Providing Patch Management with N-central Version 10.0 N-central 10.0 Providing Patch Management with N-central
Contents
Patch Management Overview 3
N-central Patch Management Architecture 4
Monitoring for Missing Patches 7
Viewing Installed Patches 7
Limitations and Restrictions Affecting Patch Management 8
Microsoft Patch Management 8
Third Party Patch Management 9
Configuring Devices for Patch Management 11
Caching Patch Installers 14
Patch Management Profiles 15
More about Patch Management: 15
Recommended Best Practices 15
Patch Management Profile Settings 17
Configuration Settings for Profiles 18
Approving and Declining Patches 22
Automatically Approving Patches 28
Patch Management Reporting 33
N-central Reports 33
Report Manager Reports 34
- 2 - N-central 10.0 Providing Patch Management with N-central
Patch Management Overview
N-central offers a very flexible and powerful patch Setting up Patch Management in N- distribution and management solution by providing central different features for specific patch management l Configuring Devices for Patch Man- functions. agement on page 11 l Caching Patch Installers on page 14
This allows you to tailor your services offerings to the l Patch Management Profiles on page 15
needs of your clients by organizing patch l Approving and Declining Patches on management functions into the following: page 22
License Feature Description
Patch Monitoring Identifies any software patches that are missing on devices. This feature is available at no extra cost on both Essentials and Professional nodes.
Microsoft Patch Allows for the approval or declining of Microsoft software patches on devices Management for with Essential licenses. Essential Mode devices
Microsoft Patch Allows for the approval or declining of Microsoft software patches on devices Management for with Professional licenses. This feature is not a separate license and is included Professional Mode with the Professional license. devices
Third Party Patch Allows for the approval or declining of the following non-Microsoft software Management patches:
l Adobe Acrobat X l Java 7 (32-bit/64-bit)
l Adobe Acrobat XI l Mozilla Firefox
l Adobe Air l Mozilla Thunderbird
l Adobe FlashActiveX l Notepad ++
l Adobe FlashPlugin l Opera (32-bit/64-bit)
l Adobe Reader l QuickTime
l Adobe Reader MUI l Safari
l Adobe Shockwave l SeaMonkey
l Foxit Reader Personal l Skype
l Google Chrome l VLC Media Player (32-bit/64-bit)
l Google Earth Free l WinRAR (32-bit/64-bit)
l iTunes (32-bit/64-bit) l WinZip (32-bit/64-bit)
l Java 6 (32-bit/64-bit)
Refer to the Limitations and Restrictions list below for specific information about Third Party software patches.
- 3 - N-central 10.0 Providing Patch Management with N-central
Note: For specific information about limitations on Patch Management, refer to "Limitations and Restrictions" in the N-central online help.
N-central Patch Management Architecture There are two aspects to N-central's patch management module: managing Microsoft Windows updates and managing Third Party software patches.
Managing Microsoft Windows Updates For Microsoft Windows updates, the process is as follows:
1. The Windows Agent communicates with Microsoft Windows Updates and requests the list of available updates.
2. The Windows Agent then transmits this metadata to the N-central server.
3. You, as the N-central administrator, then configure the approvals for the list of available updates. You can also configure the installation schedule for when updates will be applied.
4. The Windows Agent communicates with the Probe and requests the approved updates.
5. Upon receiving the request, the Probe downloads the updates from Microsoft Windows Updates.
6. The Windows Agents then downloads the updates from the Probe.
7. The Windows Agent then applies the schedule for installing Windows updates that you configured in step 3.
- 4 - N-central 10.0 Providing Patch Management with N-central
Managing Third Party Updates For Third Party software patches, the process is as follows:
1. The Windows Agent downloads a list of Third Party applications from the Probe and compares that list to the Third Party applications that are installed on the device.
2. The Windows Agent then transmits to N-central a list of the Third Party applications that could be updated on the device.
- 5 - N-central 10.0 Providing Patch Management with N-central
3. You, as the N-central administrator, then configure the approvals for the list of available patches. You can also configure the installation schedule for when patches will be applied.
4. The Windows Agent communicates with the Probe and requests the approved software patches.
5. Upon receiving the request, the Probe downloads the patch from the software producer (for example, from http://www.adobe.com for Adobe Reader patches).
6. The Windows Agents then downloads the patch from the Probe.
7. The Windows Agent then applies the schedule for installing software patches that you configured in step 3.
- 6 - N-central 10.0 Providing Patch Management with N-central
Monitoring for Missing Patches When an N-central 10.0 Windows Agent is installed on a device, the Patch Status service is automatically added to that device. The Patch Status service queries the Windows Update Agent (WUA) on the device to determine the Microsoft and Third Party application patches that are missing.
The Patch Status service returns key information including:
l the total number of missing patches
l the number of patches installed with errors
l missing patches by category (Security Updates, Critical Updates, Service Packs, Update Rollups, Feature Packs, Updates, and Software Driver Updates)
l missing patches (of specific categories) older than a user-specified number of days.
