The Ivanti Patch and Remediation Workflow

To use Ivanti Patch and Remediation (Patch and Remediation), all Ivanti Endpoint Security components must be installed, along with the Patch and Remediation module. After installing all necessary components, review this chart to understand the Patch and Remediation workflow.

Refer to the following topic to determine tasks when using the Patch and Remediation module within Ivanti Endpoint Security.

Install Module Server Component

Install the Patch and Remediation module server component. This component is installed after initial Ivanti Endpoint Security installation. For additional information, refer to Installing the Patch and Remediation Module Server Component.

If you purchased a Patch and Remediation license during your initial Ivanti Endpoint Security purchase, Patch and Remediation is installed during the initial Ivanti Endpoint Security installation by default.

Install Module Endpoint Component

Install the Patch and Remediation module endpoint component on agents you want to support Patch and Remediation functions. Each agent you install the endpoint component on consumes a Patch and Remediation license. For additional information, refer to Installing the Patch and Remediation Module for Endpoints.

Create Groups

Create groups containing Patch and Remediation endpoints in preparation for deployment. A group associates similar endpoints for the purpose of deploying content to multiple endpoints. For additional information, refer to Creating New Groups.

Create Agent Policy Sets

Create new agent policy sets (or edit existing policy sets for Patch and Remediation functions) and apply them to Patch and Remediation groups. Agent policy sets are a compilation of values that govern agent behavior. New settings for agent policy sets are added after installing Patch and Remediation. For additional information, refer to Apply Agent Policy Sets.

View Vulnerabilities and Deploy Content

View network vulnerabilities and then deploy content (patches and other software) to managed endpoints. First, view network vulnerabilities. Agents detect vulnerabilities by scanning endpoints for signatures that indicate vulnerabilities are present. Then, remediate vulnerabilities using a deployment (refer to About Deployments), which triggers the agent to download selected content from the Ivanti Endpoint Security Server. For additional information, refer to Viewing and Remediating Vulnerabilities.

Add Content to Mandatory Baseline

After initial vulnerabilities are remediated, you can define a Mandatory Baseline (refer to About Mandatory Baselines). This baseline is a selection of user-defined content that must always be installed on all group endpoints. If an endpoint falls out of compliance, the Mandatory Baseline ensures the endpoint is patched back into compliance via automatic deployment. For additional information, refer to Installing the Patch and Remediation Module for Endpoints.

Define Default Module Settings

Define default Patch and Remediation settings. New default settings are added to Ivanti Endpoint Security after Patch and Remediation is installed. New settings include new access roles, email notifications, and deployment options. For additional information, refer to the following topics:

Logging In

Get started with Ivanti Endpoint Security by logging in.
You can access the console from any endpoint within your network.

When accessing the Ivanti Endpoint Security console using a Web browser with high security settings enabled, the following message may display:
Scripting must be enabled to display this application properly.
In this event, Ivanti recommends adding the Ivanti Endpoint Security Web address as a trusted site in your browser settings to view the Web console.

  1. Open your Web browser.
  2. In your browser’s address bar, type the Ivanti Endpoint Security URL (http[s]://ServerURL) or IP address and press ENTER.
    A dialog prompting you for credentials opens.
  3. Type your user name in the User name field.
    When logging in for the first time, type the user name of the Windows user account used to install Ivanti Endpoint Security. You can use additional user names after adding new user profiles to Ivanti Endpoint Security. If logging in using a domain account, type the name in the following format: DOMAIN\Username.

  4. Type your password in the Password field.

  5. Click OK.

Installing the Patch and Remediation Module Server Component

After logging in to Ivanti Endpoint Security, the first step in implementing Patch and Remediation features and functions is to install the server module. Open the Installation Manager, then Install the Module Server Component.

Install the server module using Installation Manager.

  1. Select Tools > Launch Installation Manager.
    Installation Manager opens to the New/Update Components tab.
  2. Select the Ivanti Patch and Remediation check box for your version number of Ivanti Endpoint Security.
  3. Click Install.
    The Install/Update Components dialog opens.
  4. Click Next to dismiss the Database backup recommended notification. Ivanti recommends backing up your database before installing a module.
  5. Click Install.
    A dialog opens, notifying you that installing the module may cause logged-in users to lose their work.
  6. Click OK.
    The installation begins.
  7. Click Finish.

    Select the Launch Ivanti Endpoint Security check box to relaunch Ivanti Endpoint Security after clicking Finish.

The Patch and Remediation server module is installed.

After Completing This Task:
Continue to Installing the Patch and Remediation Module for Endpoints below.

Installing the Patch and Remediation Module for Endpoints

After installing the Patch and Remediation server module, you must install the Patch and Remediation module for your network endpoints.

Prerequisite:

Complete Installing the Patch and Remediation Module Server Component.

