...

The introductory article on patch management can be found here.

KBOX Patch Management

The KBOX is only for Carleton-owned computers.
You must be ON CAMPUS to log into the K1000, as described below.

Please contact the ITS HelpDesk if you would like help using the K1000.
You can reach them at x5999 or by email at helpdesk@carleton.edu

The KBOX 1000 (K1000) receives patches from Lumension, a security company. These patches are then delivered to campus computers. Patches in the K1000 are security-related patches only. Feature-related patches and upgrades are not available from KBOX K1000 patch management.

What patches are delivered by the K1000?

The K1000 delivers security-based patches for the following applications:

...

(§ are frequently exploited, and so are considered critical)

When are patches delivered by the K1000?

When software vendors release patches, Lumension and KACE test them before making them available to the K1000. This provides more levels of review to catch any potential problems. The K1000 downloads new patch signatures and patch package files for selected operating systems nightly. Carleton computers then receive the available patches according to the patch schedule to which each computer is assigned. Some patch schedules check for ("detect") patches at one time and apply ("deploy") the detected patches at a different, later time. Other patch schedules detect patches and deploy them immediately afterward.

...

What do I see when the patch schedule steps run?

When a patch schedule Detect only step runs, nothing is displayed. The computer may seem a bit sluggish, but you can keep working.

...

Again, we know this information is hard to interpret. Please contact the ITS HelpDesk (x5999) for help.

Which patch schedule should I choose?

It depends on when the computer (or VM or booting operating system) is active and on the campus network, and whether you want patching to compete with your trying to get other work done. In general, if you don't want to be interrupted, choose an EndOfDay or Overnight schedule, and leave your computer powered on, not in sleep mode, and connected to the campus network.

...

A note about the NOJava schedules: The patch schedules whose names contain the phrase NOJava exclude any Java Runtime Engine (JRE) updates, because a few third-party applications run correctly only when their preferred version of Java is not changed. Choose a NOJava schedule only if you have such an application. In that case, you can improve your computer's security by disabling Java in Web browsers: look for a Java Control Panel with a Security tab and a setting titled "Enable Java content in the browser" that you can uncheck. If doing this causes the application's Web site to fail, just reverse your actions.

How do I tell if my machine is on a patch schedule?

  1. Visit the KBOX K1000 user portal in your web browser
  2. Log in with your Carleton username and password
  3. Click the My Computer tab
  4. Scroll down the page to the Activities section
  5. Click on the Labels link
  6. If you have a Label beginning with PatchSelf, your machine is on a patch schedule
    1. Note: If you have a VM, multiple Operating Systems, or multiple computers, you'll need to repeat this process from each VM/OS/computer

How do I join a KBOX patch schedule?

  1. Visit the KBOX K1000 user portal in your web browser
  2. Log in with your Carleton username and password
  3. Click the Software Library tab
  4. In the Search field, type Patch and click Search, or scroll down the page until you see the entries beginning with Patch Schedule: 
  5. Click on the desired Patch Schedule. (If the Patch Schedule you want does not appear in the list, contact the ITS HelpDesk x5999.)
  6. Read the Installation Instructions and click Install Now
    1. Note: If you have a VM, multiple Operating Systems, or multiple computers, you'll need to repeat this process from each VM/OS/computer

What if my software is already up-to-date?

KBOX K1000 patch management should not reinstall patches that are already applied, nor should it downgrade your applications. With regard to Mozilla Firefox, note that version 31.1esr was released at the same time as consumer version 32 (31+1=32), so ESR version numbers may appear old when they are actually up to date.

How do I keep my computer from sleeping when a patch schedule starts long after I leave?

KBOX K1000 patching cannot run if a computer is in sleep mode at the scheduled time. Most campus computers are configured to go into sleep mode after a period of inactivity, usually 4 hours. But if a patch schedule step runs at 6am, and you left your computer on at work at 6pm, the computer will be sleeping by 6am when patching is supposed to start.

...