landesk patch management best practices chris rawlings landesk sales engineer

LANDesk Patch Management Best practicesChris Rawlings

LANDesk Sales Engineer

LANDesk Software Confidential

LANDesk 9.5 SP1 Updates

• Mobility• Patch• Security Suite• FIPS 140-2• Cloud Service

Appliance• SmartVue• Linux/Unix• OS X

• HP Integration• Intel• Remote Control• Data Analytics• Agent• Provisioning• SWD• Inventory

• Printer Management• Auditing• Flexera

PATCH MANAGEMENT BEST PRACTICES

LANDesk Software Confidential6

Clean Up The Patch Management

• Disable Replaced Rules Wizard– Adobe Flash– Sun Java– Itunes



• Purge Distribution and Patch Definitions – Eliminates unnecessary

Operating Systems– Eliminates unnecessary

languages



• Delete Unnecessary Patches – Delete patches in Do Not Scan

and unassigned groups– Delete undetected patches


Patching – Application EOL Detection

9

• Application End Of Life Detection• Publish by Content• Leverage LANDesk Patch Manager

• Already support • MS Office 2000/XP• Adobe Acrobat Pro/Sta 6.x,

7.x, 8.x• Adobe Reader 6.x, 7.x, 8.x• Java SE 1.3, 1.4, 5.0


Prepare Patch Reports

10

• Gather Historical Information– Schedule to run on a daily basis


Avoid Impacting Users

11

• Configure CPU Utilization during scan for low impact


New Feature Do Not Disturb if…

• Maximize end-user productivity– Reduce unwanted disruptions

» Detect full screen apps» Dynamically hide scan

dialog


Configure Reboot options

13

• Change Defaults– Allow user to defer– Reboot if no one is logged – After Time out snooze– Increase Timeout


Patching – Application Interference

• Increased first pass success rate– Java– Browser plugins– Custom applications

• Close applications prior to patching– Prevent / block applications from

running during the patch process


• Configured to – Prompt– Don’t allow defer or cancel

• Shows apps that must close.– Dynamically updates list as

apps are closed by user.

15

What you see on the client…


Process to Kill are Definition Based

• Clone Vulnerability• Edit Detection Rule• Add Process to stop


• Supports Targeted Repairs • Fewer Scheduled Tasks to

manage

17

Autofix by Scope


• New right-click option

• The “IN” clause is not editable in the DAL query editor.

18

Create query for affected computersScenario: Administrator wants to quickly and easily create a vulnerability query to

represent affected computers.


New Feature 9.5 SP1Patching – Maintenance Windows

• Controlled and Predictable maintenance– Autofix policies are queued– Machine state detection– More aggressive reboot controls

become possible


Patching – Application Interference

• Increased first pass success rate– Java– Browser plugins– Custom applications

• Close applications prior to patching– Prevent / block applications from

running during the patch process


Patching – Application EOL Detection

21

• Application End Of Life Detection• Publish by Content• Leverage LANDesk Patch Manager

• Already support • MS Office 2000/XP• Adobe Acrobat Pro/Sta 6.x,

7.x, 8.x• Adobe Reader 6.x, 7.x, 8.x• Java SE 1.3, 1.4, 5.0


• Right-click multi-selected definitions is allowed. The “focused” definition’s current settings are displayed.

• For backward compatibility in the database, “Severity” still contains the current value.• “OrigSeverity” is null if no override has been specified. Otherwise, it stores the

LANDesk-supplied severity.

22

Vulnerability severity override

Scenario: Administrator disagrees with the predefined severity of a vulnerability definition and/or wants to “lock down” reviewed severities.


Software DistributionLANDesk Software

9.5.1


Desktop Manager

24

• New interface• Customizable branding• Deliver Links, Docs & Apps

• Packages and links can be placed in categories

• “Chrome-less” app launching

• WPF and EXE• Launchpad integrated• Task history of client

changes


• Package Bundles– Leverages groups in distribution packages– Set the installation order (one level)– Allows for packages to be grouped and ordered (one level)– Categories are supported

25

Software Distribution


• New Streamed Document package type– Link for any file type (.txt, .pdf, .docx, .msi, etc.)– Associated application– Streamed from the portal (new portal only), not downloaded to the client– Uses the current associated shell application (by file extension) defined for the client operating system

26



• Default Delivery Method– New shared control to select the delivery method– Global value– Only enabled for Administrators

27



• New package pre-cache feature– Only downloads package files to client machines, will not perform package

installation

28



• Task History– Task history is automatically gathered and stored in the client database

• Task History Maintenance– Enable automatic cleanup of task history in the client database– Configured in Agent settings and must be associated with each client (Agent configuration / Agent

settings)» Configurable by days to keep, a value of 0 will delete all task history from the client database» If not set, all task history will continue to be stored» Settings stored in each client machine registry under

LANDesk/ManagementSuite/WinClient/SoftwareDistribution/InventorySettings› ClientDatabaseHistoryDays: Specifies days to keep history, -1 or 0xffffffff if not set (all task history will be kept)

29



• Task History/Maintenance continued– Inventory scanner automatically sends client task history to the core database– Located in inventory under LANDesk Management / SWD / History

30



• Automatically run inventory scanner after package installation– Inventory settings located in Agent settings UI– Requires an Inventory setting to be associated with each client (Agent configuration / Agent Settings)– Creates a local scheduler task from the current time plus a delay

» If multiple packages are installed, the local scheduled task is added/updated with the new time. Always uses the same task id (779)

– Two delay settings» Initial delay, minimum of 5 minutes, maximum of 60 minutes, default 5 minutes» Additional random delay to help stagger scans (reduce the load on the core), minimum of 0 minutes and

maximum of 60 minutes, default 15 minutes (will randomize between 0 and the value set)» Settings stored in each client machine registry under

LANDesk/ManagementSuite/WinClient/SoftwareDistribution/InventorySettings› InventoryScanDelayAfterPackageInstall: High word is the initial delay, low word is the additional random delay, -1 or

0xffffffff if not set (inventory scanner will not run after package install)

31


QUESTIONS

landesk patch management best practices chris rawlings landesk sales engineer

Documents

software distribution

client slide

patch process slide

possible slide

scope slide

landesksupplied severity

java itunes slide

scan dialog slide