Patch Management
Overview
Ivanti Neurons for Patch Management is a cloud patching solution. It combines the real-time insights of the Ivanti Neurons Platform with the asset information of Ivanti Neurons for Discovery and the actionable intelligence for risk-based prioritization to drive an adaptive security strategy. Comprehensive patch management capabilities are provided for your Windows and macOS machines, including the ability to patch products from Microsoft, Apple and third-party vendors.
Ivanti Neurons for Patch Management macOS support is currently in Beta.
For customers not in the Beta program, patch management capabilities for your macOS machines are available via a hybrid approach that leverages the use of Ivanti Endpoint Manager and an Ivanti Endpoint Manager connector.
To access Ivanti Neurons for Patch Management, navigate to Patch Management in the Ivanti Neurons Platform.
Ivanti Neurons for Patch Management comprises the following components, depending on your license:
- Compliance Reporting: Enables you to determine your current compliance status and see how you are trending over time.
- Endpoint Vulnerability: Provides a central view of device patching for your environment with device health and risk-based metrics.
- Patch Intelligence: Gathers and aggregates data to help manage, prioritize and streamline patching in your environment. It provides a clear picture of your threat landscape with prioritized, risk-based metrics.
- Deployment History: Provides a way to view the status of recent deployment operations. You can zero in on exceptions and quickly troubleshoot any issues.
- Patch Settings: Enables you to configure patch configurations and patch groups for the cloud patch management workflow. A default configuration that remediates all critical security patches can be used to quickly get you started, or you can create a custom patch configuration to meet the unique compliance thresholds in your organization.
- Patch for Intune: Extends Microsoft Intune implementations to include third-party product management capabilities.
Be sure you have the permissions needed to use Patch Management.
Requirements
You must add a number of web URLs to your firewall, proxy and web filter exception lists. The URLs are used to download patch content from third-party vendors.
For the complete list of URLs that you should add, see this article on the Ivanti Community.
Cloud Workflow
This is the primary workflow for patch management. All configuration and assessment activities are performed in the cloud, while the actual scans and deployments are performed by agents installed on the managed machines.
Items in Figure | Description
---|---
A | Agent machines
**Cloud Workflow** |
1 | Create a custom policy group.
2 | Create a patch configuration and associate it with your policy group.
3 | Wait for the changes to propagate to your agent machines.
4 | Agents scan for and deploy patches on the managed machines.
5 | Scan and deployment results are reported to Ivanti Neurons.
Details of the Cloud Workflow
Conditional Steps
If your devices already contain an Ivanti Neurons agent, you can skip these conditional steps.
- Download an agent for the proper device type (Windows or Mac).
There are two files included in the download:
- The agent executable file
- An options file that contains the tenant ID, activation key and cloudhost information that will be needed during the installation process
- Install the agent on the desired target machines.
- On the target machine, double-click the executable file to begin the installation process.
- Follow the instructions in the installation wizard.
- Wait for the agent to automatically do the following:
- Register and check in with Ivanti Neurons
- Download the default agent policy group
- Perform a scan of the target machine for all missing patches and report the results to Ivanti Neurons
- View information about the newly discovered target machines from Devices view within Ivanti Neurons.
Primary Steps
- Create a custom agent policy group.
The default policy group that is initially installed with an agent is only configured to perform patch scans. In order to perform patch deployments, you will need to create at least one custom policy group. The custom policy group must be enabled to perform patch management actions and it must be associated with a patch configuration that defines your deployment settings. You will use the Add Devices option within the policy to assign the policy to the desired agent machines.
Be sure to enable the Patch Management capability when creating the agent policy group. The policy group defines the rules that allow the agent to operate autonomously on a device, with or without human interaction.
Within the custom agent policy you can select to use peer-to-peer download. Peer-to-peer supports digitally signed and sideloaded patches. Patches automatically downloaded from the vendor that are not digitally signed are not supported by peer-to-peer (for example, 7-Zip and Core FTP).
- Configure your patch settings.
Your patch settings will consist of the following:
- Patch configuration: The primary purpose of a patch configuration is to define how patches will be deployed to the agent machines. A default patch configuration is provided that will deploy all missing critical security patches on a weekly basis. You will likely want to create one or more custom patch configurations to define the unique patch deployment requirements of your organization.
On the Associations tab, be sure to associate your patch configuration with a custom agent policy group that is enabled to perform patch management actions.
- (Optional) Patch group: You may choose to reference a patch group in a patch configuration. A patch group contains a list of specific patches that you want to deploy. This is a good way to make sure that only approved patches are deployed. See the Deployment behavior section in the Patch Settings topic for information on how to properly configure this scenario.
- Wait for the changes to propagate to your devices.
Your devices will receive the updated policy and patch configuration information the next time the agents check in with Ivanti Neurons.
- Deploy missing patches to the agent machine.
The deployment can be accomplished four different ways:
- Via an automatic, scheduled patch deployment that is defined by the patch configuration.
- From the Endpoint Vulnerability component within Ivanti Neurons for Patch Management. You can use this component to deploy all patches that were identified as missing during the most recent patch scan.
Be sure you have the Patch Management permissions needed to deploy patches from Endpoint Vulnerability.
- From the Patches tab of the Device Details page. You can select individual patches for deployment from this page.
- By using the agent client on the agent machine to immediately initiate a patch deployment.
- Use the Deployment History component to view the results of the deployment and quickly identify any issues.
- Use the Endpoint Vulnerability component to assess the patch health of the machines in your environment.
- Use the Patch Intelligence component to gain a deeper level of understanding about the vulnerabilities detected on your machines based on risk-based prioritization, patch reliability and patch compliance.
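The policy group step above notes that peer-to-peer download only serves digitally signed or sideloaded patches, and that vendor installers which are not signed (7-Zip and Core FTP are the examples given) are not supported. Before staging installers for sideloading, it is worth auditing what you are about to distribute. The following PowerShell script is an added example, not Ivanti's code or part of the Ivanti Neurons agent; it uses the built-in Get-AuthenticodeSignature cmdlet to report the signature status and signer of every .exe and .msi in a staging folder, and optionally flags files whose signer thumbprint is not in a list you supply. The staging path and the thumbprint list are assumptions (placeholders) you replace with your own values.

```powershell
# Added example: audit installers staged for sideloading and report which ones
# carry a valid Authenticode signature from an expected publisher.
# $StagingPath and $TrustedThumbprints are placeholders, not Ivanti values.
param(
    [string]   $StagingPath        = 'C:\PatchStaging',          # assumed folder
    [string[]] $TrustedThumbprints = @()                         # optional allowlist of signer cert thumbprints
)

if (-not (Test-Path -Path $StagingPath)) {
    throw "Staging path '$StagingPath' does not exist."
}

# Collect signature details for every installer under the staging folder.
$results = Get-ChildItem -Path $StagingPath -Include *.exe, *.msi -Recurse -File |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate

        # Classify each file so the summary below is easy to act on.
        $verdict = switch ($sig.Status) {
            'Valid' {
                if ($TrustedThumbprints.Count -gt 0 -and $cert.Thumbprint -notin $TrustedThumbprints) {
                    'Valid signature, unexpected signer'
                } else {
                    'OK'
                }
            }
            'NotSigned'    { 'Unsigned (not supported by peer-to-peer)' }
            'HashMismatch' { 'Signature does not match file contents (file altered?)' }
            default        { "Signature problem: $($sig.Status)" }
        }

        [pscustomobject]@{
            File       = $_.Name
            Status     = $sig.Status
            Signer     = if ($cert) { $cert.Subject } else { '' }
            Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
            Verdict    = $verdict
        }
    }

$results | Format-Table -AutoSize

# Anything other than 'OK' should be reviewed before it is sideloaded.
$flagged = @($results | Where-Object { $_.Verdict -ne 'OK' })
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} installer(s) need review before sideloading:" -f $flagged.Count)
    $flagged | ForEach-Object { Write-Warning ("  {0}: {1}" -f $_.File, $_.Verdict) }
} else {
    Write-Host "All staged installers are signed by an expected publisher."
}
```

Run it from an administrative PowerShell session on the machine where installers are staged, for example `.\Audit-StagedInstallers.ps1 -StagingPath 'D:\Patches' -TrustedThumbprints @('<thumbprint>')`. A Valid status only proves the file is signed by a certificate the machine trusts; checking the signer thumbprint against your own allowlist is what confirms it is the vendor you expect, and a HashMismatch means the file changed after signing and should not be distributed.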
Hybrid Workflow
This workflow applies to current customers who are utilizing a connector to an on-premise patch management product such as Ivanti Endpoint Manager, Ivanti Patch for Configuration Manager, Ivanti Security Controls, Ivanti Endpoint Security or Ivanti Desktop and Server Management. These customers will begin the migration to the Cloud workflow by simultaneously utilizing both workflows. For example, existing customers might choose to transition the management of their workstations to the Cloud workflow, while continuing to provide patch management capabilities to disconnected workstations, servers and other high-profile or sensitive devices using their on-premise workflow. This strategy enables you to transition to the Cloud workflow at your own pace.
Items in Figure | Description
---|---
A | Agent machines
B | On-premise patch management console (Endpoint Manager, Security Controls, etc.)
C | Console-managed machines
**Cloud Workflow** |
1 | Create a custom policy group.
2 | Create a patch configuration and associate it with your policy group.
3 | Wait for the changes to propagate to your agent machines.
4 | Agents scan for and deploy patches on the managed machines.
5 | Scan and deployment results are reported to Ivanti Neurons.
**Hybrid Workflow** |
i | Connector
ii | The console scans for and deploys patches to the managed machines.
iii | Console results are reported to Ivanti Neurons.
The result will be a combination of data in the Ivanti Neurons Platform for both cloud and on-premise managed devices. Patch deployments for endpoints governed by the Cloud workflow will be performed by the Ivanti Neurons agent. Deployments to devices governed by an on-premise solution will continue to be performed by the on-premise console.
You may have devices that are managed by both the Ivanti Neurons Cloud and an on-premise solution. Both solutions will work effectively side by side. Actions performed from Ivanti Neurons Cloud will take precedence because they provide direct interaction with the devices.
While it is possible to have devices managed by both solutions, it probably is not desirable, as receiving multiple reports from different products can become confusing.
The deployments can be initiated by an Ivanti Neurons agent, by an Ivanti Endpoint Manager or Ivanti Security Controls on-premise console, or from within the cloud using either the Device Details or Endpoint Vulnerability components.