How patching works in hierarchical policies

Learn how you can use patch management to help keep your client assets secure and healthy at scale through policy sets

Written by Manish Balaji
Updated over a week ago

Hierarchical policies in SuperOps.ai have four distinct levels through which policies can be deployed:

  1. Global

  2. Client

  3. Site

  4. Asset

Policies can be differentiated based on:

  • who the client is

  • their usage

  • locations/sites the MSPs support for a client

What's more, MSPs can have a unique policy for servers as opposed to workstations.


Hierarchical policies in SuperOps.ai are defined by the Patch Category and Patch Severity matrix.


The approval statuses include:

  • Approve, which automatically approves and executes patches

  • Manual, which executes patches after manual approval

  • Reject, which does not execute the patch

  • Defer, which delays the deployment of a patch for a period of time

How does deferred patching help?

If you have a new set of patches that you'd like to test for stability and performance, you can defer these patches until you're confident about deploying them on your client's assets at scale. Click here to learn how to set up deferred patching.

Reboot options for patch management

Select how you want to manage system reboots after the patches are installed. You have multiple reboot options here for when the user is logged in and logged out. Here are the reboot options you have:

When the user is logged in:

  • Repeatedly ask for permission: With this option, you can keep asking for permission to reboot the machine at regular intervals until the reboot

  • Reboot immediately, but allow the user to save their work: Users will be notified once about an upcoming mandatory reboot

  • Force reboot: Forcefully reboots the asset right away

  • Do nothing: Ignores the reboot for the asset, even if the patch mandates it

When the user is logged out:

  • Reboot immediately

  • Do nothing

You can force reboot the asset, or ask permission from the user based on prompts with time intervals and then force reboot at the end of it.

You can also customize the reboot message that will be displayed as a prompt on the asset. The reboot message consists of two sections, the heading and the body, that will be displayed on your client’s assets. Here’s what it looks like.

Once the patch policy has been set, a patch scan is triggered immediately to reflect the latest patch compliance status of the asset.

You’ll need the asset to be active if you want to install these patches. If an asset is asleep, you can use Wake on LAN to remotely wake the asset up and start the patch installation to increase the success rate of deployment. Check out this guide on using Wake on LAN to learn how you can use it in SuperOps.ai.

You can view all the patches under the ‘All patches’ section in the Asset pane.


All patches seen under the ‘All Patches’ view are the ones that were defined globally (i.e., without client, site or asset hierarchies).

  • If the global patches are set to be manually approved, the ‘Approval Status’ column in the ‘All patches’ section shows either Approve or Reject. This will help the technician decide what needs to be done.

  • If there's a site-level policy and the technician approves a policy from the ‘All Patches’ view, this manual override is carried forward to the site-level patches as well (even if the site-level policy is set to execute automatically). Simply put, you can manually override site-level policies.

  • In this case, an option to ‘Reject’ a patch is also shown even though the patch is approved, because that is a cue to not auto-execute that patch in the future.
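
The override behaviour described above, as a small Python model added here for illustration (it is not SuperOps.ai code or its API). It assumes that the most specific level with a rule for a patch's category and severity wins and that a patch with no rule falls back to Manual; the page states neither, and the category names, severity names and patch ids are constructed.

```python
# Added illustration: a toy model, not SuperOps.ai code or its API.
LEVELS = ("asset", "site", "client", "global")  # most specific first
STATUSES = {"approve", "manual", "reject", "defer"}


class PolicyChain:
    """Policies that apply to one asset, one matrix per hierarchy level."""

    def __init__(self):
        self.matrix = {level: {} for level in LEVELS}
        self.overrides = {}  # patch id -> decision made in 'All patches'

    def set_rule(self, level, category, severity, status):
        if level not in LEVELS or status not in STATUSES:
            raise ValueError(f"unknown level or status: {level}, {status}")
        self.matrix[level][(category, severity)] = status

    def technician_decision(self, patch_id, status):
        # The page offers Approve or Reject for manually handled patches.
        if status not in ("approve", "reject"):
            raise ValueError("manual decisions are approve or reject")
        self.overrides[patch_id] = status

    def effective(self, patch_id, category, severity):
        """Return (status, where it came from) for one patch."""
        if patch_id in self.overrides:
            return self.overrides[patch_id], "technician override"
        for level in LEVELS:  # ASSUMPTION: most specific level wins
            status = self.matrix[level].get((category, severity))
            if status is not None:
                return status, level
        return "manual", "no rule"  # ASSUMPTION: fail closed to manual


def demo():
    chain = PolicyChain()
    # Constructed category/severity names and patch ids.
    chain.set_rule("global", "security", "critical", "manual")
    chain.set_rule("global", "feature", "low", "defer")
    chain.set_rule("site", "security", "critical", "approve")
    before = chain.effective("PATCH-A", "security", "critical")
    chain.technician_decision("PATCH-A", "reject")
    after = chain.effective("PATCH-A", "security", "critical")
    inherited = chain.effective("PATCH-B", "feature", "low")
    return before, after, inherited


if __name__ == "__main__":
    print(demo())
```

In this model a technician's Reject stops a patch that the site-level rule would otherwise auto-approve, which is the case the bullets above describe.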


If the technician prefers to view site-level patches that are auto-approved, they can apply filters on the ‘All Patches’ view to see the respective approved patches.


💡SuperTip:
If you would like all patches to be auto-approved, make sure to set up the global policy to ‘Approve’ on all counts.

Patch window duration

You can now configure a window of time during which the patch will be installed on your client’s asset.


📝Note:

  • All patch installation for assets under this policy will take place during this time period. Any patch that was not installed during this time period will be installed during the next active window.

  • This feature is currently available only for Windows devices.


To do that,

  1. Navigate to Settings > Policy Management > Windows server/workstation

  2. Select Patch management from the pane on the left.

  3. Click on the Schedule button as shown below

  4. In the schedule patch page, fill in the details of the patch, enable “Window for patch installation” and set the duration of the window. For example, the window will be active for 3 hours.

  5. Once you are done, click Apply.



Auto-update settings for device OS updates:

When it comes to handling local updates, SuperOps provides you with the flexibility to choose between relying on your device's OS manager or utilizing the SuperOps agent. To configure your auto-update preferences, you can choose either of the following options from the drop-down menu:

  1. Do Nothing: This option ensures that your system’s auto-updates are managed collaboratively by both the OS manager and SuperOps agent, aligning with your system settings.

  2. Disable: Choose this option if you prefer the SuperOps agent to exclusively handle asset updates, thereby disabling auto-updates by the local OS manager.


📝Note: This is currently available only for Windows devices.

