Howto easily upgrade Client Security 12.31 to 13 on workstations

Agrar

Howto easily upgrade Client Security 12.31 to 13 on workstations? Can it be done automatically?

RC1

No, it cannot be done automatically.

Client Security 13 installation adds Browsing Protection extension to FireFox, Chrome, IE but not Edge yet.

 

This extension installation prompts users interactively to add the extension to each browser. It doesn't work for us as we don't have the resources to visit every machines to do mutiple manual clicks.

 

I opened a ticket with F-Secure Tech Support about this problem. They asked us to talk to sales people for this broken installation process, because it's a "feature request." So we cannot upgrade to 13 for now.

 

Rob-K

Hi @Agrar,

 

with an Policy Manager installed ... very easy and automatically!

 

You select your policy domain, go to the Installation tab - select the shown 12.31 and click on upgrade. The wizard starts, you enter the new key code for the V13.xx and click through the wizard. Then distribute the policy. That is all ... done that with our 1200 installations. 

 

@RC1 you are wrong! Browsing protection is part of the Client Security since some versions. BTW it will install automatically but the user needs to confirm the addin. There are no special rights needed for that. So why not send out a mail to the users, that they shall answer the F-Secure Addin Install prompt with a Yes? Besides that - as I stated above - an automatic upgrade to version 13 ist possible with just a few clicks on the management server

 

Best regards

Robert

 

 

RC1

Rob, you are correct that Browsing Protection has been part of FSC, but FSC 13 is the version whose installation inserts a browser extension and prompts for user interaction.

 

And you are also correct that one can send an email out and asks users to confirm the extension installation and that means it is a semi-auto install. A fully automated installation should not require user interactions. When one has a few users, it's fine with the email approach. When one has kiosks for the public or 30 to 50% email response rate in an enterprise environment ... 

Zoltar

Come on F-Secure this not what I would expect / hope from you. I agreed with RC1 – A fully automated installation should NOT require user interactions!! I have over 3000 systems using Client Security 12.31 – just about to go to 13.10. It seems a ridiculous concept for me to have to rely on my customers to accept the “enable“ for the F-Secure plug- in. We spent most of time drumming into our customers NOT to accept prompts they are not expecting, so I do not any expectations of a high successful rate on this (. Many of our systems are used 24 x 7 and over that period are used by multiple customers – and to further complicate matters the plug-in “enable” request is done at user level rather than system level – so each person who logs on to a machine will get the prompt. So it looks like I will have control these setting via Group Policy for Internet Explorer. Not sure what to do yet about other browsers. F-Secure please can you fix this ready for Client Security 13.11? Thanks Alan

Zoltar

Sorry for formatting problem in the above post - posted again.

 

Come on F-Secure this not what I would expect / hope from you.

 

I agreed with RC1 – A fully automated installation should NOT require user interactions!!

 

I have over 3000 systems using Client Security 12.31 – just about to go to 13.10.

 

It seems a ridiculous concept for me to have to rely on my customers to accept the “enable“ for the F-Secure plug- in. We spent most of time drumming into our customers NOT to accept prompts they are not expecting, so I do not any expectations of a high successful rate on this (.

 

Many of our systems are used 24 x 7 and over that period are used by multiple customers – and to further complicate matters the plug-in “enable” request is done at user level rather than system level – so each person who logs on to a machine will get the prompt.

 

So it looks like I will have control these setting via Group Policy for Internet Explorer.

Not sure what to do yet about other browsers.

 

F-Secure please can you fix this ready for Client Security 13.11?

 

Thanks

 

Alan

RC1

Don't know why this was marked "Solved"  even no fully automated solution was provided.

 

In fact, I opened a ticket with F-Secure Tech Support about this issue. I asked for status updates of my ticket many weeks ago and have not received any replies. Now I suspect it was marked solved and closed. 

 

Laksh

Hi RC1,

 

The reason why the post was marked as solved is because Rob-K provided the information on how to proceed with the upgrade of Client Security on the Workstations automatically and also mentioned that the installation of the add-on is automatic but the user has to confirm the add-on.

The prompt to the end user when a new add-on is installed is by design. It is a browser security feature to avoid malicious add-on from being added to the browser.

 

Thank you for voicing out your feedback regarding the BP extension. I brought this to the attention of the product team to look into it. The conclusion is it is not possible to take the BP extension without asking the user. We will check if it's possible to improve the extension installation scenario in future releases.

MJ-perComp

Hi,
@Laksh
a proposal to solve that  was made long ago:
Nag the user (everyday) until he installs the plugin.
This must be configurable by admin and must work even if I install a second or third browser.

 

@RC1
AFAIK even if the User does not install that plugin the protection is still there, the user only does not get a visual notification.

 

Zoltar

We used Group Policy to control the plugin for Internet Explorer.

You can enable / disable the BP plug in as required & then it removes the "nag" option for the customer.

