
Patch Management 

LANDesk patches can be applied both to individual users and to broad groups. By using these features to patch computers in your group, you will ensure that vital software stays up-to-date. Below are two example workflows which outline the two main ways of administering patches. The first is a guide to targeted patches and the second is a guide to broad or group-wide patches. 

Overview

The following workflow is recommended for keeping the most vulnerable and important software up-to-date. Detailed instructions follow but at a high level:

  1. Keep the most vulnerable applications up-to-date. This includes Adobe Reader, Adobe Acrobat, Adobe Flash Player, Adobe Shockwave, Adobe Air, Java and RealPlayer. These applications are known to be vulnerable to attacks so keeping them patched greatly decreases the risk of computers being infected.
  2. Important and heavily used applications, like internet browsers (Firefox, Internet Explorer, Opera, Safari, Google Chrome) and operating systems (for example, Mac OS X and Windows 7), should also be kept up-to-date. Since they are common and frequently used, these types of applications are frequent targets for attacks.

General information: Queries and scopes are dynamic and will pick up new computers as they are added into the system. Dragging and dropping individual devices or using "My Devices" in a task is not dynamic and will only patch those computers or devices that you have selected. 

Administering Targeted Patches

If you have not used the console before, see the Getting Started with LANDesk and Installing the LANDesk Console pages. Once you have the LANDesk console installed, log in using your Tufts credentials. 

To administer a targeted patch to a single user or small group of users, click "Tools", "Security and Compliance", and then "Patch."

Open the "Scan" folder to view all available patches. Here you can filter by type of patch or search for an individual patch by name. 

When you have located the patch you would like to administer, right click it and select "Repair." In this example, we have chosen to patch Adobe Photoshop.

A window will open where you can name and schedule your repair task. First enter a name in the "Name Task" window. Then select either "Repair as Scheduled", which will immediately push the patch to all the selected machines, or "Repair as Policy," which will administer the patch when the selected computers check for LANDesk policy updates, typically once a day or when a user first logs in. It is suggested that you use "Repair as Scheduled" if you know that the computers you are patching are currently online. If the selected computers are offline, they will not receive the patch. This option is good for administering patches for computer labs or targeted patches when you can determine the status of the target computers. "Repair as Policy" is best when targeting a large group of users, who may or may not be online. They will definitely receive the patch whenever their computer next checks for LANDesk policy updates.

If you select "Repair as Scheduled Task," also select "Don't add any computers." If you select "Repair as Policy," you may choose to add a query (these represent different groups of users within your scope). When you have finished, select OK.

You will be redirected to a window showing you "Scheduled Tasks." If you did not add a query in the last step, you can add computers to this task by dragging and dropping devices from those listed in your scope. Click "Scope," then double click the scope you wish to open, then select the computers from your scope that you would like to target. To highlight multiple names from your scope, hold Shift or Control and then select the names. When you have selected the computers, drag them to the task. A yellow "Pending" bar should appear on the graph. Next, right click and select "Start Now." The yellow bar will change to a grey "Active" bar which will resolve into a "Successful" or "Failed" bar depending on the outcome of the repair.

The patch may take some time to resolve; you can check back later to make sure the task resolved to "Successful."

Administering Scheduled or Group Patching

Group patches are useful when administering patches to your entire scope or a large section of your scope. Once you have set up a custom group, you can add patches from the "Scan" folder to it at any time. In addition, you can schedule a periodic deployment of patches to the group. This allows you to add patches to the group's folder at any time and have them deployed on a regular basis.

To make a custom group, navigate to "Security and Patch Compliance," "Patch and Compliance," and then click on "Custom Groups" to expand the drop-down menu. Next, right click on "My Custom Groups" and select "New Group." This will generate the new group under the "My Custom Groups" heading, which you should name.

Next, click on "Scan" and highlight the patches you would like to administer. It is recommended that Adobe, RealPlayer, Flash, and Internet browsers be patched regularly as they are heavily utilized and vulnerable programs. When you have your patches selected, drag and drop them into your custom group folder.

To immediately administer these patches or schedule a deployment time, right click on your group's name. In this example, the group is "Test Group." Select "Repair."

In the window that opens, name your task and select "Repair as Policy," which will administer the patch when the selected computers check for LANDesk policy updates, typically once a day or when a user first logs in. This option is best when targeting a large group of users, who may or may not be online. They will definitely receive the patch whenever their computer next checks for LANDesk policy updates. Then select "Configure" under the "Scan and Repair Settings."

In the window that opens, select "New," then name your scan and repair settings. Choose "Show progress dialog: Never."

Next, click "Scan Options" and select "Group." Click the ellipsis to open a list of all available groups. Choose your group out of the "My Custom Groups" tab. In this example, we'll select "Test Group." When you have finished, select "Repair Options" from the left-hand menu bar. Here, you can choose to immediately begin your scan or set a time for the scan to begin. It is recommended that you un-check "Start repair even if user is running a presentation" and check "Start repair even if reboot is already pending."

Next you can configure the "Reboot Options." It is suggested that you select "Reboot only if needed" or "Never reboot." For the patches to be delivered silently without the user noticing, choose "Never reboot." If you choose "Reboot only if needed," also select "Prompt user before rebooting" and "Allow user to defer reboot." Set the snooze time and max deferrals allowed as well.

Next open the "Network Settings" tab. Here, change "When downloading patches via the gateway" to "Download from manufacturer. Do not fall back on failure."

Finally, if you would like to schedule a routine deployment of patches, select the "Pilot Configuration" tab. Check the "Periodically scan and repair" box and then click the ellipsis and select your group under the "My Custom Groups" tab. For this example, the group will be "Test Group." Next, click "Change Settings."

Here you can select the day and time that the scan will first run. To set the schedule, increase the number of days in the "Repeat After" box. You can choose the time of the day and day of the week that scans will run in the "Time Range" and "Weekly Between" boxes. When you are finished, click "Save" and then click "Save" in the "Scan and Repair Settings" window.

You have now created a scheduled group scan. As the FSP for this group, you will need to periodically add patches from the "Scan" folder to your custom group so that new patches are being administered each time it runs.
