
Configuring Deployment Policies

Deployment Policy and its need

A Deployment Policy is an end-to-end customized policy configured by IT administrators to deploy patches according to the enterprise's needs. It helps design a user-specific patching policy, enabling an effective patching system across all endpoints managed by the enterprise, regardless of location.

When deploying software or a patch using Endpoint Central, you can specify various Deployment Settings such as installation timing, user permissions to skip deployments, and reboot policies. These settings can be created as Policies and used when defining configurations or tasks. Any policy can be marked as a default policy, so it applies by default to all subsequent configurations or tasks created.

There are several ways to create deployment policies. Policies can be created from the Deployment Policies page, which you can access by navigating to Threats and Patches -> Deployment -> Deployment Policies.

Deployment Schedule

Each enterprise has unique rules and regulations with a customized working pattern to maximize returns. Patch deployment might sometimes hinder system productivity due to high bandwidth consumption. To avoid this, the admin can customize the deployment schedule.

To do this,

  1. Click Create Policy under Deployment Policy.
  2. Specify a name for the policy.
  3. Preferred week split offers two options: Regular Split and Patch Tuesday. Patch Tuesday operates from the second Tuesday of every month until the next Monday, while Regular Split follows the normal week schedule. Specify the deployment schedule to occur on any day or specific days of the week. For deployment only on weekends, select Saturdays and Sundays.
  4. Specify the Deployment Window, which is the time interval for deployment on the client computer. You can specify an interval between 3 hours and 24 hours. It is recommended to provide a minimum of 3 hours to ensure the agent communicates with the product server at least once during this window to receive inputs for initiating the deployment.
  5. Configure the "Download patches from server to agent" option to take place either during the deployment window or when the agent contacts the server.
  6. Deployment can be initiated during the system startup or refresh cycle.
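
The schedule settings in steps 3 and 4, modelled as an added Python example (not Endpoint Central code or its policy schema): it finds the Patch Tuesday week, enforces the 3 to 24 hour window, and checks whether a given local time falls inside a window. The `Policy` class, its field names, the helper functions, and the assumption that a Patch Tuesday split deploys only in that week are all hypothetical.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta

def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month (Monday == 0, so Tuesday == 1)."""
    first = date(year, month, 1)
    return first + timedelta(days=(1 - first.weekday()) % 7 + 7)

def in_patch_tuesday_week(d: date) -> bool:
    """True from the second Tuesday through the following Monday."""
    start = patch_tuesday(d.year, d.month)
    return start <= d <= start + timedelta(days=6)

@dataclass
class Policy:                      # hypothetical model, not a product schema
    week_split: str                # "patch_tuesday" or "regular"
    days: frozenset                # selected weekdays, Monday == 0
    window_start: time             # local time on the client
    window_hours: int              # the page allows 3 to 24 hours

    def __post_init__(self):
        if not 3 <= self.window_hours <= 24:
            raise ValueError("deployment window must be 3 to 24 hours")

def window_opens_on(p: Policy, day: date) -> bool:
    if day.weekday() not in p.days:
        return False
    # Assumption: with the Patch Tuesday split, only that week is selected.
    return p.week_split != "patch_tuesday" or in_patch_tuesday_week(day)

def in_window(p: Policy, now: datetime) -> bool:
    """A window of up to 24 h may have opened yesterday and still be running."""
    for back in (0, 1):
        day = now.date() - timedelta(days=back)
        start = datetime.combine(day, p.window_start)
        if window_opens_on(p, day) and start <= now < start + timedelta(hours=p.window_hours):
            return True
    return False

def next_window(p: Policy, after: datetime) -> datetime:
    """Start of the first window opening at or after `after` (searches 62 days)."""
    for n in range(62):
        day = after.date() + timedelta(days=n)
        start = datetime.combine(day, p.window_start)
        if window_opens_on(p, day) and start >= after:
            return start
    raise LookupError("no deployment window in the next 62 days")
```

`next_window` makes the cost of a narrow schedule visible: under these assumptions, an endpoint that misses a single Tuesday window in June 2024 is not offered another until 9 July.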

    Configuring Pre-Deployment Activities

    To deploy configurations to computers that are turned off, enable the "Automatically wake computers before deployment" checkbox. This option allows administrators to deploy configurations to target computers that are within the network but currently powered off. If the target computers are connected to the corporate LAN/WAN, they will be powered on using the Wake On LAN feature, and the configuration will be deployed. This feature is not applicable to computers outside the corporate LAN/WAN. The Wake On LAN functionality operates based on the local time zone of each computer.

    Pre-Deployment Reboot settings can be configured to suit specific requirements. Administrators can exclude servers from rebooting to minimize system downtime and skip reboots for machines that don't require them. Additionally, users can be notified about upcoming reboots through a customized notification message.

    The Pre-Deployment User Notification settings can be configured as follows:

    1. Provide the "Title of the Message" to be displayed on client computers before deployment begins.
    2. Enter the message content to inform users prior to deployment.
    3. The notification message will appear on client computers based on the duration specified in the Notification Timeout section.
    4. Specify whether users can skip the deployment by selecting the "Allow Users to Skip Deployment" option. If this option is not selected, deployment will proceed without user control.
    5. To display the deployment progress on client computers, enable the "Show deployment progress on the client systems" option.
    6. Define the number of days after which deployment will be forced. This allows users to skip deployment only for the specified period, after which it will automatically proceed.
    7. Set the time limit for deployment to begin if the system remains idle.

    Configuring Post-Deployment Activities

    1. As part of post-deployment activities, the Reboot/Shutdown settings for systems can be configured. Administrators can choose between a Force reboot/shutdown or a Delay reboot/shutdown option. Additionally, the reboot/shutdown time can be specified. Users can be notified about the reboot/shutdown through a customized notification message. An option to "Restart and then Shutdown" the systems is also available for configuration.
    2. Select Save to apply the changes.

    The deployment policy has been successfully created and can be applied to any configuration. To modify or delete the policy, use the Actions button.

    Notification displayed on the end-user's device (screenshots for Windows and Mac).

    Role-based access

    The deployment process can be fine-tuned to meet specific requirements by configuring the deployment settings. Only authorized users with the necessary roles can modify deployment policies. Because these policies are linked to various configurations and deployment tasks, restricting modifications to authorized roles helps maintain consistency in the endpoint deployment process. Administrators, Policy Owners, and users with Patch Management Write or Software Deployment Write access are granted the privilege to modify deployment policies. Limiting this capability to authorized users ensures the integrity and reliability of the deployment process.

If you have any further questions, please refer to our Frequently Asked Questions section for more information.