LD 9.5 SP1 - Patch Management Best Practices
advertisement
LANDesk Patch Management Best practices Chris Rawlings LANDesk Sales Engineer 3 LANDesk 9.5 SP1 Updates • • • • • Mobility Patch Security Suite FIPS 140-2 Cloud Service Appliance • SmartVue • Linux/Unix • • • • • • • • OS X HP Integration Intel Remote Control Data Analytics Agent Provisioning SWD LANDesk Software Confidential • • • • Inventory Printer Management Auditing Flexera PATCH MANAGEMENT BEST PRACTICES Clean Up The Patch Management • Disable Replaced Rules Wizard – Adobe Flash – Sun Java – Itunes 6 LANDesk Software Confidential Clean Up The Patch Management • Purge Distribution and Patch Definitions – Eliminates unnecessary Operating Systems – Eliminates unnecessary languages 7 LANDesk Software Confidential Clean Up The Patch Management • Delete Unnecessary Patches – Delete patches in Do Not Scan and unassigned groups – Delete undetected patches 8 LANDesk Software Confidential Patching – Application EOL Detection • Application End Of Life Detection • Publish by Content • Leverage LANDesk Patch Manager • Already support • MS Office 2000/XP • Adobe Acrobat Pro/Sta 6.x, 7.x, 8.x • Adobe Reader 6.x, 7.x, 8.x • Java SE 1.3, 1.4, 5.0 9 LANDesk Software Confidential Prepare Patch Reports • Gather Historical Information – Schedule to run on a daily basis 10 LANDesk Software Confidential Avoid Impacting Users • Configure CPU Utilization during scan for low impact 11 LANDesk Software Confidential New Feature Do Not Disturb if… • Maximize end-user productivity – Reduce unwanted disruptions » Detect full screen apps » Dynamically hide scan dialog 12 LANDesk Software Confidential Configure Reboot options • Change Defaults – – – – 13 Allow user to defer Reboot if no one is logged After Time out snooze Increase Timeout LANDesk Software Confidential Patching – Application Interference • Increased first pass success rate – Java – Browser plugins – Custom applications • Close applications prior to patching – Prevent / block applications from running during the patch process 14 LANDesk Software Confidential What you see on the client… • Configured to – Prompt – Don’t allow defer or cancel • Shows apps that must close. – Dynamically updates list as apps are closed by user. 1 LANDesk Software Confidential Process to Kill are Definition Based • Clone Vulnerability • Edit Detection Rule • Add Process to stop 16 LANDesk Software Confidential Autofix by Scope • Supports Targeted Repairs • Fewer Scheduled Tasks to manage 1 LANDesk Software Confidential Create query for affected computers Scenario: Administrator wants to quickly and easily create a vulnerability query to represent affected computers. • New right-click option • The “IN” clause is not editable in the DAL query editor. 18 LANDesk Software Confidential New Feature 9.5 SP1 Patching – Maintenance Windows • Controlled and Predictable maintenance – Autofix policies are queued – Machine state detection – More aggressive reboot controls become possible 19 LANDesk Software Confidential Patching – Application Interference • Increased first pass success rate – Java – Browser plugins – Custom applications • Close applications prior to patching – Prevent / block applications from running during the patch process 20 LANDesk Software Confidential Patching – Application EOL Detection • Application End Of Life Detection • Publish by Content • Leverage LANDesk Patch Manager • Already support • MS Office 2000/XP • Adobe Acrobat Pro/Sta 6.x, 7.x, 8.x • Adobe Reader 6.x, 7.x, 8.x • Java SE 1.3, 1.4, 5.0 21 LANDesk Software Confidential Vulnerability severity override Scenario: Administrator disagrees with the predefined severity of a vulnerability definition and/or wants to “lock down” reviewed severities. • Right-click multi-selected definitions is allowed. The “focused” definition’s current settings are displayed. • For backward compatibility in the database, “Severity” still contains the current value. • “OrigSeverity” is null if no override has been specified. Otherwise, it stores the LANDesk-supplied severity. 2 LANDesk Software Confidential 9.5.1 Software Distribution LANDesk Software LANDesk Software Confidential Desktop Manager • • • • New interface Customizable branding Deliver Links, Docs & Apps • Packages and links can be placed in categories “Chrome-less” app launching • • • 24 LANDesk Software Confidential WPF and EXE Launchpad integrated Task history of client changes Software Distribution • Package Bundles – – – – 2 Leverages groups in distribution packages Set the installation order (one level) Allows for packages to be grouped and ordered (one level) Categories are supported LANDesk Software Confidential Software Distribution • New Streamed Document package type – – – – 2 Link for any file type (.txt, .pdf, .docx, .msi, etc.) Associated application Streamed from the portal (new portal only), not downloaded to the client Uses the current associated shell application (by file extension) defined for the client operating system LANDesk Software Confidential Software Distribution • Default Delivery Method – New shared control to select the delivery method – Global value – Only enabled for Administrators 2 LANDesk Software Confidential Software Distribution • New package pre-cache feature – Only downloads package files to client machines, will not perform package installation 2 LANDesk Software Confidential Software Distribution • Task History – Task history is automatically gathered and stored in the client database • Task History Maintenance – Enable automatic cleanup of task history in the client database – Configured in Agent settings and must be associated with each client (Agent configuration / Agent settings) » » » Configurable by days to keep, a value of 0 will delete all task history from the client database If not set, all task history will continue to be stored Settings stored in each client machine registry under LANDesk/ManagementSuite/WinClient/SoftwareDistribution/InventorySettings › 2 ClientDatabaseHistoryDays: Specifies days to keep history, -1 or 0xffffffff if not set (all task history will be kept) LANDesk Software Confidential Software Distribution • Task History/Maintenance continued – Inventory scanner automatically sends client task history to the core database – Located in inventory under LANDesk Management / SWD / History 3 LANDesk Software Confidential Software Distribution • Automatically run inventory scanner after package installation – Inventory settings located in Agent settings UI – Requires an Inventory setting to be associated with each client (Agent configuration / Agent Settings) – Creates a local scheduler task from the current time plus a delay » If multiple packages are installed, the local scheduled task is added/updated with the new time. Always uses the same task id (779) – Two delay settings » » » Initial delay, minimum of 5 minutes, maximum of 60 minutes, default 5 minutes Additional random delay to help stagger scans (reduce the load on the core), minimum of 0 minutes and maximum of 60 minutes, default 15 minutes (will randomize between 0 and the value set) Settings stored in each client machine registry under LANDesk/ManagementSuite/WinClient/SoftwareDistribution/InventorySettings › 3 InventoryScanDelayAfterPackageInstall: High word is the initial delay, low word is the additional random delay, -1 or 0xffffffff if not set (inventory scanner will not run after package install) LANDesk Software Confidential QUESTIONS
