The introductory article on patch management can be found here.
Around the beginning of August 2014, all college-owned computers will be migrated from the old K1000 version 5.4 to the new K1000 version 5.5, possibly receiving a newer version of the Dell KACE Agent. For a few months, Windows computers on a KBOX patch schedule will receive application patches from a different, temporary K1000 process, one based on KBOX scripts rather than on KBOX patching. This does not affect computers running Mac OS X, only Windows. What you see during patching will look different, and may work a bit differently than before, but it will run at exactly the same time as the patch schedule you subscribed to (the deploy step). The applications included in this process are marked with § in the list below. It is very likely that any Web browsers running at that time will be terminated without warning. ITS plans to have a better, permanent solution in place by the end of the calendar year, if Dell KACE fixes some bugs.
KBOX Patch Management
The K1000 is only for Carleton-owned computers.
The KBOX K1000 receives patches from Lumension, a security company, and delivers them to campus computers. Patches in the KBOX are security-related patches only. Feature-related patches and upgrades are not available from KBOX patch management as Kpatches.
What patches are delivered by the K1000?
The KBOX K1000 delivers security-based patches for the following applications:
When are patches delivered by the K1000?
When software vendors release patches, Lumension and KACE test them before making them available to the KBOX K1000. This provides additional levels of review to catch potential problems. The KBOX K1000 downloads new patch signatures and patch package files for the selected operating systems nightly. Carleton computers then apply the available patches according to the patch schedule to which each computer is assigned. Some patch schedules check for ("detect") patches at one time and apply ("deploy") the detected patches at a later time. Other patch schedules check for ("detect") patches and apply them ("deploy") immediately thereafter.
There are 10 different patch schedules to which a computer can be assigned. Each computer, virtual machine (VM), and booting operating system (e.g., dual boot) should be assigned to one and only one patch schedule. Any VM or booting operating system on a computer should be assigned to a different schedule than the computer itself, so you can make sure the correct environment is running at the time of each schedule.
Note: We have found it is very difficult to explain these different patch schedules in writing, so please be patient in reviewing this section, and contact the ITS HelpDesk (x5999) when you have questions.
Here is a list of the different patch schedules, each with a different color, and next to that is a picture of when the different steps (detect or deploy) of each patch schedule run:
KPatching has two different phases:
- Detect which patches a computer needs
- Deploy patches to a computer
KPatch Schedule | Detect Phase | Deploy Phase | Reboot |
---|---|---|---|
Monday End Of Day | M 5 p.m. | immediately after detect, runs until finished | automatically |
Tuesday Common Time | M 12:05 p.m. | Tu 12:05 p.m. - 12:35 p.m. | prompt user |
Thursday Common Time | W 12:05 p.m. | Tr 12:05 p.m. - 12:35 p.m. | prompt user |
Thursday End Of Day | Tr 5 p.m. | immediately after detect, runs until finished | automatically |
Friday Convo | | F 11:00 a.m. - 11:30 a.m. | prompt user |
Next Check-in | F 6 p.m. or the next time a computer connects | Tr 11:05 or the next time a computer connects, ends 90 minutes later | prompt user |
What do I see when the patch schedule steps run?
When a patch schedule Detect-only step runs, nothing is displayed. The computer may seem a bit sluggish, but you can keep working. Every
The patch schedule Deploy step has these characteristics:
- When starting, the KBOX K1000 displays an OK/Snooze choice to you for 15 minutes, then proceeds if there was no response.
- If you choose Snooze, the K1000 waits 5 minutes and asks again.
- The KBOX K1000 displays a Patching in Progress message continuously until this step is completed.
- The actual patching process takes significant computer resources, so your other work may be noticeably affected.
- Some applications (e.g., web browsers) will not patch successfully if the application is running at the time the patching is attempted, so during this step close any Web browsers you are not actively using.
- If a reboot is needed, the KBOX K1000 displays a Reboot prompt to you for 5 minutes, and re-prompts every hour (unless auto-reboot is set to automatically).
This table lists the different patch schedules again with more detailed information:
Which patch schedule should I choose?
It depends on when the computer (or VM or booting operating system) is active and on the campus network, and on whether you want patching to compete with your other work. In general, if you don't want to be interrupted, choose an EndOfDay or Overnight schedule. With an EndOfDay schedule, before you leave that day, close all open applications, leave your computer powered on (not in sleep mode), and leave it connected to the campus network.
If your laptop computer is seldom on campus at all, choose the NextCheckIn schedule which will try to run every time you are back on the campus network if you miss the scheduled times. But NextCheckIn can be very annoying, so choose it only if none of the other schedules works for you.
A note about the NOJava schedules: The patch schedules whose names contain the phrase NOJava exclude any Java Runtime Engine (JRE) updates, because a few third-party applications run correctly only when their preferred version of Java is not changed. Only if you have such an application should you choose a NOJava schedule, and in those cases you can improve your computer's security by disabling Java in Web browsers: look for a Java Control Panel with a Security tab and a setting titled "Enable Java content in the browser" that you can uncheck. If doing this causes the application's Web site to fail, just reverse your actions.
How do I tell if my machine is on a patch schedule?
- Visit the KBOX K1000 user portal in your web browser
- Log in with your Carleton username and password
- Click the My Computer tab
- Scroll down the page to the Activities section
- Click on the Labels link
- If you have a Label beginning with PatchSelf, your machine is on a patch schedule
- Note: If you have a VM, multiple Operating Systems, or multiple computers, you'll need to repeat this process from each VM/OS/computer
How do I join a Kpatch schedule?
- Visit the KBOX K1000 user portal in your web browser
- Log in with your Carleton username and password
- Click the Software Library tab
- In the Search field, type Patch and click Search, or scroll down the page until you see the entries beginning with Patch Schedule:
- Click on the desired Patch Schedule. (If the Patch Schedule you want does not appear in the list, contact the ITS HelpDesk x5999.)
- Read the Installation Instructions and click Install Now
- Note: If you have a VM, multiple Operating Systems, or multiple computers, you'll need to repeat this process from each VM/OS/computer
What if my software is already up-to-date?
KBOX K1000 patch management should not reinstall patches that are already applied, nor should it downgrade your applications. With regard to Mozilla Firefox, note that version 31.2esr was released at the same time as consumer version 33 (31+2=33), so ESR versions may appear old when they are actually up to date.
How do I keep my computer from sleeping when a patch schedule starts long after I leave?
KBOX patching cannot run if a computer is in sleep mode at the scheduled time. Most campus computers are configured to go into sleep mode after a period of inactivity, usually 4 hours. But if a patch schedule step runs at 6 a.m., and you left your computer on at work at 6 p.m., the computer will be sleeping by 6 a.m. when patching is supposed to start.
There are 4 solutions to this problem:
- In the power management settings on your computer, disable the computer's sleep mode entirely (but this wastes energy).
- In the power management settings in your computer operating system or BIOS, schedule the computer to wake up about 20 minutes before patching is scheduled to start.
- Have your computer configured to accept a Wake-on-LAN request when it is sleeping (which is not the default), and the KBOX will send a Wake-on-LAN packet about 10-15 minutes before patching is scheduled to start (ask the ITS HelpDesk x5999 for help with this).
- Launch a "keep awake" utility on your computer when you leave, so it never becomes inactive and so never sleeps. For Windows, we have had good results with a free utility called Caffeine, from Zhorn Software.
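To illustrate solution 3, here is an added example (not the K1000's or Dell KACE's own code) that builds the Wake-on-LAN "magic packet" a management server sends to a sleeping computer, which is why the computer's NIC must be configured to accept such requests. The MAC address, broadcast address and port used below are constructed sample values.

```python
"""Build and (optionally) send a Wake-on-LAN magic packet.

Added illustration of the Wake-on-LAN mechanism referred to in solution 3;
not the K1000's own code. The MAC address used in __main__ is a constructed sample.
"""
import re
import socket

# Accepts 6 hex octets with a consistent separator of '-', ':' or none at all.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})([-:]?)(?:[0-9A-Fa-f]{2}\2){4}[0-9A-Fa-f]{2}$")


def build_magic_packet(mac: str) -> bytes:
    """Return the 102-byte magic packet for a MAC address.

    A magic packet is 6 bytes of 0xFF followed by the target's 6-byte MAC
    address repeated 16 times. The network card matches this pattern in
    hardware while the host is asleep, which is why Wake-on-LAN must be
    enabled in the computer's firmware/NIC settings for it to work.
    """
    if not MAC_RE.match(mac):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    raw = bytes.fromhex(re.sub(r"[-:]", "", mac))
    return b"\xff" * 6 + raw * 16


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Send the magic packet as a UDP broadcast and return the byte count sent.

    Port 9 (discard) is the conventional Wake-on-LAN port. The packet only
    reaches machines in the broadcast domain it is sent to, so a server on
    another subnet must use that subnet's directed broadcast address.
    """
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


if __name__ == "__main__":
    # Constructed sample MAC; substitute the sleeping computer's own address.
    print(len(build_magic_packet("00-11-22-33-44-55")))  # 102
```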