Configuring Linux, UNIX, and Mac Endpoints
You can use Ivanti Endpoint Security to deploy patch content to commonly used Linux, UNIX, and Mac endpoints.
This section includes information on how to:
- Get started setting up a local repository to support Linux and UNIX endpoints, if necessary.
- Configure your Linux and Unix endpoints for patching.
- Use commands for the Patch Agent on Linux, Unix, and Mac endpoints.
Configuring Your Enterprise for Linux and Unix Patching
There are two ways to configure Linux and Unix endpoints for patching: configuring your server, or configuring your individual endpoints. Depending on the platforms you are supporting in your enterprise, you may need to configure your server, configure your individual endpoints, or both.
- If you support any platforms listed in Server Configuration to Support Linux and Unix Platforms, complete Configuring Your Server for Linux/Unix Patching. This workflow takes you through each procedure needed to:
  - Register your server with your Linux or Unix vendor.
  - Configure your server to function as a local repository.
- If you support any platforms listed in Endpoint Configuration to Support Linux and Unix Platforms, complete Configuring Your Linux/Unix Endpoints for Patching to register the endpoints with their vendors and point them toward the main vendor repository. You must complete this procedure for each individual endpoint running on these platforms.
Attention: If you are supporting any of the platforms listed in Endpoint Configuration to Support Linux and Unix Platforms, you should consider creating a dedicated local repository to host patch content (if you don't have one already). Newer Linux and Unix platforms cannot use the Ivanti Endpoint Security Server as a local repository due to vendor endpoint registration requirements. Creating a dedicated repository can substantially shorten deployment times and reduce bandwidth consumption. If you want to use a local repository, follow the vendor documentation referenced in Using Ivanti Endpoint Security with Local Repositories instead of completing Configuring Your Linux/Unix Endpoints for Patching.
- If you support platforms listed in both of the sections below, complete both Configuring Your Server for Linux/Unix Patching and Configuring Your Linux/Unix Endpoints for Patching.
- If you support Ubuntu 14.04 LTS or 16.04 LTS, neither server nor endpoint configuration is required. Simply install the Patch Agent for Linux, UNIX, and Mac. For more information, see Ivanti Endpoint Security: Agent Installation Guide.
Server Configuration to Support Linux and Unix Platforms
If you support any of the following operating systems, you must configure your Ivanti Endpoint Security Server to function as a local repository.
- CentOS 5.5-6.x
- Novell SUSE Linux 10.x-11.x
- Oracle Enterprise Linux 5.5-6.x
- Oracle Solaris 10 Update 9
- SUSE Linux Enterprise 10 SP2-12
Endpoint Configuration to Support Linux and Unix Platforms
If you support any of the following operating systems, you must register each individual Linux or Unix endpoint with its vendor, and then point it toward a repository available either over the Internet or locally.
- CentOS Linux 7.x
CentOS Linux 5.5-7.x is a bit of an exception here. You do not have to register it with CentOS before it will work with Ivanti Endpoint Security. Skip Configuring Your Linux/Unix Endpoints for Patching for CentOS Linux 5.5-7.x endpoints.
- IBM AIX 6.1-7.1
- Oracle Enterprise Linux 7.x
- Oracle Solaris 11.x
- Red Hat Enterprise Linux 5.5-7.x
Endpoint Configuration to Support Mac Platforms
Configuring Mac endpoints for Patch and Remediation is easy to do. All you need to do is install the agent. After that, the agent takes care of the rest. For more information on agent install, see Ivanti Endpoint Security: Agent Installation Guide.
Configuring Your Server for Linux/Unix Patching
If you are patching older versions of Linux and Unix, you must subscribe to vendor content and then configure your Ivanti Endpoint Security Server to function as a local repository. Afterwards, install agents and deploy content to your endpoints.
Perform this procedure on your Ivanti Endpoint Security Server if you are supporting any of the platforms listed in Server Configuration to Support Linux and Unix Platforms.
- Subscribe to the Linux or Unix vendor subscription network for each platform you're supporting in your enterprise.
  - My Oracle Support for Solaris
  - Oracle Unbreakable Linux Network
  - Novell Customer Center
  - HP IT Resource Center
You don't need a subscription for CentOS. It's free.
- Notify Ivanti that you have a Linux or Unix subscription, and that you want to use Ivanti Endpoint Security to deploy patch content to these platforms. We will update your licensing so that you can access patch content for your platforms.
- Updating Ivanti Endpoint Security System Files and Content
This action downloads new license information and the Content Credentials Manager, a utility you'll use in the next step.
- From the Ivanti Endpoint Security Server, use Content Credentials Manager to subscribe to a vendor subscription network. Enter credentials for each subscription you have.
Use this command-line utility to enter your vendor subscription credentials in the Ivanti Endpoint Security Server. Once you enter your credentials, Ivanti Endpoint Security uses them to connect to your vendor subscription network and download patch content. Instructions for using Content Credentials Manager on each supported platform are included. Note that the instructions for CentOS are a little different; since that OS doesn't require a subscription, it uses a different utility to simply enter the address information for a content mirror.
- Updating Ivanti Endpoint Security System Files and Content
Now that you have registered with your Linux/Unix vendors, complete a replication to download new patch content definitions.
- Install the Patch Agent on your Linux and Unix endpoints.
Instructions for installing the Patch Agent are available in the Ivanti Endpoint Security: Agent Installation Guide.
- Using the Deployment Wizard
This process is similar to deploying Windows patch content using the Deployment Wizard. The one discernible difference is setting content flags, a method used to set deployment behavior for a patch. Rather than using the regular options, you'll need to edit a text box to set deployment behavior.
Configuring Your Linux/Unix Endpoints for Patching
If you are working with newer Linux or Unix platforms, you must register your individual endpoints with the vendor before you can begin patching them. This registration is required because Linux/Unix vendors require entitlements on individual endpoints before they are eligible for content from the vendor's repository.
Attention: If you are supporting any of the platforms listed in Endpoint Configuration to Support Linux and Unix Platforms, you should consider creating a dedicated local repository to host patch content (if you don't have one already). Newer Linux and Unix platforms cannot use the Ivanti Endpoint Security Server as a local repository due to vendor endpoint registration requirements. Creating a dedicated repository can substantially shorten deployment times and reduce bandwidth consumption. If you want to use a local repository, follow the vendor documentation referenced in Using Ivanti Endpoint Security with Local Repositories instead of completing Configuring Your Linux/Unix Endpoints for Patching.
Perform this procedure on all newer versions of Linux/Unix endpoints you are supporting (see Endpoint Configuration to Support Linux and Unix Platforms).
CentOS Linux 5.5-7.x is a bit of an exception here. You do not have to register it with CentOS before it will work with Ivanti Endpoint Security. Skip this procedure for CentOS Linux 5.5-7.x endpoints.
- Subscribe to the Linux or Unix vendor subscription network for each platform you're supporting in your enterprise.
- Notify Ivanti that you have a Linux or Unix subscription, and that you want to use Ivanti Endpoint Security to deploy patch content to these platforms. We can update your licensing so that you can access this content.
- Updating Ivanti Endpoint Security System Files and Content
This action downloads your newly available patch content licensing.
- Register your endpoints with your vendors and install entitlements on the endpoint.
This process varies for each Linux/Unix platform. The following links provide step-by-step instructions on how to complete this process for each supported platform.
- Updating Ivanti Endpoint Security System Files and Content
Now that you have registered with your Linux or Unix vendor, complete a replication to download new patch content definitions.
- Install the Patch Agent on your Linux and Unix endpoints.
Instructions for installing the Patch Agent are available in the Ivanti Endpoint Security: Agent Installation Guide.
- Using the Deployment Wizard
This process is similar to deploying Windows patch content using the Deployment Wizard. The one discernible difference is setting content flags, a method used to set deployment behavior for a patch. Rather than using the regular options, you'll need to edit a text box to set deployment behavior.
If you have completed this workflow, you are likely using the default vendor repositories available on the Internet. When deploying patch content from a default repository to Red Hat Enterprise Linux 5.5-7.x, Oracle Enterprise Linux 5.5-7.x, SUSE Linux Enterprise 10 SP2-12, or CentOS Linux 5.5-7.x, deployments can exceed scheduled maintenance due to endpoints caching content from a remote location. To reduce the likelihood of deployments that exceed maintenance schedules, Ivanti recommends splitting your deployment into two smaller deployments using two new flags. These flags are only available for Red Hat Enterprise Linux 5.5-7.x, Oracle Enterprise Linux 5.5-7.x, SUSE Linux Enterprise 10 SP2-12, and CentOS Linux 5.5-7.x:
- Complete the first deployment using the -CACHEPACKAGES flag. This flag instructs endpoints to cache the patch content you've selected, but not install it.
- Complete the second deployment using the -INSTALLFROMCACHE flag. This flag instructs endpoints to install the patch content cached during the previous deployment.
Using Ivanti Endpoint Security with Local Repositories
If you are an Ivanti Endpoint Security administrator managing newer Linux platforms, creating a local repository and then pointing your endpoints toward it can substantially reduce deployment times.
When working with older releases of Linux and Unix, your Ivanti Endpoint Security Server functions as a local repository, which speeds deployment time by caching packages to your server.
If you only work with older releases of Linux and Unix, don't read on any further; this doesn't apply to you. Refer to Configuring Your Server for Linux/Unix Patching.
However, if you are working with newer releases of Linux and Unix, you can substantially reduce deployment times by setting up a dedicated local repository, which is an on-premise mirror of the vendor repository. Because newer Linux and Unix platforms require each individual endpoint to register with the vendor, you cannot use your Ivanti Endpoint Security Server as a local repository. By setting up a dedicated local repository, you can maintain the deployment speeds while still conforming to Linux/Unix endpoint registration requirements.
If you want to set up a local repository, complete the following workflow. If you elect to use a local repository, skip completion of Configuring Your Enterprise for Linux and Unix Patching; the vendor documentation includes this information.
To use local repositories in conjunction with Ivanti Endpoint Security:
- Set up a local repository for your vendor's patch content. Ivanti recommends following the vendor-provided documentation. This documentation includes information on how to set up local repositories and point your endpoints toward them.
- How to set up a satellite server
- How to configure your endpoints (which Red Hat refers to as hosts) to point toward the satellite server.
- How to set up an Unbreakable Linux Network Mirror.
- How to configure endpoints (which Oracle refers to as clients) to point toward the mirror.
- How to set up a local SUSE Linux update server.
- How to configure endpoints (which SUSE refers to as clients) to point toward the server.
- Configure your endpoints to point toward your local repository. Refer to the vendor documentation above.
- Install the Patch Agent on your Linux and Unix endpoints.
Instructions for installing the Patch Agent are available in the Ivanti Endpoint Security: Agent Installation Guide.
- Using the Deployment Wizard
This process is similar to deploying Windows patch content using the Deployment Wizard. The one discernible difference is setting content flags, a method used to set deployment behavior for a patch. Rather than using the regular options, you'll need to edit a text box to set deployment behavior.
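Before deploying, it is worth confirming that an endpoint really is pointed at the local repository. The following check is an added example, not part of the Ivanti or vendor documentation: it assumes yum-style `.repo` files (as used on Red Hat Enterprise Linux, Oracle Linux, and CentOS), and the hostnames, sample file contents, and the `audit_repos` function name are all constructed for illustration.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample of a yum-style .repo file; all hostnames are hypothetical.
SAMPLE_REPO = """\
[local-os]
baseurl=https://mirror.corp.example/rhel7/os/$basearch
enabled=1
gpgcheck=1

[vendor-updates]
mirrorlist=https://mirrors.vendor.example/?release=$releasever&repo=updates
enabled=1

[local-extras]
baseurl=https://mirror.corp.example/rhel7/extras/$basearch
        http://backup.vendor.example/extras/
gpgcheck=0

[old-repo]
baseurl=http://archive.vendor.example/old/
enabled=0
"""

def audit_repos(text, local_hosts):
    """Return {repo_id: [findings]} for the enabled repos in .repo text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    report = {}
    for repo in cp.sections():
        sec = cp[repo]
        if sec.get("enabled", "1").strip() == "0":
            continue  # disabled repositories are never contacted
        findings = []
        for url in sec.get("baseurl", "").split():  # one URL per line
            host = urlsplit(url).hostname
            if host not in local_hosts:
                findings.append(f"baseurl host {host} is not the local repository")
        for key in ("mirrorlist", "metalink"):
            if key in sec:
                findings.append(f"{key} set: mirrors come from a remote list")
        if sec.get("gpgcheck", "").strip() == "0":
            findings.append("gpgcheck=0: package signatures are not verified")
        if findings:
            report[repo] = findings
    return report

if __name__ == "__main__":
    print(audit_repos(SAMPLE_REPO, {"mirror.corp.example"}))
```

On a real endpoint, pass the contents of each file under `/etc/yum.repos.d/` and the hostname of your own repository; an empty result means every enabled repository resolves to the local mirror.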
Red Hat Satellite 6.0 Documentation:
You can set up a local repository for RHEL 7.x using Red Hat Satellite 6.0. Red Hat refers to local repositories as satellite servers.
This documentation includes info on:
How to create a local Unbreakable Linux Network mirror:
You can set up a local repository for Oracle Linux 7.x. Oracle Linux refers to local repositories as Unbreakable Linux Network Mirrors.
This documentation includes info on:
How to Create a Local Package Repository for Solaris 11:
You can set up a local repository for Oracle Solaris 11.x. If you use this documentation, skip over the content for Oracle Linux 6. It isn't relevant.
YaST: Setting up a local SUSE Linux update Server:
You can set up a local repository for SUSE Linux Enterprise 12.x. SUSE refers to local repositories as local SUSE Linux update servers.
This documentation includes info on: