Managing Flash is even worse than it first appears.
Recent Safari updates now disable older versions of the Flash plugin. It wasn’t clear how “old” a version had to be to be disabled. Today I got an unwelcome surprise.
Most of our managed machines have Flash Player version 11.3.200.257 installed. I was aware that version 11.3.200.271 was available, but due to the issues here, I had not yet widely deployed it.
Today Adobe released Flash Player 11.4.402.265, and we started getting calls that Safari was blocking the Flash Plugin as out of date. Most of our users do not have admin rights, so we needed to fix it for them. I imported the Adobe Flash Player.pkg from the 11.3.200.271 installer into Munki and tested an install on one machine. Flash was no longer blocked.
So I still don’t know exactly how old the Flash Player must be before Safari blocks it, but now we have to be even more proactive in keeping Flash up to date in our organizations.
All the more reason to hope that the issues with the auto-update feature have been addressed with the 11.4 release. The release notes are silent on this issue. More testing needed, apparently!
Managing OS X 
That sounds like a great name! I’ve got a simple setup of Munki in my school (just Apple’s updates) and I’m considering running my own repository for things like Flash/MS Office updates etc. By the sounds of it, that isn’t so easy any more!
Hey Greg,
Why not just use Apple’s PackageMaker to snap shot the before and after changes and use a regular PKG installer? That’s what I’ve been doing and so far it seems to work well.
I don’t want to do _any_ extra work. I want Adobe to ship Flash Player in Apple package format. But if I *do* have to do extra work, it seems like it would make sense to try to use Adobe’s supported installation method, if possible.
While I completely agree with you, the reality is that Adobe is the M$FT of creative publishing (a monopolist) which makes them a very sloppy vendor. Although it’s annoying, using PackageMaker to repackage Flash only takes about 2 minutes and it’s about the only way to distribute Flash reliably. I also have to use PackageMaker to repackage M$FT’s Office 2011 updates. M$FT’s normal installers, like Flash, are shit.
At least “releasenotes –silent” works.
Loool !…good one Greg
Found the culprit here:
/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
Today mine looks like:
LastModification
Thu, 30 Aug 2012 02:11:27 GMT
PlugInBlacklist
10
com.macromedia.Flash Player.plugin
MinimumPlugInBundleVersion
11.3.300.271
com.oracle.java.JavaAppletPlugin
BlockedPlugInBundleVersions
1.7.06.24
Version
1033
From the strings in /usr/libexec/XProtectUpdater, it fetches a plist from http://configuration.apple.com/configurations/macosx/xprotect/2/clientConfiguration.plist, which contains a ‘meta’ dict that matches the one on disk. The rest is all malware data identifiers.