Technical Articles
How to keep Enterprise Flash Applications accessible in 2021
Introduction
Neither SAP nor I can give any warranty or support for Adobe Flash and if you repeat any steps described here, you do this on your own risk.
As Adobe announced, Flash player support will be dismissed end of 2020/beginning of 2021.
If enterprises are running applications based on Adobe Flash, it is strongly recommended to migrate them and disable Adobe Flash Player on all clients, as also security fixes will be discontinued.
For some cases though, there might be no migration options due to several reasons – and in order to continue operations, it will then be necessary to keep Flash Player active for a number of clients.
This blog post shall give an overview about findings and the impacts of the Flash Player End Of Life (EOL), in case you require to continue running Flash-based applications in 2021.
SAP has published Notes regarding different products on this topic covering official information, e.g.:
https://launchpad.support.sap.com/#/notes/2993618
https://launchpad.support.sap.com/#/notes/2905660
https://launchpad.support.sap.com/#/notes/2905488
The company HARMAN is taking over the official role of a distributor for enterprise customers and will deliver maintenance for Adobe Flash.
In case you are insecure, you should rather get in contact with HARMAN.
If you try to keep Flash running on your own, always keep in mind the security risk of running outdated or unpatched software – and secure it in other ways.
Announced facts about end of flash support
- Adobe will stop supporting Flash after December 31st, 2020
- Browser Vendors have announced to remove support for flash plugins and APIs starting early 2021.
- Chrome/Chromium: version 88+ will remove flash support January 2021
- Firefox: version 85 will remove flash support in January 2021
- Firefox Extended Support Release 78 (supported until June/October 2021) can further be used to run Flash
- Microsoft has announced to remove Flash with an optional Windows Update from installations and also shut down distribution sources
- Adobe Flash installations have a system-time-controlled “kill switch” that blocks functioning for most clients as of January 12th, 2021
- This can could be observed by setting a client’s time ahead to a later date prior to Flash EOL
- Technically the “kill switch” consists of an enforced allow-listing after EOL
- Adobe announced to shut down distribution sources beginning of 2021 which might stop online installers and referencing package distributions (e.g. on Linux) from working
Possible Mitigations
- Install Flash on your machines within year 2020
- In case you have problems installing flash on your machine, you can acquire full installers for your machine from help page, section “Still having problems”, at least until end of 2020.
- Update January 22, 2021: Adobe download pages seem inaccessible meanwhile, though I was still able to find trustworthy mirrors for the Flash Player installer
- Apply mms.cfg to disable the “kill switch” in client flash installations, according to Adobe Flash Admin Guide
- As of January 12th (after EOL), only allow-listed hosts are accessible as the Parameter “EnableAllowList=1” is enforced (page 31).
- Therefore, you will have to use the configuration file to allow flash usage specified hosts only with parameter “AllowListUrlPattern” – this also helps to reduce security risks of flash usage
- A Microsoft blog previews that a cumulative update or monthly rollup will remove policies regarding Flash Player as of summer 2021 for Internet Explorer and Microsoft Edge
- By blocking or not installing the optional KB for removal, it might be possible to continue running flash in Internet Explorer or Edge legacy mode until summer, blocking the announced cumulative update/rollup even further
- Install a browser version that still supports flash and disable automatic browser updates
- Update January 22, 2021: Firefox ESR 78.6.1 still plays Flash content and is downloadable at Mozilla
- The open source community heavily increased push frequency on flash support, e.g. in Lightspark or Ruffle and might be a solution for a rising number of use cases while not having 100% coverage yet
An example of a working mms.cfg file can e.g. contain the following (replace the AllowListUrlPattern parameters with hosts and ports matching for your scenario):
EOLUninstallDisable=1
SilentAutoUpdateEnable=0
EnableAllowList=1
AutoUpdateDisable=1
ErrorReportingEnable=1
AllowListUrlPattern=https://my-flash-host:8443
AllowListUrlPattern=https://my-flash-host2:8283
Remark: In some older versions of Flash Player, still the deprecated wording is recognised exclusively. Therefore, in case of problems e.g. with older versions of Internet Explorer, you might have to replace EnableAllowList, AllowlistPreview, AllowListUrlPattern by EnableWhitelist, WhitelistPreview, WhitelistUrlPattern.
Location of the file can be derived from Adobe Flash Admin Guide. Examples:
- MacOS: /Library/Application Support/Macromedia
- Windows x86: C:\Windows\System32\Macromed\Flash
- Windows x64: C:\Windows\SysWow64\Macromed\Flash
Update January 22, 2021: The AllowListUrlPattern entries are obligatory for further use. Make sure all your systems are entered here.
