ZENworks Patch Management (ZPM) is a relatively easy product to architect and deploy, the main challenges are around best practices for using the product day to day. Questions that need to be answered include:
What is the best way to schedule my patch operations?
What is the best way to handle patches that require reboots?
What business processes should be in place to ensure effective patching?
Well, let's start with Mandatory Baselines. This functionality allows you to define a patch level, or list of vulnerabilities, that must be met by the targeted devices. ZPM automatically ensures that devices are patched to the desired level. I tend to avoid using Mandatory Baselines for production desktops as there is no easy way of scheduling when patching occurs. For example, if you install a product that back-revs a DLL and enables a previously patched vulnerability, on the next check-in the device could be patched again.
One approach is to use the "hours of operation" setting to prevent patching from occurring during normal working hours, this approach does minimise the impact on users but does have some drawbacks. Firstly, desktops and laptops are often not available outside of normal working hours, a lot of customers I visit encourage users to shutdown at the end of the day due to reduce energy consumption. More importantly, if I prevent patching during normal working hours, how do I deploy a patch in the event of a destructive virus?
Mandatory Baselines are useful in scenarios where you want to manage a standard build. Let's assume for a moment that you are using a standard desktop image that is deployed to multiple machines. Adding your source machine for the build to a mandatory baseline will allow the device to be patched automatically before you seal the image for distribution. In this scenario, availability of the device and the requirement for rebooting is not an issue.
Do you use mandatory baselines? What approach do you take?
Testing and documentation
As with any software delivery mechanism, testing and release management is critical to minimising the impact on your business. A summary for a typical approach to managing patch delivery is as follows:
- Identify new vulnerability
- Analyse risk and exposure to the enterprise
- Create deployment plan
- Test deployment
- Phase deployment to the enterprise
Each of these stages are normally documented to provide an audit trail.
Often I see customers deploying to test machines, then to the IT department and then phasing the deployment to the rest of the enterprise. What's your approach to testing and deploying patches?