A mandatory baseline is a user-defined compliance level for a group of devices. If a device falls out of compliance, a mandatory baseline ensures that the device is patched back into compliance.
IMPORTANT:Mandatory baselines are an automatic enforcement method based on the most recent discovery scan results, so there is no control over the deployment time or order for patches applied in this manner. Unless a stringent Content Blackout Schedule is in effect, do not apply mandatory baselines to groups of mission-critical servers or other devices where unscheduled patch deployments would disrupt daily operations.
The Content Blackout Schedule panel lets you define times when content (bundles, policies, configuration settings, etc.) will not be delivered to the devices.
When a mandatory baseline is created or modified:
The ZENworks Server automatically schedules a daily Vulnerability Detection task for all devices in that group.
Every few hours, depending on the results of the Vulnerability Detection task, the ZENworks Server determines the devices that are applicable and out of compliance (based upon the patches added to the baseline).
Necessary bundles, as defined in the baseline, are then deployed as soon as possible for each device.
After patches have been deployed, it might be necessary to reboot those devices for them to be detected as patched.
The baseline function does not auto-reboot devices that have been patched.
NOTE:Some patches, such as MDAC and IE, require both a reboot and an administrator level login to complete. If these or similar patches are added to a baseline, the deployment stops until the login occurs.
The following sections provide more information on mandatory baselines:
Click thetab in the left panel.
A page displaying the root folders for each type of device appears, as shown in the following figure:
Thefolder is the root folder for all managed servers and the folder is the root folder for all managed workstations in the network.
Click theor s link.
A list of server or workstation groups classified on the basis of their operating systems appears. The following figure shows a list of server groups:
On the Servers or Workstation page (in this case, it is the Servers page), select any group.
A page displaying the general details of the group and the members in the group appears. The following figure shows such a page that appears when a Dynamic Server Group calledis selected:
The patches applicable to the member devices of the selected group are displayed. If the selected group is, the tab displays all the patches applicable to the member devices within the group , as shown in the following figure:
A patch that has been assigned to the baseline (also called the mandatory baseline patch) has the icon displayed next to its name, as shown in the above figure.
Alternatively, you can view the baseline patches by using thepanel on the Patches page to search for mandatory baseline patches.
For detailed information on Section 5.0, Using the Patch Management Tab.and panels, refer to
You can use thepanel on the Mandatory Baseline page to view the baseline patches.
The Figure 7-1, enables you to search for mandatory baseline patches. The panel also enables you to search for other patches based on the status and impact of the patches.panel on the Device Group Patches page, as shown in
Figure 7-1 Mandatory Baseline Search
You can search for the mandatory baseline patches based on the following filter options:
All Patches: Displays all patches, including mandatory baseline items.
Baseline Only: Displays only those patches that are marked as “mandatory baseline” for the group.