3 Replies Latest reply on Apr 25, 2017 2:58 PM by cwinning

    Automated, staged patch deployments?

    JohnTee Rookie

      Below is my ideal scenario for patching our systems. I thought this was a fairly standard way to test patches and updates, but I am having a very difficult time figuring out how to set this up in Shavlik.

       

      Deploy patches to test group on Monday. If there are no problems, deploy those exact patches to the production group on Friday.

       

      All I can figure out how to do is run a scan on the test Machine Group on Monday, then run another scan on Friday to the production group. The problem is that between Monday and Friday new patches are released. These new patches cannot be deployed to production because they are not yet tested.

       

      If this cannot be automated, that is fine. I am honestly not even sure how to do this manually, though. Would this require building a patch template every week and assigning it to my two Agent policies? Can someone point me in the right direction? I am not seeing anything about this in the best practices guide, other than it suggesting that I should test patches first.

       

      Thanks,

       

      John

        • 1. Re: Automated, staged patch deployments?
          cwinning CommunityTeam

          Hello,

           

          I think the new 9.3 version will help you accomplish this more easily than 9.2.  The Ivanti Patch for Servers 9.3 early release (Protect) was launched today after a successful beta.  I'll refer to it as PWS.

           

          The basic flow of a method would be:  (this would work best when not using an agent)

           

          1. Change PWS to a disconnected mode where new definitions are not automatically downloaded.  Tools > Un-check Auto-update definitions.  This means you would need to perform a Help > Refresh Files when you want to see new patches.
          2. Schedule a scan with auto deployment against your test machines for Monday night.
          3. Schedule a scan with auto deployment against your production machines for Friday night.  (make sure to use the same Scan and Deployment Template used for the Monday job)
          4. Schedule automatic download in Tools > Options > Downloads > Scheduled automatic downloads.  Set it to run Saturday or Sunday.  This will download new content that day and make it available for the Monday scan and deployment against your test machines.

           

          The basic flow of a Patch Group method would be:  (This CAN work with an agent)

           

          1. Create a Patch Group that contains the patches you OK to deploy.
          2. You would use 2 Agent policies, one for Monday and one for Friday.  The tasks would use the same Scan Template with Patch Group selected as the baseline.  This way it doesn't matter when the content updates since the scan and deployment would be based on the Patch Group you create and update.
          3. You would need to update the Patch Group with newer patches when you are ready to include them.  You would also need to make sure the agents get the updates before the Monday jobs run.

           

          There could be more options with the new API commandlets in 9.3, but that would require scripting on your side. ☺

           

          Let me know if you have any questions.

           

          Ivanti Patch for Servers 9.3 early release can be downloaded from here:  http://content.ivanti.com/products/Protect/v9/93/4379/IvantiPatchForServers_9.3.4397.exe

          We consider this a full release, just not communicated yet.  This will happen some time this week.

          It can be installed on top of 9.1 and 9.2.

           

          Thanks,

          Charles

          • 2. Re: Automated, staged patch deployments?
            JohnTee Rookie

            Thank you for the reply. We are using Protect, but only for Workstations. This sounds like it should be pretty much the same process though? I assume the applications (Protect, and Patch for Servers) are pretty much the same?

            • 3. Re: Automated, staged patch deployments?
              cwinning CommunityTeam

              Hello,

               

              Ivanti Patch for Servers is the latest version of Protect.  Don't let the 'for Servers' scare you, we fully support Servers and Workstations.

               

              Same look and feel, new features too.

               

              Charles