I personally tested MacOS and Windows Server 2016 on my machines using the config above with Firefox ESR (version 78.5.0esr) – I cannot guarantee it working in your environment, but I will keep testing and add further information to this blog post.
Internet Explorer still works for me as well – while Chrome and Chromium Edge updated in my environment and are not capable of running flash anymore.
Due to availability and support timeframes, I’d go for both Firefox ESR and Internet Explorer.
Summary
If you need to continue using Browser-Flash applications in 2021, you have a few options to do so.
According to the announced information, for working environments there should not be an impact before January 12th.
- HARMAN can help you with a supported enterprise distribution of Flash Player as “Packaged Browser” solution
- If you have got Flash already installed on your machines, it might be sufficient to block updates for one specific browser such as Chrome, Chromium-based browsers (like e.g. the new Microsoft Edge) or Firefox (ESR) and apply an mms.cfg as in the example above
- If you are using Microsoft Internet Explorer or Edge Legacy mode, make sure to not install or block the Windows updates containing the removal of Flash as well as Flash integration components on the clients where you need to continue running flash. In any case you will have to add an mms.cfg as above
If you have got a working environment, it might be beneficial to save a backup/snapshot of it – in case you need to restore due to a failure or by error installed an update removing functionality.
I will update this blog post with findings that arise in the future, as the current situation is only a preview on the options available.
Changelog:
- January 22, 2021: Added a few more findings and statuses across the guide, fixed allow-list-related statements
- January 29, 2021: Added more precision explaining the “kill switch”
- March 1, 2021: Added remark regarding non-documented, older wording for mms.cfg thanks to Marek’s comment
Hello, I have been able to open BPC again, but I do not have the "Start" menu, where in the option "Planning and Consolidation Administration" you can check the states of the environments.
Hello Claudio,
sorry, I do not understand the context of your comment. Is this actually the blog post that you wanted to refer to?
Kind regards
Manuel
Hi Manuel, there I could attach the evidence, in the bpc image the entire menu appears, however in the bpc_2 image I no longer have the entire menu, since my user has sap_all, I need the option "Planning and Consolidation Administration" to be able manage environments.
bpc
bpc_2
King regards
Claudio
Hello Claudio,
this blog post is not for product specific support - if this problem is due to Flash Player, I ask you to go through the steps in the guide. Most important, besides having a valid installation, is the creation of an mms.cfg file with an allow-list for the host you are trying to access.
This page might e.g. tell you if Flash is available on your system and browser: https://www.codegeek.net/services/resources/flash-player-test-page/
Kind regards
Manuel
Hi Manuel,
There is another available permanent, inline solution at browsium.com that is being utilized by SAP clients now.
Best Regards,
Gino
Thanks Gino,
great to hear that possibilities are expanding.
I also found a few other payed solutions, but finally decided to not mention those in the guide (besides the one officially referenced by Adobe), just to avoid any competition issues regarding the paths given in this guide.
If you have good experience with browsium, please feel free to share them here in the comments.
Best Regards
Manuel
Manuel,
thanks for helpful pieces of information included in your post.
It is worth to add though in some cases another key words are valid:
Instead of:
EnableAllowList, AllowListPreview, AllowListUrlPattern
the following key words should be used in mms.cfg file:
EnableWhitelist, WhitelistPreview, WhitelistUrlPattern
We have tested this in our environment and only (EnableWhitelist, WhitelistPreview, WhitelistUrlPattern) worked. Unfortunately this is not documented anywhere in official Adobe Flash Player admin guide. One of the Adobe employees has disclosed this on Adobe community website:
https://community.adobe.com/t5/flash-player/ie-11-ignores-allowlisturlpattern-in-mms-cfg/m-p/11479083#M208384
BR
Marek
Thanks Marek, I'll add a remark to this topic.
BR
Manuel
Hi Marek,
we are having the same issue.
Marek can you please tell me of what version on flash and FF you have it.
I tried FF78esr and fp version 32 but still doesnt not work.
could you please contact with me one the email below:
pawelkonieczny83@gmail.com
Thank you
Hello,
The end date for the Allow List/mms.cfg workaround has been announced. We have an affordable solution that is invisible to the end user, secure, and can be deployed in less than a week. browsium.com
Windows 10 update will completely remove Adobe Flash Player in July - CNET
Post | Feed | LinkedIn