How do you keep your environment completely patched? This question bedevils all system administrators. You need to update not just the operating system but also patch the multitude of third-party products that exist in your organization. Patch Manager Plus is ManageEngine's answer to that question.
Sysadmins traditionally handle patch management as a one-off affair, updating one product at a time. We manually load packages into Group Policy, SCCM, or another deployment solution. You might miss a few updates for that product before your next scheduled rollout.
Personally, I used to bet on when a new Java update would come out. It always happened right when I finished deploying their last update. Environments that have to support Apple or Linux clients might end up repeating the same updating process three times!
The situation is so bad that some software manufacturers have taken on the process of patching their own software in a shadow IT manner. Google's self-updating feature and bundling Adobe Flash updates is one example. Microsoft running their Teams application from the current user's AppData is another notable example. You may agree or disagree with the decisions; either way, you still have applications to patch.
Oh yeah—you also need to keep your Windows 10 versions up to date and make sure all of your applications (along with their patches) play that game nicely.
A better way to patch programs
ManageEngine's Patch Manager Plus comes in two editions. The first is cloud-based. While slightly more expensive, you don't have to worry about the infrastructure, updating it, or Windows licensing costs. The cloud edition only supports Windows clients. The second edition is on premises. In my opinion, it is more feature rich and supports all main client types (Windows, Mac, and Linux). In this review, I used just the cloud edition though.
The interface for Patch Manager Plus is fairly intuitive and in line with other ManageEngine products. After setup and once clients report their application inventory, you get a bird's-eye view of your patching status. This single window graphs the update status of all clients and allows you to see any missing, unapproved, or failed patches.
On the right side of the above screenshot, you will notice the Latest Security News node. I found this node very useful! It centralizes update notifications for Windows and all third-party programs. At a glance, I could see that some of the Windows 10 1607 machines needed to upgrade and that an update for Chrome was ready to deploy.
In the Systems section, default collections show highly vulnerable systems down to healthy systems. This provides a very granular overview of patching progress.
If an update requires a reboot flagged on the system, the Systems Requiring Reboot node will display the machine. From this reboot view, you can restart or shut down individual machines. Optionally, you can also set the machine to skip the reboot if a user is actively using it. Right now, there's no ability to schedule a restart or establish a maintenance window-like schedule. Hopefully, they will add this in future updates.
Managing third-party software updates and installations
In the scenarios discussed, each administrator repackages the same update for an enterprise deployment. This is a tremendous waste of time and resources, as the packaging process provides little benefit to the organization and repeats thousands of times.
One of the immediate benefits of Patch Manager Plus is the ability to enroll prepackaged updates into your environment. When an update comes out for common software, ManageEngine imports this into an application warehouse for Patch Manager Plus. Below, you can see that the latest versions of Chrome, Dropbox, Java, and VLC are available automatically for deployment!
With many major updates imported for you, you now have a lot more time to test and schedule these deployments. This certainly beats the push and pray method many use.
If you still like to live dangerously, Patch Manager Plus can use automatic patch approval. With an automatic patch approval, the recommended approach is to create separate deployments so you can install updates in a staged rollout. You can configure patches that meet certain requirements (like those patching zero-day exploits) to install as soon as possible.
Overall, Patch Manager Plus is a solid framework that unifies the updating experience. It comes in at a reasonable price and is feature rich. If you already own (or are looking at) other ManageEngine products, it makes more sense, as the integration between products and common tools keeps the learning curve to a minimum.