Patch Management

Ivanti Neurons for Patch Management is a cloud patching solution. It combines the real-time insights of the Ivanti Neurons Platform with the asset information of Ivanti Neurons for Discovery and the actionable intelligence for risk-based prioritization to drive an adaptive security strategy. Comprehensive patch management capabilities are provided for your Windows, macOS, and Linux devices and include the ability to patch products from Microsoft, Apple and third-party vendors.

For Apple Silicon Macs and Intel Macs with the Apple T2 chip, Ivanti Neurons for Patch Management needs a role account to manage operating system patches on the device. This means that when Ivanti Neurons for Patch Management first deploys an operating system patch to a device of this type, a dialog appears asking the local administrator to create an administrative role account for Ivanti Neurons to use on the device. Instructions are provided on screen. If you have FileVault enabled, the administrative role account you create will appear on the login screen after reboot.

To access Ivanti Neurons for Patch Management, navigate to Patch Management in the Ivanti Neurons Platform.

Ivanti Neurons for Patch Management comprises the following components, depending on your license:

  • Compliance Reporting: Enables you to determine your current compliance status and see how you are trending over time.
  • Endpoint Vulnerability: Provides a central view of device patching for your environment with device health and risk-based metrics.
  • Patch Intelligence: Gathers and aggregates data to help manage, prioritize and streamline patching in your environment. It provides a clear picture of your threat landscape with prioritized, risk-based metrics.
  • Deployment History: Provides a way to view the status of recent deployment operations. You can zero in on exceptions and quickly troubleshoot any issues.
  • Patch Settings: Enables you to configure patch configurations and patch groups for the cloud patch management workflow. A default configuration that remediates all critical security patches can be used to quickly get you started, or you can create a custom patch configuration to meet the unique compliance thresholds in your organization.
  • Patch for Intune: Extends Microsoft Intune implementations to include third-party product management capabilities.

Be sure you have the permissions needed to use Patch Management.

Requirements

You must add a number of web URLs to your firewall, proxy and web filter exception lists. The URLs are used to download patch content from third-party vendors.

For the complete list of URLs that you should add, see Required URLs, IP addresses and ports.

To successfully deploy patches with the Ivanti Neurons Agent to Windows devices, do not disable the Windows Update service, but set it to either Manual or Automatic. In addition, set the Windows Update setting on each target device (Control Panel > System and Security > Windows Update > Change settings) to Never check for updates. For more information, see this article on the Ivanti Community.
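The following PowerShell check, added here as an example and not part of the Ivanti documentation, verifies the two Windows Update prerequisites stated above on a target device before the agent is rolled out. It assumes the standard service name (wuauserv) and the standard Windows Update registry locations; the function name Test-PatchAgentPrereqs is hypothetical.

```powershell
# Added example (not Ivanti code): verify the Windows Update prerequisites for
# the Ivanti Neurons Agent. Assumes the standard wuauserv service name and the
# standard Windows Update registry keys.
function Test-PatchAgentPrereqs {
    $result = [ordered]@{ ServiceOk = $false; NeverCheckOk = $false; Findings = @() }

    # 1. The Windows Update service must not be Disabled (Manual or Automatic is required).
    $svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    if (-not $svc) {
        $result.Findings += 'Windows Update service (wuauserv) not found.'
    } elseif ($svc.StartType -eq 'Disabled') {
        $result.Findings += 'wuauserv StartType is Disabled; set it to Manual or Automatic.'
    } else {
        $result.ServiceOk = $true
    }

    # 2. "Never check for updates": NoAutoUpdate = 1 when set by Group Policy,
    #    or AUOptions = 1 in the local Auto Update key when set via Control Panel.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $local  = Get-ItemProperty -Path $localKey  -ErrorAction SilentlyContinue

    if ($policy -and $policy.NoAutoUpdate -eq 1) {
        $result.NeverCheckOk = $true
    } elseif ($local -and $local.AUOptions -eq 1) {
        $result.NeverCheckOk = $true
    } else {
        $result.Findings += 'Automatic Updates is not set to "Never check for updates".'
    }

    [pscustomobject]$result
}

# Report both checks and any findings for this device.
Test-PatchAgentPrereqs
```

Run it in an elevated session on each target device; both ServiceOk and NeverCheckOk should be True before the agent is expected to deploy patches.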

If you are patching Office 2019 or Office 365 installations that use Click-to-Run technology, see How Ivanti patches Office Click-to-Run installations on the Ivanti Community for information about how Patch for Neurons patches these installations.

Cloud Workflow

This is the primary workflow for performing patch management functionality. All configuration and assessment activities are performed within the cloud, while the actual scans and deployments are performed by agents that are installed on the managed devices.

  1. Create a custom policy group.
  2. Create a patch configuration and associate it with your policy group.
  3. Wait for the changes to propagate to your agents.
  4. Agents scan for and deploy patches.
  5. Results are reported to Ivanti Neurons.

Items in Figure

  • A: Agent devices

Cloud Workflow

  1. Create a custom policy.
  2. Create a patch configuration and associate it with your policy.
  3. Wait for the changes to propagate to your agent devices.
  4. Agents scan for and deploy patches on the managed devices.
  5. Scan and deployment results are reported to Ivanti Neurons.

Details of the Cloud Workflow

Conditional Steps

If your devices already contain an Ivanti Neurons agent, you can skip these conditional steps.

  1. Download an agent for the appropriate device type (Windows, Mac, or Linux).
    There are two files included in the download:
    • The agent executable file
    • An options file that contains the tenant ID, enrollment key, and cloudhost information that will be needed during the installation process
  2. Install the agent on the desired target devices.
    1. On the target device, double-click the executable file to begin the installation process.
    2. Follow the instructions in the installation wizard.
  3. Wait for the agent to automatically do the following:
    • Register and check in with Ivanti Neurons
    • Download the assigned agent policy
    • Perform a scan of the target device for all missing patches and report the results to Ivanti Neurons
  4. View information about the newly discovered target devices from Devices view within Ivanti Neurons.

Primary Steps

  1. Create a custom agent policy.
    The default policy that is initially installed with an agent is configured to perform only patch scans. In order to perform patch deployments, you need to create at least one custom policy. The custom policy must be enabled to perform patch management actions and it must be associated with a patch configuration that defines your deployment settings. You use the Add Devices option within the policy to assign the policy to the desired agent devices.
    Be sure to enable the Patch Management capability when creating the agent policy. The policy defines the rules that allow the agent to operate autonomously on a device, with or without human interaction.
    Within the custom agent policy you can select to use peer-to-peer download. Peer-to-peer supports digitally signed and sideloaded patches. Patches automatically downloaded from the vendor that are not digitally signed (for example, 7-Zip and Core FTP) are not supported by peer-to-peer. The server peer will share only patches applicable to the peer client's operating system; for example, a Server 2019 peer will share only Server 2019 patches.
  2. Configure your patch settings.
    Your patch settings will consist of the following:
    • Patch configuration: The primary purpose of a patch configuration is to define how patches will be deployed to the agent devices. A default patch configuration is provided that will deploy all missing critical security patches in your Windows environment on a weekly basis. You will likely want to create one or more custom patch configurations to define the unique patch deployment requirements of your organization.

      On the Associations tab, be sure to associate your patch configuration with a custom agent policy that is enabled to perform patch management actions.

    • (Optional) Patch group: You may choose to reference a patch group in a patch configuration. A patch group contains a list of specific patches that you want to deploy. This is a good way to make sure that only approved patches are deployed. See the Deployment behavior section in the Patch Settings topic for information on how to properly configure this scenario.
  3. Wait for the changes to propagate to your devices.
    Your devices will receive the updated policy and patch configuration information the next time the agents check in with Ivanti Neurons.
  4. Deploy missing patches to the agent device.
    The deployment can be accomplished four different ways:
    • Via an automatic, scheduled patch deployment that is defined by the patch configuration.
    • From the Endpoint Vulnerability component within Ivanti Neurons for Patch Management. You can use this component to deploy all patches that were identified as missing during the most recent patch scan.

      Be sure you have the Patch Management permissions needed to deploy patches from Endpoint Vulnerability.

    • From the Patches tab of the Device Details page. You can select individual patches for deployment from this page.
    • By using the Agent UI on the agent device to immediately initiate a patch deployment.

      To install the Agent UI you must enable the capability in the assigned agent policy.

    After a patch deployment, the agent device will be automatically rescanned and the results sent to Ivanti Neurons. This will enable you to verify the deployment status and assess the current health of the agent device.

  5. Use the Deployment History component to view the results of the deployment and quickly identify any issues.
  6. Use the Endpoint Vulnerability component to assess the patch health of the devices in your environment.
  7. Use the Patch Intelligence component to gain a deeper level of understanding about the vulnerabilities detected on your devices based on risk-based prioritization, patch reliability and patch compliance.

Hybrid Workflow

This workflow applies to current customers who are utilizing a connector to an on-premise patch management product such as Ivanti Endpoint Manager, Ivanti Patch for Configuration Manager, Ivanti Security Controls, Ivanti Endpoint Security or Ivanti Desktop and Server Management. These customers will begin the migration to the Cloud workflow by simultaneously utilizing both workflows. For example, existing customers might choose to transition the management of their workstations to the Cloud workflow, while continuing to provide patch management capabilities to disconnected workstations, servers and other high-profile or sensitive devices using their on-premise workflow. This strategy enables you to transition to the Cloud workflow at your own pace.

The on-premise console scans for and deploys patches to the managed machines. The results are reported to Ivanti Neurons.

Items in Figure

  • A: Agent devices
  • B: On-premise patch management console (Endpoint Manager, Security Controls, etc.)
  • C: Console-managed devices

Cloud Workflow

  1. Create a custom policy.
  2. Create a patch configuration and associate it with your policy.
  3. Wait for the changes to propagate to your agent devices.
  4. Agents scan for and deploy patches on the managed devices.
  5. Scan and deployment results are reported to Ivanti Neurons.

Hybrid Workflow

  i. Connector
  ii. The console scans for and deploys patches to the managed devices.
  iii. Console results are reported to Ivanti Neurons.

The result will be a combination of data in the Ivanti Neurons Platform for both cloud and on-premise managed devices. Patch deployments for endpoints governed by the Cloud workflow will be performed by the Ivanti Neurons agent. Deployments to devices governed by an on-premise solution will continue to be performed by the on-premise console.

It is possible that you may have devices that are managed by both the Ivanti Neurons Cloud and an on-premise solution. Both solutions will work effectively side by side. Actions performed from Ivanti Neurons Cloud will take precedence because they provide direct interaction with the devices.

While it is possible to have devices managed by both solutions, it probably is not desirable, as receiving multiple reports from different products can become confusing.

The deployments can be initiated by an Ivanti Neurons agent, by an Ivanti Endpoint Manager or Ivanti Security Controls on-premise console, or from within the cloud using either the Device Details or Endpoint Vulnerability components.

If you are using a custom scan profile in Ivanti Security Controls, you may find when deploying a missing patch that you are told it is already installed on the device. To avoid this, add a regular scan of all devices using one of the predefined Security Patch Scan or All Patches templates. For more information, see this Ivanti Community Article.

Related topics

Endpoint Vulnerability

Patch Intelligence

Deployment History

Patch Settings