- SmartDeploy: Rethinking software deployment to remote workers in times of a pandemic - Thu, Jul 30 2020
- Outlook attachments now blocked in Office 365 - Tue, Nov 19 2019
- PolicyPak MDM Edition: Group Policy and more for BYOD - Tue, Oct 29 2019
A very exciting change has been occurring in the Windows ecosystem. Application metadata, as a whole, are standardizing. The common *nix idea of a package repository is cropping up in our ecosystem. Instead of trying to manage the many flavors of an installation, you just abstract the installation process.
This means that you can easily deploy third-party patches with your existing SCCM infrastructure. The problem is how do you effectively unify these separate technologies without reinventing the wheel? ManageEngine’s Patch Connect Plus provides the technical glue to put these pieces into place.
SCCM Software Update Points are not enough
In a native SCCM environment, the Software Update Point role handles patch management. Updates are normally limited to Microsoft applications. Several years ago, there was an attempt to unify some common applications into SUP. For many, this solution proved cumbersome to manage and lacked necessary features.
To patch third-party applications, most administrators would leverage the application life cycle. Deploy an application and then deploy updates as an application. Uninstall and reinstall each time. Every iteration involves editing and testing unique applications against your environment. This is time consuming, to say the least. Package repositories eliminate many of the steps in this process.
How does Patch Connect Plus work?
The picture below shows the architecture of Patch Connect Plus when integrated with SCCM. It is important to note that this setup shows the separate roles. These roles do not necessitate separate servers though. In fact, Patch Connect Plus, WSUS, and SCCM can sit on the same box!
Like other ManageEngine products, Patch Connect Plus uses an intuitive web-based console. It is a 64-bit-only application though. That shouldn’t be a problem, as you will likely install it on your WSUS/SCCM primary site server. If you haven’t already, you will also need to enable the Software Update Point role. Other than the initial setup, you will spend most of your time in the SCCM console (which is a huge benefit to me). We will focus on the Patch Connect Plus setup and the hidden components though.
During the installation process, you will need to provide details to unify your infrastructure. Specifically, you will need to provide any proxy settings, primary WSUS server details, SCCM connection settings, and patch scheduling frequency. For multisite environments, your future advertisement times will be based off the Patch Connect Plus instance. Date and time settings will be relative to it.
If you wish to receive email updates and reports, you will also need to specify the mail server details. The initial configuration wizard handles all this information. You will also need to provide a self-signed certificate or import a third-party certificate. This certificate is used to sign the patches that will be delivered in your environment. This certificate should be trusted by your patch infrastructure and by your SCCM clients.
Finally, you will need to select the applications you wish to patch. Currently, Patch Connect Plus supports just over 250 separate applications. You can select applications by deployment family (all of Adobe Reader) or by specific versions (Adobe Reader 9.1). If you support any line of business apps with plugin requirements, patching specific version families can make updating very easy and prevent issues with a lack of support for major version upgrades.
Once you install and connect to your update infrastructure, Patch Connect Plus will contact its central repository. Like WSUS, this initial synchronization will take a bit longer than future software syncs. The Patch Connect Plus database will store the metadata for each application that you checked in the setup. This data contains the installation instructions for the patch.
When synchronization is complete, your Patch Connect Plus role will automatically download the patch content directly from the application vendor. It will then push the updates into your WSUS/SCCM infrastructure and manage them as normal updates.
This work occurs in the background. The SCCM console then handles the day-to-day administration. By using existing SCCM features, you don’t have to learn separate products to perform similar tasks. In fact, procedures that you use for application management align perfectly with Patch Connect Plus. Client application inventories and reporting provide patch installation information.
Scheduling and conditions improve application reliability by updating only when applications aren’t in use. Queries and alerts provide important information through the SCCM console or by email. Software update rings allows you to deploy updates to test collections before widespread installations.
The beauty of Patch Connect Plus is behind the scenes. By pairing their central repository, separate vendors, and your SCCM infrastructure, you can automatically patch most (or all) of your third-party applications! You can find out more about Patch Connect Plus here.