Viewing Installed Patches The Agent will automatically discover all installed patches on the device when the Agent is first installed as well as when the Agent runs its daily asset discovery. This includes information such as patch details, installation date, and installation status. This information is then made available in the N-central UI on the device's Asset tab and is also included in the Missing Patches (Detailed) Report and Patch Installation Status Report.
- 7 - N-central 10.0 Providing Patch Management with N-central
Limitations and Restrictions Affecting Patch Management
The following limitations and restrictions may affect your Patch Management capabilities in N-central.
Warning! You must upgrade both your N-central server and your Windows Agents to a minimum of Version 9.2 or later in order to perform Patch Management through N-central. The Patch Status, CPU, Memory and Process services will report a Misconfigured status if you have not upgraded.
As Windows, Mac and Linux agents are automatically updated, the Patch Status, CPU, Memory and Process services will automatically transition from a Misconfigured state to a Normal/Warning/Failed state.
After you have upgraded to N-central 9.2 or later, please review any Patch Management Profiles (available under Configuration > Patch Management > Profiles) that you had previously configured, as there are new settings in those Profiles that must be configured before Patch Management will function properly.
If you absolutely need to approve or decline patches but the devices that you wish to target have not yet upgraded their Agents to Version 9.2 or later, please sign in directly to the appropriate WSUS server and approve or decline patches from that application.
Microsoft Patch Management N-central does not support uninstalling Microsoft patches for Windows Vista and Windows Server 2008.
For devices using either Microsoft Windows 8 or Microsoft Windows Server 2012 operating systems, Flash ActiveX is no longer treated as a Third Party software patch but is considered to be a Windows Feature Update. As a result, use Microsoft Patch Management to approve or decline Flash ActiveX updates for these devices.
If Internet Explorer updates and Windows Updates are not current on devices using Microsoft Windows XP Service Pack 3, the reporting of updates to N-central can take excessive amounts of time and system resources.
WinZip is no longer supported on devices using either Microsoft Windows XP or Microsoft Windows Server 2003 as their operating system. As a result, Third Party patch management will no longer be able to update WinZip on those devices.
- 8 - N-central 10.0 Providing Patch Management with N-central
Third Party Patch Management For Third Party Patch Management to function properly, your network firewall must be configured to allow access to the following web sites:
If a Probe has patch caching enabled When patch caching is enabled, the Probe must have full access to web sites so that it can download installation software. In this configuration, Agents only require access to the Server In The Sky.
Device Type Vendor - Web Site URL
Device with l Server In The Sky (SIS) - http://sis.n-able.com
Probe l Adobe Acrobat - http://ardownload.adobe.com
l Adobe Reader - ftp://ftp.adobe.com/
l Adobe Air - http://airdownload.adobe.com/
l Apple Products - https://secure-appldnld.apple.- com
l Flash - http://download.macromedia.com/
l Foxit - http://cdn01.foxitsoftware.com/
l Google Products - https://dl.google.com
l Java - http://javadl.sun.com/
l Mozilla Products - https://download-installer- .cdn.mozilla.net
l Notepad++ - http://download.tuxfamily.org/
l Opera - http://get.geo.opera.com/
l Shockwave - http://www.adobe.com/
l Skype - http://download.skype.com/
l WinRAR - http://www.rarlab.com/
l WinZip - http://download.winzip.com/
l VLC - http://download.videolan.org/
Device with l Server In The Sky (SIS) - http://sis.n-able.com Agent
- 9 - N-central 10.0 Providing Patch Management with N-central
If no Probes have patch caching enabled
Device Type Vendor - Web Site URL
Device with l Server In The Sky (SIS) - http://sis.n-able.com
Agent l Adobe Acrobat - http://ardownload.adobe.com
l Adobe Reader - ftp://ftp.adobe.com/
l Adobe Air - http://airdownload.adobe.com/
l Apple Products - https://secure-appldnld.apple.- com
l Flash - http://download.macromedia.com/
l Foxit - http://cdn01.foxitsoftware.com/
l Google Products - https://dl.google.com
l Java - http://javadl.sun.com/
l Mozilla Products - https://download-installer- .cdn.mozilla.net
l Notepad++ - http://download.tuxfamily.org/
l Opera - http://get.geo.opera.com/
l Shockwave - http://www.adobe.com/
l Skype - http://download.skype.com/
l WinRAR - http://www.rarlab.com/
l WinZip - http://download.winzip.com/
l VLC - http://download.videolan.org/
Third party software patches are not incremental which means that configuring a third party patch as Approved for Removal in N-central will remove the entire application from the device and not just the software patch itself.
Some software patches require that the target device be re-started in order to complete the installation of the patch. Until the target device is re-started, these patches will be reported as Approved but not installed even after the patch has been installed.
