3.12 Configuring Patch Policy Settings

Patch Policy Settings are used to define enforcement times and reboot behaviors for each patch policy.

NOTE: To change the schedule of a Patch Policy, configure it on the Patch Policy Settings page. If the schedule is configured on any other page of ZCC, such as Device's Assignments or the Bundle's Relationship page, under Assignment Details, it does not override the schedule that was previously defined on the Patch Policy Settings page. Instead, the policy is run multiple times, based on the schedule configured on each page.

  • Schedule Enforcement: When configuring Schedule Enforcement, you can leave the default setting to manually apply patches on the agent device using the “zac pap” command in the Command Line Utility (zac), or you can define a schedule when patches will automatically be applied.

  • Patch Policy Reboot Behavior: When configuring Patch Policy Reboot Behavior, you can leave the system defaults in place (no reboots or prompts), or you can define how users are prompted and interact with device reboots when patches are applied.

3.12.1 Schedule Enforcement

You can schedule the dates and times at which your Patch Policies are pushed out. This feature is useful for distributing and enforcing Patch Policies during off hours, which decreases network traffic and strain. A policy can be scheduled to be released at different times or outside of working hours. This configuration affects all policies that are set up and sets the schedule for their deployment.

NOTE: Before you can schedule Patch Policy enforcement, a patch policy must be created. Click Security in the navigation menu, and select the Patch Policies page. Make sure a patch policy exists. If you have to create a new one, make sure the system has time to download the patches.

  • Default (Manually apply patches on the agent using “zac pap”): This configuration is the system default and requires manually implementing patch policies using the zac Command Line Utility.

  • Schedule patch policy application time: This configuration sets a schedule to automatically apply patches, based on a specific date or a recurring schedule, and includes the option to limit the duration of patch installation.

    • Restrict Duration: If you check the Restrict Duration check box, you can limit how long patches are applied by entering a time increment based on the number of hours, minutes, or a combination of both.

    • Date Specific: If you choose the Date Specific schedule type, you can schedule patch deployment using the following criteria:

      • Start Date(s): Enables you to pick the date when you need to start the deployment.

      • Run event every year: Ensures that the deployment starts on the selected date at the selected time and repeats every year. If an end date is defined, the deployment ends on that date.

      • Process immediately if device unable to execute on schedule: Ensures that the deployment starts immediately if the device was unable to execute on the selected schedule.

      • Select When Schedule Execution Should Start: There are two options for selecting the start time of the schedule execution:

        • Start Immediately at Start Time: Deactivates the End Time panel and starts the deployment at the start time specified. In this option, you must set the start time in the Start Time panel.

        • Start at a random time between Start Time and End Times: Activates the End Time panel next to the Start Time panel. You can specify the end time and the start time so that the deployment occurs at any random time between them.

          NOTE: Selecting the Use Coordinated Universal Time check box enables you to schedule the deployment of all devices at the same time, regardless of time zone differences. Coordinated Universal Time (UTC), also known as World Time, Z Time, or Zulu Time, is a standardized measurement of time that is not dependent upon the local time zone. Deselecting UTC schedules the distribution at local time.

    • Recurring: If you choose the Recurring schedule type, you can schedule patch deployment using the following criteria:

      • When a device is refreshed: Enables you to schedule a recurring deployment whenever the device is refreshed. In this option, you can choose to delay the next deployment until after a specific time.

        To set the delay, select the Delay execution after refresh check box, and specify the days, hours, and minutes by which you want to delay the deployment.

        By default, the patch bundle install frequency is set to Install once per device. For a recurring deployment, change it to Install always.

        1. Click the Actions page for the particular patch bundle assignment.

        2. Click Options. This opens the Install Options window.

        3. Select Install always and click OK.

        4. Click Apply.

        NOTE: The device is refreshed based on the settings in Configuration > Device Management menu > Device Refresh and Removal Schedule (Manual Refresh or Timed Refresh). Alternatively, you can refresh the device by selecting a device in the Devices page and clicking the Refresh Device option in the Quick Tasks menu.

      • Days of the week: Enables you to schedule the deployment on selected days of the week. To set the day of deployment, select Days of the week, select the day of the week, and set the start time for the deployment.

      • Monthly: You can schedule the deployment on a specific day of the month, the last day of the month, or a specific day every week or month.

      • Fixed Interval: Enables you to schedule a recurring deployment that runs on a regular basis. You can choose the number of months, weeks, days, hours, and minutes of the interval and the start date for the deployment schedule.
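
The effect of the Use Coordinated Universal Time check box and of the random start window, modelled in Python as an added example (not part of the ZENworks documentation or product code). The fleet, device names and fixed UTC offsets are constructed, and the per-device random draw is an assumption about how each agent picks its start time.

```python
import random
from datetime import datetime, timedelta, timezone

# Constructed sample fleet: device name -> fixed UTC offset in hours.
FLEET = {"nyc-ws01": -5, "lon-ws01": 0, "blr-ws01": 5.5, "syd-srv01": 11}

def enforcement_instants(start, end=None, use_utc=False, fleet=FLEET, seed=0):
    """Map each device to the UTC instant at which enforcement would start.

    start/end are naive wall-clock values as entered in the schedule.
    use_utc=True reads them as UTC on every device; False reads them in
    each device's local time. end=None models "Start Immediately at Start
    Time"; otherwise each device draws a random start between start and end.
    """
    rng = random.Random(seed)  # seeded so the example is repeatable
    window = (end - start).total_seconds() if end else 0.0
    instants = {}
    for device in sorted(fleet):
        tz = timezone.utc if use_utc else timezone(timedelta(hours=fleet[device]))
        wall = start + timedelta(seconds=rng.uniform(0.0, window))
        instants[device] = wall.replace(tzinfo=tz).astimezone(timezone.utc)
    return instants

def fleet_spread(instants):
    """Time between the first and the last device starting enforcement."""
    return max(instants.values()) - min(instants.values())

def in_working_hours(instants, fleet=FLEET, work=(8, 18)):
    """Devices whose enforcement starts inside local working hours."""
    hit = []
    for device, when in sorted(instants.items()):
        local = when.astimezone(timezone(timedelta(hours=fleet[device])))
        if work[0] <= local.hour < work[1]:
            hit.append(device)
    return hit

if __name__ == "__main__":
    start = datetime(2024, 3, 5, 2, 0)  # 02:00 as entered in Start Time
    for use_utc in (True, False):
        inst = enforcement_instants(start, use_utc=use_utc)
        label = "UTC" if use_utc else "local"
        print(label, fleet_spread(inst), in_working_hours(inst))
```

With a 02:00 start, the UTC schedule patches every device at the same instant but reaches the UTC+11 device in the middle of its working day, while the local-time schedule keeps every device off hours and spreads enforcement over 16 hours.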

3.12.2 Patch Policy Reboot Behavior

Some patches require their host to be rebooted after installation. You can leave the default of no reboots or prompts and handle these actions another way, or you can choose to notify users when a reboot is required and also give them some flexibility for when the reboot takes place.

Refer to the reboot options described below to better understand how to configure them:

  • Default Disabled (no reboots or prompts): The default option is typically used when zone administrators have other processes in place that handle reboots on a routine basis.

  • Enabled: Select this option to allow reboots when patching and to enable the Notify Users check box.

  • Notify Users: Select the check box to enable reboot notification and its configuration options.

    • Description text: Edit the text of the notification prompt when Notify Users is selected.

    • Options: Define how the user is notified of and interacts with the reboot. There are three options:

      • Suppress reboot: Select Yes to prevent the reboot.

        NOTE: Selecting Yes also prevents the notification prompt. However, the following system variable can be used to enable the prompt while still suppressing the reboot:

        PATCH_ALWAYS_SHOW_REBOOT_PROMPT

        For more information about this variable and setting system variables in general, see Patch Management System Variables.

      • Allow User to cancel: Select Yes to enable a cancel option in the reboot notification prompt.

      • Allow User to snooze: Select Yes to enable a snooze option in the patch policy reboot notification prompt, which delays the reboot.

        • Snooze interval: The duration the reboot is delayed when the user clicks Snooze.

        • Reboot within: The deadline when the user can no longer delay the reboot.

        • Show tray notification: If you select this option, a notification for a pending reboot is displayed in the system tray. Notification options include the following:

          • Tray notification duration: Enter a value in hours, minutes or seconds for how long the system tray notification is displayed before being hidden.

          • Tray notification text: Edit the text you want to appear in the notification prompt.

IMPORTANT:

  • If you delete an old patch policy from an end point and then publish a new policy to replace it, the end point may list a Device-Assigned Bundle Status of Not Installed for an indefinite period of time. If you encounter this end point status, reboot the end point to complete publication of the patch policy.

  • If you enable Notify Users and force a reboot (Suppress Reboot = No), the reboot will occur after the Reboot within interval has expired (2 hours by default), regardless of the other settings (Allow user to cancel, Allow user to snooze, and Snooze interval). If you want the reboot to occur sooner, you can set the Reboot within interval to a shorter time such as 10 minutes. If you want the reboot to occur immediately, set it to 0 hours, although this is not recommended as it will not give users time to save their work.

3.12.3 Configure Patch Policy Settings at the Folder Level

Patch Policy Settings can also be set at the folder level, which enables you to set patch enforcement and reboot behavior for the Server or Workstation estate. Configuring Patch Management settings at the folder level overrides the System settings (configured in the Configuration page). However, you can return to the System settings at any time by using the Revert option.

To configure the Patch Policy Settings at the folder level:

  1. Click Devices in the ZENworks navigation menu.

  2. Click the Details link on the folder you would like to configure settings for.

  3. Go to Settings > Security > Patch Policy Settings.

  4. At the top of the page there is an option to Override the system settings. Select this option to begin making changes.

    NOTE: This option can be used to revert to the System settings if you need to change back.

  5. Configure the Schedule Enforcement and Patch Policy Reboot Behavior sections for the folder.