Is it possible to do patch black-listing (for single clients) with HEAT DSM PatchLink?
(Question should be suitable for Advanced Patch Management too as patch rules and patch handling approach are the same)
Currently HEAT DSM PatchLink is structured like the former Advanced Patch Management; it is designed to do patch white-listing to clients/systems (that is just what I would call this approach). So I can choose one or more vendors or products from the Lumension Patch Catalog to be part of a patch category and assign it to a target group of clients.
When looking from the client/system or client group perspective and NOT from the single patch perspective I can only do patch white-listing to clients.
If the client is in multiple groups, it gets more and more patches added from those groups and assigned patch categories. However, what about the other way around, to "subtract" patches from the list for this client? E.g. if I want "All Patches" except "Adobe Flash Player" and except "Java" assigned to a client.
(And I don't want to create a category for each exception constellation that would be possible, just a "minus" or "subtract" instead of an "add")
White-listing (possible with DSM APM and PatchLink):
Currently I'm able to assign an "All Patches" category (with the help of a patch rule) to one dedicated client group OR
- e.g. "PatchCat1 and PatchCat2 and without PatchCat3" to one dedicated client group.
But it seems to me that I'm not able to do something like this:
Assign "All Patches" except (or minus) patches from category "Patches 1" and except from "Patches 2".
In the end, what I want is:
- in general all patches are assigned to all clients
- but I can do exceptions for single clients for specific software
- by adding these clients to a predefined list or group (or adding a variable to the client object)
So that I have an “All patches” client group with all clients in it and multiple “No …” groups to combine with, like “No Java” or “No Adobe Flash”.
Hopefully I could explain it to you in a comprehensible way. If not, please write me your question.
It would be great for me just to get feedback on whether this is correct or whether there is a way with DSM to do black-listing of patches for single clients or a group of clients.
Many thanks in advance!