Software patches cannot be installed on the following Third Party applications if the application is currently running:
l Chrome
l Java (both 32-bit and 64-bit)
l Opera
l Safari
l Skype
To avoid the failure of installing Third Party software patches because of this issue, log out the local users before attempting to install the patches. For example, you could use the "Log Off Current User" Automation Manager Policy. For more information, refer to "Log Off Current User" in the N-central online help.
- 10 - N-central 10.0 Providing Patch Management with N-central
Configuring Devices for Patch Management
Patch management for your managed devices is performed primarily through Probes and Agents. It can be configured by editing devices, or by configuring Patch Management options through a Rule.
To edit devices for Patch Management Note: The following procedure can only be performed at the Customer or Site-level. Select the appropriate Customer or Site in the View Selection Menu to continue.
1. Click All Devices view in the navigation pane.
2. In the All Devices view screen, perform the following:
l For a single device, click the device that you would like to edit in the Name column.
l For multiple devices, select the checkbox beside each of the device names you wish to edit and click Edit.
3. Under Patch Management, select Enable Patch Management.
4. From the Select Patch Management Configuration Profile drop-down list, select the profile that you want to be applied to the device (or devices).
Note: You can Add a new profile or View/Edit profiles to ensure that the correct one is selected.
5. Select Enable Third Party Patching to manage non-Microsoft software patches.
6. Click OK.
The device properties are updated and the All Devices view screen appears.
Note: You can click Save to apply the settings and remain on the current screen.
- 11 - N-central 10.0 Providing Patch Management with N-central
To enable Patch Management using Rules Note: The following procedure can only be performed at the Service Organization or Customer- level. Select the appropriate Service Organization or Customer in the View Selection Menu to continue.
1. In the navigation pane, click Configuration > Monitoring > Rules.
2. In the Name column of the Rules screen, click the Rule that you would like to edit.
3. In the Edit Rule screen, select the Network Device Configuration Options tab.
4. Under Patch Management, select Enable Patch Management.
5. From the Select Patch Management Configuration Profile drop-down list, select the profile that you want to be applied to the devices associated with the folder template.
6. Select Enable Third Party Patching to manage non-Microsoft software patches.
- 12 - N-central 10.0 Providing Patch Management with N-central
7. Click Save.
Note: This operation can also be carried out at the Customer level for individual Rules.
- 13 - N-central 10.0 Providing Patch Management with N-central
Caching Patch Installers
To display the patch caching properties of a Probe
1. In the navigation pane, click Configuration > Patch Management > Caching.
If a Probe has patch caching enabled, the icon will be displayed in the Patch Caching column.
2. To display the Maximum Patch Cache Size and Cache Location for a Probe, hover your
mouse pointer over the icon.
To enable or disable caching of software patch installation files on a Probe
1. In the navigation pane, click Configuration > Patch Management > Caching.
2. In the Probes list, select the check box of the individual Probes for which you want to enable or disable caching of patch installation files.
Tip: You can select the check box next to the column title to select all of the Probes.
3. Click Patch Caching.
4. Perform one of the following:
To disable patch To enable patch caching caching
1. Click Enable. 1. Click Disable. 2. Select the Maximum Patch 2. Click OK to con- Cache Size. firm. 3. Select the Cache Location. 4. If a Custom cache location is selected, you must type the path to where the software patch install- ation files will be stored. If the path is to a network shared drive, this must be configured as a UNC path (for example, \\Shared1_ svr\Shared1\cache). 5. Click Enable.
- 14 - N-central 10.0 Providing Patch Management with N-central
Patch Management Profiles
N-central's Patch Management is configured and enabled through Patch Profiles. Profiles can be More about Patch Management: applied to individual devices or can be applied and Patch Management Overview on page 3 controlled in bulk using a Rule. Configuring Devices for Patch Management on page 11 Recommended Best Practices Patch Management Profile Settings on page 17 l Create a minimum of three patch profiles: one for laptops, one for Workstations and Approving and Declining Patches on page 22 one for servers. Automatically Approving Patches on page 28 l Configure the default Patch Management Profile at the Service Organization level. Caching Patch Installers on page 14 l Disable any group policy objects that con- figure Windows Update as they will conflict Limitations and Restrictions Affecting Patch with the N-central settings. Management on page 8
l To avoid performance issues, do not asso- Editing a Patch Management Profile on page ciate individual Profiles with very large num- 16 bers of devices. Associating a Patch Management Profile with more than 1,000 devices, for example, will cause significant performance problems.
Adding a New Patch Management Profile N-central provides a default Patch Management profile. Depending on your needs, however, it may be necessary to create additional profiles.
1. In the navigation pane, click Configuration > Patch Management > Profiles.
2. Click Add in the Profiles screen.
3. Define the profile settings as required in the Add Profiles screen. For more information, refer to Patch Management Profile Settings on page 17.
