7.1 About Mandatory Baselines

A mandatory baseline is a user-defined compliance level for a group of devices. If a device falls out of compliance, a mandatory baseline ensures that the device is patched back into compliance.

IMPORTANT:Mandatory baselines are an automatic enforcement method based on the most recent discovery scan results, so there is no control over the deployment time or order for patches applied in this manner. Unless a stringent Content Blackout Schedule is in effect, do not apply mandatory baselines to groups of mission-critical servers or other devices where unscheduled patch deployments would disrupt daily operations.

The Content Blackout Schedule panel lets you define times when content (bundles, policies, configuration settings, etc.) will not be delivered to the devices.

When a mandatory baseline is created or modified:

  • The ZENworks Server automatically schedules a daily Vulnerability Detection task for all devices in that group.

  • Every few hours, depending on the results of the Vulnerability Detection task, the ZENworks Server determines the devices that are applicable and out of compliance (based upon the patches added to the baseline).

  • Necessary bundles, as defined in the baseline, are then deployed as soon as possible for each device.

  • After patches have been deployed, it might be necessary to reboot those devices for them to be detected as patched.

    The baseline function does not auto-reboot devices that have been patched.

NOTE:Some patches, such as MDAC and IE, require both a reboot and an administrator level login to complete. If these or similar patches are added to a baseline, the deployment stops until the login occurs.

The following sections provide more information on mandatory baselines:

7.1.1 Viewing Mandatory Baselines

  1. Click the Devices tab in the left panel.

    A page displaying the root folders for each type of device appears, as shown in the following figure:

    Root folders for each type of device

    The Servers folder is the root folder for all managed servers and the Workstations folder is the root folder for all managed workstations in the network.

  2. Click the Servers or Workstations link.

    A list of server or workstation groups classified on the basis of their operating systems appears. The following figure shows a list of server groups:

    List of server groups
  3. On the Servers or Workstation page (in this case, it is the Servers page), select any group.

    A page displaying the general details of the group and the members in the group appears. The following figure shows such a page that appears when a Dynamic Server Group called Windows Server 2008 R2 is selected:

    General details for Windows Server 2003
  4. Click the Patches tab.

    The patches applicable to the member devices of the selected group are displayed. If the selected group is Windows Server 2008 R2, the Patches tab displays all the patches applicable to the member devices within the group Windows Server 2008 R2, as shown in the following figure:

    Vulnerabilities applicable to Windows Server 2003

    A patch that has been assigned to the baseline (also called the mandatory baseline patch) has the icon Mandatory Baseline icon displayed next to its name, as shown in the above figure.

    Alternatively, you can view the baseline patches by using the Search panel on the Patches page to search for mandatory baseline patches.

    For detailed information on Patches and Patches Information panels, refer to Section 5.0, Using the Patch Management Tab.

7.1.2 Using the Mandatory Baseline Page

You can use the Search panel on the Mandatory Baseline page to view the baseline patches.

The Search panel on the Device Group Patches page, as shown in Figure 7-1, enables you to search for mandatory baseline patches. The Search panel also enables you to search for other patches based on the status and impact of the patches.

Figure 7-1 Mandatory Baseline Search

You can search for the mandatory baseline patches based on the following filter options:

  • All Patches: Displays all patches, including mandatory baseline items.

  • Baseline Only: Displays only those patches that are marked as “mandatory baseline” for the group.