Patch Management

Overview

Ivanti Neurons for Patch Management is a cloud patching solution. It combines the real-time insights of the Ivanti Neurons Platform with the asset information of Ivanti Neurons for Discovery and actionable intelligence for risk-based prioritization to drive an adaptive security strategy. Comprehensive patch management capabilities are provided for your Windows-based machines, including the ability to patch products from both Microsoft and third-party vendors. Ivanti Neurons for Patch Management also provides patch management for your macOS machines using a hybrid approach based on Ivanti Endpoint Manager and an Ivanti Endpoint Manager connector.

To access Ivanti Neurons for Patch Management, navigate to Patch Management in the Ivanti Neurons Platform.

Ivanti Neurons for Patch Management comprises the following components:

  • Endpoint Vulnerability: Provides a central view of device patching for your environment with device health and risk-based metrics.
  • Patch Intelligence: Gathers and aggregates data to help manage, prioritize and streamline patching in your environment. It provides a clear picture of your threat landscape with prioritized, risk-based metrics.
  • Deployment History: Provides a way to view the status of recent deployment operations. You can zero in on exceptions and quickly troubleshoot any issues.
  • Patch Settings: Enables you to configure patch configurations and patch groups for the cloud patch management workflow. A default configuration that remediates all critical security patches can be used to quickly get you started, or you can create a custom patch configuration to meet the unique compliance thresholds in your organization.

Be sure you have the permissions needed to use Patch Management.

Requirements

You must add a number of web URLs to your firewall, proxy and web filter exception lists. The URLs are used to download patch content from third-party vendors.

For the complete list of URLs that you should add, see this article on the Ivanti Community.

Cloud Workflow

This is the primary workflow for patch management. All configuration and assessment activities are performed in the cloud, while the actual scans and deployments are performed by agents installed on the managed machines.

The workflow consists of the following steps:

  1. Create a custom policy group.
  2. Create a patch configuration and associate it with your policy group.
  3. Wait for the changes to propagate to your agent machines.
  4. Agents scan for and deploy patches on the managed machines.
  5. Scan and deployment results are reported to Ivanti Neurons.

Figure: Cloud workflow. Item A in the figure is the agent machines; callouts 1 to 5 correspond to the steps listed above.

Details of the Cloud Workflow

Conditional Steps

If your devices already contain an Ivanti Neurons agent, you can skip these conditional steps.

  1. Download an agent for the proper device type (Windows or Mac).
    There are two files included in the download:
    • The agent executable file
    • An options file that contains the tenant ID, activation key and cloudhost information that will be needed during the installation process
  2. Install the agent on the desired target machines.
    1. On the target machine, double-click the executable file to begin the installation process.
    2. Follow the instructions in the installation wizard.
  3. Wait for the agent to automatically do the following:
    • Register and check in with Ivanti Neurons
    • Download the default agent policy group
    • Perform a scan of the target machine for all missing patches and report the results to Ivanti Neurons
  4. View information about the newly discovered target machines from Devices view within Ivanti Neurons.

Primary Steps

  1. Create a custom agent policy group.
    The default policy group that is initially installed with an agent is only configured to perform patch scans. In order to perform patch deployments, you will need to create at least one custom policy group. The custom policy group must be enabled to perform patch management actions and it must be associated with a patch configuration that defines your deployment settings. You will use the Add Devices option within the policy to assign the policy to the desired agent machines.
    Be sure to enable the Patch Management capability when creating the agent policy group. The policy group defines the rules that allow the agent to operate autonomously on a device, with or without human interaction.
  2. Configure your patch settings.
    Your patch settings will consist of the following:
    • Patch configuration: The primary purpose of a patch configuration is to define how patches will be deployed to the agent machines. A default patch configuration is provided that will deploy all missing critical security patches on a weekly basis. You will likely want to create one or more custom patch configurations to define the unique patch deployment requirements of your organization.

      On the Associations tab, be sure to associate your patch configuration with a custom agent policy group that is enabled to perform patch management actions.

    • (Optional) Patch group: You may choose to reference a patch group in a patch configuration. A patch group contains a list of specific patches that you want to deploy. This is a good way to make sure that only approved patches are deployed. See the Deployment behavior section in the Patch Settings topic for information on how to properly configure this scenario.
  3. Wait for the changes to propagate to your devices.
    Your devices will receive the updated policy and patch configuration information the next time the agents check in with Ivanti Neurons.
  4. Deploy missing patches to the agent machine.
    The deployment can be accomplished two different ways:
    • Via an automatic, scheduled patch deployment that is defined by the patch configuration
    • By using the agent client on the agent machine to immediately initiate a patch deployment
    After a patch deployment, the agent machine will be automatically rescanned and the results sent to Ivanti Neurons. This will enable you to verify the deployment status and assess the current health of the agent machine.
  5. Use the Deployment History component to view the results of the deployment and quickly identify any issues.
  6. Use the Endpoint Vulnerability component to assess the patch health of the machines in your environment.
  7. Use the Patch Intelligence component to gain a deeper level of understanding about the vulnerabilities detected on your machines based on risk-based prioritization, patch reliability and patch compliance.
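The following added example (not Ivanti code) models the deployment behaviour described in the primary steps above: a patch configuration selects which missing patches the agent deploys (the default being all missing critical security patches), an optional patch group narrows that selection to approved patches only, and the automatic rescan after deployment is what you compare against to verify the result. All class names, field names, patch ids and the scan data are constructed for illustration and do not correspond to the product's own objects or identifiers.

```python
# Added example (not Ivanti code): a toy model of how a patch configuration
# and an optional patch group decide which missing patches an agent deploys,
# and how the automatic post-deployment rescan is used to verify the result.
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class MissingPatch:
    """One missing patch reported by an agent scan (constructed data model)."""
    patch_id: str      # placeholder ids such as "PATCH-A"; not real vendor ids
    severity: str      # "critical", "important", "moderate" or "low"
    security: bool     # True for security patches, False for other updates
    vendor: str


@dataclass(frozen=True)
class PatchConfiguration:
    """Deployment rules, modelled on the page's description (hypothetical fields)."""
    name: str
    severities: frozenset = frozenset({"critical"})
    security_only: bool = True
    approved_group: Optional[frozenset] = None   # optional patch group: approved ids
    schedule: str = "weekly"


def select_patches(missing: Iterable[MissingPatch], config: PatchConfiguration) -> list:
    """Return the sorted ids a deployment under `config` would install."""
    selected = []
    for patch in missing:
        if config.security_only and not patch.security:
            continue                       # non-security update: out of scope
        if patch.severity not in config.severities:
            continue                       # below the configured severity threshold
        if config.approved_group is not None and patch.patch_id not in config.approved_group:
            continue                       # patch group set: only approved patches deploy
        selected.append(patch.patch_id)
    return sorted(selected)


def rescan(missing: Iterable[MissingPatch], deployed: set, failed: set = frozenset()) -> list:
    """Simulate the automatic rescan after deployment: a patch is still missing if it
    was not selected for deployment or if its installation failed."""
    return sorted(p.patch_id for p in missing
                  if p.patch_id not in deployed or p.patch_id in failed)


# Constructed scan result for one agent machine.
SCAN = [
    MissingPatch("PATCH-A", "critical", True, "Microsoft"),
    MissingPatch("PATCH-B", "critical", False, "Microsoft"),        # critical but not security
    MissingPatch("PATCH-C", "important", True, "ThirdPartyVendor"),
    MissingPatch("PATCH-D", "critical", True, "ThirdPartyVendor"),
]

# The default configuration: all missing critical security patches, weekly.
DEFAULT_CONFIG = PatchConfiguration(name="Default: critical security, weekly")

# A custom configuration that references a patch group of approved patches.
APPROVED_CONFIG = PatchConfiguration(
    name="Approved patches only",
    severities=frozenset({"critical", "important"}),
    approved_group=frozenset({"PATCH-A", "PATCH-C"}),
)


def deployment_report(config: PatchConfiguration, failed: set = frozenset()) -> dict:
    """Plan a deployment, simulate it, and compare the plan with the rescan."""
    planned = select_patches(SCAN, config)
    still_missing = rescan(SCAN, set(planned), failed)
    return {
        "config": config.name,
        "planned": planned,
        "still_missing": still_missing,
        "failed": sorted(set(planned) & set(failed)),
    }


if __name__ == "__main__":
    print(deployment_report(DEFAULT_CONFIG))
    print(deployment_report(APPROVED_CONFIG, failed={"PATCH-C"}))
```

The `still_missing` list is the value to watch: anything that was planned and is still missing after the rescan is a failed deployment to investigate in Deployment History, while patches that were never planned (non-security updates, lower severities, or patches outside the approved group) remain missing by design and should be reviewed in Endpoint Vulnerability.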

Hybrid Workflow

This workflow applies to existing customers who use a connector to an on-premise patch management product such as Ivanti Endpoint Manager, Ivanti Patch for Microsoft Endpoint Manager (MEM), Ivanti Security Controls, Ivanti Endpoint Security or Ivanti Desktop and Server Management. These customers begin the migration to the Cloud workflow by using both workflows at the same time. For example, existing customers might choose to move the management of their workstations to the Cloud workflow, while continuing to patch disconnected workstations, servers and other high-profile or sensitive devices using their on-premise workflow. This strategy enables you to transition to the Cloud workflow at your own pace.

The on-premise console scans for and deploys patches to the managed machines. The results are reported to Ivanti Neurons.

Figure: Hybrid workflow. Items in the figure:

  • A: Agent machines
  • B: On-premise patch management console (Endpoint Manager, Security Controls, etc.)
  • C: Console-managed machines

Callouts 1 to 5 are the Cloud Workflow steps listed above. The hybrid portion of the figure adds:

  i. Connector
  ii. The console scans for and deploys patches to the managed machines.
  iii. Console results are reported to Ivanti Neurons.

The result will be a combination of data in the Ivanti Neurons Platform for both cloud and on-premise managed devices. Patch deployments for endpoints governed by the Cloud workflow will be performed by the Ivanti Neurons agent. Deployments to devices governed by an on-premise solution will continue to be performed by the on-premise console.

It is possible that you may have devices that are managed by both the Ivanti Neurons Cloud and an on-premise solution. Both solutions will work effectively side by side. Actions performed from Ivanti Neurons Cloud will take precedence because they provide direct interaction with the devices.

While it is possible to have devices managed by both solutions, it probably is not desirable, as receiving multiple reports from different products can become confusing.

Related topics

Endpoint Vulnerability

Patch Intelligence

Deployment History

Patch Settings