This may be a dumb question, but does patch management only apply to devices with the particular software title installed or will it apply to all devices? For instance, we have a policy running to install Flash on every device and Im considering using Patch Management to keep it up to date instead of packaging it each time, cloning my policy, modifying the policy to have the new version, flushing the policy logs and disabling the old policy. If I simply scope the definition of the version I want installed, will that install on every single device if I set it to all devices, all users?
Does Flash get uninstalled on these devices? Patch Management works great to keep software up to date. We have policies set to install required software onto a machine if it gets uninstalled then patch management policies to keep that software up to date. When new versions of that software come out we update the packages for the smart group polices and we never have to change the scope.
For applications like Flash that need to be present on everyone's system, we deploy it during the imaging process (or via a once-per-computer deploy policy) and then let Patch Management handle the rest. On major version upgrades (e.g. 5.x to 6.x) we'll update the package selected in our imaging Configuration.
I think you'd still benefit from using it, if for nothing else than consistent versioning and an overview of which devices are lagging behind. If you have a Policy that installs it on everyone's system anyway, it'll get updated for everyone as well (unless you limit the Patch Policy Scope).
Tony - No, it doesn't get uninstalled. Im not a fan of installing outdated software on new devices, so we apply install policies post imaging. That way, we don't have to modify our configuration every time a piece of software comes out and the only thing we have to maintain is the individual policies themselves.
Allan - But then you have the issue where a device is loaded with an old, possibly vulnerable, version of flash. If the device doesn't get the policy right away to upgrade flash or if there is another issue, you're stuck with a device that has a vulnerability. We try to mitigate those as much as possible by always pushing the most recent version after performing our testing. Luckily we can still use the patch management overview to see who has the most recent version and who is lagging behind.
The whole point of patch management should be to make life easier for the jamf admin. Without it being able to install without an app already existing makes it so that the jamf admin now needs to keep a policy and keep the current version in that as well. You could of course leave that policy that was created with an old version of the application, by why would you want to have to have the application download twice (old and new). With that no real point of the patch management other than it gives you a pretty graph. So close seems to be the jamf motto.