4. Click Save.
Cloning a Patch Management Profile You can also copy a profile by using the Clone feature to create a new profile that has a similar configuration to an existing one but with minor differences. This can make the task of creating multiple profiles faster and easier.
Note: Cloning a profile will include both its settings and its associated devices.
- 15 - N-central 10.0 Providing Patch Management with N-central
1. In the navigation pane, click Configuration > Patch Management > Profiles.
2. Select the profile you want to duplicate in the Profiles screen.
3. Click Clone.
4. Type a descriptive Name to identify the profile.
5. In the Description field, type additional information about the profile.
6. Click Save.
Editing a Patch Management Profile Any Patch Management Profile (including the default profile provided by N-central) can be modified . When a Profile is modified, any changes made will be applied to all of the devices that use the Profile.
If you try to edit a Profile that was created at a higher account level, N-central will automatically create a copy of the Profile at the level that it is being edited (including the associated devices) and save it at that level. This will disconnect the association to the Profile that was created at a higher account level. For example, an SO Admin attempting to edit a Profile created at the System level will create a new copy of the Profile within their respective Service Organization.
1. In the navigation pane, click Configuration > Patch Management > Profiles.
2. Click the name of the profile that you would like to edit in the Name column of the Profiles screen.
3. Update the profile settings as required in the Edit Profiles screen. For more information, refer to Patch Management Profile Settings on page 17.
4. Click Save.
5. Click Save to confirm the modifications when prompted.
Viewing the Rules and Devices Associated to a Patch Management Profile You can view the associations a Patch Management Profile has to Rules.
1. In the navigation pane, click Configuration > Patch Management > Profiles.
2. Click the name of the profile for which you would like to view all associations in the Name column of the Profiles screen.
3. Click the Associated Rules tab in the Edit Profiles screen.
- 16 - N-central 10.0 Providing Patch Management with N-central
Note: At the Customer or Site level, a list of SO Level Rules is also displayed. Click Clone beside the appropriate Service Organization Rule to create a duplicate for your own use.
Deleting Patch Management Profiles You may want to delete one or more Patch Management Profiles as your patch deployment policies evolve. Be cautious when you do this as devices will need to use an existing Profile if they are to receive deployed patches. If you try to delete a Profile that is currently being used by one or more devices, you will be warned that it is an active Profile. You may then either cancel the deletion or specify a replacement Profile to be applied to those devices that are using the Profile.
Tip: You can delete multiple Patch Management Profiles simultaneously.
To delete a Patch Management Profile
1. In the navigation pane, click Configuration > Patch Management > Profiles.
2. Select the check box next to the profile (or profiles) that you want to delete in the Profiles screen.
Tip: You can select the check box next to the Name column to select all of the profiles.
3. Click Delete.
4. When prompted, click Delete to confirm the removal of the selected profiles.
Patch Management Profile Settings
Patch Management Profiles have a number of different properties that will affect how patches will be deployed.
1. Specify a descriptive Name for the Patch Profile.
2. If required, specify a Description that provides additional user-defined information about the Patch Profile which will be displayed in the Profiles table.
3. Configure the following settings for the Patch Profile.
4. Click Save.
- 17 - N-central 10.0 Providing Patch Management with N-central
Configuration Settings for Profiles General
Property Description
Pop-up Messages You can configure whether or not the Windows agent will display a message to the user to let them know that patches will be installed at a certain time. You have the options to not show a message at all, display only a message to Administrators or to display messages to all user accounts. You can also configure how much time before the patch is scheduled to show the message, and if the user dismisses the message, how often to repeat the message. This message will not delay the patch.
Show messages to Administrators Configures the Agent on the device to display messages related to patch management for logged-in users with Administrator privileges.
Show messages to Users Configures the Agent on the device to display messages related to patch management for logged-in users with standard user privileges. Installing updates - Installing
Show messages before the patch is Configures messages to be displayed prior to the scheduled to be installed scheduled installation date and time of software patches. The user will have the option to install the patches immediately instead of waiting for the scheduled date and time. New updates are ready to install - There are
Repeat messages if dismissed every Selects a time interval (in minutes) during which patch management pop-up messages will be displayed.
Communicate with Windows Update This feature is very useful for mobile devices like laptops that are frequently outside the corporate network and can't access the probe. Through this feature, you can ensure that roaming devices can still download and install patches. By default this is turned off.
- 18 - N-central 10.0 Providing Patch Management with N-central
Property Description
Communicate with Windows Update if the Configures the Agent on the device to download Windows Probe is inaccessible software patches directly from Windows Update if it is unable to connect to the Windows Probe. For example, if the device is a laptop computer and is in a different location.
Wait (minutes) before communicating with Selects a time interval (in minutes) before the Windows Update Agent will attempt to download software patches directly from Windows Update.
