7.2 Working with Mandatory Baselines

The Action menu on the Device Group Patches page enables you to perform various actions concerning mandatory baseline patches. The Action menu options also assist you in managing and deploying patches in a consistent and uniform manner across groups. The following figure shows the various menu options that help you work with mandatory baselines:

Figure 7-2 Action Menu Items

The Deploy Remediation option enables you to deploy a patch. To use this option, select the check boxes for the patches you want to deploy and select Deploy Remediation from the Action menu options to open the Deploy Remediation Wizard.
The Enable option allows you to enable a disabled patch.
The Disable option enables you to disable a patch. To use this option, select the check box for the required patch and select Disable. The selected patch is removed from the list.
The Update Cache option initiates a download process for the bundles associated with a selected patch and caches those bundles on your ZENworks Server. See Using Update Cache.
The Assign to Baseline option enables you to assign a baseline to a patch. For more information, see Assigning or Managing a Mandatory Baseline.
The Remove from Baseline option enables you to remove a patch from a baseline. See Removing a Mandatory Baseline for more information.
The Export option enables you to export details such as the status and impact of selected patches into a comma-separated value (CSV) file. You can choose to save the file in a different file format after opening it from the download option.
The Recalculate Baseline option enables you to start the thread that normally runs automatically about every four hours, which, in turn, creates baseline deployments to the relevant devices without waiting for four hours.

The following sections provide more information on mandatory baselines:

7.2.1 Assigning or Managing a Mandatory Baseline

Mandatory baselines can be applied only to groups, and each group can have only one mandatory baseline applied to it. However, a single device can be a member of multiple groups, each of which could have a different mandatory baseline.

To create or manage a mandatory baseline:

Click the Devices tab in the left panel.

A page displaying the root folders for each type of device appears, as shown in the following figure:

The Servers folder is the root folder for all managed servers and the Workstations folder is the root folder for all managed workstations in the network.
Click the Servers or Workstations link.

A list of server or workstation groups classified on the basis of their operating systems appears. The following figure shows a list of server groups:
On the Servers or Workstation page (in this case, it is the Servers page), select any group.

A page displaying the general details of the group and the members in the group appears. The following figure shows such a page that appears when a Dynamic Server Group called Windows Server 2008 R2 is selected:
Select the required patch and choose Assign to Baseline from the Action menu. An icon appears next to the patch, indicating that it has been assigned to the baseline.

After a patch has been assigned to the baseline, the following process takes place:

The ZENworks Server automatically schedules a daily Discover Applicable Updates task for all devices in that group.
Every few hours, depending on the results of the Vulnerability Detection task, the ZENworks Server determines the devices that are applicable and out of compliance (based upon the patches added to the baseline).
Necessary bundles, as defined in the baseline, are deployed as soon as possible for each device.
After patches have been deployed, it might be necessary to reboot those devices for them to be detected as patched.

NOTE:The baseline function does not auto-reboot devices that have been patched.

7.2.2 Removing a Mandatory Baseline

Click the Devices tab in the left panel to display the Devices page, which shows the root folders for each type of device:

The Servers folder is the root folder for all managed servers and the Workstations folder is the root folder for all managed workstations in the network.
Click the Servers or Workstations link.

A list of server or workstation groups classified on the basis of their operating systems appears. The following figure shows a list of server groups:
On the Servers or Workstation page (in this case, it is the Servers page), select any group.

A page displaying the general details of the group and the members in the group appears. The following figure shows such a page that appears when a Dynamic Server Group called Windows Server 2008 R2 is selected:
Select the mandatory baseline item (the patch that has been assigned to baseline) and select the Remove from Baseline option from the Action menu.

The patch is removed from the baseline.

NOTE:The Remove from Baseline menu option is enabled for a patch only if the patch has been added to the baseline.

7.2.3 Using Update Cache

The Action menu Update Cache option (see Figure 7-2) initiates a download process for the bundles associated with a selected patch and caches those bundles on your ZENworks Server.

NOTE:The remediation bundles must be cached before they are installed on the target device.

To update caching of patch data:

In the Patches list, select one or more patches.
In the Action menu, click Update Cache.

The icon changes to . While the download is in progress, the icon changes to . When the caching is complete, the color of the patch icon changes to green. This indicates that the patch remediation is ready to be deployed.