Patch Approval Settings

What does it mean when a patch is approved?

An approved status means that the network administrator considers the patch a valid and trusted update. It also indicates that, when deployed, the patch will be an optimal fit for the systems within that network and will behave in the predictable manner intended by the vendor.

Why does a patch need to be approved?

Patch Manager Plus can automate the entire patch deployment process, from identifying the missing patches to dispatching them to the relevant endpoints. A patch must be approved to be eligible for automated deployment.

For Enterprise Edition

What are the different patch approval methods?

There are three ways to approve patches in Patch Manager Plus and they are as follows:

  1. Manually mark as approved
  2. Automatic approval upon release (without testing) 
  3. Test and Approval

Manually mark as Approved

Follow the steps given below to manually approve specific patches:

  1. Navigate to Product console --> Patches
  2. Any number of individual patches can be selected from the following views:

    • Missing Patches
    • Applicable Patches
    • Supported Patches
    • Latest Patches
  3. Click the 'Mark as' icon and, from the drop-down menu, choose 'Approved'.

Automatic Approval Upon Release

To have all newly released patches approved immediately after they are added to the database, configure the settings as follows:

  1. Navigate to Product console --> Deployment --> Test and approve.
  2. Under the 'Approve Patches' section, choose the option 'Automatically without testing.'

By default, all newly released patches will then display as approved. However, if you want to ignore a specific patch, then you will have to decline the patch manually.

Test and Approval

Why is it important to test and approve patches?

It is best practice to choose the approval mode as 'Test and Approve' as it offers the following benefits:

  1. Ensure patch fit and compliance in the network.
  2. Prevent any software malfunctions.
  3. Mitigate performance errors.

Automated Test and Approval

With Patch Manager Plus, the test and approval phase can be fully or semi-automated. Given below is a summary of the automated 'Test and Approve' process:

  1. Creation of a test group to group the test machines.
  2. Automatic deployment of patches to test machines. Out of the newly released patches, the ones that match the criteria specified in the test group configuration will automatically be deployed to the endpoints of that corresponding test group.
  3. Since the approval method is 'Test and Approve', all newly released patches will, by default, be displayed as 'Unapproved'.
  4. Automatic or manual approval after testing. After automated testing, the patches can be approved automatically for a fully automated 'Test and Approve' process, or approved manually for a semi-automated process.
  5. The approved patches will be deployed via Automated Patch Deployment Tasks.

In the next section, detailed steps will be provided on how to automatically test and approve patches, starting from creating a test group to approving the patches for deployment.

Automated Test and Approval Procedure

Creating a Test Group

With the Custom Groups feature, a group of client systems can be created for the purpose of testing patches.

For the testing method to be effective, it is recommended that the machines in the test groups have all the features that are present in the machines in the rest of the network to which the patches will be deployed. These features include OS versions, third-party applications as well as hardware components.

Follow these steps for formulating a test group:

  1. Navigate to Product console --> Admin --> Global settings --> Custom groups
  2. Select 'Create New Group' and assign the group a name.
  3. The test groups that you create can only be of the 'static' or 'static unique' nature.
  4. Form a group of test machines by adding computers from the list provided and assign the test group a name.

Configuring Test Group Deployment

After a test group has been created, follow the steps given below in order to create a test group deployment task:

  1. Navigate to Product Console --> Deployment --> Test and Approve --> Approval Settings --> Add Group
  2. Choose a platform. This is to ensure that only patches corresponding to that platform will be deployed.
  3. Separate test groups have to be created for each platform (Windows, Mac, Linux).
  4. Enter the name of your test group in the 'Choose Custom Group' section.
  5. Select the types of patches you would like to deploy, under the Deployment Option section.
  6. Choose a deployment policy. It can be a pre-built deployment policy or you can refer to the Deployment Policy document to create your own custom policy.
  7. Configure the notification settings. By enabling this option, a notification will be sent when a patch is approved or if a patch deployment has failed.
  8. Choose the approval mode 'Automatically approve tested patches after _ days' and specify the number of days, so that patches are approved automatically that many days after testing. Otherwise, you will have to manually approve or decline the patches that have been tested. The automatic and manual approval methods are described in the next section.

Automatic Approval After Automated Testing

If a patch is downloaded and installed automatically in at least one of the systems in the test group, and has not failed in any of the other systems, then it satisfies the primary requirement for automatic approval.

In addition, you can configure the settings so that automatic approval occurs either immediately or after a certain number of days. Patch Manager Plus only checks for successful installation. Postponing the automatic approval by a specific number of days after testing can therefore provide insight into the stability of the patch in the various production environments.
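The eligibility rule described above, written out in Python as an added example (this is not Patch Manager Plus code). The status strings, patch IDs, machine names and the choice to count the delay from the latest successful install are assumptions; the sample results are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data: (patch_id, test_machine, status, finished_at).
# Patch IDs, machine names and status strings are placeholders, not product values.
RESULTS = [
    ("PATCH-A", "test-01", "succeeded", datetime(2024, 5, 1, 9, 0)),
    ("PATCH-A", "test-02", "succeeded", datetime(2024, 5, 1, 10, 0)),
    ("PATCH-B", "test-01", "succeeded", datetime(2024, 5, 1, 9, 0)),
    ("PATCH-B", "test-02", "failed",    datetime(2024, 5, 1, 9, 30)),
    ("PATCH-C", "test-01", "succeeded", datetime(2024, 5, 1, 9, 0)),
    ("PATCH-C", "test-02", "pending",   None),
    ("PATCH-D", "test-01", "pending",   None),
    ("PATCH-E", "test-01", "succeeded", datetime(2024, 5, 6, 9, 0)),
]


def evaluate(results, delay_days, now):
    """Return {patch_id: (decision, reason)} for every patch in results."""
    by_patch = {}
    for patch, machine, status, finished in results:
        by_patch.setdefault(patch, []).append((machine, status, finished))

    decisions = {}
    for patch, rows in by_patch.items():
        ok = [r for r in rows if r[1] == "succeeded"]
        failed = [r[0] for r in rows if r[1] == "failed"]
        if failed:
            # Any failure in the test group blocks automatic approval.
            decisions[patch] = ("hold", "failed on " + ", ".join(failed))
        elif not ok:
            decisions[patch] = ("hold", "no successful install yet")
        else:
            # Assumption: the delay is counted from the latest successful install.
            ready_at = max(r[2] for r in ok) + timedelta(days=delay_days)
            coverage = f"{len(ok)}/{len(rows)} test machines"
            if now < ready_at:
                decisions[patch] = ("wait", f"eligible on {ready_at:%Y-%m-%d}, {coverage}")
            else:
                decisions[patch] = ("approve", coverage)
    return decisions


if __name__ == "__main__":
    now = datetime(2024, 5, 7, 12, 0)
    for patch, (decision, reason) in evaluate(RESULTS, 3, now).items():
        print(f"{patch}: {decision} ({reason})")
```

Under this reading of the rule, PATCH-C is approved with one success out of two test machines, because a pending machine does not count as a failure. Reporting the coverage alongside the decision shows how much of the test group actually exercised the patch before it was approved.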

Manual Approval After Automated Testing

After the patches have been deployed to the systems within the test group, you can click the test group to view details of the patches that have been successfully tested and are waiting for approval. You can then choose to manually approve the patches. However, if the test results show that certain patches are unfit for your network, you can also manually decline those patches.

How Patch Approval works in Professional Edition

The automated test and approval is only available in the Enterprise edition. The methods of patch approval in the Professional edition are:

  1. Manually marking as approved.
  2. Automatic approval upon release.
  3. Manual testing by deploying patches to a select number of systems before deploying to the rest of the network.