Windows Update Access
Windows Update access is Select one of the following settings to restrict Windows Update access to the device during patch installation: Allowed for all User accounts and Applications—This setting is the default setting. It will allow device access to Windows Update for all account levels and applications. Limited to Administrators and Applications only—This setting will restrict device access to Administrator-level accounts and applications. Restricted to N-central activity only—This setting is the most restrictive. This blocks device access 97% of the time if you are using a typical weekly patch schedule. It opens for the following N-central activities:
l It will open briefly to allow access to Administrators and applications when N- central performs patch-related tasks such as installations and new patch detec- tions.
l It will also open during daily asset scans.
Depending on the activity, access to the device may be allowed for 5 minutes or up to an hour. Best practice: As much as possible, patch activity should be scheduled outside of customer core hours.
- 19 - N-central 10.0 Providing Patch Management with N-central
Property Description
Download Before Scheduled Installation
Download and wait for scheduled Configures the Profile to download software installation patches immediately but only install the patches according to the configured Patch Installation Schedule. This feature is only available when installation of software patches is scheduled to be performed at a specific date or time.
Installing Patches When the Device is Powered Off
Automatically wake up system for patch This option allows you to power on the machine if it installation is asleep or in hibernation in order to "wake up" a Windows device (even if it is in hibernation) in order to install software updates.
Patch Detection Schedule This allows you to detect what could be installed and report back to N-central.
This is where you can identify how often you want the device to talk to Windows Update or other third-party vendors and to figure out what patches can be installed.
Property Description
When to Configures the date and time interval when the Agent on the device will check for check For available software patches from one of the following:
patches l Custom
l Every {x} Minutes
l Hourly
l Monthly
Start Time Selects when the Agent will check for software patches. Use repeat every
Days of the The days in each week on which you would like the Agent to check for software Week patches.
Days of the The days in each month on which you would like the Agent to check for software Month patches.
Months of the The months in which you would like the Agent to check for software patches. Year
- 20 - N-central 10.0 Providing Patch Management with N-central
Patch Installation Schedule This feature allows you to specify when to install patches on the system.
Property Description
If a device must be restarted following the installation of a software patch, the Maintenance Windows configuration for the device will be applied. For more information, refer to "Maintenance Windows" in the N-central online help.
Enable Scheduled Patch Installation Configures the Agent on the device to install software patches from one of the following:
l Install the patches as soon as they are approved
l Install the patches only at a scheduled time
Patch Installation Schedule Configures the date and time interval when the Agent on the device will install available software patches from one of the following:
l Custom
l Every {x} Minutes
l Hourly
l Monthly
Start Time Selects when the Agent will install software patches. Use repeat every
Days of the Week The days in each week on which you would like the Agent to install software patches.
Days of the Month The days in each month on which you would like the Agent to install software patches.
Months of the Year The months in which you would like the Agent to install software patches.
- 21 - N-central 10.0 Providing Patch Management with N-central
Approving and Declining Patches
After enabling patch management on your devices and configuring Patch Management Profiles, you can begin approving software patches for deployment.
In N-central, patches can be deployed using one of two methods:
l automatically using Automatic Patch Approval rules (for more information, refer to Automatically Approving Patches on page 28), or
l the Patch Deployment Wizard.
Current Status and Approval Reported for Patches The list of available patches displayed during completion of the Patch Deployment Wizard includes specific information for each patch including:
l KB (Knowledge Base) Number
l Patch Name
l Date
l Classification
l Severity
l Status
l Approval
Clicking on the name of the patch will display additional information such as the Description, whether it has been Superseded or not, if the patch is Removable, the Restart Behavior, and other pieces of information that are relevant to the patch.
The Status of each patch will be a combination of the individual Status values of that patch across all applicable devices. The combined Status value can be one of the following (listed in order of importance):
1. Failed 2. Needed 3. Installed 4. Not Needed
The highest-ranked of these statuses found on any applicable device will be reported as the combined Status for the patch. For example, if one device had a status of Failed for this patch, while two other devices have a status of Needed for this patch, the patch would have an overall combined Status of Failed.
The Approval value of each patch will be a combination of the individual Approval values of that patch across all computer groups. The Approval values are combined as follows:
- 22 - N-central 10.0 Providing Patch Management with N-central
l Approved for Install + Approved for Removal = Mixed
l Approved for Install + Declined = Mixed
l Approved for Removal + Declined = Mixed
l Approved for Install + Not Approved = Approved for Install
l Approved for Removal + Not Approved = Approved for Removal
l Declined + Not Approved = Declined
Through the Patch Deployment Wizard, N-central allows you to efficiently deploy patches across a number of Windows devices (regardless of the Customer or Site to which they belong).
Note: Patch removal cannot be performed on Windows devices that use Windows XP, Windows Vista, Windows 2003, Windows 2008, or earlier versions of the Windows operating system. Patch removal can be performed on Windows devices using Windows 7, Windows 8, Windows 2008 R2, Windows 2012, or later versions of Windows.
