Apple blocks older versions of Adobe Flash Player in web plug-in update - Page 2

Quote:

Originally Posted by digitalclips 


Out of curiosity ...do you / can you... use OS X Server or Apple Desktop Remote to push upgrades out to all Macs on the network from a single Mac?

Yes..I use ARD to push the Flash and Java updates out. However, it requires that all of the Macs be turned on and they're not all in one building. They're in separate buildings, 4 or 5 miles apart. You cannot use ARD to turn Macs on. This only works with the Xserve. This is part of the pain it the ass part...along with I just updated flash last week or the week before and now its blocked again. So I have to start all over again. I also just read someone found another exploit in Java so I assume that will be blocked again as well. As far as pushing the update out, it doesn't take very long. Its just a pain that I have to stop what I'm doing, try to get all of the Macs turned on in the entire district, and push the updates out one room at a time. Then you'll get someone who closes a lid of one of the MacBooks or something which puts the Mac to sleep, or they'll shut it off. 

The other pain in the ass part is I'm not in that school district everyday. For example, I wasn't in that district today and of course flash was blocked today. So it ruined someone's teaching plans for the Mac lab at the elementary school because they wanted to use something on the internet that required flash. For anyone that doesn't have clue what its like working in an educational environment its not fair to the teacher to do all of this planning and then have something go wrong so they have to change their plans on the fly. Not only does it ruin their plans, but also the students productivity. 

When updating flash you have to extract the pkg file out of the flash installer. Of course Adobe has to be a pain in the ass and go against standards for the Mac side when installing things. The installer for flash isn't a pkg file itself. You have to right click on the installer and Show Contents, then navigate to the Resources folder where you'll see the flashinstaller.pkg file. 

To my knowledge, ARD installers being pushed out only work with .pkg files. Sucks when you have someone still using InstallerVISE. Yes...lazy developers still use this believe it or not. 

So I think you can see where I'm coming from with this. It may seem like its simple, and doing it is...its just getting everything prepared and hope something doesn't happen in the meantime. Its just a hassle I'd rather not have to deal with.  In a home environment you don't have to worry about this. You just download and install it. 

Quote:

Originally Posted by John.B 

 

They use Flash for the same reason anyone else does: It's an easy way to deliver eye candy for people with no programming skills, vulnerabilities be damned.

I try not to post confrontational counter arguments but you sir have no idea what you are talking about.

Quote:

Originally Posted by macxpress 

 

You obviously have no idea what its like to work in an IT environment. Its not as simple as just upgrade the Macs all the time. Its a huge pain in the ass to do this. This isn't a consumer situation where sensitive tax data or whatever is stored on the Mac's HD.  There isn't any sensitive data on a workstation and any environment where there would be wouldn't have flash installed anyways, possibly Java as well. There's really no reason for a server to have flash installed which is where the real threat is. 

 

We have programs people depend on everyday for learning assessments and things like that. These are programs that HAVE to be up and running as both students and teachers are assessed based off these programs. To have to spend my day upgrading Macs is something I'd rather not be doing all the time. If the Mac doesn't work, then it gives the perception that this lab never works or is unreliable so it never gets used, thus wasting $40,000 worth of Macs which will never get upgraded because its never used. 

Ah yes, I like how you leaped to the conclusion that I must not work in an IT environment.  As a matter of fact, I do – for a corporation that has offices in Chicago and Atlanta, as well as dozens of remote telecommuters. I've been doing IT for a couple decades now (to give a hint at my age), at both the university and corporate level.  I've seen just about everything. And additionally have a RHCE certification, so I'm proficient on three major platforms.   Needless to say, I feel like I do have a handle on what I'm talking about. 

I will grant you that the tools for managing Windows computers are more mature and gives us more control, compared to the Mac counterpart tools.  And I understand the unique challenges a school district faces (additionally, my wife is a teacher in an elementary school district).  But that's really not an excuse when it comes to security.  If you're the roadblock that's preventing people from using their computers, then you need to develop a different strategy.

For example, if your teachers/students *need* Java, then use your firewall to block Java to all sites except the approved list.  Or, if you cannot keep up with all the Flash updates, let the laptops update themselves by setting the Flash control panel to "update automatically" (yes, I know... bandwidth issues).  Or hire a college or high school student to manage the push-updates to the classroom computers.  Or, if you're daring, block (at the firewall) your computers from connecting to Apple's Xprotect site (scary, but if you're managing push-updates, then you might as well manage that as well).

