7 Replies Latest reply on Apr 15, 2016 10:42 AM by swimber@emory.edu

    OS Patches through LANRev

    philcebutv Apprentice

      Hi,

       

      I was wondering if anyone here uses the OS patches through LANRev. How are you implementing it? How often are you releasing the patch? and are you doing it manually?

       

      would like to hear what others are doing in relation to OS patches (OSX and Win)

       

      Phil

        • 1. Re: OS Patches through LANRev
          sgillaspy Apprentice

          Yes, I've been pushing out Apple OS patches for years with little trouble overall.  Apple does a pretty good job of setting package requirements internally and these require somewhat less attention than the 3rd party patches where the requirements are up to you to set in LR.  I use LR for 3rd-party software as well, although I haven't gone with the built-in feature yet...I create my own with pkgbuild and deploy them out manually giving a greater degree of control.

           

          I usually try to release a new patch within a week or so of it being released to the wild, after I'm done with control-group testing.

          1 of 1 people found this helpful
          • 2. Re: OS Patches through LANRev
            philcebutv Apprentice

            Thanks for sharing your experience about OS patching Shawn.

             

            I am new to this OS patch servicing, I still have a few more questions..

             

            How do you go with patches that require a restart? Do you just pushed and configure them to restart later - I would assume there will be a setting like that.. Are your users logging out every end of the day? what happened if there are working some documents and patches are pushed that require a restart?  or Do you set your clients to auto logoff after X number of inactivities? or Do you set the package to be installed only while the clients are on the loginwindow?

             

            Thanks again...

            • 3. Re: OS Patches through LANRev
              sgillaspy Apprentice

              I manage computer labs, so if I can I try to have patches install during Logout, and not Login.  This might be a different approach from what might be used in your deployment if it is mostly supporting 1-to-1 users (who might even be admins).

               

              For me, most patches (with the exception of a couple of Adobe packages) install more cleanly if you specify them to install at Logout only.  It's interesting to note that the default on most patches is for them to install during Login, so I usually have to reverse that when preparing a new patch for a deployment to computer labs.

               

              Installing during Logout also helps with patches that might require reboot, and I even might specify overnight hours for some of the larger ones.  I'm a fan of monitoring the initial release of a new patch live, so the overnight approach will most likely only be used on a proven patch that I have pushed successfully for some time.

               

              I can't assume that users will remember to log out and often have to hunt down "abandoned" workstations.  Some labs have an automated kickoff timer, but this feature can be glitchy and isn't popular in every lab setting, so I have to pick and choose the areas where it might help.

              1 of 1 people found this helpful
              • 4. Re: OS Patches through LANRev
                sthon Apprentice

                I use the OS Patching feature for all our Windows PCs.

                Our rollout phase for OS Patches goes through three stages:

                - Initial testing at my own PC and three or for others from users of the IT-Dept.

                - Wait a day for any ill-effects

                - Rollout to a small group (about 40-50 Users)

                - Wait a day for any ill-effects

                - Rollout for all

                 

                As our users are somewhat "special" - they always wan't to know whats going on with LanRev - our patches are installed user controllable.

                 

                The settings are like this:

                - Allow user to Reschedule (max 24hrs)

                - Allow user to postpone restart (max 12hrs)

                 

                In the future I'd like to install them over night using wake-on-lan features, but I havent got time to implement it yet.

                1 of 1 people found this helpful
                • 5. Re: OS Patches through LANRev
                  labin Rookie

                  I've been using it occasionally, but managing both Labs and 1:1-Machines makes it difficult, as I can't define the same patch to install when nobody is logged in on a group and differently for 1:1-Machines (I usually let my users postpone the patch for a few days if it requires a reboot). And no, they never log out. Ever.

                   

                  So I ended up using only non-reboot patches through the OS Patch feature and uploading the Apple-Package for everything else.

                  I must say 3rd party patches go mostly unused as either they come too late or are not multilingual and break some of the applications we have to install in German.

                  1 of 1 people found this helpful
                  • 6. Re: OS Patches through LANRev
                    sgillaspy Apprentice

                    The way we addressed that dilemma here (supporting both labs and 1-to-1) is we have different servers/subnets managing each group.  That way the Apple and 3rd party patching can be targeted more accurately.  I prefer LANrev for Labs due to its feature set (and strong 3rd party patching support), and our 1-to-1 group prefers Casper for Macs and Altiris for Windows.

                     

                    Our Windows 3rd-party software is still managed by Secunia, but I believe they are entertaining options currently.

                    1 of 1 people found this helpful
                    • 7. Re: OS Patches through LANRev
                      swimber@emory.edu Apprentice

                      We would like patching to be completely silent, background task handled in the user's "off hours" with only a pop-up after install if a restart is needed, but we have not found the LANrev settings that really allow for this, especially with Windows 10.  Here is what I have attempted and I am always open to new ideas where improvements are available.  Like Stefan Thon above, we also roll these out one group at a time.  (I do wish we had scheduling options, where I could handle updates once a month and the update could hit each group on specified data/time.)

                       

                      I do use third party updates in this same fashion and that works well most of the time.

                       

                      I have seen three issues that I have not been able to overcome.  The missing patch report seems to contain patches that are indeed installed in some cases and when I approve patches for a particular group of computers with a scheduled availability date I often find that the patches applied several days later even though the machine was online during the availability window.  One user told me that the "restart later" doesn't seem to do anything but pop-up the restart/restart later box again.  I need to dig in to diagnose these but haven't, so take this with some salt.

                       

                      SETTINGS:

                      Patches that require restart:

                      Change Availability Date/Time to midnight on scheduled delivery date at midnight
                      Check: Only install between 12:00 AM and 6:00 AM

                      User Interaction: Allow to reschedule  (Only way I could get "Auto installation" option as we had an issue with some not installing.)
                      Auto installation after 10 minutes

                      Installation Deadline: Scheduled delivery date at 12:10 AM
                      After Installation: Restart
                      Check: Show notification
                      Restart after no more than 3 Days

                      Check: Allow user to postpone restart

                      Show dialog again every 1 Days

                       

                      Patches that do not require restart include the basics above with the following changes:

                      User Interaction: Install without asking

                      After installation: Do nothing

                      1 of 1 people found this helpful