To approve or decline patches
1. In the navigation pane, click Configuration > Patch Management > Approve/Decline Patches.
Note: This feature may also be accessed through the Actions menu.
2. Select whether you wish to approve patches By Device or By Patch.
- 23 - N-central 10.0 Providing Patch Management with N-central
3. If By Device was selected, select the check box beside each of the Device Names to which you want software patches deployed. If By Patch was selected, skip to step 4.
Tip: You can select the check box next to the Device Name column heading to select all of the devices.
4. Click Next (or Patches at the top of the screen).
5. If necessary, filter the list of displayed patches in the Select Patches screen as described below:
To filter the list of patches Depending on your configuration, the list of available patches can be quite long and may require filtering in order to provide a manageable amount of patch information.
a. Click the Show Filter tab at the right side of the screen to display the Filter panel.
b. Type the information to be used to filter the patch list in the Enter search cri- teria field (including the name of the patch, Knowledge Base number, or other criteria).
c. Click Search Patches.
Note: You can use Reset Filter to undo any selections you have made and display the entire list of available patches.
d. In the Patches screen, click Show Filter.
e. Select the classification of patches you want to display from the following in the Classification section:
l 3rd Party
l Critical Updates
- 24 - N-central 10.0 Providing Patch Management with N-central
l Update Rollups
l Updates
l Feature Packs
l Definition Updates
l Security Updates
l Service Packs
l Drivers
l Tools
f. Select the current status of patches you want to display from the following in the Status section:
l Failed
l Installed
l Needed
l Not Needed
g. Select the current approval setting of patches you want to display from the fol- lowing in the Approval section:
l Approved for Install
l Approved for Removal
l Declined
l Mixed
l Not Approved
h. Select the severity rating of patches you want to display from the following in the Severity section:
l Critical
l Important
l Low
l Moderate
l Unspecified
i. Select the relationship to previous patches for which you want to display patches in the Supersession section:
l Patches Superseding Others
l Patches Marked as Superseded
- 25 - N-central 10.0 Providing Patch Management with N-central
6. Select the check box next to the patch (or patches) that you would like to deploy.
Tip: You can select the check box next to the KB Number column to select all of the patches in the list that is currently displayed.
7. Click Next (or Approvals at the top of the screen).
8. Select Perform Action Immediately to have the configured action carried out for the soft- ware patches right away.
- 26 - N-central 10.0 Providing Patch Management with N-central
9. In the New Approval column, click the pencil icon ( ) or right-click the current approval property to select the new approval property from one of the following:
l No Approval
l Approved for Install
l Approved for Removal
l Declined
l Revert
l Revert Children
l Revert Current Node and Children
l Clear and Re-evaluate Device Level Approvals (only displayed if approving By Patch)
l Preserve Device Level Approvals (only displayed if approving By Patch)
l Apply to Children
l Same as Parent Note: Third party software patches are not incremental which means that configuring a third party patch as Approved for Removal in N-central will remove the entire application from the device and not just the software patch itself.
10. Click Next (or EULA at the top of the screen if applicable).
Note: If applicable, the EULA screen will appear. If no EULAs are provided for the accepted patches, skip to step 13.
11. In the EULA column, click Read to review the End User License Agreements for applicable software patches.
When the EULA is displayed, click Accept or Decline in the dialog box to indicate acceptance or refusal of the agreement. You can also select the check box next to the patch (or patches) to accept a EULA without displaying it.
Tip: You can select the check box next to Patch Name to indicate acceptance of the EULAs for all of the patches.
12. Click Next (or Confirmation at the top of the screen).
13. Review the list of approvals to confirm that the configuration is correct.
14. Click Finish in the Confirmation screen.
Note: At any time during the Patch Deployment Wizard, you can click Previous to review previous stages of the procedure. To start the wizard over again and remove all current settings, click Start Over.
- 27 - N-central 10.0 Providing Patch Management with N-central
Automatically Approving Patches
Creating Patch Approval Rules allows N-central to automatically approve patches for you that meet specific criteria – saving you and your technicians time and effort.
Automatic Patch Approval Rules can be created at the Product Administrator, Service Organization and Customer levels. Editing and deleting Rules is restricted by the level at which they are created:
l Rules created at a higher level can be used but not edited or deleted by lower level accounts.
l Rules created at a lower level can be edited or deleted by higher level accounts.
Software patches with End User License Agreements (EULAs) will now be approved automatically by Automatic Patch Approval Rules. In previous releases of N-central, patches that required EULA consent could not be approved using Automatic Patch Approval Rules but this has been changed with N-central 9.2.
Rules can be enabled or disabled to allow further temporary suspension. N-central also allows you to run a Rule on-demand. The Rule status will be indicated by one of the following icons:
Enabled
Disabled
Warning! Configuring automatic Third Party software patch approval for devices that use Windows XP® for their operating system may result in an excessive amount of time being taken before the patches are approved. This is due to an issue with how Microsoft® manages patch approval for Windows XP devices. For more information, refer to http://tech.slashdot.org/story/13/12/16/1959259/exponential-algorithm-in-windows- update-slowing-xp-machines.
