Ivanti Patch for Windows Servers Software Distribution Best Practices And Informational Guide

Version 15

    Purpose

     

    The purpose of this document is to provide information about the Software Distribution feature.

     

    Overview

     

    What is the Software Distribution feature?

     

    The Software Distribution feature enables you to scan for free third-party products that can be deployed by Shavlik Protect. If you enable the Software distribution check box in a custom scan template, the available third-party products will be included in the Patch Missing list of the scan results.

     

    There are two methods to setup the Software Distribution feature: (These methods will be explained below)

    • Use a custom scan template and patch group combination that includes specific Software Distribution installers (recommended).
    • Configure a custom scan template with Software Distribution enabled to scan for all possible products.


    Method 1 for setting up Software Distribution scanning and deployment (Recommended)

     

    1. Go to View > Patches.

     

    2. In the upper left hand section of View > Patches, make sure that Software Distribution is selected in order to view available software distributions in your search.

     

    Select Software Distribution Filter.PNG

     

    3. Type in the desired product that you would like to find a software distribution for then expand the product and, depending on the product, the version of the product. You will see that software distributions have a "N" beside the Q number and also have Patch Type "Software Distribution."

     

    Find Product.PNG

     

    4. Right click your desired software distribution then either add it to a new patch group, or an existing patch group. You can now view your selected software distribution in your patch group at the bottom right area of View > Patches.

     

    Add to Patch Group.PNG

    View Patch Group.PNG

     

    5. Go to New > Patch Scan Template to create a new patch scan template then name the template. It is recommended that you only use this template for software distributions.

    Select New Scan Template.PNG

     

    6. In your patch scan template, select to scan for your new patch group as the baseline in the bottom right hand corner of the template. This will disable all filters and scan only for the software distribution in your patch group. Then save your configuration.

     

    Select Baseline modified.png

     

    7. Scan with your new scan template.

     

    Scan with template.PNG

     

    8. After scanning, you should be able to deploy the software distribution like any other patch unless certain system requirements or prerequisites are required. For instance if you are installing Internet Explorer 11, you will want to follow the instructions in this document How to Install / Upgrade Internet Explorer with Protect 9.2.

     

    Scan Results.PNG

     

    This video describes the process for Method 1.

     

     

     

    Method 2 for setting up Software Distribution scanning and deployment

     

    1. Go to New > Patch Scan Template to create a new patch scan template then name the template. It is recommended that you only use this template for software distributions.

     

    Select New Scan Template.PNG

     

    2. On the Filtering tab, name your new Patch Scan Template appropriately and deselect any Patch Type Filters in the lower right section.  It is recommended that you don't rely on filtering when using software distribution.

     

    No Filter.PNG

     

    3. On the Software Distribution tab, make sure to check the 'Software Distribution' box to enable software distribution scanning for this template and save the configuration.

        The text box below is not interactive.  It only acts as a list of products that can be pushed out with software distribution.


    Software Distribution Check.PNG

     

    4. Select to scan your desired machines with the scan template that you just created.

     

    Run Operation.PNG

     

    5. View the scan result. Highlight any systems you want to deploy software to in the upper pane. Then in the lower pane (under missing patches) highlight any software that you wish to deploy. Protect shows software distribution scan results just as it shows security patch scan results - which can make it a little confusing. The easiest way to view what the products are is by the "Bulletin Title" column.

     

    a. You can use CTRL+Left Click to highlight multiple items. Then right click on any of the highlighted area, and choose Deploy > Selected Patches. The example below shows how it would appear if I wished to deploy the latest Java 8 Update 66 software.

     

    Best Practice: NEVER select Deploy > All Missing patches from a software distribution scan result. This will result in all software installing on target systems.  You cannot uninstall the software through Protect.

     

    Scan Results.PNG

     

    b. You may also want to add the software distribution product to a patch group. Right click the highlighted area, choose Add to Patch Group, then either select an existing patch group or create a new patch group. Once you have the product in a patch group, you can scan specifically for your product using the patch group as a baseline in your scan template as is mentioned in Method 1.

     

    Add Software Distribution to Patch Group.PNG

     

    Software Distribution in Patch Group.PNG

     

    Q&A

     

    When using a scan template with the Software Distribution feature enabled, is it OK to use Product or Patch Group filtering for Software Distributions?

     

    Yes, you can use filtering. However, the caveat is that if you use a Product Filter - not all software distribution items are linked to the main product you would assume that they would be. Example: In the images above you can see that Java 8 Update 66 is obviously a Java product, however, the Product listing in Protect shows Windows Server 2012 R2 Standard (x64). This is because of how we detect the software - which sometimes depends on what the operating system is.

     

    This means that if you select the 'Java' Product Filter in your scan template it will not necessarily offer Java in your scan result. You will need to select the applicable operating system in the Product Filter as well.

     

    Is it best practice to set up automation using recurring scheduled scan/deployment with software distribution?

     

    No, the best practice is to use the method laid out in the steps above and deploy software based on selected items from the scan result. If you plan to attempt to automate software distribution you will need to ensure that you at least use a patch group for filtering so that you are not accidentally pushing out unwanted software.

     

    Can Protect rollback or uninstall any software items I have accidentally deployed using software distribution?

     

    No. There is no rollback function for a deployment from Protect. Protect does have the ability to perform an uninstall of some patches, however, the majority of software distribution items have no uninstall function that can be run from Protect. This is why you need to be especially careful not to deploy all the software that Protect has the ability to push out when using the software distribution feature.

     

    Affected Product(s)

     

    Shavlik Protect 9.2

    Patch for Windows Server 9.3.x