Just some ideas....

-Rick

Quote:

Originally Posted by _Rick_V_ 

 

 

Ah yes, I like how you leaped to the conclusion that I must not work in an IT environment.  As a matter of fact, I do – for a corporation that has offices in Chicago and Atlanta, as well as dozens of remote telecommuters. I've been doing IT for a couple decades now (to give a hint at my age), at both the university and corporate level.  I've seen just about everything. And additionally have a RHCE certification, so I'm proficient on three major platforms.   Needless to say, I feel like I do have a handle on what I'm talking about. 

 

I will grant you that the tools for managing Windows computers are more mature and gives us more control, compared to the Mac counterpart tools.  And I understand the unique challenges a school district faces (additionally, my wife is a teacher in an elementary school district).  But that's really not an excuse when it comes to security.  If you're the roadblock that's preventing people from using their computers, then you need to develop a different strategy.

 

For example, if your teachers/students *need* Java, then use your firewall to block Java to all sites except the approved list.  Or, if you cannot keep up with all the Flash updates, let the laptops update themselves by setting the Flash control panel to "update automatically" (yes, I know... bandwidth issues).  Or hire a college or high school student to manage the push-updates to the classroom computers.  Or, if you're daring, block (at the firewall) your computers from connecting to Apple's Xprotect site (scary, but if you're managing push-updates, then you might as well manage that as well).

 

Just some ideas....

 

-Rick

We don't control our firewall. Our ISP does and its not feasible to control websites based on that. Hard to explain here in a forum. Flash is set to update, but students don't have rights to install anything (and for good reason). Were are not going to give a student a right to install anything. Thats just not good policy. Teachers don't even have rights to install anything. Schools are hurting for money as it is, they aren't going to hire some kid to install stuff. Thats why were here. 

Working on corporate network is a hell of a lot different from working in an educational institution. Just because your wife is a teacher doesn't mean you know anything about how an educational system works. For one, every state is different and every district is different. 

The entire point is...these are OUR computers on OUR network. Let us make the decision, not Apple. In a consumer environment I'd say yes thats fine because a normal user probably wouldn't update it, but not in a corporate environment. There are reasons why companies and schools are sometimes slow to update things. You of all people should know this since you seem to be an "expert" in the IT field. All this is doing is inconveniencing everyone and its deterring people using the Macs. 

And I'll state again...what security issue is there? There is no sensitive data on a workstation. This is NOT a corporate environment where such things may have sensitive data. Nothing is saved on the actual computer. Everything is saved on the server which doesn't have Java or Flash installed because its not necessary. In my environment, the Macs save to Windows Servers anyways. We are a PC and Mac school district. All the Mac server in my school does is push preferences, printers, iOS device printing, and does the imaging for the Mac via DeployStudio. 

And as far as using Chrome as suggested by ThePixelDoc...well for one Google also has to be a pain in the ass and not follow Apple standards for installing things by not using a pkg file. And again, it would require the Macs to be turned on and hope they stay on to do a copy from ARD. The other issue is, Chrome isn't always supported for the sites we need to use so it makes it hard to get support for an unsupported browser. We like to keep to standards and using a non-standard application only opens doors to issues down the road. Chrome is also a pain in the ass with managing the preferences of the browser unlike Safari. 

Quote:

Originally Posted by macxpress 

The other issue is, Chrome isn't always supported for the sites we need to use so it makes it hard to get support for an unsupported browser. We like to keep to standards and using a non-standard application only opens doors to issues down the road.

I've never seen a site that was not compatible with Chrome unless it was a Windows IE only site. Safari on the other hand is incompatible with many sites. For example one particular area of Bank of America which for some reason breaks trying to add international wire recipient companies. I had to use Chrome in order to get it to work while on a customer support phone call with them. I have also had issues with Safari's SVG implementation where it jumbled up all the type but Chrome read the file perfectly. 

You say you want to use open standards but the entire topic at hand is about Flash which is 100% proprietary.

I still use Safari by default as well as Flash so I'm just going to be much more diligent to make sure I am up to date before I leave the office where I have high speed Internet because the last thing I want to do is eat up my 5 GB of cell data by downloading a big application that I was not expecting to need, not to mention the time it would take to do so.

