A mandatory baseline is a user-defined compliance level for a group of devices. If a device falls out of compliance, a mandatory baseline ensures that the device is patched back into compliance.
IMPORTANT:Mandatory baselines are an automatic enforcement method based on the most recent discovery scan results, so there is no control over the deployment time or order for patches applied in this manner. Unless a stringent Content Blackout Schedule is in effect, do not apply mandatory baselines to groups of mission-critical servers or other devices where unscheduled patch deployments would disrupt daily operations.
The Content Blackout Schedule panel lets you define times when content (bundles, policies, configuration settings, etc.) will not be delivered to the devices.
When a mandatory baseline is created or modified:
The ZENworks Server automatically schedules a daily Discover Applicable Updates (DAU) task for all devices in that group.
Every few hours, depending on the results of the DAU task, the ZENworks Server determines the devices that are applicable and out of compliance (based upon the patches added to the baseline).
Necessary bundles, as defined in the baseline, are then deployed as soon as possible for each device.
After patches have been deployed, it might be necessary to reboot those devices for them to be detected as patched.
The baseline function does not auto-reboot devices that have been patched.
NOTE:Some patches, such as MDAC and IE, require both a reboot and an administrator level login to complete. If these or similar patches are added to a baseline, the deployment stops until the login occurs.
The following sections provide more information on mandatory baselines:
Click the
tab in the left panel.A page displaying the root folders for each type of device appears, as shown in the following figure:
The
folder is the root folder for all managed servers and the folder is the root folder for all managed workstations in the network.Click the
or s link.A list of server or workstation groups classified on the basis of their operating systems appears. The following figure shows a list of server groups:
On the Servers or Workstation page (in this case, it is the Servers page), select any group.
A page displaying the general details of the group and the members in the group appears. The following figure shows such a page that appears when a Dynamic Server Group called
is selected:Click the
tab.The patches applicable to the member devices of the selected group are displayed. If the selected group is
, the tab displays all the patches applicable to the member devices within the group , as shown in the following figure:A patch that has been assigned to the baseline (also called the mandatory baseline patch) has the icon displayed next to its name, as shown in the above figure.
Alternatively, you can view the baseline patches by using the
panel on the Patches page to search for mandatory baseline patches.For detailed information on Section 4.0, Using the Patch Management Tab.
and panels, refer toYou can use the
panel on the Mandatory Baseline page to view the baseline patches.The Figure 6-1, enables you to search for mandatory baseline patches. The panel also enables you to search for other patches based on the status and impact of the patches.
panel on the Device Group Patches page, as shown inFigure 6-1 Mandatory Baseline Search
You can search for the mandatory baseline patches based on the following filter options:
All Patches: Displays all patches, including mandatory baseline items.
Baseline Only: Displays only those patches that are marked as “mandatory baseline” for the group.