just confirming, did you read this:
and you manually downloaded the JRE7u7 file from Oracle here:
I just downloaded it and I am starting to test deploy it today. I have noticed that my trending over the last 48 hours shows converging scanned/not scanned lines on the graph, but like you I don't see any affected computers listed. The first part makes sense because my patch definitions just updated mid-week, but I'm baffled by the 2nd part. I would expect to see affected machines but I don't.
One idea that I have is this: Landesk had my subscription screwed up and so none of my machines were scanning for vulnerabilities. I've gotten the subscription part fixed and while I have updated my scan settings to include vulnerability checks I am not sure whether or not my clients are looking for them.
Yes, I did download the updates and put them in the patch folder.
I did have a similar issue to you where my subscription time ran up. So during that time all my computers were showing they needed no patches, and since that has been resolved I haven't had any issues other than Java not updating.
Whatever you would like to have deployed as a patch or update must be showing in the scan folder so that machines know to scan for that particular vulnerability/patch/update/etc. After it's in the scan folder, have the machines do a patch and compliance scan so they look at what's in the scan folder and know to scan for that patch. Once the machines scan for it and see they don't have it, that patch should automatically be put in the detected folder... as in the managed devices have detected that they need it. Then you can do a repair.
Let me know how that works out for you. I'm running into the issue that when deploying Java updates, it fails if a user has their web browser open. Know of any way around that?
The best way round the browser issue is to include a user intended message in the Scan and Repair setting. The message will inform the user that their Browser and/or any Java applications must be closed in order to be successfully remediated against the vulnerability.
The other option would be to remotely close the browser (via a script) prior to remediation but this will only lead to increased calls to the Service desk as users want to know why their browsing session was killed!
I and a few others here have been working with LANDesk on adding variables to some patches, Java is one of them. If you right click on the definition you will see a "Custom Variables" tab; in it you can choose to have the patching process force close browsers and also to disable the Auto Update feature included in Java.
Thank you, that solves the auto update issue, but does not solve the issue of Java not being able to deploy when a user has their browser open. The description for force mode reads "the repair task will fail and an error will be reported and you will be prompted to close the Java application and/or browsers."
But that's not what happens in my case. The repair task does fail, but users are NOT prompted to close the Java application and/or browser.
Would it maybe be more efficient to set the Java update as a separate repair policy task? Set it to try the install right after login with no delay? It may then be able to catch the user before they open their browser?
Or does LANDesk have a way so we can do as Jhamill suggests "to include a user intended message in the Scan and Repair setting." ?
I threw this in the scan folder and it started adding machines in the Affected machines window.
This was also helpful. I will run another test tonight and see what happens.
If you change it to force mode (Yes), it should force the browser to close. It may or may not prompt the user, but it should force close.
I can't force close any end-user's browsers or any other applications. I can't force them to reboot either. For certain Windows updates, LANDesk prompts you for a reboot, and then completes those updates while the PC is shutting down and restarting. Why can't LANDesk include Java in those updates when shutting down and restarting? Because there is no way possible I'll ever get approval to just boot people out of their applications.
Ok, that clears up something: the product will force close, but your company's policy does not allow that.
In the wording that LANDesk uses in the description they should have stated it better, they do not notify the user, but do notify "you" in the results on the system, shown below... note, I customized the patch some, so the name is different...
What you might be able to do (company wise) is to set up your scan and repair setting to send a message to your users that they need to close all open applications, etc before the patching process begins. If you go into the scan and repair setting, go to "Repair Options" and on the top right you will see a drop down that gives you multiple options.
That may not be ideal, I know what you are asking for, to have the patches run at start up, but in reality, those MS patches that do so are being done by a process that exists in those MS patches, not by LANDesk. There have been ER's on this, one here shows that MS will not release the API's they use:
You could get creative and create a script that calls the vulscan via the local (Windows) task scheduler, but that would take some work and testing.
Where I work it took a while to convince management and the users that the computers belong to the company and IT dept., not the users, and that the security risks outweigh the fact that users are bothered. We now have a monthly window of time where the users have been told that we can / will patch and reboot their computers as needed. We have 'special use' systems that this cannot be done to, so we have given them different agent names and use other methods to bypass them in our normal patching method, and deal with them differently.
I've been trying to test the deployment of the Java7update7 patch using a simple REPAIR task. I've noticed that 4/5 test machines took the patch from the perspective of the console, however they don't actually have the updated version of Java. I expected to see the 7_7 version listed in the installed PROGRAMS list but I'm still seeing the old version listed.
I deployed 7_5 in August. Do I need to go to 7_6 before trying to put on 7_7?
Java should deploy just fine in a test environment; it's the live environment where users are actively working that the deployment will fail, because you can't just force their browser to close. I don't want angry users kicking down my door.
I gave up. I've been beating my head against the wall over this for too long. I simply used GPO to deploy the JRE 7u7.
If you have an environment of desktops, deployment should be much easier for you. Set the task to deploy late in the evening and it should work just fine. But in my environment, we have 90% laptops so ALL patches have to be done during the day time. It's quite a nightmare.
I should clarify...
I am trying to roll out patch manager and it isn't going smoothly. I really need this Java update put out to my clients so I'm working on it right now with patch manager.
What I am seeing on the console is that a repair task for 7_7 via patch manager completes successfully for 4/5 machines with the 5th not even joining the task. Of the 4 successful machines, none of them are updated. I'm trying to figure out if patch manager is screwed up or the update/scheduled task is screwed up. A successful machine should report Java7_7, but so far I have not seen this happen.
I'm contemplating pushing a software distribution task with the new Java installer, which I should be able to get working, however that pretty much defeats the purpose of spending a bunch of dollars on patch manager.
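As an added example (not part of the thread and not LANDesk code), here is one way to check on the machine itself whether a client the console reports as repaired actually has JRE 7u7 registered and on disk. It assumes the Oracle installer's usual JavaSoft registry layout with build subkeys such as `1.7.0_07`; the function and parameter names are illustrative.

```powershell
# Added example: compare the JRE builds registered on this machine with the expected one.
# Assumption: the Oracle JRE installer writes one subkey per installed build
# (e.g. 1.7.0_07 for 7u7) with a JavaHome value under the JavaSoft key.
# Run from a native (not 32-bit-on-64-bit) PowerShell so both registry views are visible.
param([string]$Expected = '1.7.0_07')

function ConvertTo-JreVersion([string]$Name) {
    # '1.7.0_07' -> [version] 1.7.0.7 so builds compare numerically, not as strings
    [version]($Name -replace '_', '.')
}

function Get-InstalledJre {
    $roots = @{
        'native' = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
        'WOW64'  = 'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
    }
    foreach ($view in $roots.Keys) {
        if (-not (Test-Path $roots[$view])) { continue }
        Get-ChildItem $roots[$view] |
            # Skip family keys such as '1.7'; keep full build names only
            Where-Object { $_.PSChildName -match '^\d+\.\d+\.\d+(_\d+)?$' } |
            ForEach-Object {
                $javaHome = (Get-ItemProperty $_.PSPath).JavaHome
                [pscustomobject]@{
                    Build    = $_.PSChildName
                    View     = $view
                    JavaHome = $javaHome
                    # A registry entry with no java.exe behind it is a leftover, not an install
                    OnDisk   = [bool]($javaHome -and (Test-Path (Join-Path $javaHome 'bin\java.exe')))
                    Current  = (ConvertTo-JreVersion $_.PSChildName) -ge (ConvertTo-JreVersion $Expected)
                }
            }
    }
}

$found = @(Get-InstalledJre)
$found | Format-Table -AutoSize

# Exit 1 when no current build is on disk or any on-disk build is older than expected,
# so whatever launches the script can pick up the result.
$stale = @($found | Where-Object { $_.OnDisk -and -not $_.Current })
$good  = @($found | Where-Object { $_.OnDisk -and $_.Current })
if ($good.Count -eq 0 -or $stale.Count -gt 0) { exit 1 } else { exit 0 }
```

A non-zero exit on a machine the console shows as successfully repaired points at the repair task or detection logic rather than at the installer.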