5 Replies Latest reply on Mar 1, 2017 6:46 AM by RobinK.

    DSM PatchLink/APM: Patch Black-listing possible?

    RobinK. Rookie

      The question:

Is it possible to do patch black-listing (for single clients) with HEAT DSM PatchLink?
(The question should apply to Advanced Patch Management too, as the patch rules and patch-handling approach are the same.)


Currently HEAT DSM PatchLink is structured like the former Advanced Patch Management: it is designed to do patch white-listing to clients/systems (that is just what I would call this approach). So I can choose one or more vendors or products from the Lumension Patch Catalog to be part of a patch category and assign it to a target group of clients.

When looking from the client/system or client group perspective, and NOT from the single-patch perspective, I can only do patch white-listing to clients.

If the client is in multiple groups, it gets more and more patches added from those groups and their assigned patch categories. However, what about the other way around, "subtracting" patches from the list for this client? E.g. if I want "All Patches" except "Adobe Flash Player" and except "Java" assigned to a client.

(And I don't want to create a category for each exception constellation that would be possible, just a "minus" or "subtract" instead of an "add".)

      White-listing (possible with DSM APM and PatchLink):

Currently I'm able to assign an "All Patches" category (with the help of a patch rule) to one dedicated client group, OR

e.g. "PatchCat1 and PatchCat2 and without PatchCat3" to one dedicated client group.

      Black-listing approach:

      But it seems to me that I'm not able to do something like this:

      Assign "All Patches" except (or minus) patches from category "Patches 1" and except from "Patches 2".


      In the end, what I want is:

      • in general all patches are assigned to all clients
      • but I can do exceptions for single clients for specific software
• by adding these clients to a predefined list or group (or adding a variable to the client object)

      So that I have an “All patches” client group with all clients in it and multiple “No …” groups to combine with, like “No Java” or “No Adobe Flash”.


Hopefully I could explain it to you in a comprehensible way. If not, please write me your question.

It would be great for me just to get some feedback on whether this is correct or whether there is a way with DSM to do black-listing of patches for single clients or a group of clients.

      Many thanks in advance!

      Robin

        • 1. Re: DSM PatchLink/APM: Patch Black-listing possible?
          Klaus Salger Expert

          Robin,


          Creation of deny policies for patches would solve your problem.

Unfortunately there is no such thing in PatchLink.

          There is a rollout rule action "assign" but no "deny".

          Deny patch policies may be created manually but that's not what you want.

I think it's a reasonable idea to add a deny action to the patch management rules, and it should not be too hard to implement.

          So I would suggest you create a feature request.


          I can see 2 workarounds:


          1. create an extra patch rule to assign the patches with or without specific excluded patch categories for each target.

This results in a high number of additional patch policies because extra policies are added for each patch instead of having just 1 policy per patch with several targets if necessary.

          As you said - you don't want that.

2. expand the target list of the patch policies on the standard patch group to the "No X" groups via a PowerShell script, leaving out the unwanted patches.

          You need to keep "No X"-Clients out of the standard patch group though.

          While being far from ideal that is the workaround I would use for now.

This workaround requires the PowerShell Extension for DSM and some scripting effort to find and expand the relevant patch policies' target lists, excluding the unwanted patches.

Of course you can replace the scripted actions by clickwork.

          Cheers

            Klaus

          1 of 1 people found this helpful
          • 2. Re: DSM PatchLink/APM: Patch Black-listing possible?
            RobinK. Rookie

            Hi Klaus,

Many thanks for the time you invested and for your answer!

            Just nice to hear that I'm not too dumb to understand the tool and its functions.


            "Feature request" sounds very good to me. Do you know where to place/submit something like this?

Hopefully there are some more people who evaluate the situation the same way as you and me, and see that a "deny" rollout rule action for patches is a missing feature that should be easy to implement, as a similar thing already exists for the usual software/package policies.


Yes, your workaround 1 would result in too many different patch rules for each different static constellation and in too many computer groups for each constellation, with no ability to combine them in a useful way. So it would be much effort to maintain and extend.

If I understood your workaround 2 correctly, this would result in a way of static exclusion of single patches. So if the patch catalog gets some new patches that are unwanted by me, they will get assigned and I might come too late to disable them for this client group. (Or the other way around: if the PowerShell script doesn't run periodically, some wanted patches are not automatically assigned.)

However, I don't really know the handling of the DSM PowerShell scripts. Do you mean the "PowerShell Extensions for HEAT Client Management" from NWC Services? Are there free ones or are they just available for purchase?

            By the way, I’m NOT suffering a current issue or problem. I’m just thinking about a new concept of patching with DSM in PatchLink or APM.

It should have a high level of automation, in the vision of "Security before Functionality". All available patches get assigned to suitable clients automatically (even if an admin installed software manually on his client). Only if a piece of software/a client is recognized as not working with the newest version of e.g. the newest Flash Player, this client will be added to a "deny" group for excluding this product's patches.

            Thanks and cheers!

            Robin

            • 3. Re: DSM PatchLink/APM: Patch Black-listing possible?
              Klaus Salger Expert

              Hi Robin,

If you want to submit a feature request, you just open a low-prio ticket with Ivanti support. Give a short description of what you would like to see in the product and why. The ticket will then be handled as usual, so that you'll get info about the status.

Yes, I'm talking of NWC Services' PowerShell Extension, and yes, it's a commercial product.

              You may get a trial license for testing here: https://www.nwc-services.de/en/support-en/psx-trial-lizenz-beantragen5

The idea of workaround 2 is that all patches would be assigned to a standard group as usual.

              But NOT to the "all but flashplayer" and other special groups.

              Clients would be put in just 1 of these groups - so that's obviously not a perfect solution...

The assignment for these special groups would be done using a PowerShell script.

The script might be started hourly using the task scheduler, so that new patches would be assigned with a 1 hour delay at most.

              The script might compare patch policies on the special target group with the ones on the standard target group and add the special target group to the patch policies target list IF the patch is NOT in a special patch category for the unwanted patches.

              The script might find special target groups and special categories if you use a certain naming convention or tags in the description property. Otherwise you might use something like an XML or INI file to configure where to add patch policies and exclude which category.


              Creating deny policies by script would be generally possible and far more flexible and elegant but as you mentioned, it would be too late to create it some time after patchlink created the standard policies.

              Somehow hooking the script to the patch management rules so that the deny policies are created directly before the standard assignments would allow for such a scenario but I'm not aware of a way to do that.


              Maybe it would even be possible to create deny policies before patches are downloaded and assigned - on or after a new catalog is being released. That would need some research to find out if it's possible and safe to do so - you can't do that using DSMC.

              But that would still require you to make sure that the deny policies are ALWAYS created before the standard ones. Maybe by always running the catalog sync several hours before the downloads.

If you have enough time to wait for a feature in a future DSM version, just waiting might be the easiest solution though.

Otherwise it's definitely good to have a tool like PowerShell at hand to create some custom add-ons if necessary.


              Cheers

                Klaus

              1 of 1 people found this helpful
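Klaus's workaround 2 (the hourly reconciliation script) as an added example that models the logic; this is not code from the thread and not the NWC Services PowerShell Extension. It runs on constructed in-memory records instead of DSM objects, and the group names, patch IDs and categories are assumptions. It goes one step beyond the description in two places: it also removes a "No X" group from a policy again when the patch has been re-categorised into an excluded category, and it checks the precondition that clients in a "No X" group are not also in the standard group.

```python
"""Model of the hourly reconciliation script for "No X" client groups.

PatchLink keeps assigning every patch policy to the standard group.  A
scheduled script then extends each policy's target list with the "No X"
groups, skipping patches whose category the group excludes.  The DSM
objects are replaced here by constructed in-memory records; with a real
extension the read/write steps would be API calls.  Constructed example,
not DSM/PatchLink code.
"""
from dataclasses import dataclass, field

STANDARD_GROUP = "All Patches"   # assumed name of the standard target group
NO_PREFIX = "No "                # naming convention for the special groups


@dataclass
class PatchPolicy:
    patch_id: str
    categories: set                              # patch categories of the patch
    targets: set = field(default_factory=set)    # client groups it is assigned to


@dataclass
class ClientGroup:
    name: str
    members: set                                 # client names


def excluded_categories(group_name, overrides=None):
    """Excluded categories for a special group: explicit configuration (the
    INI/XML variant) wins, otherwise the 'No <Category>' naming convention."""
    if overrides and group_name in overrides:
        return set(overrides[group_name])
    if not group_name.startswith(NO_PREFIX):
        raise ValueError(f"{group_name!r} is not a 'No X' group")
    return {group_name[len(NO_PREFIX):]}


def reconcile(policies, special_groups, overrides=None):
    """One scheduled run.  Adds each special group to every standard-group
    policy whose patch is not in an excluded category, and drops it again if
    the patch was re-categorised into one.  Returns (added, removed) as lists
    of (patch_id, group_name); a second run on unchanged data returns empty
    lists, so the script is safe to run hourly."""
    added, removed = [], []
    for group in special_groups:
        excluded = excluded_categories(group, overrides)
        for pol in policies:
            if STANDARD_GROUP not in pol.targets:
                continue                         # not assigned by PatchLink yet
            unwanted = bool(pol.categories & excluded)
            if not unwanted and group not in pol.targets:
                pol.targets.add(group)
                added.append((pol.patch_id, group))
            elif unwanted and group in pol.targets:
                pol.targets.discard(group)
                removed.append((pol.patch_id, group))
    return added, removed


def overlapping_clients(groups, special_groups):
    """Precondition check: a client in a 'No X' group must not also be in
    the standard group, or it still receives the excluded patches."""
    standard = next(g.members for g in groups if g.name == STANDARD_GROUP)
    return {g.name: sorted(g.members & standard)
            for g in groups if g.name in special_groups and g.members & standard}


def build_sample():
    """Constructed sample data: three policies PatchLink assigned to the
    standard group, one Chrome policy not yet assigned anywhere."""
    policies = [
        PatchPolicy("JAVA-2017-01", {"Java"}, {STANDARD_GROUP}),
        PatchPolicy("FLASH-2017-01", {"Adobe Flash Player"}, {STANDARD_GROUP}),
        PatchPolicy("WIN-2017-01", {"Microsoft Windows"}, {STANDARD_GROUP}),
        PatchPolicy("CHROME-2017-01", {"Google Chrome"}, set()),
    ]
    groups = [
        ClientGroup(STANDARD_GROUP, {"pc01", "pc02"}),
        ClientGroup("No Java", {"pc03"}),
        ClientGroup("No Adobe Flash Player", {"pc04", "pc02"}),  # pc02 is misplaced
    ]
    return policies, groups, ["No Java", "No Adobe Flash Player"]


if __name__ == "__main__":
    policies, groups, special = build_sample()
    print("misplaced clients:", overlapping_clients(groups, special))
    print("run 1:", reconcile(policies, special))
    print("run 2:", reconcile(policies, special))   # nothing left to do
    # a new Java patch arrives with the next catalog and PatchLink assigns it
    policies.append(PatchPolicy("JAVA-2017-02", {"Java"}, {STANDARD_GROUP}))
    print("run 3:", reconcile(policies, special))   # only "No Adobe Flash Player" gets it
```

The new Java patch in run 3 shows the timing Robin asked about: the standard group gets it as soon as PatchLink creates the policy, the "No Adobe Flash Player" group gets it on the next scheduled run, and the "No Java" group never gets it, so the exclusion holds without anyone editing the policy by hand.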
              • 4. Re: DSM PatchLink/APM: Patch Black-listing possible?
                RobinK. Rookie

                Hi Klaus,

Sorry for the delayed answer.

Your comments were very helpful! Thank you! Much appreciated!

I will try the PowerShell Extension trial as soon as I can, to get in touch with it and gain experience. Thanks for the link!

Nevertheless I will raise a feature request via a low-prio ticket with Ivanti support, as you mentioned. Just for future features.

For now I think I have just evaluated (with your great support) that currently there is no good blacklisting patch management possible, and I will stay with the way designed by HEAT to whitelist software patches.

                Best Regards

                Robin

                • 5. Re: DSM PatchLink/APM: Patch Black-listing possible?
                  RobinK. Rookie

                  Feature request issued to Ivanti ...