View Source

The introductory article on patch management can be found here.

Around the beginning of August 2014, all college-owned computers will be migrated from the old K1000 5.4 to the new K1000 version 5.5, possibly receiving a newer version of the Dell KACE Agent. For a few months, Windows computers on a KBOX patch schedule will receive application patches from a different, temporary, K1000 process, one based on K1000 scripts, not on KBOX patching. This does not affect computers running Mac OS X, only Windows.

What you see during patching will look different, and may work a bit differently than before, but it will run at exactly the same time as the patch schedule you subscribed to (the deploy step). The applications that will be included in this process are marked with § in the list below. It is very likely that any Web browsers running at that time will be terminated without warning. ITS plans to have a better, permanent, solution in place by the end of the calendar year, if Dell KACE fixes some bugs.

Here is a restricted, more technical, explanation of the temporary patching process, meant for ITS staff and student workers.

KBOX Patch Management

The KBOX is only for Carleton-owned computers.
You must be ON CAMPUS to log into the K1000, as described below.

Please contact the ITS HelpDesk if you would like help using the K1000.
You can reach them at x 5999 or by email at: helpdesk@carleton.edu

The KBOX 1000 (K1000) receives patches from Lumension , a security company. These patches are then delivered to campus computers. Patches in the K1000 are security related patches only. Feature related patches and upgrades are not available from KBOX patch management.

What patches are delivered by the K1000?

The K1000 delivers security-based patches for the following applications:

Adobe AIR
Adobe Acrobat
Adobe Reader§
Adobe Flash Player (on Windows, ActiveX and plugin)§
Adobe Shockwave Player
Some Adobe CS3-CS6 patches
Audacity (Windows, coming)
Citrix Receiver and XenApp
Foxit Reader (Windows, coming)
Google Chrome (Windows)
ImgBurn (Windows, coming)
Apple iCloud (Windows, coming)
Apple iTunes (Windows)
Apple QuickTime (Windows)
Apple Safari web browser (Windows)
Microsoft Silverlight and Remote Desktop (Mac)
Microsoft Office (Mac)
Mozilla Firefox (consumer version)
Mozilla Firefox ESR§
Notepad++ (Windows, coming)
Oracle Java (Java Runtime Engine, or JRE)§
TeamViewer (Windows, coming)
VideoLAN VLC media player (Windows)
VMWare Fusion, Player, Workstation
WinZip and 7-Zip (Windows)
WireShark and WinPCap (Windows, coming)

When are patches delivered by the K1000?

When software vendors release patches, Lumension and KACE test them before making them available to the K1000. This provides more levels of review to catch any potential problems. The K1000 downloads new patch signatures and patch package files for selected operating systems nightly. Then, Carleton computers use the available patches based on the patch schedule to which each computer is assigned. Some patch schedules check for ("detect") patches at one time, and then apply ("deploy") the detected patches at a different later time. Other patch schedules check for ("detect") patches and then apply them ("deploy") immediately thereafter.

There are 10 different patch schedules to which a computer can be assigned. Each computer, virtual machine (VM), and booting operating system (e.g., dual boot), should be assigned to one and only one patch schedule. Any VM or booting operating system on a computer should be assigned to a different schedule than the computer itself, so you can make sure the correct environment is running at the time of each schedule.

Note: We have found it is very difficult to explain these different patch schedules in writing, so please be patient in reviewing this section, and contact the ITS HelpDesk (x5999) when you have questions.

Here is a list of the different patch schedules each with a different color, and next to that is a picture of when the different steps (detect or deploy) of each patch schedule runs:

ITS > All About K1000 (KBOX) Patch Management > KBOXpatchscheduleColors.JPG

ITS > All About K1000 (KBOX) Patch Management > KBOXpatchschedules.JPG

ITS > All About K1000 (KBOX) Patch Management > KBOXpatchscheduleKey.JPG

What do I see when the patch schedule steps run?

When a patch schedule Detect only step runs, nothing is displayed. The computer may seem a bit sluggish, but you can keep working.

