Before using Patch Automation
Patch Automation requires some initial configuration before it can work effectively. Note that changes to deployed agent settings will take effect on managed devices the next time they do a vulnerability scan.
For more information on this tool, see Patch Automation.
The Patch Automation tool provides a streamlined definition and patch download configuration interface. It has a subset of the full set of options available in the Security and Patch tool's Download updates dialog box. Changes you make here in Patch Automation are also made in the Security and Patch tool.
You should first configure what you want to download and then make the download a recurring task so Patch Automation can regularly scan for the most recent vulnerabilities. In each campaign, you can customize which detected vulnerabilities will be patched.
To configure what to download
- In Tools > Security and Compliance > Patch Automation, click the Configuration toolbar button.
- On the Definitions page, select the operating systems and languages you want to scan for vulnerabilities.
To schedule a recurring download
- Click the Schedule Download button at the bottom of the dialog box.
- Select Schedule for later and click Download.
- Enter a task name and verify the download options. All downloaded definitions will automatically be put in the "Scan (global)" group and patches for detected definitions will be downloaded. Click OK.
- The Schedule task dialog box will open. Select Schedule task on the left.
- Select Start later, pick a Date and Time, and select Repeat every with a value of 1 or more days.
- Click Save.
By scanning for vulnerabilities every day, you can easily monitor the progress of your patch campaign each month. This also helps you fine-tune the patches you want deployed for the current month's campaign.
To select the vulnerability types that will be scanned
- In Tools > Configuration > Agent settings, open your Distribution and Patch setting.
- Click Patch-only settings > Scan options. Select these options at a minimum under Type: Vulnerabilities, Ivanti updates, and Custom definitions. These are the default options.
We recommend also selecting these types: Spyware, Security threats, Blocked applications, Antivirus updates, Software updates, and Driver updates.
- Click Save.
To adjust the vulnerability scan schedule
- In Tools > Configuration > Agent settings, open your Distribution and Patch setting.
- Click Patch-only settings > Scan options > Schedule. The defaults for Use recurring schedule are daily with a random delay. Click Change settings if you need to adjust it.
- Click Save.
Good patch data collection isn't enabled by default, but it's an important part of Patch Automation and of determining whether patches are deploying successfully. If you don't enable this option, the Patch Automation tool shows a banner reminding you to enable it.
To enable data collection for good patches
- In Tools > Configuration > Agent settings, open your Distribution and Patch setting.
- Click Patch-only settings > User feedback.
- Select Allow the user to report broken applications and Collect data on good patches.
- If necessary for your environment, adjust the number of hours the user feedback agent should collect data on each applied patch. After this interval, the results are reported to the core server. The default is 30 hours. The number of hours you set here should be shorter than the duration of your patch campaign steps.
- Click Save.