Welcome to our new BMC Client Management (BCM) Blog for the month of August 2020. In this blog, we will provide detailed information about Patch Management. Below are the topics which we are going to cover:
- What is Patch Management and what can we do with it?
- Prerequisites of Patch Management
- How Patch Management works
- Viewing the progress using the Reports
What is Patch Management and what can we do with it:
Patch Management is one of the favorite modules of BMC Client Management among BCM customers. It provides an easy way to manage, update, and download all of the patches for Microsoft operating systems and selected third-party applications, such as Firefox, 7Zip, and others, which can then be installed across the network to stay up to date.
In BCM Patch Management, the target/client never requests patches. The BCM Administrator has full control over which patches are deployed and when they are deployed.
Patch Management allows you to:
- Identify which target devices need to be patched or contain a vulnerability
- Create a remote deployment of patches automatically or manually when required or at scheduled times
- Monitor the deployment process and view the results using reports.
Prerequisites of Patch Management which need to be followed:
A) A valid BCM Patch Management License
- Required to keep your patch knowledge base up to date and to download the newer patches
B) A device (Patch Manager) which has internet access
This device should be able to download the patches from the internet and should have:
i) at least 20GB of disk space or a dedicated location for storing the patches
ii) one of the following operating systems:
- Windows 8 32 and 64 bit
- Windows 8.1 32 and 64 bit
- Windows 10
- Windows Server 2008 R2 64-bit
- Windows Server 2012 64-bit
- Windows Server 2012 R2 64-bit
- Windows Server 2016 64-bit
- Windows Server 2019 64-bit (BCM 12.9 and above)
iii) The Patch Manager should not use only an IPv6 address.
iv) The root certificates of the device should be up to date. Bulletins MSRC-001 or MSRC-002 should be installed on the Patch Manager.
v) The Patch Manager should be able to reach https://content.ivanti.com/data/oem/BMC-Numara/data/925/manifest/partner.manifest.xml to download the patch KB, and should have access to download the patches from the internet.
C) The BCM version should be 12.8 patch 3 or above to support the newer Ivanti SDK.
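The device-side prerequisites under B) can be checked before a machine is promoted to Patch Manager. The script below is an added example, not BMC code or part of the original post; it assumes PowerShell 3.0 or later run on the candidate device, and the function name and the $Drive parameter are hypothetical.

```powershell
# Added example (not BMC code): preflight check for a prospective Patch Manager.
# Assumptions: PowerShell 3.0+, run on the candidate device, patches stored on $Drive.
$ManifestUrl = 'https://content.ivanti.com/data/oem/BMC-Numara/data/925/manifest/partner.manifest.xml'

function Test-PatchManagerPrereq {
    param(
        [string]$Drive = 'C',      # hypothetical: drive letter holding the patch store
        [int]$MinFreeGB = 20       # prerequisite B-i from the list above
    )
    $r = [ordered]@{}

    # B-i: free space on the patch storage drive
    $psDrive = Get-PSDrive -Name $Drive -PSProvider FileSystem -ErrorAction Stop
    $r.FreeGB      = [math]::Round($psDrive.Free / 1GB, 1)
    $r.DiskSpaceOk = $r.FreeGB -ge $MinFreeGB

    # B-iii: the device must not be IPv6-only, so look for a usable IPv4 address
    $ipv4 = [System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() |
        Where-Object { $_.OperationalStatus -eq 'Up' } |
        ForEach-Object { $_.GetIPProperties().UnicastAddresses } |
        Where-Object {
            $_.Address.AddressFamily -eq 'InterNetwork' -and
            -not [System.Net.IPAddress]::IsLoopback($_.Address) -and
            $_.Address.ToString() -notlike '169.254.*'   # skip self-assigned (APIPA)
        }
    $r.HasIPv4 = [bool]$ipv4

    # B-v: the patch KB manifest must be reachable over HTTPS. The error text is kept
    # so a certificate-trust failure (B-iv) can be told apart from a proxy/firewall block.
    # Older Windows PowerShell may not offer TLS 1.2 by default; opt in (needs .NET 4.5+).
    [Net.ServicePointManager]::SecurityProtocol =
        [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
    try {
        $resp = Invoke-WebRequest -Uri $ManifestUrl -UseBasicParsing -TimeoutSec 30
        $r.ManifestReachable = ($resp.StatusCode -eq 200)
        $r.ManifestError     = $null
    } catch {
        $r.ManifestReachable = $false
        $r.ManifestError     = $_.Exception.Message
    }

    $r.AllOk = $r.DiskSpaceOk -and $r.HasIPv4 -and $r.ManifestReachable
    [pscustomobject]$r
}

Test-PatchManagerPrereq | Format-List
```

The license, operating system, and BCM version prerequisites are not covered by this check and still need to be confirmed separately.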
How Patch Management works:
Patch Management consists of 3 steps:
1) Patch Knowledge Base update:
The Patch Manager checks for a new knowledge base (KB) once a day. Once a new patch KB is obtained from the SDK vendor Ivanti/Shavlik, it updates the Patch Manager KB and sends the new patch KB to the Master, where it is stored for distribution to BCM (BMC Client Management) clients.
- The BCM Master starts notifying all the clients about the new patch KB and sends them the new update upon client request through the filestore module.
When the patch KB download is completed on the client, the patch KB is evaluated and a new patch inventory is generated.
2) Patch Inventory Evaluation
By default, each client device scans itself for missing and installed patches and uploads the result to the Master server. This patch inventory is generated against the device's operating system, installed applications, and third-party applications to determine missing patches and missing service packs. The client sends the inventory through the Upstream module of its parent Relay to the Master, which integrates the inventory for this client into the BCM database; this integration then triggers an evaluation of the existing patch assignments.
How to view the Patch Inventory:
- Go to the device in the BCM Console
- Expand it in the left-hand pane, click Inventory, then Patch.
- Click Missing Patches to view the patches missing on this device, or click to view the missing service packs, installed patches, or installed service packs
3) Patch Deployment Process
BCM Patch Management supports two methods of deployment of patches on clients.
a) Patch Group and
b) Patch Job
a) A Patch Group is also known as a patch deployment in the BCM Patch Management console. Patch groups are the manual patch selection method, in which the administrator decides when to deploy and which specific patches or service packs need to be deployed.
How to create a patch group for deploying only specific patches like VC_Redist new update:
The Patch Group downloads the patch and deploys it to the devices.
b) Patch Jobs are dynamic in nature: they add patches and deploy them automatically according to the patch job scheduler. A patch job is created based on patch criteria and types.
Once the patches are installed using Patch Jobs or Patch Groups, the clients send the resulting patch inventory files through the Upstream module of their parent Relay to the Master server for inventory integration and reevaluation of the result.
We will look at these deployments in the next blog.
Viewing the progress using the Reports:
BCM has out-of-the-box reports for patching. To view these reports from the BCM Console, go to the Report node and open the out-of-the-box folder.
From Patches folder
Here are some best practices for Patch management: https://communities.bmc.com/docs/DOC-127301
Patching devices in a disconnected environment: https://communities.bmc.com/docs/DOC-64375
Thank you for reading this Blog