Note: Patch removal cannot be performed on Windows devices that use Windows XP, Windows Vista, Windows 2003, Windows 2008, or earlier versions of the Windows operating system. Patch removal can be performed on Windows devices using Windows 7, Windows 8, Windows 2008 R2, Windows 2012, or later versions of Windows.
To add an Automatic Patch Approval Rule 1. In the navigation pane, click Configuration > Patch Management > Automatic Approvals.
2. Click Add in the Automatic Patch Approval Rules screen.
3. Configure the properties of the Rule in the Add Automatic Patch Approval Rule screen:
- 28 - N-central 10.0 Providing Patch Management with N-central
Name A unique identifier for the Rule.
Description A personalized summary of the Rule that should identify what it does.
Products Used to configure the patches that will be targeted by the Auto Approval Rule. and a. Under The following classifications, select the type of patch in the left- Classificatio hand column from one or more of the following: ns
l Third Party
l Critical Updates
l Definition Updates
l Drivers
l Feature Packs
l Security Updates
l Service Packs
l Tools
l Update Rollups
l Updates
b. Click > to move the selected classifications to the right-hand column.
Tip: Click >> to move all of the items from the left column to the right or << to move all of the items from the right column to the left. You can also use Ctrl-click to deselect an item from either column.
c. Under The following products, right-click on the property displayed in the Selected column for individual products within the publisher, product name and version categories.
d. In the drop-down menu, select:
l Select - the product will be associated with the Rule.
l Unselect - the product will not be associated with the Rule.
l Apply to Children - the product and all of its related subsidiary products will be associated with the Rule.
l Same as Parent - the product will either be associated with the Rule or not associated with the Rule depending on what the setting is for the parent application.
- 29 - N-central 10.0 Providing Patch Management with N-central
Targets Within the appropriate Customer or Site, select the Rule to be applied to associate devices with Automatic Patch Approval.
Select the Rule to be applied to associate devices with Automatic Patch Approval.
Select Perform Action Immediately to do the following:
l if a software patch is Approved for Install, it will be installed immediately, or
l if a software patch is Approved for Removal, it will be removed imme- diately.
The Patch Installation Schedule configured for the selected devices will be ignored if this option is selected.
If a software patch is Not Approved or Declined, it will not be installed.
4. Click Save.
5. Click Yes - Run the Rule Now or No - Do Not Run the Rule Now in the Do you Want to Run this Rule Now? prompt based on your current needs. If you select Yes, the Rule will be applied and software patches approved. If you select No, the Rule will not be applied.
Note: If you choose to run the new Rule immediately, it will be applied against all of the software patches that are currently managed as well as any new software patches received from this point on. If you choose not to run the new Rule immediately, it will only be applied to future software patches.
To delete an Automatic Patch Approval Rule 1. In the navigation pane, click Configuration > Patch Management > Automatic Approvals.
2. Select the check box next to the Rule that you would like to delete in the Automatic Patch Approval Rules screen.
Tip: Selecting the check box at the top of the column heading will select all of the Rules.
3. Click Delete.
4. Click Delete in the Confirm Delete prompt.
To edit an Automatic Patch Approval Rule Note: Modifications made to existing Rules will only be applied to new software patches that are downloaded after the changes have been made.
- 30 - N-central 10.0 Providing Patch Management with N-central
1. In the navigation pane, click Configuration > Patch Management > Automatic Approvals.
2. Click the Name of the Rule that you would like to modify in the Automatic Patch Approval Rules screen.
3. Modify the properties of the Rule as needed in the Edit Automatic Patch Approval Rule screen.
4. Click Save.
To enable an Automatic Patch Approval Rule 1. In the navigation pane, click Configuration > Patch Management > Automatic Approvals.
2. Select the check box beside each of the Rules that you want to enable in the Automatic Patch Approval Rules screen.
Tip: Selecting the check box at the top of the column will select all of the Rules.
3. Click Enable.
4. Click Enable in the Confirm Enable prompt.
Note: A will appear in the Enabled column beside the name of the Rule (or Rules) that has been enabled.
To disable an Automatic Patch Approval Rule 1. In the navigation pane, click Configuration > Patch Management > Automatic Approvals.
2. Select the check box beside each of the Rules that you want to disable in the Automatic Patch Approval Rules screen.
Tip: Selecting the check box at the top of the column will select all of the Rules.
3. Click Disable.
4. Click Disable in the Confirm Disable prompt.
Note: An will appear in the Enabled column beside the name of the Rule (or Rules) that has been disabled.
