The introductory article on patch management can be found here.

K1000 Patch Management

The K1000 is only for Carleton-owned computers.
You must be ON CAMPUS, or connected via the VPN, to log in to the K1000.

Please contact the ITS HelpDesk if you would like help using the K1000.
You can reach them at x 5999 or by email at: helpdesk@carleton.edu

The K1000 receives security patches, which are then delivered to campus computers. Feature-related patches and upgrades are not available as Kpatches.

What patches are delivered by the K1000?

The K1000 delivers security-based patches for the following applications:

  • 7-Zip (Windows)
  • ABViewer (Windows)
  • Adobe AIR
  • Adobe Acrobat
  • Adobe Digital Editions
  • Adobe Reader
  • Adobe Flash Player (on Windows, ActiveX and plugin)
  • Apache OpenOffice (macOS)
  • Apple iCloud (Windows)
  • Apple iTunes (Windows)
  • Audacity
  • Box Sync (Windows)
  • Camtasia
  • CCleaner (Windows)
  • CDBurnerXP (Windows)
  • Citrix Receiver (Windows)
  • DatabaseSpy (Windows)
  • DiffDog (Windows)
  • Dropbox (Windows)
  • Evernote
  • Fetch (macOS)
  • FileZilla Client (Windows)
  • Foxit Reader and PhantomPDF (Windows)
  • Gimp
  • Google Chrome
  • Google Earth (Windows)
  • GoToMeeting (Windows)
  • HipChat (macOS)
  • ImgBurn (Windows)
  • Inkscape
  • join.me (Windows)
  • KeePass Password Safe (Windows)
  • LibreOffice
  • Microsoft Office (Mac)
  • MindManager (Windows)
  • Mozilla Firefox (consumer version)
  • Mozilla Firefox ESR (Windows only)
  • Notepad++ (Windows)
  • Opera 
  • Oracle Java (Java Runtime Engine, or JRE)
  • Paint.NET (Windows)
  • PDFCreator (Windows)
  • Pidgin (Windows)
  • PuTTY (Windows)
  • Python 3 (macOS)
  • RealPlayer (Windows)
  • RealVNC (Windows)
  • RingCentral Meetings (Windows)
  • SeaMonkey
  • Skype for Business (macOS)
  • Slack (macOS)
  • SnagIt (Windows)
  • TeamViewer
  • Thunderbird 
  • TightVNC (Windows)
  • TortoiseSVN (Windows)
  • UltraVNC (Windows)
  • VideoLAN VLC media player
  • VMware Fusion (macOS)
  • VMware Horizon Client (macOS)
  • VMware Tools (Windows)
  • VMware Player (Windows)
  • VMware Workstation (Windows)
  • WinRAR (Windows)
  • WinSCP (Windows)
  • WinZip Courier (Windows)
  • Wireshark (Windows)
  • Zoom Meetings (Windows)

When are patches delivered by the K1000?

When software vendors release patches, KACE tests them before making them available to the K1000. This provides more levels of review to catch any potential problems. The K1000 downloads new patch signatures and patch package files for selected operating systems nightly. Then, Carleton computers use the available patches based on the patch schedule to which each computer is assigned. KPatching has two different phases:

  1. Detect which patches a computer needs
  2. Deploy patches to a computer


| KPatch Schedule | Detect Phase | Deploy Phase | Reboot |
|---|---|---|---|
| Monday End Of Day | M 5 p.m. | immediately after detect, runs until finished | automatically |
| Tuesday Common Time | M 12:05 p.m. | Tu 12:05 p.m. - 12:35 p.m. | prompt user |
| Thursday Common Time | W 12:05 p.m. | Tr 12:05 p.m. - 12:35 p.m. | prompt user |
| Thursday End Of Day | Tr 5 p.m. | immediately after detect, runs until finished | automatically |
| Friday Convo | | F 11:00 a.m. - 11:30 a.m. | prompt user |
| Next Check-in | F 6 p.m. or the next time a computer connects | Tr 11:05 or the next time a computer connects, ends 90 minutes later | prompt user |


What do I see when the patch schedule steps run?

When a patch schedule Detect-only step runs, nothing is displayed. The computer may seem a bit sluggish, but you can keep working.

The patch schedule Deploy step has these characteristics:

  • When starting, the K1000 displays an OK/Snooze choice to you for 15 minutes, then proceeds if there was no response.
    • If you choose Snooze, the K1000 waits 5 minutes and asks again.
  • The K1000 displays a Patching in Progress message continuously until this step is completed. The actual patching process takes significant computer resources, so your other work may be noticeably affected.
    • Some applications (e.g., Java, web browsers) will not patch successfully if the application is running at the time the patching is attempted, so during the Deploy step you should close any applications and Web browsers you are not actively using.
  • If a reboot is needed, the K1000 displays a Reboot prompt to you for 5 minutes, and re-prompts every hour (unless the reboot is set to run automatically).

This table lists the different patch schedules again with more detailed information:


Which patch schedule should I choose?

It depends on when the computer (or VM or booting operating system) is active and on the campus network, and whether you want patching to compete with the other work you are trying to get done. In general, if you don't want to be interrupted, choose an EndOfDay schedule. Before you leave that day, close all open applications, and leave your computer powered on, not in sleep mode, and connected to the campus network.

