Hopefully this news should not come as a surprise to anyone but at the end of this year (December 31, 2020), Adobe and all mainstream web browsers will remove Flash functionality preventing users from interacting with any Flash-based web applications. This will also impact usage of VMware products that still uses Flash such as older versions of vSphere with the vSphere Flash Web Client or vCloud Director with their Flash-based Tenant UI as an example.
The large majority of VMware customers have already migrated off to newer versions of VMware products that no longer rely on Flash and this announcement will be a no-op for them. However, the reality is that not every customer has been able to meet this deadline for one reason or another will still have VMware products running in their Production environment that uses Flash even after the official end of life.
For these customers, it is really important to understand what are some of the implications and considerations to be aware of leading up to end of the year.
For some background, since I have not met or spoken to a single person who will actually miss Flash nor is it a technology I tend to talk about 🙂 A few weeks back, I was talking to both Emad Younis and Simon Long about updating and rebuilding our internal VMware lab environment. It has been around for 3-4 years now and it was originally setup with NSX-V and while it has served us well over the years, it was time for an upgrade and to move to NSX-T. We had been holding off due to various projects and honestly, we just did not have the time. With VMworld now behind us, it was time to really get serious about the upgrade and have Simon (new guy) rebuild the setup 😉 While Simon was getting familiar with the environment, I realized that he still needed to use the vSphere Flash Web Client to access some of the NSX-V specific configurations to better understand the existing setup.
This actually got me thinking, what if we actually had waited until after the holidays to upgrade? Would it even be possible, would we run into any issues given the impending deadline? What affect would this have on the end users who may rely on a Flash-based UI interface? Well, it could mean some major fire drills and impact to your users if your organization is not ready and prepared.
Not only are the mainstream web browsers removing Flash functionality, some of this has already been implemented by automatically "blocking" flash websites and if you wish to override that behavior, you must explicitly acknowledge and allow the content to be rendered. After 2020, this user override behavior will simply not exists. In addition, older version of web browsers that support Flash will be removed and no longer be made available and Adobe itself will also stop the distribution of older releases of Flash all together.
In fact, just yesterday I came across an article where an upcoming Windows 10 update will completely remove Flash from the operating system and this change can NOT be reversed outside of restoring your Windows OS. I suspect other operating systems including Apple MacOS may follow a similiar path in getting rid of Flash.
- Do you have an IT or an End User Computing team that manages your desktop image, updates and applications? If so, definitely reach out to understand what the Flash EOL will mean for your organization
- Will they be applying the latest Windows updates which removes Flash from operating system?
- Will they be applying the latest browser updates which will also remove Flash functionality?
- If so, when are these changes coming as they are usually managed through some type of group policies and can roll out at any given time, so it could even disable your access to your VMware environment before the end of the year
- When talking about VMware-based UIs, we generally think about it from an Administrator point of view but in many organizations, that is just one of the many potential consumers of the UI
- Take vSphere as an example, I know many organizations which provide direct vSphere UI access their end customers and that means, the impact is more than just the VI Admin, Network, Storage and Operators but it is the actual end users. What policies govern their desktop and are they the same or different from the administrators? This means the number of affected users can grow quite significantly depending on your overall base
- vCloud Director is another interesting solution because it has two different UIs, one of which is designed for Tenant users. This means, the ownership and the access is a completely different set of users than the folks managing the solution. This is certainly true when you look at a Managed Service Provider, you can have hundreds or thousands of end users relying on that UI.
- Are you able to ensure that their desktops will not be remediated which could affect their access?
Impacted VMware Products
If you have not already inventory which VMware products you are still using which rely on Adobe Flash, the following table can help which was also recently added to VMware KB 78589. I also recommend subscribing to this KB for future additions and updates.
|vSphere 6.7 GA or older||6.7 Update 3 or newer|
|Horizon 7.8 or older||7.10 or newer|
|vCloud Director 10 or older||10.1 or newer|
|NSX for vSphere 6.4.7 or older||6.4.8 or newer|
|Site Recovery Manager 6.5 or older||8.1 or newer|
|vSAN 6.5 or older||6.7 Update 3 or newer|
|vRealize Orchestrator 7.5 or older||7.6 or newer|
|vRealize Automation 7.6 or older||8.0 or newer|
|vRealize Operations 6.5 or older||6.6 or newer|
Obviously, the best workaround is to ensure that you are running at least the recommended VMware product version noted above which no longer uses Adobe Flash for its UI, but in case that is not possible, here are few options.
Starting with Adobe Flash Player June 2020 update, a set of Enterprise Enablement features were added to help Enterprises manage the Flash EOL. Users can update the mms.cfg configuration file which is based on the operating system and the web browser that you are using allowing all/or a specific set of URLs to still access the Flash site by using the AllowListUrlPattern parameter. For more details, please refer to the Adobe Flash Player Admin Guide (Page 37).
Here is an example of what the mms.cfg could look like:
Where FQDN can be your vCenter Server, vCloud Director or any other hostname which is serving up Flash content. You do not have to specify the full path of the application URL for this to work.
Here is the location of the mms.cfg for the various operating system and browser combination. This was also recently added to VMware KB 78589 and definitely recommend subscribing to this KB for future additions and updates.
|Google Chrome on Windows||%localappdata%\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\System\mms.cfg|
|Edge Chromium on Windows||%localappdata%\Microsoft\Edge\User Data\Default\Pepper Data\Shockwave Flash\System\mms.cfg|
|Google Chrome On MacOS||/Users/<username>/Library/Application Support/Google/Chrome/Default/Pepper Data/Shockwave Flash/System|
Leverage VMware Automation tools such as PowerCLI, VMware SDKs/CLIs, etc. to perform specific tasks which require a Flash-based UI. Some customers have taken this approach to remove the need to have their admins or end users directly interact with a VMware product and provide an end-user portal for these common operations. Web Commander is just one example, where PowerShell/PowerCLI scripts can be executed from centralized portal and you can certainly build your own or leverage other VMware solutions like vRealize Orchestrator or vRealize Automation providing similiar functionality. This does require some level of development but for those who are already automating their infrastructure, this could be a nice short term workaround for the cases where you may need the Flash UI.
Browser Support Statements:
- Microsoft: https://support.microsoft.com/en-us/help/4520411/adobe-flash-end-of-support
- Google: https://www.blog.google/products/chrome/saying-goodbye-flash-chrome/
- Mozilla: https://blog.mozilla.org/futurereleases/2017/07/25/firefox-roadmap-flash-end-life/