Patch management
Written by IT-Man
Updated over a week ago

Come “Patch Tuesday”, Microsoft announces a long list of new vulnerabilities and patches, and this month's Whack-a-Mole begins for Windows administrators. As a Mac OS X administrator you're no better off, unless you've worked some magic and figured out how to configure the Software Update service included with OS X Server.

Why patch management is important

Patches fix security holes in applications. Of course you already know what is required – apply all the critical patches to your IT environment.

Panorama9 can detect vulnerabilities and update vulnerable devices without you having to do anything, all managed directly from the Panorama9 Dashboard. This leaves you to do what matters most – provide an IT environment that helps your business achieve its goals.

Panorama9 can automatically update Microsoft Windows 7 or newer and Apple's Mac OS X 10.6 or newer, including 3rd party applications on those systems.

Spot devices that should be updated

Monitored devices will at regular intervals report the locally installed software to the Panorama9 cloud. This information is then analyzed and issues are generated. You can at any time view the detected issues using the Panorama9 dashboard, or choose to be notified through email, text message or push notification, or have a ticket created in your help desk solution.

Patch prioritizing and scheduling

Fixing detected issues simply consists of configuring the Panorama9 system with the types of patches that should be automatically trusted and selecting a time slot when the updates may be applied. Maybe you wish to treat servers differently from workstations, maybe only critical operating system patches are relevant – you decide.

Types of patches you can select:

  • Operating System patches

  • Microsoft application patches (such as Microsoft Office, Microsoft Exchange, Microsoft SQL etc.)

You can choose to apply the above types to either servers or workstations at a specified time, and you can furthermore choose not to apply updates that will force a reboot of the device once the patch has been installed.

You can choose which of the 90+ supported 3rd party applications should be updated, among them:

  • Mozilla Firefox

  • Adobe Flash

  • Adobe Reader

  • Oracle/Sun Java

  • 7-Zip

Once Patch Management is enabled, Panorama9 will instruct devices with missing patches to start updating, and the best part is that you don't need to set up a local repository with the missing patches or download the software that should be updated.

The patching progress is monitored and the result analyzed. In the event that some devices fail to complete the update, you will be notified with detailed information on what is required to get the system up-to-date. Knowing where the problems are is a lot easier than having to go through each and every machine to ensure they are patched.

You can exclude single devices, predefined groups like "Servers" and "Computers" or use your own custom defined groups to exclude machines that you do not wish to have patches applied to automatically.

Patch systems instantly

You can instruct a specific device to download and install all missing patches. You can also instantly update all devices affected by a specific high-threat vulnerability, of the kind you hear about in the media from time to time. In short, you can quickly update devices without waiting for the regularly scheduled patch job.

To patch all devices missing a specific update, navigate to "Vulnerability" -> "Software" and then filter the list to display the vulnerability you wish to fix.

To update a specific device, navigate to "Assets" and then select the device. Use the "Remote tools" option to apply all missing patches, or select from the vulnerability list what to install.

Integration with Microsoft WSUS

If you are using Microsoft WSUS and have configured Windows Update on the computers in your network to point to it, then the missing-patch issues detected by Panorama9 will be based on the Microsoft updates you've approved using the WSUS management tool. While Panorama9 Patch Management will integrate with Microsoft WSUS, it also works without it.

Applying patches to both servers and workstations in your network is handled according to the options you've configured in Panorama9 Patch Management. Using Microsoft WSUS together with Panorama9 gives you complete and detailed control over which Microsoft updates are deployed throughout your IT environment.

Integration with OS X Software Update service

Included with OS X Server is the Software Update service, from which Mac OS X clients in your network may download updates. Panorama9 Patch Management will integrate with the configured Software Update service and apply updates to both servers and workstations according to the configured options. Using the Software Update service together with Panorama9 gives you complete and detailed control over which OS X updates are deployed throughout your IT environment.

Rebooting device when required by an update

Rebooting servers and in-use workstations is always inconvenient, but patching a device may require just that if the vulnerability is to be resolved. It's a conflict of interests: reboot now and be safe, or continue working on your machine knowing that you are vulnerable?

Panorama9 solves this by letting you choose whether a required reboot should be allowed once updates have been applied. Running applications or services will be gently stopped, and any logged-on users will be warned through the Panorama9 tray icon that a restart is about to take place. If you wish to reboot automatically, enable the [Allow reboot, if required by OS after patching] option from the "Patching" tab in the main menu.

The reboot will take place when patching is completed, but only if the update process finishes within 2 hours of starting. This avoids a slow update process, where one or many patches take a long time to install, ending with a restart during e.g. work hours. If updating takes more than 2 hours, the restart is postponed. It is recommended that you schedule updating to occur during non-working hours so that any restart disturbs as little as possible.

If you prefer not to allow a reboot, then patches that Microsoft marks as forcing a restart will be skipped during the update process. The Panorama9 Patch Management system may still apply patches that require a reboot, but the user chooses when it's convenient. The Windows Update dialog will notify the user that a restart is needed. You may postpone it forever, but chances are that you won't when reminded often enough.

The recommended setup is to enable the [Allow reboot, if needed] option on servers. You then don't have to log in to each server to initiate the reboot. If you've got workstations that are never restarted and seldom have active users, it's recommended that you also enable it on workstations. Otherwise you may let the user choose a reboot when convenient.

Some updates may have dependencies, a specific upgrade path, or require that applications are not in use. The Panorama9 Patch Management system will automatically handle this, so you will in the end have a fully up-to-date system. It may require multiple reboots if the device is far behind the latest security updates, but you can always track and follow the progress through the Panorama9 dashboard.
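The scheduling rules described in "Patch prioritizing and scheduling" and in this reboot section (trusted patch types per server/workstation role, the time slot, exclusions by device or group, skipping reboot-forcing patches when reboots are not allowed, and the 2-hour reboot limit) are easier to reason about when written down as code. The following is an added example written for this page, not Panorama9's own code or agent logic: it models those rules in Python against constructed device and patch data, where the patch ids, device names and group names are placeholders.

```python
# Added example, not Panorama9's own code: a minimal model of the patch policy this
# page describes (trusted patch types per role, maintenance window, excluded devices
# and groups, the "allow reboot" option and the 2-hour reboot rule). All data is constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Patch:
    id: str
    kind: str            # "os", "ms_app" or "third_party"
    forces_reboot: bool  # the vendor marks the patch as requiring a restart

@dataclass
class Device:
    name: str
    groups: frozenset    # e.g. {"Servers"} or {"Computers", "Lab"}
    missing: list        # Patch objects the agent reported as missing

@dataclass
class Policy:
    trusted_kinds: dict       # role -> set of patch kinds applied automatically
    window: tuple             # (start_hour, end_hour) when the job may run
    excluded_groups: frozenset
    excluded_devices: frozenset
    allow_reboot: dict        # role -> bool, the "Allow reboot, if required" option
    max_reboot_delay: timedelta = timedelta(hours=2)

def role_of(device):
    return "server" if "Servers" in device.groups else "workstation"

def is_excluded(device, policy):
    return device.name in policy.excluded_devices or bool(device.groups & policy.excluded_groups)

def in_window(policy, now):
    start, end = policy.window
    if start <= end:
        return start <= now.hour < end
    return now.hour >= start or now.hour < end   # window crosses midnight

def select_patches(device, policy, now):
    """Patches the scheduled job would apply to this device right now."""
    if is_excluded(device, policy) or not in_window(policy, now):
        return []
    role = role_of(device)
    trusted = policy.trusted_kinds.get(role, set())
    chosen = []
    for p in device.missing:
        if p.kind not in trusted:
            continue
        # Reboot not allowed for this role: skip restart-forcing patches, the user installs them later.
        if p.forces_reboot and not policy.allow_reboot.get(role, False):
            continue
        chosen.append(p)
    return chosen

def reboot_decision(device, policy, applied, started, finished):
    """'reboot' only if allowed, needed and finished within max_reboot_delay; slow runs are 'postponed'."""
    if not any(p.forces_reboot for p in applied):
        return "none"
    if not policy.allow_reboot.get(role_of(device), False):
        return "user_decides"
    return "reboot" if finished - started <= policy.max_reboot_delay else "postponed"

def plan(devices, policy, now):
    return {d.name: [p.id for p in select_patches(d, policy, now)] for d in devices}

# Constructed sample data (placeholder ids, not real Microsoft KB numbers).
OS_REBOOT = Patch("OS-PATCH-A", "os", True)
OS_QUIET = Patch("OS-PATCH-B", "os", False)
OFFICE = Patch("OFFICE-PATCH", "ms_app", False)
BROWSER = Patch("BROWSER-UPDATE", "third_party", False)
DEVICES = [
    Device("srv-01", frozenset({"Servers"}), [OS_REBOOT, OS_QUIET, OFFICE]),
    Device("ws-07", frozenset({"Computers"}), [OS_REBOOT, OS_QUIET, BROWSER]),
    Device("lab-03", frozenset({"Computers", "Lab"}), [OS_REBOOT]),
    Device("ceo-laptop", frozenset({"Computers"}), [OS_QUIET]),
]
POLICY = Policy(
    trusted_kinds={"server": {"os"}, "workstation": {"os", "ms_app", "third_party"}},
    window=(22, 5),                      # 22:00-05:00, outside working hours
    excluded_groups=frozenset({"Lab"}),
    excluded_devices=frozenset({"ceo-laptop"}),
    allow_reboot={"server": True, "workstation": False},
)
NIGHT = datetime(2024, 1, 1, 23, 0)      # inside the window
DAY = datetime(2024, 1, 1, 10, 0)        # outside the window

def demo():
    return {
        "night": plan(DEVICES, POLICY, NIGHT),
        "srv_fast": reboot_decision(DEVICES[0], POLICY, [OS_REBOOT, OS_QUIET], NIGHT, NIGHT + timedelta(minutes=90)),
        "srv_slow": reboot_decision(DEVICES[0], POLICY, [OS_REBOOT, OS_QUIET], NIGHT, NIGHT + timedelta(hours=3)),
        "ws_quiet": reboot_decision(DEVICES[1], POLICY, [OS_QUIET, BROWSER], NIGHT, NIGHT + timedelta(minutes=5)),
    }

if __name__ == "__main__":
    print(demo())
```

Running it shows the night-time plan: the server gets both OS patches (its role allows reboots, and application patches are not trusted for servers), the workstation gets only the patches that do not force a restart, and the excluded lab machine and laptop get nothing. The same server run finishing after 90 minutes ends in a reboot, while one taking 3 hours has its restart postponed, which is the behaviour the 2-hour rule above describes.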

Reporting - Tracking what has changed

The Panorama9 system will log every change made to each device being updated. You can at any time request a Vulnerability report through the Panorama9 dashboard, listing when a vulnerability was discovered and when it was fixed. This is regardless of who applied the patch or updated the installed software, e.g. Panorama9's Patch Management solution or you doing it manually. If something breaks, it's important to know who and what has changed.

You can also at any time look up a specific device and see which updates the Panorama9 Patch Management system applied to it and when.
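A "discovered / fixed" timeline of the kind described above can be derived purely from the periodic inventory reports, without knowing who applied the fix. The following is an added example written for this page, not Panorama9's own reporting code: it reconstructs that timeline in Python from constructed inventory snapshots, using placeholder product names, version numbers and vulnerability ids rather than any real advisory.

```python
# Added example, not Panorama9's own code: reconstructing a vulnerability timeline
# (when a finding was discovered and when it was fixed) from periodic software
# inventory reports, independent of who applied the fix. The product names,
# version numbers and vulnerability ids below are constructed placeholders.
from datetime import datetime

def parse_version(v):
    """Dotted numeric version string -> tuple, so '9.10' sorts below '9.20'."""
    return tuple(int(x) for x in v.split("."))

# Constructed knowledge base: product -> [(vuln id, first fixed version)].
# A device is affected when its installed version is below the fixed version.
VULN_DB = {
    "ExampleReader": [("VULN-PLACEHOLDER-1", "11.0.3")],
    "ExampleZip": [("VULN-PLACEHOLDER-2", "9.20")],
}

def affected(product, version):
    return [vid for vid, fixed in VULN_DB.get(product, [])
            if parse_version(version) < parse_version(fixed)]

def timeline(reports):
    """reports: (timestamp, device, {product: version}) tuples in any order.
    Returns {(device, vuln id): {"discovered": ts, "fixed": ts or None}}, where a
    finding counts as fixed at the first report in which the device no longer runs
    a vulnerable version (updated, or the product uninstalled)."""
    state = {}
    for ts, device, inventory in sorted(reports, key=lambda r: (r[0], r[1])):
        seen = set()
        for product, version in inventory.items():
            for vid in affected(product, version):
                seen.add(vid)
                key = (device, vid)
                # New finding, or an old one reopened (e.g. a downgrade reintroduced it).
                if key not in state or state[key]["fixed"] is not None:
                    state[key] = {"discovered": ts, "fixed": None}
        # Anything still open on this device that no longer shows up is fixed as of this report.
        for (dev, vid), rec in state.items():
            if dev == device and rec["fixed"] is None and vid not in seen:
                rec["fixed"] = ts
    return state

def open_findings(state):
    return sorted(key for key, rec in state.items() if rec["fixed"] is None)

# Constructed sample reports, as a monitored agent might send them.
REPORTS = [
    (datetime(2024, 1, 8), "ws-07", {"ExampleReader": "11.0.1", "ExampleZip": "9.20"}),
    (datetime(2024, 1, 9), "ws-07", {"ExampleReader": "11.0.1", "ExampleZip": "9.10"}),
    (datetime(2024, 1, 10), "ws-07", {"ExampleReader": "11.0.3", "ExampleZip": "9.10"}),
    (datetime(2024, 1, 10), "srv-01", {"ExampleReader": "10.9"}),
    (datetime(2024, 1, 11), "ws-07", {"ExampleZip": "9.22"}),
]

if __name__ == "__main__":
    for (device, vid), rec in sorted(timeline(REPORTS).items()):
        print(device, vid, "discovered", rec["discovered"].date(),
              "fixed", rec["fixed"].date() if rec["fixed"] else "open")
```

The sample shows the three cases a report needs to distinguish: a finding fixed by an update (the reader on ws-07), a finding that appeared later because a vulnerable version was installed after the first report (the archiver on ws-07) and was later cleared, and a finding that is still open (the reader on srv-01). Because the timeline is computed from what is actually installed, it does not matter whether the agent, WSUS or an administrator applied the change.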