Thanks

 

Alan

RC1

Agrar's orginal request was:

 

   Howto easily upgrade Client Security 12.31 to 13 on workstations? Can it be done automatically?

 

"Nag the user" means it is not done automatically. 

 

It is unfortunate that the F-Secure product team is not capable to automate the BP extension installation. It is technically possible years ago. Perhaps the team need more training. 

MJ-perComp

I doubt your claim that "it is technically possible", as according to this post the demand for automatic installation is common, but neither documented nor is a reliable way know.

Edit: https://support.mozilla.org/de/questions/1130750

Esp. with FF it is an anoyance to constantly change the plugin to adopt a new way how to integrate a plugin.

Also I feel it is a security/privacy issue if an admin can introduce any plugin without the users knowledge.

If you know a reliable way how to overcome both problems I am sure R&D would be interested. @Vadim

RC1

Mozilla explains how to package extension: https://developer.mozilla.org/en-US/Firefox/Enterprise_deployment#Packaging_Extensions AntiVirus clients do realtime and schedule scan of files and folders all the time. Does that mean every time before a scan there should be a pop-up to let users know because of security/privacy issue??

MJ-perComp

And I read there:
"...but this only works for profiles created after the extension is installed. "
and in the additonally referenced link:
" IMPORTANT: If you use this mechanism (which used to work pretty well), your add-ons will be disabled by default. To override this, you’ll need to set the preference extensions.autoDisableScopes to 0 via a config file or by creating a new prefs file in the defaults/preferences directory. Setting this value via distribution.ini will not work. "

So either it only works for newly created profiles or ends up with the add-on beeing disabled by default and you have to disable a Firefox security feature. Neither I like.

Feel free to modify your companies installation package as explained there, but I'd say F-Secure would be badly advised if they lowered Firefox's security settings.

my2ct
M.

RC1

Matthias, there is no need for us to take over the F-Secure development team's job here. Subscribers of the Mozilla Enterprise Working Group Mailing List ( https://mail.mozilla.org/listinfo/enterprise ) discuss the automation of extension deployment for years. We already established the fact that the default fsc 13.x installation generates pop-up message to prompt end-users. This means the installation is not "automatic" unfortunately. This does not work for a lot of business or enterprise scenarios. We have hundreds of kiosk computers in a college environment. It does not work for us either. We do not have resources to do the manual clicks on every kiosk machine. We do not have the resources to tape an explanation (not that we like this ugly solution) on every kiosk to let the public know what to do with pop-up messages. What's more unfortunate is that I submitted a ticket to F-Secure Tech Support formally and it was ignored. So the only solution for now is to disable Browsing Extension during the deployment.

MJ-perComp

IMHO it is not R&Ds job to adjust your rollout scenario.
For your environment do not forget, that the plugin does not decide about wether to block or not. The plugin "only" displays the decission to the enduser and gives him/her the ability to override the decission (if the admin allows to override).

Thus, for the time being, I recommend to activate browsing protection and not worry about the plugin. If the user decided to deny usage, the plugin will be disabled in his profile. He can re-enabled it at any time.

RC1

If the F-Secure development team has the same kind of thinking, that may explain why Gartner said "the majority of F-Secure clients are sub-500 seats" ( https://www.gartner.com/doc/reprints?id=1-4PGZC8G&ct=180126&st=sb ). 

 

 

In any enterprise environment, no one will deploy a software product that prompts for user interaction. I used to work for a company of 20,000+ seats. It's a big no-no. Any user interactions generate a lot of IT helpdesk tickets.  

 

 

As I mentioned multiple times in this discussion, the orginal question is about fully automatic deployment. It's not about what the end users think or feel.

 

 

Before our license renewal, we need to look for another product as F-Secure's small environment thinking does not work for us.

 

 

RC1

 

Pardon me, I made a typo on my last reply. It was " ... the majority of F-Secure clients are sub-5,000 seats" ; not 500.

 

Obataborsi

There are no special rights needed for that. So why not send out a mail to the users, that they shall answer the F-Secure Addin Install prompt with a Yes? Besides that - as I stated above - an automatic obat aborsi upgrade to version 13 cytotec ist possible with just a few clicks on the management server

PMSR

We too are delaying the upgrade to version 13 due to this. We're a large speciality veterinary hospital in the north of Europe with 150 seats of Client Security, and we made Google Chrome standard. Most of our personnel, like vets and animal carers, share computers. For the most part they are not IT skilled, and when they are in front of a computer they are frequently in a hurry and under life and death duress. We also been pushing the message to users to be careful out there and worry about what and where they click. The moment we deployed Client Security 13.x many would refuse to install it, others ignore it. A few would maybe say yes without blinking, of course. But we would receive dozens of support calls and requests wondering or warning us of the fact. So, as I said, we are now in wait and see mode.