support
Patches for Solaris Live Upgrade
Security Configuration Manager
Client Manager for Endpoint Protection
BES Inventory and License
MaaS360 Mobile Device Management

BigFix Web Reports and Flash

BigFix Web Reports may contain predefined reports based on Flash, delivered through the following sites: Power Management, Security Compliance Manager, Remote Control. This content will be transformed as part of the work in progress to make these sites Flash-free. Reports from other sites do not use Flash as of today.
Differently from what was previously announced, custom reports, including the ones created with the older version of the product, are not using Flash code.
Flash content is still present in BigFix Web Reports 9.2 Overview page. A 9.2 update will be made available shortly to replace this content. Please plan to install this upgrade before uninstalling Adobe Flash Player or blocking Flash execution in your browser, or some of the information in the Overview page will not be available.
Flash content is still present in BigFix Web Reports 9.5 Overview page, for fixpacks prior to 9.5.13. Please plan to install 9.5.13 or later before uninstalling Adobe Flash Player or blocking Flash execution in your browser, or some of the information in the Overview page will not be available.
Flash content is not present in BigFix Web Reports 10.0 Overview page.

2 Likes

Good information thanks for sharing
vmware

Hello Team,

Do we have any update on the Flash-free content release activity? By when are we expecting the release of the rest of the modules?

Regards,
Janhavi

Hello, next update coming very shortly. Thanks

Important: December Update on the BigFix Flash removal program

BigFix has delivered Flash-free content in the BigFix Console across the portfolio to provide the same level of functionality and user experience as the content that was replaced.
Please see details on delivered sites below.

Deployment of updated Flash-free content happens through regular site updates, with no intervention needed from the end user unless their BigFix deployment is running in an air-gapped configuration.
In some cases, Flash dashboards are still delivered as part of the BigFix sites, even when the corresponding functionality has been made available in non-Flash content. This is meant to ease the transition. When BigFix claims a site is Flash free, it means all functionality can be achieved without Flash Player installed. The legacy Flash dashboards will stop working when Flash Player is uninstalled.

Important: Windows Update for Removal of Adobe Flash Player

Microsoft has published content titled “Update for Removal of Adobe Flash Player” on October 27th.
https://support.microsoft.com/en-us/help/4577586/update-for-removal-of-adobe-flash-player

It is an Optional update. It will move to a Recommended update in early 2021, but installation will not be forced. Customers will see Flash removal rolled into Windows cumulative updates, and therefore installed without specific user interaction, no sooner than summer of 2021.
Please note that this update cannot be uninstalled. Once removed, Flash Player cannot be restored to functionality. BigFix therefore recommends that this update not be applied to any computer running the BigFix Console until you have verified that your needed content is available in Flash free format.

Important: Adobe Flash Player End of Life statement

Adobe has announced they will no longer provide security updates to Flash Player after Dec 31st, 2020. They also communicated Flash Player will stop working by default on or after Jan 12th, 2021.
See announcement here: https://www.adobe.com/products/flashplayer/end-of-life.html#

After Jan 12th remaining Flash dashboards in BigFix Console will stop working by default.
Up to the date when “Windows Update for Removal of Adobe Flash Player” is automatically installed (presumably in Q3 2021), it will still be possible to run Flash content in Allow List mode. Allow List mode will ensure only selected local Flash content certified by BigFix is allowed to run. This will mitigate the risk of keeping Adobe Flash installed for the needed timeframe. Additional mitigation entails firewall-protecting communication between the BigFix Server and the BigFix Console running Flash content.
For further detail on how to enable Allow List mode for Flash Player, see section below.

BigFix Web Reports and Flash

Flash content is still present in BigFix Web Reports 9.2 Overview page, for fixpacks prior to 9.2.21. Please plan to install 9.2.21 or later before uninstalling Adobe Flash Player or blocking Flash execution in your browser, or some of the information in the Overview page will not be available.
Flash content is still present in BigFix Web Reports 9.5 Overview page, for fixpacks prior to 9.5.13. Please plan to install 9.5.13 or later before uninstalling Adobe Flash Player or blocking Flash execution in your browser, or some of the information in the Overview page will not be available.
Flash content is not present in BigFix Web Reports 10.0 Overview page.

Custom reports, including the ones created with the older version of the product, are not using Flash code.
BigFix Web Reports predefined reports delivered through the following sites: Power Management, Security Compliance Manager, Remote Control have been made Flash free as part of the respective site updates.

Sites Certified Adobe Flash Free

The following site versions deliver the new Flash free dashboards:

BES Support, site version 1444
Software Distribution, site version 93
Remote Control, site version 68
Patching Support, site version 926
Patches for Solaris Live Upgrade, site version 223
Patches for Mac OS X, site version 482
Patches for ESXi, site version 112
Virtual Endpoint Manager, site version 60
Power Management, site version 73
SCM Reporting, site version 133
Client Manager for Endpoint Protection, site version 4522

Sites with Remaining Flash Content

A few sites still include Flash content that has not been replaced so far. BigFix team plans to complete the replacement work in the beginning of 2021. In the meantime, Flash content can be run after applying Allow List mode and other mitigations (see below).

OS Deployment and Bare Metal Imaging
As of version 92, OS Deployment and Bare Metal Imaging provides most of the content in Flash free technology. All Flash dashboards are still available and can be used after having added the site to the Allow List. In addition, OS Deployment can be configured for running in air-gapped environment.
For further information on existing limitations please see New update in BigFix OS Deployment and Bare Metal Imaging site v92

BES Inventory and License
Flash dashboards in this site have not yet been replaced as of today. They will be accessible as the site is added to the Allow List.

MaaS360 Mobile Device Management
Flash dashboards in this site have not yet been replaced as of today. They will be accessible as the site is added to the Allow List.

How to enable Allow List mode for Adobe Flash Player

Allow List mode permits execution of restricted Flash content, thus greatly limiting the security attack surface.

It can be enabled by editing the configuration file, which must be created if it does not exist:
C:\Windows\SysWOW64\Macromed\Flash\mms.cfg

For allowing BigFix content you must add to the Allow List all the site folders that include Flash content still to be run, located in the BigFix Console cache.

AllowListUrlPattern=file:///c:/Users/[Windows User]/AppData/Local/BigFix/Enterprise%20Console/[Server Name or IP]/[Operator name]/Sites/[Site Name]

where any whitespace character must be replaced with “%20”. Path format may differ based on computer configuration. Verify existence of site folder before adding it to mms.cfg.

Example:

AllowListUrlPattern=file:///c:/Users/Administrator/AppData/Local/BigFix/Enterprise%20Console/10.11.12.13/BFAdmin/Sites/OS%20Deployment%20and%20Bare%20Metal%20Imaging

will allow all Flash content included in “OS Deployment and Bare Metal Imaging” site only.

Allow List mode will be enabled by default on or after Jan 12th. For testing the Allow List configuration in advance of that date, you can force the Allow List mode by adding the following line in mms.cfg:

EnableAllowList=1

For more information on Allow List mode and Adobe Flash Player administration, please see:

I’ve published an alpha version of a Fixlet to update the mms.cfg automatically.

If anyone would like to try out my fixlet, I’d appreciate any feedback you can give. It’s at https://bigfix.me/fixlet/details/26729

This checks whether there is an mms.cfg at \windows\syswow64\Macromed\Flash, whether it contains all of the BESConsole cache paths for the OS Deployment and Bare Metal Imaging site, and appends any missing lines to the mms.cfg.

It assumes the default BESConsole cache paths; if you’ve configured your console caches to a path other than \AppData\Local\BigFix\Enterprise Console, you would have to update to reference those paths; and the user path to be updated must have previously launched the BES Console (the fixlet needs to be re-run if a new user loads the console; if their operator account name changes; or if they connect to multiple BigFix root servers)

After updating the mms.cfg, the BigFix Console needs to be closed and re-launched for the change to take effect.

2 Likes
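
The mms.cfg steps from the December update and the check-and-append behaviour described in the Fixlet post, as an added Python example; it is not the Fixlet's code or BigFix's. The function names, the `Sites`-parent check and the audit helper are assumptions of this example; the file path, key names and cache layout are the ones quoted in the posts.

```python
import re
from pathlib import Path, PureWindowsPath

# File path and key names are the ones quoted in the posts above.
MMS_CFG = r"C:\Windows\SysWOW64\Macromed\Flash\mms.cfg"
KEY = "AllowListUrlPattern"
# Default console cache location in URL form (assumed; adjust if relocated).
CACHE_MARKER = "/AppData/Local/BigFix/Enterprise%20Console/"


def allow_list_line(site_folder):
    """Build the mms.cfg line for one [Site Name] folder in the console cache."""
    p = PureWindowsPath(site_folder)
    if len(p.drive) != 2 or p.drive[1] != ":" or not p.root:
        raise ValueError(f"not an absolute drive path: {site_folder!r}")
    if len(p.parts) < 3 or p.parts[-2] != "Sites":
        # Refuse anything broader than a single site folder.
        raise ValueError(f"not a folder directly under Sites: {site_folder!r}")
    # Mirror the posts' example: lowercase drive letter, forward slashes.
    url = "file:///" + p.drive.lower() + "/" + "/".join(p.parts[1:])
    return f"{KEY}=" + re.sub(r"\s", "%20", url)


def find_site_folders(cache_root, site_names):
    """Return the existing <server>/<operator>/Sites/<site> folders."""
    found = []
    for sites_dir in Path(cache_root).glob("*/*/Sites"):
        for name in site_names:
            if (sites_dir / name).is_dir():  # verify before allow-listing
                found.append(sites_dir / name)
    return sorted(found)


def merge_cfg(existing_text, wanted_lines, force_enable=False):
    """Append the wanted lines that mms.cfg lacks; returns (text, added)."""
    lines = existing_text.splitlines()
    present = {line.strip() for line in lines}
    wanted = (["EnableAllowList=1"] if force_enable else []) + list(wanted_lines)
    added = []
    for line in wanted:
        if line not in present:
            present.add(line)
            added.append(line)
    if not added:
        return existing_text, []  # idempotent: a second run changes nothing
    return "\n".join(lines + added) + "\n", added


def entries_outside_cache(cfg_text):
    """List allow-list values that do not point into a console site folder."""
    flagged = []
    for raw in cfg_text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep and key.strip() == KEY:
            value = value.strip()
            tail = value.partition(CACHE_MARKER)[2]
            if not (value.startswith("file:///") and "/Sites/" in tail):
                flagged.append(value)
    return flagged


if __name__ == "__main__":
    # Constructed input: the folder from the post's example plus a stray entry.
    folder = (r"C:\Users\Administrator\AppData\Local\BigFix\Enterprise Console"
              r"\10.11.12.13\BFAdmin\Sites\OS Deployment and Bare Metal Imaging")
    current = "AllowListUrlPattern=https://example.invalid/\n"
    text, added = merge_cfg(current, [allow_list_line(folder)], force_enable=True)
    print(f"# merged content for {MMS_CFG}:")
    print(text)
    print("entries to review:", entries_outside_cache(text))
```

On a console machine, pass the user's `Enterprise Console` cache folder to `find_site_folders`, write the merged text back to mms.cfg with administrative rights, and relaunch the BigFix Console as the Fixlet post notes.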

AWESOME JOB !!! This worked for me, I was about to pull my hair out and was attempting the manual fix myself with no luck. You saved me, thanks a million.

1 Like

This post is to provide an update on Flash removal in BigFix.
OS Deployment and Bare Metal Imaging site version 97 has been published, with all functionality available in Flash-free format.
Flash dashboards in the site are still available as a backup, and can be accessed via the allow-listing described in a previous post.
Minor Flash content is still present in BES Inventory and License and MaaS360 Mobile Device Management sites. This is also still accessible through the aforementioned allow-listing procedure.
BigFix team reinforces that the presence of Flash code in BigFix sites is not a vulnerability in itself. Customers who disabled/uninstalled Flash at this point are not exposed to any risk by the presence of such dashboards. If Flash has not been removed and the Flash dashboards are still being accessed, the risk is mitigated by the allow-list procedure that restricts the Flash code that can be run to only the content provided by, and guaranteed by, BigFix.
Please reach out for any enquiry you might have.

1 Like

As a final update on this subject, Flash content has been removed from all supported BigFix dashboards and wizards.
There is currently no plan to remove Flash from MaaS360 Mobile Device Management site, and from “Server Hypervisor Visibility Integration” within BES Inventory and License site, as that content is being deprecated. BigFix team reinforces that the presence of Flash code in BigFix sites is not a vulnerability in itself. Customers who disabled/uninstalled Flash at this point are not exposed to any risk by the presence of such dashboards.

2 Likes