Ring Deployments

Ring deployment is a strategic method used to roll out updates or patches in a controlled and phased manner. The patch rollout is sequential, first deployed on selected internal test devices. Depending on the success percentage, the patch is rolled out to other rings and entire group. This approach minimizes risks by identifying and addressing issues early, before the update affects a broader device group. You can pause or roll back the patches at any stage if you see a problem.

This method ensures higher quality, improved user experience, and reliability of updates while reducing the chances of widespread disruptions.

Patch configuration under routine maintenance can be enabled for ring deployment, with the options for manual and automated promotion, along with the ability to continuously track a rollout.

This topic describes how to assign devices to rings and how to track the progress of a rollout. For information about enabling ring deployments for a patch configuration, see Configuration Behavior.

Watch a related video (5:29)

The Ring Deployments page is accessed from the main menu by selecting Patch Management > Ring Deployments. The page includes a table of ring deployments that shows the associated patch configuration, its version, the number of rings, when it was last updated, and its current status. The ring deployments in the table can be filtered based on the number of rings, last updated date, and current status. The following list provides description for the current status displayed:

Not Configured: The patch configuration is created without an associated ring deployment configuration.

Running: A ring deployment configuration is in the Scheduled or Running state. Both states signify that the ring deployment configuration is active.

Paused: A patch promotion for the rollout linked to the ring deployment configuration is paused.

Archived: The patch configuration associated with the ring deployment configuration is archived following the required actions or steps.

Deleted: The patch configuration associated with the ring deployment configuration is deleted.

At the top of the table are buttons that enable you to Pause automatic promotions and Resume automatic promotions for selected rollouts.

Viewing and configuring the rings

To configure the devices in each ring and to monitor the deployment of patches in a rollout, navigate to Patch Management > Ring Deployment and click the required name in the Configuration column. The deployment page for the ring appears and has the following sections.

Rollout

At the top you can search for and select the Rollout you are interested in. The rollouts are listed based on the dates and status. The following list provides description for the status displayed:

  • Aborted: When a user modifies the schedule of an active Patch Configuration, the adjustment is propagated to the patch engine through the agent, potentially disrupting the consistency of the ongoing (running) rollout.
  • Completed: When one of the following actions takes place:
    • When the rollout has gone through successive rings and reached an endpoint.

    • Manual Pause and Resume: If the user pauses the patch promotion manually and resumes it within a few days, the rollout picks up where it left off and continues to completion within the target timeline.

    • Indefinite Pause with Time Limit Reached: If the user pauses the rollout indefinitely and the target completion time expires, the system automatically transitions the rollout to a "completed" state, reflecting that the rollout is no longer active despite the pause.

  • Paused: When a user pauses the patch promotion manually. This status applies to both manual and automated promotion.
  • Running: When the rollout is in progress, it continues through successive rings until the target completion days are reached.
  • Scheduled: When the rollout is scheduled to kick off at the specified local time on the configured day of the month, accounting for any delays.

  • Ring Deployment Disabled: When a user creates the patch configuration but the ring deployment configuration is disabled.

If a ring deployment is paused indefinitely:

Rollouts that have already completed transitions from a paused state to completed state.

Rollouts that were scheduled to begin shifts to a paused state instead of running state.

Newly scheduled rollouts are incorporated into the ring deployment as usual.

Configuration summary

Configuration summary section provides information about each of the rings in the rollout, including the Success rate, Soak time, Delay time, projected start and end date/time, and whether the Promote content is Automatic or Manual for each ring.

For the rollout, the summary includes Deployed By and Patch configuration details.

Ring Filters

The filters allow to display only the devices or patches in the Test, Early Adopter, or Production rings, or display All rings applicable for the rollout. The selected filters are displayed in the filter bar. You can clear the filters as required.

The Patch state and Device state toggle enables you to see the current state of the rollout from the perspective either of the patches being rolled out or the devices that the patches are being rolled out to.

