Ring Deployments

Ring deployment is a strategic method used to roll out updates or patches in a controlled and phased manner. The patch rollout is sequential: a patch is first deployed on selected internal test devices. Depending on the success percentage, the patch is then rolled out to additional rings until it is fully deployed on target devices. This approach minimizes risks by identifying and addressing patch issues before deploying to a broad number of production endpoints. You can pause or roll back the patches at any stage if a problem is detected.

This method ensures higher quality, improved user experiences, and reliability of updates while proactively reducing the chances of widespread disruptions.

Patch configuration under routine maintenance can be enabled for ring deployment, including options for manual and automated promotion along with the ability to continuously track the progress of a rollout.

This topic describes how to assign devices to rings and how to track the progress of a rollout. For information about enabling ring deployments for a patch configuration, see Configuration Behavior.


The Ring Deployments page is accessed from the main menu by selecting Patch Management > Ring Deployments. The page includes a table of ring deployments that shows the associated patch configuration, its version, the number of rings, when it was last updated, and its current status. The ring deployments in the table can be filtered based on the number of rings, last updated date, and current status. The following list provides a description for the current status displayed:

Not Configured: The patch configuration is created without an associated ring deployment configuration.

Running: A ring deployment configuration is in the Scheduled or Running state. Both states signify that the ring deployment configuration is active.

Paused: A patch promotion for the rollout linked to the ring deployment configuration is paused.

Archived: The patch configuration associated with the ring deployment configuration is archived following the required actions or steps.

Deleted: The patch configuration associated with the ring deployment configuration is deleted.

At the top of the table are buttons that enable you to Pause automatic promotions and Resume automatic promotions for selected rollouts.

Viewing and configuring the rings

To configure the devices in each ring and to monitor the deployment of patches in a rollout, navigate to Patch Management > Ring Deployments and click the required name in the Configuration column. The deployment page for the ring appears. To return to the main page, click Close. The deployment page for the ring has the following sections.

Rollout

The Rollout drop-down menu at the top of the page lets you select the ring deployment execution instance whose status you want to view and on which you want to perform administration actions. Rollouts are identified by their defined windows of execution. Make sure you select the appropriate rollout, because multiple rollouts may be active at any given time. For each rollout, status information is also displayed, indicating one of the following:

  • Aborted: When a user modifies the schedule of an active Patch Configuration, the adjustment is propagated to the patch engine through the agent, potentially disrupting the consistency of the ongoing (running) rollout.
  • Completed: When one of the following actions takes place:
    • When the rollout has gone through successive rings and reached an endpoint.
    • Manual Pause and Resume: If the user pauses the patch promotion manually and resumes it within a few days, the rollout picks up where it left off and continues to completion within the target timeline.
    • Indefinite Pause with Time Limit Reached: If the user pauses the rollout indefinitely and the target completion time expires, the system automatically transitions the rollout to a "completed" state, reflecting that the rollout is no longer active despite the pause.
  • Paused: When a user pauses the patch promotion manually. This status applies to both manual and automated promotion.
  • Running: When the rollout is in progress, it continues through successive rings until the target completion days are reached.
  • Scheduled: When the rollout is scheduled to kick off at the specified local time on the configured day of the month, accounting for any delays.
  • Ring Deployment Disabled: When a user creates the patch configuration but the ring deployment configuration is disabled.

If a ring deployment is paused indefinitely:

  • Rollouts that have already completed transition from a paused state to a completed state.
  • Rollouts that were scheduled to begin shift to a paused state instead of a running state.
  • Newly scheduled rollouts are incorporated into the ring deployment as usual.

Device Groups

At the top of the page, the Device Groups field lets you include specific device groups in the page view or omit them from it. Once applied, charts and tables are filtered to align with the selection criteria.

Click the Device groups bar and, in the panel, select the Use this selection across all Neurons Patch Management option to apply the same set of device groups across Neurons Patch Management. Once applied, the Device groups bar displays and lists the number of selected groups. You can toggle the filtered device groups off by clicking the icon directly, which changes its appearance.

The Device groups bar displays when you select device groups from the list to filter the page view. Click on Device groups to clear the device group filter locally.

For information about managing device groups, see Devices.

Ring assignments

At the top of the page, clicking Ring assignments opens a page where you can allocate device groups to the Ring Configuration. To enable or disable the dynamic assignment of device groups to rings, toggle Device group allocation.

By adding a device group to a target ring, all devices within that group are immediately added to that ring. Any future devices added to that device group will be automatically added to the associated ring. However, removing a device from a device group will NOT automatically remove it from the assigned ring.

To add one or more device groups to a ring, choose them in the table and use Move device groups to identify the appropriate ring. Select Clear ring allocation to remove device groups from a ring allocation. Click Apply to activate device group allocations.

When device group allocation is activated, any devices not assigned to a device group are automatically assigned to the final ring in the sequence (for example, to the Production ring). If a device is a member of multiple groups, the device is assigned to the associated ring furthest in the sequence. For example, if a device belongs to a patch group assigned to the test ring and a patch group assigned to the production ring, the device is added to the production ring.

If dynamic ring assignment is enabled, the following rules apply:

  • Manually assigned devices do not change based on the defined device group rules. However, you can manually assign the devices to the device groups.
  • If a device is not part of any device group, the system assigns the device to the Production ring.
  • If a device matches multiple device groups, the system assigns the device to the furthest ring among those device groups.
  • If a device belongs to only one device group, the system assigns the device to the ring specified by that device group.

If dynamic ring assignment is disabled and the devices are added to the patch configuration, the system assigns the devices to the Production ring by default.

Ring Deployment analytics

Tiles at the top of the Ring Configuration page display the number of devices currently assigned and the percentage of devices allocated to each ring. It is recommended that 1% of devices be maintained in the Test ring, 9% in the Early Adopter ring, and 90% in the Production ring. These tiles assist with appropriately balancing ring device allocations.
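The assignment rules under Ring assignments and the per-ring percentages shown in these tiles can be reproduced offline to check a planned group layout before applying it. The following is an added example, not Ivanti code: the function names, the device and group names, and the 1-point drift tolerance are assumptions, and a group with no ring allocation is treated as if the device had no group.

```python
from collections import Counter

# Ring order as named on this page; Production is the final ring.
RINGS = ["Test", "Early Adopter", "Production"]
RECOMMENDED = {"Test": 1.0, "Early Adopter": 9.0, "Production": 90.0}


def resolve_ring(device_groups, group_to_ring, manual_ring=None, dynamic=True):
    """Return the ring a device lands in under the rules described above."""
    if manual_ring is not None:      # manual assignment is not changed by group rules
        return manual_ring
    if not dynamic:                  # dynamic assignment off: Production by default
        return RINGS[-1]
    rings = [group_to_ring[g] for g in device_groups if g in group_to_ring]
    if not rings:                    # no allocated group: final ring
        return RINGS[-1]
    return max(rings, key=RINGS.index)   # several groups: furthest ring wins


def ring_shares(devices, group_to_ring, dynamic=True):
    """Percentage of devices per ring, comparable to the analytics tiles."""
    counts = Counter(
        resolve_ring(d["groups"], group_to_ring, d.get("manual"), dynamic)
        for d in devices
    )
    return {r: round(100.0 * counts[r] / len(devices), 1) for r in RINGS}


def allocation_drift(shares, tolerance=1.0):
    """Rings whose share differs from the recommended split by more than tolerance points."""
    return {r: round(shares[r] - RECOMMENDED[r], 1)
            for r in RINGS if abs(shares[r] - RECOMMENDED[r]) > tolerance}


# Constructed sample inventory (hypothetical group and device names).
GROUP_TO_RING = {"it-lab": "Test", "pilot-users": "Early Adopter", "finance": "Production"}
DEVICES = (
    [{"name": "lab-01", "groups": ["it-lab"]},
     {"name": "lab-02", "groups": ["it-lab", "finance"]},   # resolves to Production
     {"name": "exec-01", "groups": [], "manual": "Production"}]
    + [{"name": f"pilot-{i:02d}", "groups": ["pilot-users"]} for i in range(9)]
    + [{"name": f"ws-{i:03d}", "groups": []} for i in range(88)]
)

if __name__ == "__main__":
    shares = ring_shares(DEVICES, GROUP_TO_RING)
    print(shares, allocation_drift(shares))
```

Note how lab-02 leaves the Test ring because it also belongs to a Production group, which is the usual reason a Test ring ends up smaller than planned.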

Configuration summary

The Configuration summary section provides information about each of the rings in the rollout, including the Success rate, Soak time, Delay time, projected start and end date/time, and whether the Promote content is Automatic or Manual for each ring. The date and time reflect the local time of the endpoints.

For the rollout, the summary includes Deployed By and Patch configuration details.

Survey summary

The Survey summary section provides information about each of the rings in the rollout, including the User surveys enabled, Promote on results, Survey name, Survey responses, Min response, and Sentiment threshold for each ring.

Ring Filters

The filters let you display only the devices or patches in the Test, Early Adopter, or Production rings, or display All rings applicable for the rollout. The selected filters are displayed in the filter bar. You can clear the filters as required.

The Patch state and Device state toggle enables you to see the current state of the rollout from the perspective of either the patches being rolled out or the devices that the patches are being rolled out to.

By default, the table is displayed with the All rings filter in Device state.

Switching between Patch state and Device state

Switching between Patch state and Device state also switches the table at the bottom of the page between showing information about each patch and showing information about each device.

Device State

The table displays the list of devices the rollout applies to. Use Search to find devices in the list. Use the column chooser to display the required columns in the table. The column chooser lets you include various columns for Device, Ring, and User Survey details for the devices listed in the table.

Use the Clear assignment method to remove manual ring assignments from devices. If dynamic ring assignment is disabled, the devices remain in the current ring. If dynamic ring assignment is enabled, the system automatically reassigns the devices based on the defined device group rules. For more information, see Ring assignments.

You can select the devices and use Survey Users to include or remove the devices from the user survey.

The list of devices is determined by the scopes assigned to members by administrators. For more information on scope assignment, see Access Control: Scopes.

After a device is patch scanned during a ring rollout, the system continues to display its existing ring status in the Device state view. This happens because the system displays the status associated with the current rollout-ring pair. The backend honors the updated ring status, but the table does not display it immediately. To reflect the new ring status in the device view, perform a scan or deployment on the device after reassignment. The column displays the assignment status as long as the target ring rollout is not complete.

In all cases of patch ring reassignment, the device is immediately considered as part of the newly assigned ring. The device participates in all subsequent patch deployment operations on the endpoint by the Ivanti Neurons Patch Engine. Reassigning devices in the Test or Early Adopter ring affects the automatic patch promotion process under the following conditions:

  • Device ring is changed before the automatic promotion: The system excludes the device results from the original ring promotion and includes the results in the new ring promotion process.
  • Device ring is changed after the automatic promotion: The system does not revise any previous promotion results even if excluding the device would have changed the outcome. If the new ring has not completed its promotion, the system may count the device results twice.

The device state table can be filtered based on the current ring of the device, deployment start timeline, and current device status. The following list describes each status displayed:

  • Not Started: Devices that have not displayed any patching activity according to the patch configuration for the associated ring and rollout.
  • Assessed: Devices that have initiated the staging of patches (prior to deployment) as per the patch configuration for the associated ring and rollout.
  • Up to date: Devices that have begun deploying patches based on the patch configuration for the associated ring and rollout.
  • Failed: Devices that were unsuccessful in deploying patches as per the patch configuration for the associated ring and rollout.
  • Success: Devices that successfully completed the deployment of patches in line with the patch configuration for the associated ring and rollout.

Patch State

The Patch state table enables you to view the progress of a rollout. The table lists all the patches with details such as the current ring of the patch, platform, success rate, and current patch status.

You can choose to promote specific patches to the next ring by selecting the check box alongside them, then clicking Promote. For more information about a patch, click its entry in the Patch name column to open the corresponding patch page in Patch Intelligence. Click the value in the CVE count column to open the patch page in Patch Intelligence with the CVE tab displayed.
For more information about Patch Intelligence, see Patch Intelligence.

Use the column chooser to display the required columns in the table. The column chooser lets you include various columns for Summary, Threat & Risk, and User Survey details for the patches listed in the table.

Use the Success rate filter to display All patches, patches over the ring success rate (patches exceeding the set success rate), or patches under the ring success rate (patches below the set success rate) for the rollout.

The following list provides the status displayed for the rollout:

  • To be assessed
  • Promoted out of previous ring
  • Not Promoted out of previous ring
  • Not seen in previous ring
  • Soaking
  • Promotion Waiting
  • Promoted Manually
  • Promoted
  • Not promoted
  • Demoted
  • In deployment

Switching devices between rings

When you create a set of rings, the rings will be empty. You can allocate the devices in your IT estate to three separate rings:

  • Test Ring
  • Early Adopter Ring
  • Production

You can choose to merge the Early Adopter Ring and Production into a single ring as part of the patch configuration.

When you add a new ring, the ring will be empty. When you allocate the devices for the first time, by default the devices are in the Production ring. Manually select devices to switch to other rings.

Typically, you can add 1% of your devices to the Test Ring, 9% to the Early Adopter Ring, and the remaining 90% to the Production ring. If new devices are discovered, they are added to the Production ring.

Ivanti recommends that business-critical devices and devices allocated to senior members of the organization are added to the Production ring. Devices in the Test Ring should be limited to test devices and devices allocated to people who know that they have devices in the Test Ring and who are comfortable being involved in this stage of a rollout.

If you choose Automatic under Promote content on the patch configuration (see Ring deployment), only patches that meet the Success threshold (%) at the end of the Soak time specified in the patch configuration will be automatically promoted to the next ring. For this reason, make sure that each ring contains sufficient devices running each of the applications that you want to patch so that patches for each of these applications can be appropriately tested by the rollout. If a ring has no devices with an application that you want to patch installed, then that patch cannot meet the Success threshold (%), and so cannot be automatically promoted to the next ring. You can, however, manually promote any patch to the next ring.
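The coverage requirement above can be checked against an inventory export before a rollout starts. The following is an added example, not Ivanti code: the inventory format, application names and function names are hypothetical, and the success-rate formula (successful devices divided by devices that reported a result) and the mapping to status names are assumptions about how the threshold is evaluated.

```python
def coverage_gaps(devices, applications, rings=("Test", "Early Adopter")):
    """Map each pre-production ring to the applications no device in it runs."""
    gaps = {}
    for ring in rings:
        installed = set()
        for device in devices:
            if device["ring"] == ring:
                installed.update(device["apps"])
        missing = sorted(set(applications) - installed)
        if missing:
            gaps[ring] = missing
    return gaps


def promotion_decision(results, threshold_pct, soak_elapsed):
    """Decide automatic promotion for one patch in one ring.

    results: "Success"/"Failed" outcomes from the devices in the ring.
    Assumption: success rate = successes / devices that reported a result.
    """
    if not soak_elapsed:            # evaluated only at the end of the Soak time
        return "Soaking"
    if not results:                 # no device in the ring has the application
        return "Not promoted"
    rate = 100.0 * results.count("Success") / len(results)
    return "Promoted" if rate >= threshold_pct else "Not promoted"


# Constructed sample inventory (hypothetical devices and applications).
APPLICATIONS = ["Browser A", "PDF Reader B", "Archiver C"]
INVENTORY = [
    {"name": "lab-01", "ring": "Test", "apps": {"Browser A", "PDF Reader B"}},
    {"name": "pilot-01", "ring": "Early Adopter", "apps": {"Browser A"}},
    {"name": "pilot-02", "ring": "Early Adopter", "apps": {"Browser A", "Archiver C"}},
    {"name": "ws-001", "ring": "Production",
     "apps": {"Browser A", "PDF Reader B", "Archiver C"}},
]

if __name__ == "__main__":
    # Patches for the listed applications would need manual promotion.
    print(coverage_gaps(INVENTORY, APPLICATIONS))
    print(promotion_decision(["Success", "Success", "Failed"], 60, True))
```

Any application reported as a gap in a ring needs either a device added to that ring or a manual promotion of its patches.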

To move devices between rings:

  1. On the Ring deployments page, click the name of the ring deployment you want to update.
    The appropriate ring deployment page appears.
  2. Above the ring charts, select Device state.
    The page updates to display devices rather than patches. Under the charts, the table lists all known devices in your system and displays information that includes the Ring that each device is allocated to.
  3. Using the filter (filter icon) and sort (sort icon) controls at the top of the columns on the table and the Search field, find the devices that you want to move to a different ring.
  4. Select the check box alongside the required devices, then above the table click Test, Early Adopter, or Production as required.
    The devices are moved to the chosen ring.