Instructions:

Install the endpoint component from the Endpoints page.

  1. Select Manage > Endpoints.
    The Endpoints page opens to the All tab.
  2. From the list, select the endpoints that you want to install the Patch and Remediation endpoint module on.
  3. Click Manage Modules.
    The Add/Remove Modules dialog opens.
  4. Select the Patch check box for all endpoints you want to install the component on.
  5. Click OK.
    The Patch and Remediation endpoint module is installed on selected endpoints.

After Completing This Task:
Continue to Creating New Groups below.

Creating New Groups

After installing the Patch and Remediation components, create a new group for your Patch and Remediation endpoints. By placing your Patch and Remediation endpoints in a group (or multiple groups), you can manage them collectively. For example, you can deploy content to all Patch and Remediation endpoints with one deployment by using groups.

Prerequisites:

Complete Installing the Patch and Remediation Module for Endpoints.

Instructions:

Create and configure groups from the Groups page.

  1. From the Navigation Menu, select Manage > Groups.
  2. From the Browser tree, select Custom Groups.
    Groups are arranged within a tree structure. You can place your new group anywhere within the custom group hierarchy.
    The group you create is added as a child group to the group selected within the directory tree.
  3. Create a group.
    1. From the View list, select Group Membership.
    2. Click Create.
    3. In the Name field that displays, type a group name.
    4. In the Description field that displays, type a description.
    5. Click the Save icon.
  4. Add endpoints to the group.
    1. From the View list, select Endpoint Membership.
    2. Click Manage.
    3. Assign endpoints to the group.
      For more detailed information, refer to Adding Endpoints to a Group.
    4. Click OK.
  5. Define the group's settings.
    Group settings contain additional group controls.
    1. From the View list, select Settings.
    2. Define the settings.
      For more detailed information, refer to Editing Group Settings.
    3. Click Save.
      The group is created.

After Completing This Task:
Continue to Apply Agent Policy Sets below.

Apply Agent Policy Sets

After you create a group, create and assign an agent policy set to govern the group endpoint behavior. Agent policy sets can control endpoint communications, hours of operation, and so on.

Prerequisites:

Complete Creating New Groups.

Instructions:

Create agent policy sets using the Agent Policy Sets page, and then assign them to a group using the Groups page.

  1. From the Navigation Menu, select Manage > Agent Policy Sets.
  2. Click Create to create an agent policy set.
    For additional information, refer to Creating an Agent Policy Set.
  3. Select Manage > Groups.
  4. From the View list, select Agent Policy Sets.
    The Agent Policy Sets view opens.
  5. From the Browser tree, select the group you created.
  6. Click Assign to assign the agent policy set to your created group.
    For additional information, refer to Assigning an Agent Policy Set to a Group.
    The agent policy set is created and assigned.

After Completing This Task:
Continue to Viewing and Remediating Vulnerabilities below.

Viewing and Remediating Vulnerabilities

After installing the Patch and Remediation module server and endpoint components, your network endpoints complete their first Discover Applicable Updates task, which detects vulnerabilities. Following this task, you can view vulnerabilities in your network and then deploy patches and other content to resolve them.

Prerequisites:

Complete Apply Agent Policy Sets.

Instructions:

View the network vulnerabilities, then schedule deployment to remediate them.

  1. View dashboard widgets, vulnerabilities, and reports to identify vulnerabilities in your network.
    Dashboard widgets and reports provide detailed graphs and statistics about the state of your network. Reviewing this information provides insight about the actions required to secure your network. For additional information, refer to the following documentation:
    • To see an overview of how many vulnerabilities are in your network, view The Dashboard. View the dashboard by clicking Home from the navigation menu.
    • To view the vulnerabilities on a specific endpoint, view The Endpoint Details Page. View the Endpoint Details page by selecting Manage > Endpoints and clicking an endpoint link.
    • To view the specific vulnerabilities in your network, view The Content Pages List. To view this page, select Manage > Vulnerabilities.
    • To view a report of vulnerabilities in your network, view Generating a Report. To generate reports, select Reports > All Reports, select a report, and click Generate Report.
  2. From the Navigation Menu, select Review > Vulnerabilities > --- All --- (or any of the other vulnerability options).
  3. From the list, select the vulnerabilities you want to deploy.

    Use the page filters to find vulnerabilities applicable to your endpoints.

  4. Click Deploy to remediate vulnerabilities.
    Remediate network vulnerabilities by deploying content that fixes identified vulnerabilities.

The deployment is scheduled and will begin at the scheduled time. Completion time of the deployment varies depending on size.

After Completing This Task:
Continue to Adding Content to a Mandatory Baseline below.

Adding Content to a Mandatory Baseline

Each group in Ivanti Endpoint Security has a Mandatory Baseline, which is a list of content that must be installed on the group's endpoints at all times. By default, this baseline is empty. However, you can add patches, software, and other content to this baseline. After adding content to the baseline, Ivanti Endpoint Security continually checks group endpoints for the content's presence. If a group endpoint is found to not have content included in the Mandatory Baseline, Ivanti Endpoint Security automatically deploys that content to the endpoint.

Prerequisites:

Complete Editing Email Notifications.

Instructions:

Add content to a Mandatory Baseline from the Groups page.

  1. From the Navigation Menu, select Manage > Groups.
  2. From the Browser tree, select the group you created earlier.
  3. From the View list, select Mandatory Baseline.
  4. Click Manage to add content.
    For additional information, refer to Adding Content to Mandatory Baselines.
  5. Click OK.
    Content is added to the group Mandatory Baseline.

After Completing This Task:
Continue to Defining Default Deployment Options below.

Defining Default Deployment Options

After you install Patch and Remediation, a Deployments tab is added to the Options page. Configure this tab to define the default values for the Deployments Wizard.

Prerequisites:

Complete Adding Content to a Mandatory Baseline.

Instructions:

Define default deployment options from the Options page.

  1. From the Navigation Menu, select Tools > Options.
  2. Select the Deployments tab.
  3. Define the default deployment options.
    For additional information, refer to Configuring the Deployments Tab.
  4. Click Save.
    The default deployment options are defined.

After Completing This Task:
Continue to Editing Email Notifications below.

Editing Email Notifications

After installing Patch and Remediation, two new email notification types are added: New Vulnerabilities and Deployment Failure. To use these new notifications, edit your defined email addresses or create new ones.

Prerequisites:

Complete Defining Default Deployment Options.

Instructions:

Edit email notifications from the Email Notifications page.

  1. From the Navigation Menu, select Tools > Email Notifications.
  2. For each defined email address, select one or both of the following new notification types available after installation of Patch and Remediation.
    For more information on how to define a new address and email notifications, refer to Creating Email Notifications.

    Notification Type
    • New Vulnerabilities: Sends the defined address a notification email when new vulnerabilities are available.
    • Deployment Failure: Sends the defined address a notification email when a scheduled deployment fails.

    Additional options are available for the Ivanti Endpoint Security core features and other modules.

  3. Click Save.
  4. Click OK.

The email addresses you edited are configured to receive the new email notifications.

After Completing This Task:
Continue to Editing Custom Roles below.

Editing Custom Roles

After installing Patch and Remediation, new access rights are added for new features. To update custom roles for these features, edit your roles.

Prerequisites:

Complete Editing Email Notifications.

Instructions:

Edit custom roles from the Users and Roles page.

  1. From the Navigation Menu, select Tools > Users and Roles.
  2. Select the Roles tab.
  3. From the page list, click the edit icon for the custom role to which you want to add access rights.
    The Edit Role dialog opens.
  4. Select the Access Rights tab.
  5. Define the new Patch and Remediation access rights.

    Dashboard Access Rights
    • View PR Widgets: Access to select and view the Patch and Remediation Dashboard widgets.

    Vulnerabilities/Patch Content Access Rights
    • View Content: Access the vulnerability and other content data.
    • Manage Content: Enable and disable vulnerabilities and other content.
    • Export Content: Export vulnerability and other content data list.
    • View Content Details: Access the detailed information for vulnerabilities and other content.

    Endpoint Access Rights
    • View PR Tab: Access the Patch and Remediation tab.
    • Manage PR Tab: Install, uninstall, enable, and disable the Patch and Remediation module.
    • Export PR Tab: Export the Patch and Remediation tab endpoint list.
    • Scan Now Discover Applicable Updates: Scan endpoints using the DAU Scan Now Dropdown button.
    • Reboot Endpoints: Reboot endpoints using the Reboot Now button.

    Inventory Access Rights
    • View Inventory: View the endpoint inventory.
    • Export Inventory: Export the endpoint inventory list.

    Deployments and Tasks Access Rights
    • Create Deployments: Ability to create new deployments.
    • View My Deployments and Tasks: Access the deployments and tasks that this user has created.
    • View All Deployments: Access the deployments that all users have created.
    • Manage Deployments and Tasks: Deploy, enable, disable, abort, and delete deployments and tasks that the user has access to.
    • Export Deployments and Tasks: Export the deployments and tasks in the list that this user has access to.

    Packages Access Rights
    • View Packages: Access the package data.
    • Manage Packages: Create, edit, and delete packages.
    • Export Packages: Export the package data list.
    • Cache Packages: Ability to download packages from the Global Subscription Service onto the Ivanti Endpoint Security server.

    Email Notifications Access Rights
    • Manage PR Email Notifications: Create and edit Patch and Remediation notifications.

  6. Click OK.