Patch Management Process
DSM Patch Management with DSM Advanced Patch Management or DSM PatchLink supports patching for Windows and Linux clients.
Windows clients
With Windows clients, DSM (more precisely: the respective BLS) downloads the required patch catalogs from the appropriate provider. The patch catalogs are needed to determine existing security vulnerabilities on the clients.
If the system detects any vulnerabilities, it downloads the deployment scripts and the mass data of the required patches from the provider. Then, the system packages the patches and assigns them to the clients according to the rollout rules. The DSM Installer installs the patch packages on the clients.
This image shows the schematic flow diagram:
Linux clients
With Linux clients, DSM (more precisely: the respective BLS) downloads the required patch catalogs from the appropriate provider. The patch catalogs are needed to determine existing security vulnerabilities on the clients.
If the system detects any vulnerabilities, it downloads the deployment scripts of the required patches from the provider.
Then, the system packages the patches and assigns them to the clients according to the rollout rules. The DSM Installer installs the patch packages on the clients. The Linux client downloads the mass data of the patch from the Linux network.
What's New?
PatchLink provides experimental support for CentOS 7 and Red Hat 6.
Select the operating systems and languages manually: With DSM 2016.2, the user can select the operating systems for creating the update catalogs. This speeds up the import of the catalogs and the scan process. The following options can also be included in the update catalog:
•Microsoft products
•Embedded platforms
•Tools
•Third-party products
•Linux
You can also select the operating system languages manually.
The option for letting the system select the operating system automatically is still available.
Patches and catalogs that do not match the current operating system selection are not deleted.
PatchLink distribution targets for patch templates: With DSM 2016.2, the Distribution Setup... option allows you to define the distribution setup for PatchLink patch templates. When a patch is downloaded, the distribution setup (JDF) from the template is applied to the patch.
This only affects newly downloaded patches; patches that have already been downloaded are not migrated.
Variable: Maximum allowed number of automatic patch reinstallations: This variable defines the maximum allowed automatic reinstallation count for each patch revision. The PatchLink Patch Management Configuration Wizard specifies 3 as the default value. You can customize this value if required.
This variable implements a workaround which prevents looping patch installations.
The registry DWORD value MaxAutoReinstalls in DSM 2016.1 is no longer used.
DSM Patch Management with DSM PatchLink also supports patching computers with Red Hat or SUSE operating systems (currently Red Hat 7 and SUSE 12).
In general, Patch Management on Linux-based computers is the same as on Windows-based computers. However, some requirements and characteristics are different.
Note the following differences between Windows and Linux computers in DSM PatchLink:
•Windows: The Patch Management for Windows computers is based on Ivanti DSM. There are no additional system requirements.
  •Windows computers get their patch catalogs, installation scripts and mass data from the DSM depot.
  •The PM Execution Packages are in charge of controlling the scan for security vulnerabilities and the installation of the patch packages (Scan and Install).
  •DSM PatchLink uses separate patch catalogs for each Windows operating system.
  •Catalogs are assigned via software policies.
•Linux: DSM Patch Management for Linux computers is based on Ivanti DSM including Linux support. It is absolutely necessary to install and configure a Client Proxy.
  •Linux computers receive the mass data of the patches directly from the Linux network (you need a license to connect to the Linux network). You can either connect directly to the Linux network or use a local Red Hat Satellite or the SUSE Manager to set up the connection.
  •Same as with Windows computers, the DSM environment provides the patch catalogs and the required scripts for installing the patches.
  •Only the scan for security vulnerabilities is controlled by PM Execution Packages (Scan).
  •Patch Management for Linux uses separate patch catalogs depending on the different properties of the Linux computer. For this reason there are a lot more patch catalogs than for Windows computers.
  •The different properties are:
    •Manufacturer
    •Major version
    •Minor version (SUSE only)
    •Type of operating system (server or desktop)
    •CPU architecture (32-bit or 64-bit)
  •Catalogs are assigned via software policies.
  •Supported products: Supports all patches the respective Linux network provides.
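The five properties in the list above can be read from a Linux host's os-release data and machine architecture, which helps when checking that a computer was matched to the expected catalog. The following is an added example, not DSM or PatchLink code: the function names, the tuple layout, the "0" used for a missing SUSE minor version and the treatment of non-server Red Hat variants as desktop are assumptions, and the sample inputs are constructed.

```python
import platform
from typing import NamedTuple, Optional

# Constructed sample inputs (not taken from real hosts).
SAMPLE_SLES = 'NAME="SLES"\nVERSION="12-SP3"\nVERSION_ID="12.3"\nID="sles"\n'
SAMPLE_RHEL = 'NAME="Red Hat Enterprise Linux Server"\nVERSION_ID="7.9"\nID="rhel"\nVARIANT_ID="server"\n'

VENDORS = {"rhel": "Red Hat", "sles": "SUSE", "sled": "SUSE"}
BITS_64 = {"x86_64", "aarch64", "ppc64le", "s390x"}

class CatalogProperties(NamedTuple):
    manufacturer: str
    major: str
    minor: Optional[str]  # SUSE only, as in the list above
    os_type: str          # "server" or "desktop"
    cpu: str              # "32-bit" or "64-bit"

def parse_os_release(text: str) -> dict:
    """Parse os-release KEY=value lines, dropping comments and quotes."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip().strip("\"'")
    return fields

def catalog_properties(os_release: str, machine: str) -> CatalogProperties:
    f = parse_os_release(os_release)
    os_id = f.get("ID", "").lower()
    if os_id not in VENDORS:
        raise ValueError(f"unsupported distribution ID: {os_id!r}")
    major, _, minor = f.get("VERSION_ID", "").partition(".")
    if not major.isdigit():
        raise ValueError("VERSION_ID missing or malformed")
    suse = VENDORS[os_id] == "SUSE"
    if suse:
        os_type = "server" if os_id == "sles" else "desktop"
    else:
        # Assumption: any Red Hat variant other than "server" counts as desktop.
        os_type = "server" if f.get("VARIANT_ID", "").lower() == "server" else "desktop"
    return CatalogProperties(
        VENDORS[os_id], major,
        (minor or "0") if suse else None,  # assumption: no service pack -> "0"
        os_type, "64-bit" if machine in BITS_64 else "32-bit")

if __name__ == "__main__":
    with open("/etc/os-release", encoding="utf-8") as fh:
        print(catalog_properties(fh.read(), platform.machine()))
```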