Skip to Content
Technical Articles
Author's profile photo Manuel Stampp

How to keep Enterprise Flash Applications accessible in 2021

Introduction

Neither SAP nor I can give any warranty or support for Adobe Flash and if you repeat any steps  described here, you do this on your own risk.

As Adobe announced, Flash player support will be dismissed end of 2020/beginning of 2021.

If enterprises are running applications based on Adobe Flash, it is strongly recommended to migrate them and disable Adobe Flash Player on all clients, as also security fixes will be discontinued.

For some cases though, there might be no migration options due to several reasons – and in order to continue operations, it will then be necessary to keep Flash Player active for a number of clients.

This blog post shall give an overview about findings and the impacts of the Flash Player End Of Life (EOL), in case you require to continue running Flash-based applications in 2021.

SAP has published Notes regarding different products on this topic covering official information, e.g.:

https://launchpad.support.sap.com/#/notes/2993618

https://launchpad.support.sap.com/#/notes/2905660

https://launchpad.support.sap.com/#/notes/2905488

 

The company HARMAN is taking over the official role of a distributor for enterprise customers and will deliver maintenance for Adobe Flash.

In case you are insecure, you should rather get in contact with HARMAN.

If you try to keep Flash running on your own, always keep in mind the security risk of running outdated or unpatched software – and secure it in other ways.

Announced facts about end of flash support

  • Adobe will stop supporting Flash after December 31st, 2020
  • Browser Vendors have announced to remove support for flash plugins and APIs starting early 2021.
  • Adobe Flash installations have a system-time-controlled “kill switch” that blocks functioning for most clients as of January 12th, 2021
    • This can could be observed by setting a client’s time ahead to a later date prior to Flash EOL
    • Technically the “kill switch” consists of an enforced allow-listing after EOL
  • Adobe announced to shut down distribution sources beginning of 2021 which might stop online installers and referencing package distributions (e.g. on Linux) from working

 

Possible Mitigations

  • Install Flash on your machines within year 2020
    • In case you have problems installing flash on your machine, you can acquire full installers for your machine from help page, section “Still having problems”, at least until end of 2020.
    • Update January 22, 2021: Adobe download pages seem inaccessible meanwhile, though I was still able to find trustworthy mirrors for the Flash Player installer
  • Apply mms.cfg to disable the “kill switch” in client flash installations, according to Adobe Flash Admin Guide
    • As of January 12th (after EOL), only allow-listed hosts are accessible as the Parameter “EnableAllowList=1” is enforced (page 31).
    • Therefore, you will have to use the configuration file to allow flash usage specified hosts only with parameter “AllowListUrlPattern” – this also helps to reduce security risks of flash usage
  •  A Microsoft blog previews that a cumulative update or monthly rollup will remove policies regarding Flash Player as of summer 2021 for Internet Explorer and Microsoft Edge
    • By blocking or not installing the optional KB for removal, it might be possible to continue running flash in Internet Explorer or Edge legacy mode until summer, blocking the announced cumulative update/rollup even further
  • Install a browser version that still supports flash and disable automatic browser updates
    • Update January 22, 2021: Firefox ESR 78.6.1 still plays Flash content and is downloadable at Mozilla
  • The open source community heavily increased push frequency on flash support, e.g. in Lightspark or Ruffle and might be a solution for a rising number of use cases while not having 100% coverage yet

 

An example of a working mms.cfg file can e.g. contain the following (replace the AllowListUrlPattern parameters with hosts and ports matching for your scenario):

EOLUninstallDisable=1
SilentAutoUpdateEnable=0
EnableAllowList=1
AutoUpdateDisable=1
ErrorReportingEnable=1
AllowListUrlPattern=https://my-flash-host:8443
AllowListUrlPattern=https://my-flash-host2:8283

Remark: In some older versions of Flash Player, still the deprecated wording is recognised exclusively. Therefore, in case of problems e.g. with older versions of Internet Explorer, you might have to replace EnableAllowList, AllowlistPreview, AllowListUrlPattern by EnableWhitelist, WhitelistPreview, WhitelistUrlPattern.

This is not documented in the Flash Admin Guide.

Location of the file can be derived from Adobe Flash Admin Guide. Examples:

  • MacOS: /Library/Application Support/Macromedia
  • Windows x86: C:\Windows\System32\Macromed\Flash
  • Windows x64: C:\Windows\SysWow64\Macromed\Flash

Update January 22, 2021: The AllowListUrlPattern entries are obligatory for further use. Make sure all your systems are entered here.

I personally tested MacOS and Windows Server 2016 on my machines using the config above with Firefox ESR (version 78.5.0esr) – I cannot guarantee it working in your environment, but I will keep testing and add further information to this blog post.

Internet Explorer still works for me as well – while Chrome and Chromium Edge updated in my environment and are not capable of running flash anymore.

Due to availability and support timeframes, I’d go for both Firefox ESR and Internet Explorer.

Summary

If you need to continue using Browser-Flash applications in 2021, you have a few options to do so.

According to the announced information, for working environments there should not be an impact before January 12th.

  1. HARMAN can help you with a supported enterprise distribution of Flash Player as “Packaged Browser” solution
  2. If you have got Flash already installed on your machines, it might be sufficient to block updates for one specific browser such as Chrome, Chromium-based browsers (like e.g. the new Microsoft Edge) or Firefox (ESR) and apply an mms.cfg as in the example above
  3. If you are using Microsoft Internet Explorer or Edge Legacy mode, make sure to not install or block the Windows updates containing the removal of Flash as well as Flash integration components on the clients where you need to continue running flash. In any case you will have to add an mms.cfg as above

If you have got a working environment, it might be beneficial to save a backup/snapshot of it – in case you need to restore due to a failure or by error installed an update removing functionality.

I will update this blog post with findings that arise in the future, as the current situation is only a preview on the options available.

 

Changelog:

  • January 22, 2021: Added a few more findings and statuses across the guide, fixed allow-list-related statements
  • January 29, 2021: Added more precision explaining the “kill switch”
  • March 1, 2021: Added remark regarding non-documented, older wording for mms.cfg thanks to Marek’s comment

Assigned Tags

      10 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Claudio Olave
      Claudio Olave

      Hello, I have been able to open BPC again, but I do not have the "Start" menu, where in the option "Planning and Consolidation Administration" you can check the states of the environments.

      Author's profile photo Manuel Stampp
      Manuel Stampp
      Blog Post Author

      Hello Claudio,

      sorry, I do not understand the context of your comment. Is this actually the blog post that you wanted to refer to?

      Kind regards

      Manuel

      Author's profile photo Claudio Olave
      Claudio Olave

      Hi Manuel, there I could attach the evidence, in the bpc image the entire menu appears, however in the bpc_2 image I no longer have the entire menu, since my user has sap_all, I need the option "Planning and Consolidation Administration" to be able manage environments.

      bpc

      bpc

       

       

      bpc_2

      bpc_2

      King regards

      Claudio

      Author's profile photo Manuel Stampp
      Manuel Stampp
      Blog Post Author

      Hello Claudio,

      this blog post is not for product specific support - if this problem is due to Flash Player, I ask you to go through the steps in the guide. Most important, besides having a valid installation, is the creation of an mms.cfg file with an allow-list for the host you are trying to access.

      This page might e.g. tell you if Flash is available on your system and browser: https://www.codegeek.net/services/resources/flash-player-test-page/

      Kind regards

      Manuel

      Author's profile photo Gino Vacca
      Gino Vacca

      Hi Manuel,

      There is another available permanent, inline solution at browsium.com that is being utilized by SAP clients now.

      Best Regards,

      Gino

       

      Author's profile photo Manuel Stampp
      Manuel Stampp
      Blog Post Author

      Thanks Gino,

      great to hear that possibilities are expanding.

      I also found a few other payed solutions, but finally decided to not mention those in the guide (besides the one officially referenced by Adobe), just to avoid any competition issues regarding the paths given in this guide.

      If you have good experience with browsium, please feel free to share them here in the comments.

      Best Regards

      Manuel

      Author's profile photo Marek Orzechowski
      Marek Orzechowski

      Manuel,

      thanks for helpful pieces of information included in your post.

      It is worth to add though in some cases another key words are valid:

      Instead of:

      EnableAllowList, AllowListPreview, AllowListUrlPattern

      the following key words should be used in mms.cfg file:

      EnableWhitelist, WhitelistPreview, WhitelistUrlPattern

      We have tested this in our environment and only (EnableWhitelist, WhitelistPreview, WhitelistUrlPattern) worked. Unfortunately this is not documented anywhere in official Adobe Flash Player admin guide. One of the Adobe employees has disclosed this on Adobe community website:

      https://community.adobe.com/t5/flash-player/ie-11-ignores-allowlisturlpattern-in-mms-cfg/m-p/11479083#M208384

      BR

      Marek

       

      Author's profile photo Manuel Stampp
      Manuel Stampp
      Blog Post Author

      Thanks Marek, I'll add a remark to this topic.

      BR

      Manuel

      Author's profile photo Pawel Konieczny
      Pawel Konieczny

      Hi Marek,

      we are having the same issue.

      Marek can you please tell me of what version on flash and FF you have it.

      I tried FF78esr and fp version 32 but still doesnt not work.

      could you please contact with me one the email below:

      pawelkonieczny83@gmail.com

       

      Thank you

      Author's profile photo Gino Vacca
      Gino Vacca

      Hello,

      The end date for the Allow List/mms.cfg workaround has been announced. We have an affordable solution that is invisible to the end user, secure, and can be deployed in less than a week. browsium.com 

      Windows 10 update will completely remove Adobe Flash Player in July - CNET

      Post | Feed | LinkedIn