Help

Patch Policy Best Practices

gbunner
New Contributor III

Posted on ‎08-09-2018 09:10 AM

Greetings.

How is everyone handling Patch policies? Specifically, say that I have a patch policy to update MS Excel (could be any application) and I want to push it out to a test group before releasing it into the wild. I know that I can just scope it to that test group, and when I'm ready I can then go back in and then re-scope it to an "everyone else" group, but to me this seems tedious and a lot of work going in and scoping, and then re-scoping patch policies. Seem like there should be an easier way? especially if you have a large list of patches to manage. Am I missing the obvious? or is this a tedious process that I need to work with that will hopefully get better as time goes on? Thanks all!

Labels:
0 Kudos
3 REPLIES 3

Taylor_Armstron
Valued Contributor

Posted on ‎08-09-2018 10:56 AM

I keep two patch policies for each app. One test, one production. Scoped to "Test" and "Production" groups. "Test" is a static group, "Production" is a smart group that basically just says "not a member of Test" and "Not a server". Patch policies are smart enough to only include machines in the scope that have the app, so something like Excel will only upgrade machines that have Excel (usually installed at build time or via Self-Service), and won't force Excel onto machines that don't already have it.

Just go and adjust the version specified for each group as your test cycle finishes. Works fine. I don't ever touch the scopes themselves that way.

da9ac4da31824ebca0d7a03ec013a05d

gbunner
New Contributor III

Posted on ‎08-09-2018 12:01 PM

Excellent, thanks for the response! I knew I was missing the forrest for the trees. Essentially each group, test and production, could have different versions of the update attached to them until I'm ready to go to production. When I'm ready to roll out to production, I just need to go in and change the version applied to production.

Taylor_Armstron
Valued Contributor

Posted on ‎08-10-2018 06:17 AM

My pleasure. Took me a few weeks to get used to the "new way" of doing things, but once I adjusted, it makes moving from "Test" to "Production" status a piece of cake. Just go into the policy, hit edit, choose the new version from the drop-down, and save. Nice and fast.

Only real gripe I have with Patch Management right now is that it doesn't cover enough. I've added in a bunch of 3rd party apps, but the community-supplied ones often aren't updated frequently (Garage Band hasn't been on 10.2 for months, for example), and I haven't had time to set up my own server to keep them updated myself.

0 Kudos