Hopefully this news should not come as a surprise to anyone but at the end of this year (December 31, 2020), Adobe and all mainstream web browsers will remove Flash functionality preventing users from interacting with any Flash-based web applications. This will also impact usage of VMware products that still uses Flash such as older versions of vSphere with the vSphere Flash Web Client or vCloud Director with their Flash-based Tenant UI as an example.
The large majority of VMware customers have already migrated off to newer versions of VMware products that no longer rely on Flash and this announcement will be a no-op for them. However, the reality is that not every customer has been able to meet this deadline for one reason or another will still have VMware products running in their Production environment that uses Flash even after the official end of life.
For these customers, it is really important to understand what are some of the implications and considerations to be aware of leading up to end of the year.
Background
For some background, since I have not met or spoken to a single person who will actually miss Flash nor is it a technology I tend to talk about 🙂 A few weeks back, I was talking to both Emad Younis and Simon Long about updating and rebuilding our internal VMware lab environment. It has been around for 3-4 years now and it was originally setup with NSX-V and while it has served us well over the years, it was time for an upgrade and to move to NSX-T. We had been holding off due to various projects and honestly, we just did not have the time. With VMworld now behind us, it was time to really get serious about the upgrade and have Simon (new guy) rebuild the setup 😉 While Simon was getting familiar with the environment, I realized that he still needed to use the vSphere Flash Web Client to access some of the NSX-V specific configurations to better understand the existing setup.
This actually got me thinking, what if we actually had waited until after the holidays to upgrade? Would it even be possible, would we run into any issues given the impending deadline? What affect would this have on the end users who may rely on a Flash-based UI interface? Well, it could mean some major fire drills and impact to your users if your organization is not ready and prepared.
Not only are the mainstream web browsers removing Flash functionality, some of this has already been implemented by automatically "blocking" flash websites and if you wish to override that behavior, you must explicitly acknowledge and allow the content to be rendered. After 2020, this user override behavior will simply not exists. In addition, older version of web browsers that support Flash will be removed and no longer be made available and Adobe itself will also stop the distribution of older releases of Flash all together.
In fact, just yesterday I came across an article where an upcoming Windows 10 update will completely remove Flash from the operating system and this change can NOT be reversed outside of restoring your Windows OS. I suspect other operating systems including Apple MacOS may follow a similiar path in getting rid of Flash.
Considerations
- Do you have an IT or an End User Computing team that manages your desktop image, updates and applications? If so, definitely reach out to understand what the Flash EOL will mean for your organization
- Will they be applying the latest Windows updates which removes Flash from operating system?
- Will they be applying the latest browser updates which will also remove Flash functionality?
- If so, when are these changes coming as they are usually managed through some type of group policies and can roll out at any given time, so it could even disable your access to your VMware environment before the end of the year
- When talking about VMware-based UIs, we generally think about it from an Administrator point of view but in many organizations, that is just one of the many potential consumers of the UI
- Take vSphere as an example, I know many organizations which provide direct vSphere UI access their end customers and that means, the impact is more than just the VI Admin, Network, Storage and Operators but it is the actual end users. What policies govern their desktop and are they the same or different from the administrators? This means the number of affected users can grow quite significantly depending on your overall base
- vCloud Director is another interesting solution because it has two different UIs, one of which is designed for Tenant users. This means, the ownership and the access is a completely different set of users than the folks managing the solution. This is certainly true when you look at a Managed Service Provider, you can have hundreds or thousands of end users relying on that UI.
- Are you able to ensure that their desktops will not be remediated which could affect their access?
Impacted VMware Products
If you have not already inventory which VMware products you are still using which rely on Adobe Flash, the following table can help which was also recently added to VMware KB 78589. I also recommend subscribing to this KB for future additions and updates.
| Product | Recommendation |
|---|---|
| vSphere 6.7 GA or older | 6.7 Update 3 or newer |
| Horizon 7.8 or older | 7.10 or newer |
| vCloud Director 10 or older | 10.1 or newer |
| NSX for vSphere 6.4.7 or older | 6.4.8 or newer |
| Site Recovery Manager 6.5 or older | 8.1 or newer |
| vSAN 6.5 or older | 6.7 Update 3 or newer |
| vRealize Orchestrator 7.5 or older | 7.6 or newer |
| vRealize Automation 7.6 or older | 8.0 or newer |
| vRealize Operations 6.5 or older | 6.6 or newer |
Workarounds
Obviously, the best workaround is to ensure that you are running at least the recommended VMware product version noted above which no longer uses Adobe Flash for its UI, but in case that is not possible, here are few options.
Option 1:
Starting with Adobe Flash Player June 2020 update, a set of Enterprise Enablement features were added to help Enterprises manage the Flash EOL. Users can update the mms.cfg configuration file which is based on the operating system and the web browser that you are using allowing all/or a specific set of URLs to still access the Flash site by using the AllowListUrlPattern parameter. For more details, please refer to the Adobe Flash Player Admin Guide (Page 37).