Every patch schedule Deploy step has these characteristics:

When starting, the K1000 displays an OK/Snooze choice to you for 15 minutes, then proceeds if there was no response.
If you choose Snooze, the K1000 waits 5 minutes and asks again.
The K1000 displays a Patching in Progress message continuously until this step is completed.
The actual patching process takes significant computer resources, so your other work may be noticeably affected.
Some applications (e.g., Java) will not patch successfully if the application is running at the time the patching is attempted, so during the Deploy step you should close any applications and Web browsers you are not actively using.
If a reboot is needed, the K1000 displays a Reboot prompt to you for 5 minutes, and re-prompts every hour (unless auto-reboots).

This table lists the different patch schedules again with more detailed information:

ITS > All About K1000 (KBOX) Patch Management > KBOXpatchschedulesDetails.JPG

Again, we know this information is hard to interpret. Please contact the ITS HelpDesk (x5999) for help.

Which patch schedule should I choose?

It depends on when the computer (or VM or booting operating system) is active and on the campus network, and whether you want patching to compete with your trying to get other work done. In general, if you don't want to be interrupted, choose an EndOfDay or Overnight schedule, and leave your computer powered on, not in sleep mode, and connected to the campus network.

If you take your laptop computer home most nights, choose instead a schedule that runs during the day at a time when you may be away from your desk (e.g., Convo, CommonTime).

If your laptop computer is seldom on campus at all, choose the NextCheckIn schedule which will try to run every time you are back on the campus network if you miss the scheduled times. But NextCheckIn can be very annoying, so choose it only if none of the other schedules works for you.

A note about the NOJava schedules: The patch schedules whose names contain the phrase NOJava exclude any Java Runtime Engine (JRE) updates, because a few third-party applications run correctly only when their preferred version of Java is not changed. Only if you have such an application should you choose a NOJava schedule, and in those cases, you can enhance your computer security by disabling Java in Web browsers: Look for a Java Control Panel with a Security tab and a setting titled "Enabled Java content in the browser" that you can uncheck. If doing this causes the application Web site to fail, just reverse your actions.

How do I tell if my machine is on a patch schedule?

Visit the KBOX user portal in your web browser
Log in with your Carleton username and password
Click the My Computer tab
Scroll down the page to the Activities section
Click on the Labels link
If you have a Label beginning with PatchSelf, your machine is on a patch schedule
1. Note: If you have a VM, multiple Operating Systems, or multiple computers, you'll need to repeat this process from each VM/OS/computer

How do I join a KBOX patch schedule?

Visit the KBOX user portal in your web browser
Log in with your Carleton username and password
Click the Software Library tab
In the Search field, type Patch and click Search, or scroll down the page until you see the entries beginning with Patch Schedule:
Click on the desired Patch Schedule. (If the Patch Schedule you want does not appear in the list, contact the ITS HelpDesk x5999.)
Read the Installation Instructions and click Install Now
1. Note: If you have a VM, multiple Operating Systems, or multiple computers, you'll need to repeat this process from each VM/OS/computer

What if my software is already up-to-date?

KBOX patch management should not reinstall patches that are already applied, nor should it downgrade your applications. With regard to Mozilla Firefox, note that version 31.1esr was released at the same time as consumer version 32 (31+1=32), so ESR version numbers may appear old when they are actually up to date.

How do I keep my computer from sleeping when a patch schedule starts long after I leave?

KBOX patching cannot run if a computer is in sleep mode at the scheduled time. Most campus computers are configured to go into sleep mode after a period of inactivity, usually 4 hours. But if a patch schedule step runs at 6am, and you left your computer on at work at 6pm, the computer will be sleeping by 6am when patching is supposed to start.

There are 4 solutions to this problem:

In the power management settings on your computer, disable the computer's sleep mode entirely (but this wastes energy).
In the power management settings in your computer operating system or BIOS, schedule the computer to wake up about 20 minutes before patching is scheduled to start.
Have your computer configured to accept a Wake-on-LAN request when it is sleeping (which is not the default), and the K1000 will send a Wake-on-LAN packet about 10-15 minutes before patching is scheduled to start (ask the ITS HelpDesk x5999 for help with this).
Launch a "keep awake" utility on your computer when you leave, so it never becomes inactive and so never sleeps. For Windows, we have had good results with a free utility called Caffeine, from Zhorn Software.

The introductory article on patch management can be found here.