By default, the table displays with filters All rings in Device state.

Switching between Patch state and Device state

Switching between Patch state and Device state also switches the table at the bottom of the page between showing information about each patch and displays information about each device.

Device State

The table displays the list of devices the rollout applies to. You can select the devices in the table and use Move selected devices to switch the devices between the rings. Search helps to find the devices from the list. Use the to display the required columns in the table.

The device state table can be filtered based on the current ring of the device, deployment start timeline, and current device status. The following list provides description for the status displayed:

  • Not Started: Devices that have not displayed any patching activity according to the patch configuration for the associated ring and rollout.
  • Staging: Devices that have initiated the staging of patches (prior to deployment) as per the patch configuration for the associated ring and rollout.
  • Executing: Devices that have begun deploying patches based on the patch configuration for the associated ring and rollout.
  • Failed: Devices that were unsuccessful in deploying patches as per the patch configuration for the associated ring and rollout.
  • Success: Devices that successfully completed the deployment of patches in line with the patch configuration for the associated ring and rollout.

Patch State

The Patch state table enables you to view the progress of a rollout. The table lists all the patches in the current ring of the patch, platform, success rate, and current patch status and so on.

You can choose to promote specific patches to the next ring by selecting the check box alongside them, then clicking Promote. For more information about a patch, click its entry in the Patch name column to open the corresponding patch page in Patch Intelligence. Click the value in the CVE count column to open the patch page in Patch Intelligence with the CVE tab displayed.
For more information about Patch Intelligence, see Patch Intelligence.

Use Success rate filter to display the All patches, patches with over ring success rate (patches exceeding the set success rate), or under ring success rate (patches below the set success rate) for the rollout.

The following list provides the status displayed for the rollout:

  • To be assessed
  • Promoted out of previous ring
  • Not Promoted out of previous ring
  • Not seen in previous ring
  • Soaking
  • Promotion Waiting
  • Promoted Manually
  • Promoted
  • Not promoted
  • Demoted
  • In deployment

Switching devices between rings

When you create a set of rings, the rings will be empty. You can allocate the devices in your IT estate to three separate rings:

  • Test Ring
  • Early Adopter Ring
  • Production

You can choose to merge the Early Adopter Ring and Production into a single ring as part of the patch configuration.

When you add a new ring, the ring will be empty. When you allocate the devices for the first time, be default the devices are in Production ring. Manually select devices to switch to other rings.

Typically, you can add 1% of your devices to the Test Ring, 9% to the Early Adopter Ring, and the remaining 90% to the Production ring. If new devices are discovered, they are added to the Production ring.

Ivanti recommends that business-critical devices and devices allocated to senior members of the organization are added to the Production ring. Devices in the Test Ring should be limited to test devices and devices allocated to people who know that they have devices in the Test Ring and who are comfortable being involved in this stage of a rollout.

If you choose Automatic under Promote content on the patch configuration (see Ring deployment), only patches that meet the Success threshold (%) at the end of the Soak time specified in the patch configuration will be automatically promoted to the next ring. For this reason, make sure that each ring contains sufficient devices running each of the applications that you want to patch so that patches for each of these applications can be appropriately tested by the rollout. If a ring has no devices with an application that you want to patch installed, then that patch cannot meet the Success threshold (%), and so cannot be automatically promoted to the next ring. You can, however, manually promote any patch to the next ring.

To move devices between rings:

  1. On the Ring deployments page, click the name of the ring deployment you want to update.
    The appropriate ring deployment page appears.
  2. Above the ring charts, select Device state.
    The page updates to display devices rather than patches. Under the charts, the table lists all known devices in your system, displays information that includes the Ring that the device is allocated to.
  3. Using the filter (filter icon) and sort (sort icon) controls at the top of the columns on the table and the Search field, find the devices that you want to move to a different ring.
  4. Select the check box alongside the required devices, then above the table click Test, Early Adopter, or Production as required.
    The devices are moved to the chosen ring.