...

If your laptop computer is seldom on campus at all, choose the NextCheckIn schedule, which will try to run every time you are back on the campus network if you miss the scheduled times. But NextCheckIn can be very annoying, so choose it only if none of the other schedules works for you.

A note about the NOJava schedules: The patch schedules whose names contain the phrase NOJava exclude any Java Runtime Engine (JRE) updates, because a few third-party applications run correctly only when their preferred version of Java is not changed. Only if you have such an application should you choose a NOJava schedule, and in those cases, you can enhance your computer security by disabling Java in Web browsers: Look for a Java Control Panel with a Security tab and a setting titled "Enable Java content in the browser" that you can uncheck. If doing this causes the application Web site to fail, just reverse your actions.

...

More detailed information is available about each of these schedules.

When software vendors release patches, Lumension tests them before making them available to the KBOX.  This provides a second level of review to catch any potential problems.  The KBOX downloads patches on a nightly basis.  Carleton computers are set to check for patches on one of the following schedules:

...


  • no patches will be deployed at this time
  • the KBOX will suspend pending tasks after 50 minutes

...

  • based on the patch list compiled on Tuesdays
  • the KBOX will suspend pending tasks after 30 minutes
  • if a patch is actively being installed at the 30 minute mark, it will continue installing
  • if a reboot is required, users will be prompted to reboot but a reboot will not be forced

...

  • This schedule is recommended for highly-mobile computers, or computers that are rarely connected to the campus network
  • Friday at 4:00 am the KBOX will detect which patches need to be deployed
    • if the computer is not connected to the campus network at this time, a detect will run the next time it is connected
    • no patches will be deployed at this time
    • the KBOX will suspend pending tasks after 60 minutes
  • Thursday at 12:05 pm the KBOX will deploy patches
    • if the computer is not connected to the campus network at this time, a deploy will run the next time it is connected
    • based on the patch list compiled previously
    • the KBOX will suspend pending tasks after 30 minutes
    • if a patch is actively being installed at the 30 minute mark, it will continue installing
    • if a reboot is required, users will be prompted to reboot but a reboot will not be forced

...

  • this schedule is recommended for computers connected to the campus network at 5:00 pm
  • at 5:00 pm the KBOX will detect and deploy patches
    • the KBOX will suspend pending tasks after 5 hours
    • if a patch is actively being installed at the 5 hour mark, it will continue installing
    • if a reboot is required, users will be prompted to reboot.  After 5 minutes a reboot will be forced and patching will continue

...

  • This schedule is recommended for computers connected to the campus network on Thursday from 12-1 pm and Friday 11 am - 12 pm
  • Thursday at 12:05 pm the KBOX will detect which patches need to be deployed
    • no patches will be deployed at this time
    • the KBOX will suspend pending tasks after 50 minutes
  • Friday at 11:00 am the KBOX will deploy patches
    • based on the patch list compiled on Thursdays
    • the KBOX will suspend pending tasks after 30 minutes
    • if a patch is actively being installed at the 30 minute mark, it will continue installing
    • if a reboot is required, users will be prompted to reboot but a reboot will not be forced

How do I tell if my machine is on a patch schedule?

  1. Visit the K1000 user portal in your web browser
  2. Log in with your Carleton username and password
  3. Click the My Computer tab
  4. Scroll down the page to the Activities section
  5. Click on the Labels link
  6. If you have a Label beginning with PatchSelf, your machine is on a patch schedule
    1. Note: If you have a VM, multiple Operating Systems, or multiple computers, you'll need to repeat this process from each VM/OS/computer

How do I join a Kpatch schedule?

  1. Visit the K1000 user portal in your web browser
  2. Log in with your Carleton username and password
  3. Click the Software Library tab
  4. In the Search field, type Patch and click Search, or scroll down the page until you see the entries beginning with Patch Schedule: 
  5. Click on the desired Patch Schedule. (If the Patch Schedule you want does not appear in the list, contact the ITS HelpDesk x5999.)
  6. Read the Installation Instructions and click Install Now
    1. Note: If you have a VM, multiple Operating Systems, or multiple computers, you'll need to repeat this process from each VM/OS/computer

...

K1000 patch management should not reinstall patches that are already applied, nor should it downgrade your applications. With regard to Mozilla Firefox, note that version 31.1esr was released at the same time as consumer version 32 (31+1=32), so ESR version numbers may appear old when they are actually up to date.

How do I keep my computer from sleeping when a patch schedule starts long after I leave?

K1000 patching cannot run if a computer is in sleep mode at the scheduled time. Most campus computers are configured to go into sleep mode after a period of inactivity, usually 4 hours. But if a patch schedule step runs at 6am, and you left your computer on at work at 6pm, the computer will be sleeping by 6am when patching is supposed to start.

There are 4 solutions to this problem:

  1. In the power management settings on your computer, disable the computer's sleep mode entirely (but this wastes energy).
  2. In the power management settings in your computer operating system or BIOS, schedule the computer to wake up about 20 minutes before patching is scheduled to start.
  3. Launch a "keep awake" utility on your computer when you leave, so it never becomes inactive and so never sleeps. For Windows, we have had good results with a free utility called Caffeine, from Zhorn Software.
