Friday, December 2, 2011

(T3): Managing your Patch Management


Deploying patches successfully and efficiently across multiple clients can quickly turn from a simple maintenance task to a huge time-suck if you don't have a plan, flexibility, or the right tools.



Managing/configuring Patch Management

With GFIMAX RemoteManagement's Patch Management feature, you can be as tight or loose as you want with how patches get deployed to systems throughout your client-base.  Whether you want to make sure all machines get the "latest-and-greatest" as soon as possible, or you want to meticulously monitor the importance, stability, and need of each patch, the flexibility is here.

The "White-listing" approach
You may want to disseminate only patches that you have tested prior to installing them on client computers.  Patches can and do affect both system performance and security, and you're the one being paid for your expertise in balancing the two.

In this situation, you want to effectively halt the installation of everything.  Patch Management settings can do this in two ways: set "Auto-Approval" to Approve but the schedule to Manual, or set all "Auto-Approval" levels to Manual and the schedule to install on any day, even every day.  Either way, patches will never install without user intervention.

Patch Management will inform you about new patches for each machine as usual, but they will remain under "Missing" status until you review them.  Use the Approval Policy dialogue to search through them and review their impact by clicking the link to the vendor's release-information page. (The left-hand column of the window is this link.)

While in this dialogue, you can select multiple patches using Shift+Click and/or Ctrl+Click and change their approval status on the right-hand side.

After approving across multiple machines, select the client or site view to show those computers where you just approved the patches.  Use Shift+Click and/or Ctrl+Click to select multiple devices in the list.  From the Edit, Server, or Workstation menu, select Patch Management > and you can install the patches now, or schedule them for later (provided v8.10.1 or later is installed on the machine).

The "Latest and Greatest" approach
In contrast to the scenario above, MAX can be configured to push out patches and even reboot computers with zero intervention.  Instead of halting at the first step (approval) or the second step (scheduled installation), you can auto-approve and set a scheduled time in the Dashboard Policy.  As part of the schedule, you can tell the computer to reboot if a patch requires it, or every time if you'd like.

Simply configure the Patch Management Dashboard Policy to automatically approve everything.  Set the Reboot option to whichever you prefer: "When Required" or "Always."

From here, use the Monthly Report for servers and the Patch Overview Report to monitor the job that the system is doing.

Flexibility - everywhere in between
The good thing about MAX's system is that it is quite flexible. The scenarios above need not be the only ones that you use.  Work the system and don't let it work you.  Make it different for every client, depending on their needs.  Make all clients automatically install critical patches only, but then vet the rest carefully.  Turn everything on automatic in one of your own environments and turn it into a test bed. Automatically push out patches to all the workstations, but 'white list' all servers.  It's a tool designed to make the most of your expertise, not to tell you what your expertise "should" be.

In my own experience, I always worked with several very smart consultants, engineers and administrators.  We all had one thing in common: we did things differently than anyone else.  No need to squelch that diversity: embrace it!  Empower those that are there every day where the rubber meets the road.

I'd sure love to hear how you may want to do this task for your clients.  I'd also welcome questions about the effectiveness and efficiency of methods you'd like to propose.  A "different pair of eyes" on the picture often opens up a whole new world of possibility.  Bring it!