Here is an example of what the mms.cfg could look like:
EOLUninstallDisable=1
EnabledAllowList=1
AllowListPreview=1
AllowListUrlPattern=https://FQDN/
Where FQDN can be your vCenter Server, vCloud Director or any other hostname which is serving up Flash content. You do not have to specify the full path of the application URL for this to work.
Here is the location of the mms.cfg for the various operating system and browser combination. This was also recently added to VMware KB 78589 and definitely recommend subscribing to this KB for future additions and updates.
| Google Chrome on Windows | %localappdata%\Google\Chrome\User Data\Default\Pepper Data\Shockwave Flash\System\mms.cfg |
|---|---|
| Edge Chromium on Windows | %localappdata%\Microsoft\Edge\User Data\Default\Pepper Data\Shockwave Flash\System\mms.cfg |
| 32-bit Windows | %windir%System32\Macromed\Flash\mms.cfg |
| 64-bit Windows | %windir%\SysWOW64\Macromed\Flash\mms.cfg |
| MacOS | /Library/Application Support/Macromedia |
| Google Chrome On MacOS | /Users/<username>/Library/Application Support/Google/Chrome/Default/Pepper Data/Shockwave Flash/System |
Option 2:
Leverage VMware Automation tools such as PowerCLI, VMware SDKs/CLIs, etc. to perform specific tasks which require a Flash-based UI. Some customers have taken this approach to remove the need to have their admins or end users directly interact with a VMware product and provide an end-user portal for these common operations. Web Commander is just one example, where PowerShell/PowerCLI scripts can be executed from centralized portal and you can certainly build your own or leverage other VMware solutions like vRealize Orchestrator or vRealize Automation providing similiar functionality. This does require some level of development but for those who are already automating their infrastructure, this could be a nice short term workaround for the cases where you may need the Flash UI.
Additional References
Browser Support Statements:
- Microsoft: https://support.microsoft.com/en-us/help/4520411/adobe-flash-end-of-support
- Google: https://www.blog.google/products/chrome/saying-goodbye-flash-chrome/
- Mozilla: https://blog.mozilla.org/futurereleases/2017/07/25/firefox-roadmap-flash-end-life/
Not a VMware product, but if anyone out there is running RecoverPoint for VMs less than v. 5.3, you'll also need to upgrade to get the VMWare plugin that doesn't need Flash.
We'd be a lot more ready for it if there weren't still bugs in the HTML client for basic functionality like adding permissions for an AD domain user (searches that don't work right and UI functions that make it to where you HAVE to search instead of just allowing entry of a UPN or DOMAIN\groupid). We have workarounds for things, but some of this is just embarassingly bad missing basic functionality.
Workaround Option 3: Just ThinApp some browser of your choice including flash - just in Case.
You've not met anyone that'll miss native flash support?
Hi, I'm your first, I suppose. A good number of indie games were developed in flash, and I know a few that still are right now. Third party players are everywhere. Flash may be going away officially, but it's not going away anytime soon.
vSphere 6.5 supported until 2021/11/15 and the H5 client in this version doesn't cover even day-by-day operations like creating VMs with guest customizations and static IPs, so we stay with Firefox ESR + Flash Player for at least a year.
Running vSphere 6.5 (limited by hardware to this version). Upgraded our vCenter to 6.7 the other week to get around this flash issue. A very painless process.
Take backups first though 🙂
Since this day till dec we have freeze. There is no way we can do this. I'm thankful to you for writing this post.
vSAN 6.5 or older 6.7 Update 3 or newer How about if we are running vSAN 6.6.x?
just tried this on Chrome Version 87.0.4280.141 (Official Build) (64-bit) using Option 1 and it does not work.
It does re-enable the flash handling you get do you want to run flash prompt and then the out of date do you wish to update prompt but on saying no to both and attempting to load vsphere client you are presented with a single logo of a red lower case f and a blue logo lower case i . Clearly its about flash and wants to give you information. Clicking it takes you to https://www.adobe.com/products/flashplayer/end-of-life.html
Folks I have been looking for some way to filter more then one VM in the vcenter client (as I use to do in the flash vcenter client) without success. Is some one found any workaround that's work for that? Tks in advance!
Hi Gustavo,
I am assuming you have an older install of vSphere that still uses flash
If so then install a copy of Firefox ESR 78.6.1. and do not allow it to update
If you still have a download of the old stand alone Flash Installer run it to install flash
Use this to access the vSphere, do not accept the offer to upgrade flash because it is out of date.
click allow to use the older version of flash.
If I am wrong and you have a new vSphere that is just HTML 5 and want some of the old functionality of flash I am sorry I do not have an answer to that problem
A temporary solution with Basilisk Portable with Flash https://archive.org/details/basilisk-portable-with-flash#reviews