LANDesk Patch Management Best practices Chris Rawlings LANDesk Sales Engineer
LANDesk 9.5 SP1 Updates Mobility OS X Inventory Patch HP Integration Printer Management Security Suite Intel Auditing FIPS 140-2 Remote Control Flexera Cloud Service Appliance Data Analytics Agent SmartVue Provisioning Linux/Unix SWD
Patch Management Best Practices
Clean Up The Patch Management Disable Replaced Rules Wizard Adobe Flash Sun Java Itunes
Clean Up The Patch Management Purge Distribution and Patch Definitions Eliminates unnecessary Operating Systems Eliminates unnecessary languages
Clean Up The Patch Management Delete Unnecessary Patches Delete patches in Do Not Scan and unassigned groups Delete undetected patches
Patching – Application EOL Detection Application End Of Life Detection Publish by Content Leverage LANDesk Patch Manager Already support MS Office 2000/XP Adobe Acrobat Pro/Sta 6.x, 7.x, 8.x Adobe Reader 6.x, 7.x, 8.x Java SE 1.3, 1.4, 5.0
Prepare Patch Reports Gather Historical Information Schedule to run on a daily basis
Avoid Impacting Users Configure CPU Utilization during scan for low impact
New Feature Do Not Disturb if… Maximize end-user productivity Reduce unwanted disruptions Detect full screen apps Dynamically hide scan dialog
Configure Reboot options Change Defaults Allow user to defer Reboot if no one is logged After Time out snooze Increase Timeout
Patching – Application Interference Increased first pass success rate Java Browser plugins Custom applications Close applications prior to patching Prevent / block applications from running during the patch process
What you see on the client… Configured to Prompt Don’t allow defer or cancel Shows apps that must close. Dynamically updates list as apps are closed by user.
Process to Kill are Definition Based Clone Vulnerability Edit Detection Rule Add Process to stop
Autofix by Scope Supports Targeted Repairs Fewer Scheduled Tasks to manage
Create query for affected computers Scenario: Administrator wants to quickly and easily create a vulnerability query to represent affected computers. New right-click option The “IN” clause is not editable in the DAL query editor.
New Feature 9.5 SP1 Patching – Maintenance Windows Controlled and Predictable maintenance Autofix policies are queued Machine state detection More aggressive reboot controls become possible
Patching – Application Interference Increased first pass success rate Java Browser plugins Custom applications Close applications prior to patching Prevent / block applications from running during the patch process
Patching – Application EOL Detection Application End Of Life Detection Publish by Content Leverage LANDesk Patch Manager Already support MS Office 2000/XP Adobe Acrobat Pro/Sta 6.x, 7.x, 8.x Adobe Reader 6.x, 7.x, 8.x Java SE 1.3, 1.4, 5.0
Vulnerability severity override Scenario: Administrator disagrees with the predefined severity of a vulnerability definition and/or wants to “lock down” reviewed severities. Right-click multi-selected definitions is allowed. The “focused” definition’s current settings are displayed. For backward compatibility in the database, “Severity” still contains the current value. “OrigSeverity” is null if no override has been specified. Otherwise, it stores the LANDesk-supplied severity.
9.5.1 Software Distribution LANDesk Software
Desktop Manager New interface Customizable branding Deliver Links, Docs & Apps Packages and links can be placed in categories “Chrome-less” app launching WPF and EXE Launchpad integrated Task history of client changes
Software Distribution Package Bundles Leverages groups in distribution packages Set the installation order (one level) Allows for packages to be grouped and ordered (one level) Categories are supported Group multiple packages or bundles Bundle within a bundle within a bundle. Schedule the bundle like you would custom groups. Internally what we do is the “My Packages” and “All”, are just bundles. Allows you to schedule one level deep. No circular bundles.
Software Distribution New Streamed Document package type Link for any file type (.txt, .pdf, .docx, .msi, etc.) Associated application Streamed from the portal (new portal only), not downloaded to the client Uses the current associated shell application (by file extension) defined for the client operating system Have to have an associated application with the extension. New portal only. You can point to any file you want. When it shows in the portal it streams to the source file. You need to have an associate application with the extension. You could point to an MSI as a stream share. Use case, say you want to deploy office with a text file for Outlook settings or instructions for your end users. Streaming from UNC, no cached copy from the client, uses all security settings within UNC. Credentials are not specified anywhere as we inherently get access based on the UNC Security.
Software Distribution Default Delivery Method New shared control to select the delivery method Global value Only enabled for Administrators One global default. Not a default within the sub categories, push, policy, etc..
Software Distribution New package pre-cache feature Only downloads package files to client machines, will not perform package installation Mac – 30 days PC – 7 days It just downloads files. Keep it simple image. Initially built for the MAC application installs but made available to all platforms.
Software Distribution Task History Task history is automatically gathered and stored in the client database Task History Maintenance Enable automatic cleanup of task history in the client database Configured in Agent settings and must be associated with each client (Agent configuration / Agent settings) Configurable by days to keep, a value of 0 will delete all task history from the client database If not set, all task history will continue to be stored Settings stored in each client machine registry under LANDesk/ManagementSuite/WinClient/SoftwareDistribution/InventorySettings ClientDatabaseHistoryDays: Specifies days to keep history, -1 or 0xffffffff if not set (all task history will be kept) See the history, what’s been installed, when, when attempted, failed, etc… Once it completes a package task it will then update it’s history agenda. Checked means it will maintain and keep for x days. Unchecked it does not maintain and everything is kept.
Software Distribution Task History/Maintenance continued Inventory scanner automatically sends client task history to the core database Located in inventory under LANDesk Management / SWD / History If you have a bundle it will show you the bundle and the suplemental packages. It’s gives task ID and package ID.
Software Distribution Automatically run inventory scanner after package installation Inventory settings located in Agent settings UI Requires an Inventory setting to be associated with each client (Agent configuration / Agent Settings) Creates a local scheduler task from the current time plus a delay If multiple packages are installed, the local scheduled task is added/updated with the new time. Always uses the same task id (779) Two delay settings Initial delay, minimum of 5 minutes, maximum of 60 minutes, default 5 minutes Additional random delay to help stagger scans (reduce the load on the core), minimum of 0 minutes and maximum of 60 minutes, default 15 minutes (will randomize between 0 and the value set) Settings stored in each client machine registry under LANDesk/ManagementSuite/WinClient/SoftwareDistribution/InventorySettings InventoryScanDelayAfterPackageInstall: High word is the initial delay, low word is the additional random delay, -1 or 0xffffffff if not set (inventory scanner will not run after package install) This was the #1 feature asked for at interchange. 3 packages chained, it will update the already created local scheduler task to update the time. You can’t hard code it past 60. It will just exit High Word: First 4 hex digits, Low Word: Last 4 hex digits, 0xffff / ffff
Questions