- 31 - N-central 10.0 Providing Patch Management with N-central
To manually run an Automatic Patch Approval Rule Creating an Automatic Patch Approval Rule will affect all subsequent software patches but will not be applied to software patches received by N-central prior to the creation of the Rule. The Run Rule Now feature allows you to have the Rule applied to these existing patches so that those which meet the criteria configured in the Rule are approved.
1. In the navigation pane, click Configuration > Patch Management > Automatic Approvals.
2. Select the check box beside each of the Rules that you want to run in the Automatic Patch Approval Rules screen.
Tip: Selecting the check box at the top of the column will select all of the Rules.
3. Click Run Rule Now.
4. Click Run Rule Now in the Confirm Run Now prompt.
- 32 - N-central 10.0 Providing Patch Management with N-central
Patch Management Reporting
A key element of the Patch Management feature is the ability to provide effective reporting. N-central and Report Manager provide reports that are designed to be highly flexible in order to support a variety of use cases. Leveraging these reports, Report Manager and N-central can support a wide range of needs including:
l helping a technician understand the software patches that need to be deployed or the devices on which a bad patch needs to be rolled back,
l showing a customer their patch status,
l showing a customer the work that was done, needs to be done, or
l demonstrating to an auditor that patch management SLA’s are being met.
N-central Reports For high-level analysis commonly used for internal review, N-central provides the following reports.
Missing Patches (Summary) These reports are in N-central: This report provides a cross-customer summary of Missing Patches (Summary) Report how many devices are being monitored for patches per customer, as well as a count of how many Patch Approvals and Installations Report on devices are missing Security, Critical and Definition page 1 patches. For information, refer to Missing Patches Patch Installation Status Report (Summary) Report on page 1. Patch Status (Detailed) Report Patch Approvals and Installations This report shows the number of patches by installation Status for each Approval Status. A detailed list of patches associated with these counts can also be viewed in this report, if required. For information, refer to Patch Approvals and Installations Report on page 1.
Patch Installation Status This report allows you to see which devices are missing a specific patch, or which devices are missing patches that belong to a specific patch category. For information, refer to Patch Installation Status Report on page 1.
Patch Status (Detailed) This report provides a breakdown of the patches missing on one or more devices, as well as bar graphs that display missing patches by workstation/server and missing patches by patch classification. For information, refer to Patch Status (Detailed) Report on page 1.
- 33 - N-central 10.0 Providing Patch Management with N-central
Report Manager Reports For advanced reporting, Report Manager's brandable reports can be scheduled, exported and directly emailed to customers to provide details on patching status and the work you have done for them.
Patch Status Using Report Manager Reports This report provides a summary of patch status for If you have Report Manager (N-able's one or more customers as of a period end date. Run advanced reporting solution) you can fin it this report to determine if customer environments under "Reports" in the left pane of N-central. are up-to-date and see patch counts for each device. Within the search box in the top right, type the term "patch" and all reports that include Patch Details details about patch management will be This report provides detailed patch information for returned in a list. one or more customers within a specified time period. You can group the report to list patches for For more information, refer to About Report each device or devices associated with each patch. Manager.
Patch Approval and Installation This report provides a summary of patch counts, by approval and installation status for one or more customers. Run this report to show how patch installation statuses compares to what has been approved.
Executive Summary The Executive Summary report also includes patch information in its Security Monitoring.
- 34 - © 2015 N-able Technologies, Inc.
All rights reserved. No part of this document may be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the written consent of N-able Technologies, Inc. (“N-able Technologies”). All right, title, and interest in and to the software and documentation are and shall remain the exclusive property of N-able Technologies and its respective licensors.
N-ABLE TECHNOLOGIES DISCLAIMS ALL WARRANTIES, CONDITIONS OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON SOFTWARE AND DOCUMENTATION FURNISHED HEREUNDER INCLUDING WITHOUT LIMITATION THE WARRANTIES OF DESIGN, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT. IN NO EVENT SHALL N-ABLE TECHNOLOGIES, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
The N-ABLE TECHNOLOGIES and N-CENTRAL marks are the exclusive property of N-able Technologies and its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other N- able Technologies trademarks, service marks, and logos may be common law marks, registered or pending registration in the United States or in other countries. All other trademarks mentioned herein are used for identification purposes only and may be or are trademarks or registered trademarks of their respective companies.
Feedback
SolarWinds N-able (formerly known as N-able Technologies) is a market driven organization that places importance on customer, partner and alliance feedback. All feedback is welcome at the following email address: [email protected].
About SolarWinds N-able
SolarWinds N-able is the global leader in remote monitoring and management software for managed service providers and IT departments. SolarWinds N-able’s award-winning N-central platform and complementary toolsets, backed by best-in-class business and technical services, are proven to reduce IT support costs, improve network performance and increase productivity through the proactive monitoring, management and optimization of IP-enabled devices and IT infrastructure. SolarWinds N-able is 100% channel-friendly and maintains operations in North America, the U.K., the Netherlands and Australia.