Drive more efficient patching with flexible patch deployment policies

You're adaptable. Your patching tool should be, too. With Patch Manager Plus, tailor your patching policies to meet specific industry needs. Select the deployment features you want most with native OS and third party application patching. In simpler words, Patch Manager Plus will work the way you do.

From build version 10.1.2121.1, the deployment policy workflow has been enhanced to include pre and post deployment settings like options to add custom scripts and a lot more. To know more about it, refer to this document.

Patch Manager Plus lets you create patching policies to enable patching across all your enterprise's endpoints irrespective of their location and despite them being mobile, remote, or asleep.

Device a deployment policy for your organization

One deployment doesn't fit all, because enterprises vary with different sizes and different patching needs. Create a Deployment Policy to specify the installation and reboot options to be performed on the client computers while deploying a patch, software or a service pack. The multiple deployment settings will help decide when to deploy a patch to the operational environment, to plan how and when that deployment will take place, in order to ensure that it does not compromise business critical systems and applications.

• You can determine the best time to deploy patches to networks of different sizes by specifying the start and end time in 'Deployment window.' Deployment will happen within the time limit specified here. If deployment is not completed, it will be continued during subsequent deployment window.
• You can specify the preferred days for deployment by selecting on which weeks and which all days you want the patches to be deployed. For example, if you want to patch during weekends, you can select 'Saturday' and 'Sunday' and select 'All weeks'.

  

• If you wish to schedule the deployment based on Patch Tuesday of that month, you can pick 'Based on patch Tuesday' as your preferred week split. Doing so, you will get the options in 'Preferred week(s) of deployment', based on Patch Tuesday. You can either choose the Patch Tuesday week or any consecutive week after Patch Tuesday as per your requirement.

  

• You can also have multiple deployment windows for the same deployment policy by selecting "Add more schedules". This creates an additional deployment window and will come in handy in scenarios where a single deployment window won't suffice. For example, as an IT administrator, you can choose to have one deployment window post 8 pm on weekdays, and a second deployment window throughout the day on weekends.
• Device policies that will meet the patching needs of different time zones. The User can set the time interval according to their time zone. The deployment will happen within the time limit specified by the User.
• This policy based approach allows set-and-forget simplicity. Any policy can be marked as default patching policy so that it will be applied by default for all subsequent patch tasks created.

Notify the user about the deployment

• Enables administrators to set a consistent time frame when a device can be patched and maintained.
• Notify users about patch deployment via a notification message window. Users can also skip deployment if its seems to be a disturbance during their work-hours. This limits the impact on the end-user and their overall productivity.
• Once you click on the checkbox of 'Notify Users about Deployment' you can customize your notification settings. You've to fill in the Deployment message title, Notification message during deployment, Notification Timeout in minutes, etc. The User can skip deployment. There's another checkbox which when enabled will show the Deployment Progress on the client computers.

Notifications can be configured for Windows and Linux endpoints.

• Patch systems at the right time and under the right circumstances to avoid disrupting business operations.

Turn ON computers before deployment

If you wanted the updates to be deployed to the computers, which are turned off, then you can enable the check box to "Turn On Computers before deployment". Enabling this option, will allow the administrators to deploy the configuration to the target computers, which are within the network but turned off. If the target computers are available in the Corporate LAN/WAN network, then those computers will be turned on using Patch Manager Plus 's Wake On LAN feature and the configuration will be deployed. This feature will not work for computers which are not available in the corporate LAN/WAN.

Download Patches/Software during subsequent Refresh Cycle

This feature will download the binaries to the client computers prior to the deployment window. The binaries will be downloaded during the subsequent refresh cycle, system startup or deployment window whichever is earlier and the installation will be initiated only during the specified deployment window. For instance, say a deployment policy has been created at 2pm, and the deployment window is from 4pm to 10pm. The missing patches are downloaded during the subsequent refresh cycle, which is at 3:30pm. This makes patches ready to be installed in client machines when the deployment window starts at 4pm

Choice of reboot policy

Deployment of certain patches that are related to OS components, may force an immediate reboot; a critical operation for many environments especially when production servers are involved. Business-critical computers may have specific times at which changes and computer restarts are permitted. Here, the deployment of a software patch or any system restarts that are required should not be scheduled. Patch Manager Plus lets you customize reboot policies post deployment. Patch Manager Plus offers a choice of the following reboot options:

• Force reboot when user has logged in
• Force shutdown when user is logged in
• Allow user to skip reboot/postpone reboot
• Allow user to skip shutdown/postpone shutdown

For version 10.0.405 and above the reboot policy has been enhanced the following way.