Quote:

Originally Posted by bdkennedy1 

I'm getting REALLY f***ing sick of updating Flash and Java every two days. There should be a class action lawsuit against Adobe and Oracle for making us keep the two most poorly written programs ever written on our computers.

Yes, Flash and Java updates have become a pain in the you know what.

More seriously these very frequent Flash and Java weaknesses being exposed, simply points out that those plugins need a major overall.  Frequent little patches aren't going to provide a lasting fix !

Quote:

Originally Posted by JoshA 

Yes, Flash and Java updates have become a pain in the you know what.

More seriously these very frequent Flash and Java weaknesses being exposed, simply points out that those plugins need a major overall.  Frequent little patches aren't going to provide a lasting fix !

Flash is updated with about the same frequency as OS X.

Quote:

Originally Posted by macxpress 

 

We don't control our firewall. Our ISP does and its not feasible to control websites based on that. Hard to explain here in a forum. Flash is set to update, but students don't have rights to install anything (and for good reason). Were are not going to give a student a right to install anything. Thats just not good policy. Teachers don't even have rights to install anything. Schools are hurting for money as it is, they aren't going to hire some kid to install stuff. Thats why were here. 

 

Working on corporate network is a hell of a lot different from working in an educational institution. Just because your wife is a teacher doesn't mean you know anything about how an educational system works. For one, every state is different and every district is different. 

 

The entire point is...these are OUR computers on OUR network. Let us make the decision, not Apple. In a consumer environment I'd say yes thats fine because a normal user probably wouldn't update it, but not in a corporate environment. There are reasons why companies and schools are sometimes slow to update things. You of all people should know this since you seem to be an "expert" in the IT field. All this is doing is inconveniencing everyone and its deterring people using the Macs. 

 

And I'll state again...what security issue is there? There is no sensitive data on a workstation. This is NOT a corporate environment where such things may have sensitive data. Nothing is saved on the actual computer. Everything is saved on the server which doesn't have Java or Flash installed because its not necessary. In my environment, the Macs save to Windows Servers anyways. We are a PC and Mac school district. All the Mac server in my school does is push preferences, printers, iOS device printing, and does the imaging for the Mac via DeployStudio. 

 

And as far as using Chrome as suggested by ThePixelDoc...well for one Google also has to be a pain in the ass and not follow Apple standards for installing things by not using a pkg file. And again, it would require the Macs to be turned on and hope they stay on to do a copy from ARD. The other issue is, Chrome isn't always supported for the sites we need to use so it makes it hard to get support for an unsupported browser. We like to keep to standards and using a non-standard application only opens doors to issues down the road. Chrome is also a pain in the ass with managing the preferences of the browser unlike Safari. 

I don't know why you think your network situation is so unique.   Yes, every individual school, or company, or organization is going to have their unique specific needs.  But just because you're a school district with remote schools and extremely tight budgets doesn't make your situation a whole lot different than what everyone else has to contend with.  Yes, of course you don't let students or teachers have install rights; but I don't know why you'd assume that companies do.  No user on my network has admin install rights either.

As you say, it's YOUR network and YOUR computers.  That's right, so take control of it.  It's not Apple's fault if you don't – they're only protecting the Mac platform at large.  Usually control starts at the firewall, but since you apparently don't have control of that, then learn and figure out other ways to do it.

For example, the firewall should only one tool that's part of your layered defense –  because it's going to be naturally limited to only what it can do.  I use DNS to set up bogus entries for sites you don't want computers going to.  This is not rocket science, it's not hard to figure out what Xprotect is trying to connect to.  I assume as a school you must do some sort of DNS-like filtering or proxy-servers, many of these things are open-source & free, so no money is spent.  And much of it can run on very modest hardware (i.e. old computers).


Yes, just being married to a teacher alone doesn't mean I understand a schools needs.  Except my teacher is also on the technology committee, so I frequently hear and advise on issues they're having. I've met with her districts IT director numerous times to swap 'from the trenches" stories as well as learn from each other how we've solved different problems.  I'm not trying to sound crass, but if you are not doing any of the above, then you really don't have control over your network. Then it's not Apple's fault when each computer phones home, picks up the latest naughty list and disables Flash or Java.