12 Replies Latest reply on Jul 30, 2010 12:23 PM by PatGmac

    Mac Patching & Rebooting

    Apprentice

      I'm curious if others have found a way to handle rebooting when an installed patch requires it?

       

      LANDesk S&P Manager can detect and install the patches it has a definition for (usually), but it has no mechanism for handling reboots, or prompting the user to reboot or defer reboots like the Windows side can. Not only that, but Apple only QA's many of these patches (Leopard) on logged out systems, which LANDesk also does not do. This really needs to be able to do more than just throw an installer command at machines. There needs to be a GUI interface that can be presented to the user to delay updates, or delay/defer a reboot as permitted in the scan and repair settings. Therefore, the Mac patching system in LANDesk is for the most part, useless.

       

      While I'm on this subject, why does S&PM list each Office update for a machine that does not need each Office update?

       

      See screenshot below:

       

      [screenshot: Picture 2.png]

      This shows that this machine is vulnerable for Office-2008-1214 through 12.1.9. But in fact, this machine has the latest 12.1.9 update installed. The inventory for the machine can even confirm it. And yes, it has been sending in vul scans (daily). This seems to be the case for

       

      Below is the LANDesk.log (filtered for "office-2008"):

       

      Wed Jun 17 12:27:20 2009 [58143] ldpatch : Processing the Vulnerability (OFFICE-2008-1201)
      Wed Jun 17 12:27:29 2009 [58143] ldpatch :     Detection result(Vul_ID=OFFICE-2008-1201): "File/OS version(s) verified".
      Wed Jun 17 12:27:29 2009 [58143] ldpatch : Reporting vulnerability OFFICE-2008-1201 is not detected.
      Wed Jun 17 12:27:29 2009 [58143] ldpatch : Processing the Vulnerability (OFFICE-2008-1210)
      Wed Jun 17 12:27:29 2009 [58143] ldpatch :     Detection result(Vul_ID=OFFICE-2008-1210): "File/OS version(s) verified".
      Wed Jun 17 12:27:29 2009 [58143] ldpatch : Reporting vulnerability OFFICE-2008-1210 is not detected.
      Wed Jun 17 12:27:29 2009 [58143] ldpatch : Processing the Vulnerability (OFFICE-2008-1211)
      Wed Jun 17 12:28:10 2009 [58143] ldpatch :     Detection result(Vul_ID=OFFICE-2008-1211): "File/OS version(s) verified".
      Wed Jun 17 12:28:10 2009 [58143] ldpatch : Reporting vulnerability OFFICE-2008-1211 is not detected.
      Wed Jun 17 12:28:10 2009 [58143] ldpatch : Processing the Vulnerability (OFFICE-2008-1212)
      Wed Jun 17 12:28:45 2009 [58143] ldpatch :     Detection result(Vul_ID=OFFICE-2008-1212): "File/OS version(s) verified".
      Wed Jun 17 12:28:45 2009 [58143] ldpatch : Reporting vulnerability OFFICE-2008-1212 is not detected.
      Wed Jun 17 12:28:45 2009 [58143] ldpatch : Processing the Vulnerability (OFFICE-2008-1213)
      Wed Jun 17 12:28:45 2009 [58143] ldpatch :     Detection result(Vul_ID=OFFICE-2008-1213): "File/OS version(s) verified".
      Wed Jun 17 12:28:45 2009 [58143] ldpatch : Reporting vulnerability OFFICE-2008-1213 is not detected.
      Wed Jun 17 12:28:45 2009 [58143] ldpatch : Processing the Vulnerability (OFFICE-2008-1214)
      Wed Jun 17 12:28:45 2009 [58143] ldpatch :     Detection result(Vul_ID=OFFICE-2008-1214): "File/OS version(s) verified".
      Wed Jun 17 12:28:45 2009 [58143] ldpatch : Reporting vulnerability OFFICE-2008-1214 is not detected.
      Wed Jun 17 12:28:45 2009 [58143] ldpatch : Processing the Vulnerability (OFFICE-2008-1215)
      Wed Jun 17 12:28:45 2009 [58143] ldpatch :     Detection result(Vul_ID=OFFICE-2008-1215): "File/OS version(s) verified".
      Wed Jun 17 12:28:45 2009 [58143] ldpatch : Reporting vulnerability OFFICE-2008-1215 is not detected.
      Wed Jun 17 12:28:45 2009 [58143] ldpatch : Processing the Vulnerability (OFFICE-2008-1217)
      Wed Jun 17 12:28:45 2009 [58143] ldpatch :     Detection result(Vul_ID=OFFICE-2008-1217): "File/OS version(s) verified".
      Wed Jun 17 12:28:45 2009 [58143] ldpatch : Reporting vulnerability OFFICE-2008-1217 is not detected.
      Wed Jun 17 12:28:45 2009 [58143] ldpatch : Processing the Vulnerability (OFFICE-2008-1219)
      Wed Jun 17 12:29:59 2009 [58143] ldpatch :     Detection result(Vul_ID=OFFICE-2008-1219): "File/OS version(s) verified".
      Wed Jun 17 12:29:59 2009 [58143] ldpatch : Reporting vulnerability OFFICE-2008-1219 is not detected.

       

      From what I can tell here, it knows that each of these versions is not vulnerable (which is correct), but why does this not get reflected in the vulscan data for the machines? So if I push out Office-2008-1219 to all vulnerable machines, it will include this one, which is obviously not vulnerable.

       

      Does LANDesk intend to bring Mac patch management and software deployment in line with the Windows counterpart? If so, when? I need to know if I need two desktop management systems going forward.

       

      </rant>
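The log excerpt above shows the agent reporting each OFFICE-2008 definition as "not detected" while the console still lists the machine as vulnerable. One way to surface that kind of mismatch systematically is to parse the ldpatch lines out of LANDesk.log and compare the agent's own verdicts against the Vul_IDs the console shows for the machine. The script below is an added example, not LANDesk code: it works from the three line shapes visible in the excerpt (Processing, Detection result, Reporting), the sample log embedded in it is constructed, and the positive "is detected" wording plus the EXAMPLE-0001 definition and its result message are assumptions made for illustration.

```python
import re
from collections import OrderedDict

# Regexes for the three ldpatch line shapes quoted in the thread.
TS_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[(?P<pid>\d+)\] ldpatch :")
PROCESSING_RE = re.compile(r"Processing the Vulnerability \((?P<vul>[^)]+)\)")
RESULT_RE = re.compile(r'Detection result\(Vul_ID=(?P<vul>[^)]+)\): "(?P<msg>[^"]*)"')
# Assumption: a positive verdict reads "is detected"; the thread only shows "is not detected".
REPORT_RE = re.compile(r"Reporting vulnerability (?P<vul>\S+) is (?P<state>not detected|detected)\.")

# Constructed sample in the LANDesk.log format shown above. EXAMPLE-0001 and its
# "File version(s) out of date" message are invented to exercise the detected path;
# the ldiscan line is there to show that non-ldpatch lines are skipped.
SAMPLE_LOG = """\
Wed Jun 17 12:27:20 2009 [58143] ldpatch : Processing the Vulnerability (OFFICE-2008-1201)
Wed Jun 17 12:27:29 2009 [58143] ldpatch :     Detection result(Vul_ID=OFFICE-2008-1201): "File/OS version(s) verified".
Wed Jun 17 12:27:29 2009 [58143] ldpatch : Reporting vulnerability OFFICE-2008-1201 is not detected.
Wed Jun 17 12:28:45 2009 [58143] ldpatch : Processing the Vulnerability (OFFICE-2008-1214)
Wed Jun 17 12:28:45 2009 [58143] ldpatch :     Detection result(Vul_ID=OFFICE-2008-1214): "File/OS version(s) verified".
Wed Jun 17 12:28:45 2009 [58143] ldpatch : Reporting vulnerability OFFICE-2008-1214 is not detected.
Wed Jun 17 12:29:59 2009 [58143] ldpatch : Processing the Vulnerability (OFFICE-2008-1219)
Wed Jun 17 12:29:59 2009 [58143] ldpatch :     Detection result(Vul_ID=OFFICE-2008-1219): "File/OS version(s) verified".
Wed Jun 17 12:29:59 2009 [58143] ldpatch : Reporting vulnerability OFFICE-2008-1219 is not detected.
Wed Jun 17 12:30:00 2009 [58143] ldiscan : Inventory scan started
Wed Jun 17 12:30:05 2009 [58143] ldpatch : Processing the Vulnerability (EXAMPLE-0001)
Wed Jun 17 12:30:06 2009 [58143] ldpatch :     Detection result(Vul_ID=EXAMPLE-0001): "File version(s) out of date".
Wed Jun 17 12:30:06 2009 [58143] ldpatch : Reporting vulnerability EXAMPLE-0001 is detected.
"""


def parse_ldpatch_log(text):
    """Return an ordered map Vul_ID -> {ts, result, state} for every definition
    the scan processed. A later pass over the same Vul_ID overwrites the earlier
    one, so the map reflects the most recent scan in the log."""
    entries = OrderedDict()
    for line in text.splitlines():
        head = TS_RE.match(line)
        if not head:
            continue  # not an ldpatch line
        m = PROCESSING_RE.search(line)
        if m:
            entries[m.group("vul")] = {"ts": head.group("ts"), "result": None, "state": None}
            continue
        m = RESULT_RE.search(line)
        if m:
            e = entries.setdefault(m.group("vul"), {"ts": head.group("ts"), "result": None, "state": None})
            e["result"] = m.group("msg")
            continue
        m = REPORT_RE.search(line)
        if m:
            e = entries.setdefault(m.group("vul"), {"ts": head.group("ts"), "result": None, "state": None})
            e["state"] = m.group("state")
    return entries


def reconcile(scan, console_vulnerable):
    """Compare the agent's verdicts with the Vul_IDs the console lists as
    vulnerable for this machine. Returns (stale, unscanned, confirmed):
      stale     - console says vulnerable, agent's last scan said 'not detected'
      unscanned - console says vulnerable, but the log has no verdict for it
      confirmed - console and agent agree the machine is vulnerable"""
    stale, unscanned, confirmed = [], [], []
    for vul in console_vulnerable:
        entry = scan.get(vul)
        if entry is None or entry["state"] is None:
            unscanned.append(vul)
        elif entry["state"] == "not detected":
            stale.append(vul)
        else:
            confirmed.append(vul)
    return stale, unscanned, confirmed


if __name__ == "__main__":
    scan = parse_ldpatch_log(SAMPLE_LOG)
    # Constructed console listing for the machine, including one ID the scan never saw.
    console = ["OFFICE-2008-1214", "OFFICE-2008-1219", "EXAMPLE-0001", "OFFICE-2008-9999"]
    stale, unscanned, confirmed = reconcile(scan, console)
    for vul in stale:
        print(f"STALE     {vul}: agent reported 'not detected' at {scan[vul]['ts']} ({scan[vul]['result']})")
    for vul in unscanned:
        print(f"UNSCANNED {vul}: no verdict in log")
    for vul in confirmed:
        print(f"CONFIRMED {vul}: {scan[vul]['result']}")
```

Run it against a real LANDesk.log (for example after `grep -i office-2008 LANDesk.log`) with the console's vulnerable list for that host; a non-empty "stale" set is exactly the symptom described in the post, and a non-empty "unscanned" set means the console is reporting definitions the agent never evaluated, which points at a definition download or scan-scope problem rather than a detection one.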

        • 1. Re: Mac Patching & Rebooting
          Employee

           

          Just wanted to give you a heads up on some of the efforts related to Mac development in this area.

           

          We have been working on, and will soon be releasing, an update to the Patch Management support in the 8.8 Mac Agent that will improve the handling of certain vulnerability definitions, including those that require the reboot handling you mention. In the future, we will be addressing the deficiencies in the Mac version of Patch Management, when compared to the Windows version, in addition to adding Application Blocking support.

           

          I'm working to firm up a date on when we intend to release this patch; I will post shortly after I have confirmation.

           

          -Coby (Product Manager on Mac Development @ LANDesk)

          • 2. Re: Mac Patching & Rebooting
            Rookie

            Hi Coby...

             

            I'm curious if there's any more info about the patch you mentioned here.

             

            Also, I'm new to the Mac LD client and would be interested to know if there are any technical references available, particularly for interacting with the client via command line -- perhaps a document detailing the various commands and their flags?


            Thanks!

            • 3. Re: Mac Patching & Rebooting
              Rookie

              Sorry to reply to my own post, but here's a little more specificity about one of the things I'd like to do...

               

              I want to initiate a patch scan remotely, via ssh.  I see under /Library/Application Support/LANDesk/bin the ldpatch and ldpatch.app items.  If I run ldpatch, I get several errors that seem to indicate that it needs a GUI, like "Untrusted apps are not allowed to connect to or launch Window Server before login".  I can't figure out a way to invoke it so that it will work.

               

              I can, of course, click 'Check Now' under the Patch Management section of the Landesk Agent GUI application, and that works. I'd like to find a way to do the same thing from the command line.

               

              One other oddity I've noticed as I try to get my bearings with the Mac client:  The version of ldpatch under /Library/Application Support/LANDesk/bin reports the following:

               

              # ./ldpatch -v

              8.70.5

               

              But the version of Patch Management shown in the Landesk Agent GUI app shows 8.80.0.291.  Not sure what to make of this discrepancy.

               

              Thanks for any pointers.

              • 4. Re: Mac Patching & Rebooting
                Apprentice

                shodges wrote:

                 

                Sorry to reply to my own post, but here's a little more specificity about one of the things I'd like to do...

                 

                I want to initiate a patch scan remotely, via ssh.  I see under /Library/Application Support/LANDesk/bin the ldpatch and ldpatch.app items.  If I run ldpatch, I get several errors that seem to indicate that it needs a GUI, like "Untrusted apps are not allowed to connect to or launch Window Server before login".  I can't figure out a way to invoke it so that it will work.

                 

                I can, of course, click 'Check Now' under the Patch Management section of the Landesk Agent GUI application, and that works. I'd like to find a way to do the same thing from the command line.

                 

                One other oddity I've noticed as I try to get my bearings with the Mac client:  The version of ldpatch under /Library/Application Support/LANDesk/bin reports the following:

                 

                # ./ldpatch -v

                8.70.5

                 

                But the version of Patch Management shown in the Landesk Agent GUI app shows 8.80.0.291.  Not sure what to make of this discrepancy.

                 

                Thanks for any pointers.

                 

                Are you aware the agent config can be configured to automatically scan for patches at the interval you set? But you should be able to run "/Library/Application\ Support/LANDesk/bin/ldpatch" at the login window; that doesn't require a GUI, but ldpatch.app does. If you have ARD, you can send the command with that as well.

                 

                The version shown by -v has not been correct for as long as I've been using LD. The correct version is in the inventory though, I would go by that.

                • 5. Re: Mac Patching & Rebooting
                  Rookie

                  Thanks Patrick...

                   

                  Yes, I know the client can be configured to run scans periodically -- right now I'm just trying to get my bearings and would like to be able to do things manually to verify that they work or see how they work.

                   

                  I can only run ldpatch if there's someone logged into the machine's GUI, but not if no one is currently logged on.  (Ideally I'd like to be able to ssh to the machine and run commands that way.)

                  • 6. Re: Mac Patching & Rebooting
                    mrspike (SSMMVPGroup)

                    Corey,

                     

                    As a company that has a large Mac base, I sure hope you guys get the Mac stuff working soon.  We have been told "in the next release...." since 8.6 and have not seen a lot of improvement.

                    • 7. Re: Mac Patching & Rebooting
                      Apprentice

                      CobyG wrote:

                       

                       

                      Just wanted to give you a heads up on some of the efforts related to Mac development in this area.

                       

                      We have been working on, and will soon be releasing, an update to the Patch Management support in the 8.8 Mac Agent that will improve the handling of certain vulnerability definitions, including those that require the reboot handling you mention. In the future, we will be addressing the deficiencies in the Mac version of Patch Management, when compared to the Windows version, in addition to adding Application Blocking support.

                       

                      I'm working to firm up a date on when we intend to release this patch; I will post shortly after I have confirmation.

                       

                      -Coby (Product Manager on Mac Development @ LANDesk)

                      Hi CobyG,

                       

                      I'm wondering if there has been any movement in this area.

                       

                      I'm also just starting to bring our Macs on board, and I'm very disappointed that the first thing a user gets is a "shutdown/reboot" prompt with no option to cancel or delay the reboot before a patch is installed.

                      • 8. Re: Mac Patching & Rebooting
                        Apprentice

                        shodges wrote:

                         

                        Sorry to reply to my own post, but here's a little more specificity about one of the things I'd like to do...

                         

                        I want to initiate a patch scan remotely, via ssh.  I see under /Library/Application Support/LANDesk/bin the ldpatch and ldpatch.app items.  If I run ldpatch, I get several errors that seem to indicate that it needs a GUI, like "Untrusted apps are not allowed to connect to or launch Window Server before login".  I can't figure out a way to invoke it so that it will work.

                         

                        I can, of course, click 'Check Now' under the Patch Management section of the Landesk Agent GUI application, and that works. I'd like to find a way to do the same thing from the command line.

                         

                        One other oddity I've noticed as I try to get my bearings with the Mac client:  The version of ldpatch under /Library/Application Support/LANDesk/bin reports the following:

                         

                        # ./ldpatch -v

                        8.70.5

                         

                        But the version of Patch Management shown in the Landesk Agent GUI app shows 8.80.0.291.  Not sure what to make of this discrepancy.

                         

                        Thanks for any pointers.

                         

                        Try this instead to get the version:

                         

                        # ./ldpatch -v3

                         

                        You should get back the correct version. Mine currently is reporting: 8.80.0.297

                        In my experience, -v3 should work correctly for nearly all the LANDesk binaries.

                         

                         

                        To initiate the patch over ssh make sure you start it with sudo privileges:

                         

                        # sudo ./ldpatch

                         

                         

                        • 9. Re: Mac Patching & Rebooting
                          Rookie

                          Just adding to this thread.

                          I've got about 200 Macs that I'd like to start patching but can't, because there's no defer option or enhanced configuration that handles reboots.

                          • 11. Re: Mac Patching & Rebooting
                            Rookie

                            I'm "Unauthorized" and I don't even know why. Strange.

                            • 12. Re: Mac Patching & Rebooting
                              Apprentice

                              Not sure what the requirements are to gain access, but try sending an email to enhancementrequests@landesk.com.