Bearing in mind how essential rebooting a system is , there’s always a pressure on the sysadmins to ensure the reboot occurs successfully but also during the most convenient time thus not interrupting the enterprise’s productivity. Patch Manager plus’s flexible reboot policy helps achieve this by offering the following options for reboot :

1. Force reboot/shutdown
2. Postpone reboot/shutdown
3. Do not reboot/shutdown

Force Reboot

Reboot/shutdown Immediately after deployment(within deployment window)

• If you want your system to reboot immediately after the deployment, you may enable 'Reboot Immediately after deployment'. On enabling this, the end user will receive a force reboot notification. Once the notification times out, the system reboots immediately. Hence, a system that's been configured to force reboot at 12PM with a notification time out of 5mins, will receive the prompt for the same at 12PM and hence reboot only at 12.05PM.

Specify Force Reboot Timings

• If rebooting system during business hours is not your choice or if you want to be more specific about the reboot timings, you many schedule the force reboot timings in the reboot window.
• Specify reboot timings works exactly same as the reboot immediately after the deployment except for the fact that you can decide the timing for reboot as per your choice.
• The reboot window allows you to choose the day(s) and the start and the end time within which you want the force reboot to take place. Sometimes, your system might miss a reboot as it might accidentally go into sleep/hibernate mode within the reboot window. Enabling the ' Immediately Reboot System When Next Active' allows your system to reboot immediately after it is awake. Else, the system waits for the next reboot window.

Postpone Reboot/shutdown

• As an admin you may want to leave it to the end users as to when their respective systems should reboot. Postpone reboot allows the end user to postpone the reboot until a specific time.
• You can simply specify the day(s) and time after which you want to show the first reboot prompt to the end user.
• As the end user receives the first reboot prompt he may either want to reboot at the moment or postpone the reboot according to his convenience. Hence, on choosing the postpone option, the end user can select one of the time intervals that appear on the agent window.
• Based on the chosen timing, the reboot prompt reappears. For example, if the end user chooses 15 minutes, he will receive a reboot prompt again after 15mins from when he received the first reboot prompt.
• Apart from the default time intervals shown on the server side window, you can also allow the end user to specify their time of convenience for reboot by enabling the 'end user defined time'.
• You can configure the reboot in such a way that if the reboot prompt is left unnoticed for 'x' mins since it appeared, the system will automatically reboot once the notification times out.

Reboot notifications are available on Windows and Linux endpoints.

Note : The customization in postpone time intervals is available only in Windows and Linux. For macOS, the postpone time intervals are set to 15 minutes, 1 hour, 2 hours and 4 hours by default. Also, the user alert before a force reboot is by default set to 5 mins for macOS, this customization is also allowed only in Windows.

Note: The postpone time intervals that are shown to the end user is dependent upon the force reboot timing (if configured by you). For eg. If you have configured force reboot on a system after 4 hours from when the first reboot prompt was shown, then, the end user will be shown options to postpone lesser than 4 hours.

Configuring Force Reboot ensures that your system is rebooted even if the end user fails to do so. The force reboot prompt appears exactly after 'x' hours from when the first reboot was shown and the system reboots immediately after the notification times out. Reflecting the correct status of the patches (post patching) is important. If you choose to shutdown your system post patching, you may enable the 'restart and shutdown' option. This ensures that your system reboots in order to reflect the exact status of the patches before the system shuts down.

Do not Reboot/shutdown

Admins can opt to exclude reboot/shutdown:

• For systems with patches that do not require a reboot (feature available only in Windows).
• For servers to prevent system downtime.

Restart and then Shutdown: If you choose to shutdown your system post patching, you may enable this option. This ensures that your system reboots in order to reflect the exact status of the patches before the system shuts down.

Role-based access

You can further fine-tune the deployment process to align with your specific needs by configuring the deployment settings. By customizing this setting, you can ensure that only authorized users with the necessary roles can modify the deployment policies. The deployment policies are associated with various configurations and tasks related to the deployment process and modifying these policies should be limited only to authorized users with the necessary roles and permissions. Users with the appropriate roles such as Administrators, Policy owners and Patch Management Write access are granted the privilege to modify deployment policies. The ability for only authorized users to modify the deployment policies helps in maintaining the consistency of the endpoint's deployment process.