
KACE Systems Management Appliance 9.1 Common Documents - Administrator Guide

Configure Deploy-only patch schedules

You can create and edit patch schedules that perform Deploy-only actions. Doing so is useful when you know that specific patches need to be deployed to managed devices.

A final Detect job runs either after the patch is deployed or, if a reboot is required, after the device reboots and the Agent reconnects to the appliance.

1. Go to the Patch Schedule Detail page:
   a. Log in to the KACE SMA Administrator Console, http://KACE_SMA_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
   c. On the Patch Management panel, click Schedules.
   d. Display the Patch Schedule Detail page by doing one of the following:
      Select Choose Action > New.
2. In the Configure section, specify options for the Deploy-only schedule.

Option

Description

Name

A name that identifies the schedule. This name appears on the Patch Schedules page.

Action

Select Detect. The page updates to the appropriate options.

The patch action behavior is dependent on the combination of reboot, detect, deploy, and rollback selections you make. Whenever a patch action does both a Detect pass and something else, as is the case with Detect and Deploy and Detect and Rollback, the action is repeated cyclically until the Detect action finds no further patches to deploy or roll back. This behavior might result in multiple Reboot actions for a single scheduled run. In addition, the type of device you are patching affects the type of patch action to use.

Device Labels

Restrict the patch actions to the devices in the labels that you select. Limiting the run to labels, especially Smart Labels, helps to ensure that patches are applied appropriately.

For example, some application patches have the ability to install applications as well as update applications that are already installed. To prevent the appliance from installing the application on devices that do not already have the application installed, you can create a Smart Label to identify devices that have the application. You can then limit the patch action to devices that have that label. The patch is then applied only to devices that already have the application installed.

To use this option, you must already have created labels or Smart Labels. See Using Smart Labels for patching.

Any labels that you select in this section only apply to the set of devices associated with the scoped user (if applicable). Scoped users can see only those devices that are associated with their role, when the role is assigned a label. For more information about user roles, see Add or edit User Roles.

Devices

Run detect and deploy patch actions on the devices that you select. To search for devices, begin typing in the field. Scoped users can see only those devices that are associated with their role, when the role is assigned a label. For more information about user roles, see Add or edit User Roles.

Operating Systems

Select the operating systems of the devices on which you want to run the actions. The default is all operating systems.

3. In the Deploy section, specify options for the Deploy-only schedule.

Option

Description

All Patches

Deploy all patches to the selected devices.

Patch Labels

Restrict the action to the patches in the labels that you select. This option is the most commonly used patch detection option. To select labels, click Edit. To use this option, you must already have labels or Smart Labels for the patches you want to detect. See Using Smart Labels for patching.

Maximum Deploy Attempts

The maximum number of times the appliance attempts to deploy or roll back the patch. Specify a number between 1 and 10. If you specify 0, the deployment or rollback does not run. A value higher than 10 results in an error message.

As a last step in patch deployment or rollback, the appliance verifies whether the patch was deployed or rolled back successfully. If a deployment or rollback fails, the appliance attempts to deploy or roll back the patch again until one of the following occurs:

4. In the Notify section, specify settings for the Deploy-only schedule.

Option

Description

Options

The options displayed to users when patch actions run. To perform the action without notifying the user, leave the Options field blank.

OK: Run immediately.
Cancel: Cancel until the next scheduled run.
Snooze: Prompt the user again after the Snooze Duration.

Timeout

The amount of time, in minutes, for the dialog to be displayed before an action is performed. If this time period elapses without the user pressing a button, the appliance performs the action specified in the Timeout drop-down list.

Timeout Action

The action to be performed when the Timeout period elapses without the user choosing an option.

Snooze Duration

The amount of time, in minutes, for the period after the user clicks Snooze. When this period elapses, the dialog appears again.

Snooze Until Limit

Select the Snooze Until Limit check box to enable the user to Snooze the patch action a specified number of times. Specify the number of Attempts.

Initial Message

The message to be displayed to users before the action runs. To customize the logo that appears in the dialog, see Configure appliance General Settings with the Organization component enabled.

Progress Message

The message displayed to users during the patch action.

Completion Message

The message displayed to users when the patch action is complete.

5. In the Reboot section, specify options for the Deploy-only schedule.

Option

Description

Options

The options for rebooting the managed device.

No Reboot

The device does not reboot even though a reboot might be required for the patch to take effect. When this option is selected, the following occurs according to the patching schedule:

No Reboot is not recommended because deploying patches without rebooting when required can leave systems unstable. Further, patches that require reboots are only shown as deployed after the reboot.

Prompt User

Wait for the user to accept the reboot before restarting the device. When this option is selected, the following occurs according to the patching schedule:

If the user clicks OK, the device reboots. The rollback process continues until another reboot is required and the user is prompted again. The pattern continues until the patch list is exhausted.

If the user snoozes or cancels the reboot, patching stops until a reboot occurs. When a reboot occurs, rollback continues until the next reboot is needed, and the user is prompted again. The pattern continues until the patch list is exhausted.

Force Reboot

Reboot as soon as a patch requiring it is deployed. Forced reboots cannot be canceled. Force Reboot works well for desktops and servers. You might not want to force reboot on laptops. When this option is selected, the following occurs according to the patching schedule:

Force Reboot works well with servers because they usually have no dedicated users. However, it is important to warn users that services will not be available when servers are being patched and rebooted. See Best practices for patching.

Automatically reboot when no one is logged in

Automatically reboot the managed device if no users are logged in.

Message

The message to be displayed to the user before the device reboots. For information about adding a custom logo to the message dialog, see Configure appliance General Settings with the Organization component enabled.

Timeout

The amount of time, in minutes, for the dialog to be displayed before an action is performed. If this time period elapses without the user pressing a button, the appliance performs the action specified in the Timeout drop-down list.

When Force Reboot is selected, the timeout behavior takes into consideration the KUserAlert and global KACE SMA Agent process timeouts. The global timeout, set in amp.conf through the Agent Settings page, always determines how long any agent-launched process can run, including KUserAlert. For example, if the KUserAlert timeout is set to two hours and you set the global timeout to one hour, the agent stops KUserAlert because it runs too long. Therefore, set the global timeout to a value that is longer than the KUserAlert timeout.

Timeout Action

The action to be performed when the Timeout period elapses without the user choosing an option.

Reboot Delay (countdown)

Postpone the reboot using a countdown. The countdown is in minutes.

Reboot Now

Reboot the device immediately.

Reboot Later

Reboot the device later.

Number of prompts

The number of prompts the user receives before the device reboots. For example, if you enter a value of 5, the device automatically reboots the fifth time the user receives the reboot prompt. In other words, the user can delay the reboot only four times if the Number of prompts value is set to 5.

Reprompt Interval

The time that elapses before the user is reprompted to reboot.

6. In the Schedule section, specify options for the Deploy-only schedule.

Option

Description

None

Run in combination with an event rather than on a specific date or at a specific time. This option is useful if you want to patch servers manually, or perform patch actions that you do not want to run on a schedule.

Every _ hours

Run at a specified interval.

Every day/specific day at HH:MM

Run daily at a specified time, or run on a designated day of the week at a specified time.

Run on the nth of every month/specific month at HH:MM

Run on the nth day (for example, the first or the second) of every month, or of a specific month, at the specified time.

Run on the nth weekday of every month/specific month at HH:MM

Run on the specific weekday of every month, or a specific month, at the specified time.

Custom

Run according to a custom schedule.

Use standard 5-field cron format (extended cron format is not supported):

Use the following when specifying values:

Spaces ( ): Separate each field with a space.
Asterisks (*): Include the entire range of values in a field with an asterisk. For example, an asterisk in the hour field indicates every hour.
Commas (,): Separate multiple values in a field with a comma. For example, 0,6 in the day of the week field indicates Sunday and Saturday.
Hyphens (-): Indicate a range of values in a field with a hyphen. For example, 1-5 in the day of the week field is equivalent to 1,2,3,4,5, which indicates Monday through Friday.
Slashes (/): Specify the intervals at which to repeat an action with a slash. For example, */3 in the hour field is equivalent to 0,3,6,9,12,15,18,21. The asterisk (*) specifies every hour, but /3 restricts this to hours divisible by 3.

Examples:

View Task Schedule

Click to view the task schedule. The Task Schedule dialog box displays a list of scheduled tasks. Click a task to review the task details. For more information, see View task schedules.

Timezone

The timezone to use when scheduling the action. Select Server to use the timezone of the appliance. Select Agent to use the timezone of the managed device.

Run on next connection if offline

Run the action the next time the managed device connects to the appliance, if the device is currently offline. This option is useful for laptops and other devices that are periodically offline. If this option is not selected, and the device is offline, the action does not run again until the next scheduled time.

Delay run after reconnect

Delay the schedule by a specified amount of time. The time delay period begins when the patch action is scheduled to run.

End after

The time limit for patching actions.

For example, if you schedule patches to run at 04:00, you might want all patching actions to stop at 07:00 to prevent bandwidth issues when users start work. To do so, you could specify 180 in the minutes box.

When this time limit is reached, any patching tasks that are in progress are suspended, and their status on Security logs is Suspended.

These patching tasks do not resume on the next run and instead start from the beginning with each scheduled patching action.

7. Click Save.

The Deploy-only schedule is created. If you add devices that match the Smart Label criteria, they are automatically included in the patching schedule.

Configure Detect and Rollback patch schedules

You can create and edit patch schedules that find and remove unwanted patches. Rollback might not be available for some patches.

See Determine whether a patch can be rolled back.

1. Go to the Patch Schedule Detail page:
   a. Log in to the KACE SMA Administrator Console, http://KACE_SMA_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
   c. On the Patch Management panel, click Schedules.
   d. Display the Patch Schedule Detail page by doing one of the following:
      Select Choose Action > New.
2. In the Configure section, specify options for the Detect and Rollback schedule.

Option

Description

Name

A name that identifies the schedule. This name appears on the Patch Schedules page.

Action

Select Detect. The page updates to the appropriate options.

The patch action behavior is dependent on the combination of reboot, detect, deploy, and rollback selections you make. Whenever a patch action does both a Detect pass and something else, as is the case with Detect and Deploy and Detect and Rollback, the action is repeated cyclically until the Detect action finds no further patches to deploy or roll back. This behavior might result in multiple Reboot actions for a single scheduled run. In addition, the type of device you are patching affects the type of patch action to use.

Device Labels

Restrict the patch actions to the devices in the labels that you select. Limiting the run to labels, especially Smart Labels, helps to ensure that patches are applied appropriately.

For example, some application patches have the ability to install applications as well as update applications that are already installed. To prevent the appliance from installing the application on devices that do not already have the application installed, you can create a Smart Label to identify devices that have the application. You can then limit the patch action to devices that have that label. The patch is then applied only to devices that already have the application installed.

To use this option, you must already have created labels or Smart Labels. See Using Smart Labels for patching.

Any labels that you select in this section only apply to the set of devices associated with the scoped user (if applicable). Scoped users can see only those devices that are associated with their role, when the role is assigned a label. For more information about user roles, see Add or edit User Roles.

Devices

Run detect and deploy patch actions on the devices that you select. To search for devices, begin typing in the field. Scoped users can see only those devices that are associated with their role, when the role is assigned a label. For more information about user roles, see Add or edit User Roles.

Operating Systems

Select the operating systems of the devices on which you want to run the actions. The default is all operating systems.

3. In the Detect section, specify options for the Detect and Rollback schedule.

Option

Description

All Patches

Detect all available patches. This process can take a long time. Also, it might detect patches for software that is not installed on, or required by, managed devices. For example, if managed devices use anti-virus applications from only one vendor, you might not need to detect patches for all anti-virus vendors. All Patches, however, detects all missing patches regardless of whether they are required by managed devices. To refine patch detection, set up labels for the patches you want to detect, then use the Patch Labels option.

Patch Labels

Restrict the action to the patches in the labels that you select. This is the most commonly used patch detection option. To select labels, click Edit. To use this option, you must already have labels or Smart Labels for the patches you want to detect. See Using Smart Labels for patching.

4. In the Rollback section, specify settings for the Detect and Rollback schedule.

Option

Description

All Patches

Roll back all patches on the selected devices.

Labels

Restrict the action to the patches in the labels that you select. This option is the most commonly used patch detection option. To select labels, click Edit. To use this option, you must already have labels or Smart Labels for the patches you want to detect. See Using Smart Labels for patching.

Maximum Rollback Attempts

The maximum number of times, between 0 and 99, that the appliance tries to deploy or roll back the patch. If you specify 0, the appliance attempts to deploy or roll back the patch indefinitely.

As a last step in patch deployment or rollback, the appliance verifies whether the patch was deployed or rolled back successfully. If a deployment or rollback fails, the appliance attempts to deploy or roll back the patch again until one of the following occurs:

5. In the Notify section, specify options for the Detect and Rollback schedule.

Option

Description

Options

The options displayed to users when patch actions run. To perform the action without notifying the user, leave the Options field blank.

OK: Run immediately.
Cancel: Cancel until the next scheduled run.
Snooze: Prompt the user again after the Snooze Duration.

Timeout

The amount of time, in minutes, for the dialog to be displayed before an action is performed. If this time period elapses without the user pressing a button, the appliance performs the action specified in the Timeout drop-down list.

Timeout Action

The action to be performed when the Timeout period elapses without the user choosing an option.

Snooze Duration

The amount of time, in minutes, for the period after the user clicks Snooze. When this period elapses, the dialog appears again.

Snooze Until Limit

Select the Snooze Until Limit check box to enable the user to Snooze the patch action a specified number of times. Specify the number of Attempts.

Initial Message

The message to be displayed to users before the action runs. To customize the logo that appears in the dialog, see Configure appliance General Settings with the Organization component enabled.

Progress Message

The message displayed to users during the patch action.

Completion Message

The message displayed to users when the patch action is complete.

6. In the Reboot section, specify options for the Detect and Rollback schedule.

Option

Description

Options

The options for rebooting the managed device.

No Reboot

The device does not reboot even though a reboot might be required for the patch to take effect. When this option is selected, the following occurs according to the patching schedule:

No Reboot is not recommended because deploying patches without rebooting when required can leave systems unstable. Further, patches that require reboots are only shown as deployed after the reboot.

Prompt User

Wait for the user to accept the reboot before restarting the device. When this option is selected, the following occurs according to the patching schedule:

If the user clicks OK, the device reboots. The rollback process continues until another reboot is required and the user is prompted again. The pattern continues until the patch list is exhausted.

If the user snoozes or cancels the reboot, patching stops until a reboot occurs. When a reboot occurs, rollback continues until the next reboot is needed, and the user is prompted again. The pattern continues until the patch list is exhausted.

Force Reboot

Reboot as soon as a patch requiring it is deployed. Forced reboots cannot be canceled. Force Reboot works well for desktops and servers. You might not want to force reboot on laptops. When this option is selected, the following occurs according to the patching schedule:

Force Reboot works well with servers because they usually have no dedicated users. However, it is important to warn users that services will not be available when servers are being patched and rebooted. See Best practices for patching.

Automatically reboot when no one is logged in

Automatically reboot the managed device if no users are logged in.

Message

The message to be displayed to the user before the device reboots. For information about adding a custom logo to the message dialog, see Configure appliance General Settings with the Organization component enabled.

Timeout

The amount of time, in minutes, for the dialog to be displayed before an action is performed. If this time period elapses without the user pressing a button, the appliance performs the action specified in the Timeout drop-down list.

When Force Reboot is selected, the timeout behavior takes into consideration the KUserAlert and global KACE SMA Agent process timeouts. The global timeout, set in amp.conf through the Agent Settings page, always determines how long any agent-launched process can run, including KUserAlert. For example, if the KUserAlert timeout is set to two hours and you set the global timeout to one hour, the agent stops KUserAlert because it runs too long. Therefore, set the global timeout to a value that is longer than the KUserAlert timeout.

Timeout Action

The action to be performed when the Timeout period elapses without the user choosing an option.

Reboot Delay (countdown)

Postpone the reboot using a countdown. The countdown is in minutes.

Reboot Now

Reboot the device immediately.

Reboot Later

Reboot the device later.

Number of prompts

The number of prompts the user receives before the device reboots. For example, if you enter a value of 5, the device automatically reboots the fifth time the user receives the reboot prompt. In other words, the user can delay the reboot only four times if the Number of prompts value is set to 5.

Reprompt Interval

The time that elapses before the user is reprompted to reboot.

7. In the Schedule section, specify options for the Detect and Rollback schedule.

Option

Description

None

Run in combination with an event rather than on a specific date or at a specific time. This option is useful if you want to patch servers manually, or perform patch actions that you do not want to run on a schedule.

Every _ hours

Run at a specified interval.

Every day/specific day at HH:MM

Run daily at a specified time, or run on a designated day of the week at a specified time.

Run on the nth of every month/specific month at HH:MM

Run on the nth day (for example, the first or the second) of every month, or of a specific month, at the specified time.

Run on the nth weekday of every month/specific month at HH:MM

Run on the specific weekday of every month, or a specific month, at the specified time.

Custom

Run according to a custom schedule.

Use standard 5-field cron format (extended cron format is not supported):

Use the following when specifying values:

Spaces ( ): Separate each field with a space.
Asterisks (*): Include the entire range of values in a field with an asterisk. For example, an asterisk in the hour field indicates every hour.
Commas (,): Separate multiple values in a field with a comma. For example, 0,6 in the day of the week field indicates Sunday and Saturday.
Hyphens (-): Indicate a range of values in a field with a hyphen. For example, 1-5 in the day of the week field is equivalent to 1,2,3,4,5, which indicates Monday through Friday.
Slashes (/): Specify the intervals at which to repeat an action with a slash. For example, */3 in the hour field is equivalent to 0,3,6,9,12,15,18,21. The asterisk (*) specifies every hour, but /3 restricts this to hours divisible by 3.
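
The field syntax above, which is the same for the Custom option of Deploy-only schedules, can be checked before a schedule is saved. The following Python sketch is an added example, not Quest code and not part of the original guide: it expands a 5-field expression, rejects anything else, and reports the next run together with the End after cutoff. It assumes numeric values only, 0-6 for day of week, and the standard cron rule for combining the two day fields; all function names are made up for this example.

```python
from datetime import datetime, timedelta

# (name, lowest, highest) for the five fields, in order. Day of week runs
# from 0 (Sunday) to 6 (Saturday), as in the guide's 0,6 and 1-5 examples.
FIELDS = [("minute", 0, 59), ("hour", 0, 23), ("day_of_month", 1, 31),
          ("month", 1, 12), ("day_of_week", 0, 6)]


def _number(text, lo, hi, name):
    # Assumption: digits only, so names such as MON or JAN are rejected.
    if not (text.isascii() and text.isdigit()):
        raise ValueError(f"{name}: {text!r} is not a number")
    value = int(text)
    if not lo <= value <= hi:
        raise ValueError(f"{name}: {value} is outside {lo}-{hi}")
    return value


def expand_field(text, lo, hi, name):
    """Expand one field (*, lists, ranges, steps) into sorted values."""
    values = set()
    for part in text.split(","):
        base, slash, step_text = part.partition("/")
        step = _number(step_text, 1, hi, name) if slash else 1
        if base == "*":
            start, end = lo, hi
        elif "-" in base:
            first, _, last = base.partition("-")
            start = _number(first, lo, hi, name)
            end = _number(last, lo, hi, name)
            if start > end:
                raise ValueError(f"{name}: range {base!r} runs backwards")
        elif slash:
            raise ValueError(f"{name}: a step needs * or a range before /")
        else:
            start = end = _number(base, lo, hi, name)
        values.update(range(start, end + 1, step))
    return sorted(values)


def parse(expr):
    """Validate a 5-field expression and return {field name: values}."""
    parts = expr.split()
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields, got {len(parts)}: {expr!r}")
    sched = {name: expand_field(text, lo, hi, name)
             for text, (name, lo, hi) in zip(parts, FIELDS)}
    # Standard cron rule (assumed, not stated in the guide): when neither day
    # field starts with *, a day matching either field qualifies.
    sched["either_day"] = not (parts[2].startswith("*")
                               or parts[4].startswith("*"))
    return sched


def _day_matches(sched, day):
    dom_ok = day.day in sched["day_of_month"]
    dow_ok = day.isoweekday() % 7 in sched["day_of_week"]  # Sunday becomes 0
    if sched["either_day"]:
        return dom_ok or dow_ok
    return dom_ok and dow_ok


def next_run(expr, after):
    """First scheduled minute strictly after `after` (a naive datetime in
    whichever timezone the schedule uses, Server or Agent)."""
    sched = parse(expr)
    day = after.replace(hour=0, minute=0, second=0, microsecond=0)
    for _ in range(366 * 5):  # far enough to reach a 29 February
        if day.month in sched["month"] and _day_matches(sched, day):
            for hour in sched["hour"]:
                for minute in sched["minute"]:
                    candidate = day.replace(hour=hour, minute=minute)
                    if candidate > after:
                        return candidate
        day += timedelta(days=1)
    raise ValueError(f"{expr!r} never fires (for example, 31 February)")


def patch_window(expr, after, end_after_minutes):
    """Next start time and the moment the End after limit suspends tasks."""
    start = next_run(expr, after)
    return start, start + timedelta(minutes=end_after_minutes)


if __name__ == "__main__":
    now = datetime(2024, 1, 5, 12, 0)  # constructed sample: a Friday at noon
    for expr in ("0 4 * * 1-5", "0 */3 * * *", "0 4 * * 0,6", "@daily"):
        try:
            start, end = patch_window(expr, now, 180)
            print(f"{expr!r}: next run {start}, suspended at {end}")
        except ValueError as err:
            print(f"{expr!r}: rejected ({err})")
```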

Examples:

View Task Schedule

Click to view the task schedule. The Task Schedule dialog box displays a list of scheduled tasks. Click a task to review the task details. For more information, see View task schedules.

Timezone

The timezone to use when scheduling the action. Select Server to use the timezone of the appliance. Select Agent to use the timezone of the managed device.

Run on next connection if offline

Run the action the next time the managed device connects to the appliance, if the device is currently offline. This option is useful for laptops and other devices that are periodically offline. If this option is not selected, and the device is offline, the action does not run again until the next scheduled time.

Delay run after reconnect

Delay the schedule by a specified amount of time. The time delay period begins when the patch action is scheduled to run.

End after

The time limit for patching actions.

For example, if you schedule patches to run at 04:00, you might want all patching actions to stop at 07:00 to prevent bandwidth issues when users start work. To do so, you could specify 180 in the minutes box.

When this time limit is reached, any patching tasks that are in progress are suspended, and their status on Security logs is Suspended.

These patching tasks do not resume on the next run and instead start from the beginning with each scheduled patching action.

8. Click Save.

The Detect and Rollback schedule is created. If you add devices that match the Smart Label criteria, they are automatically included in the patching schedule.

Configure Rollback-only patch schedules

You can create and edit patch schedules that roll back selected patches. Rollback might not be available for some patches.

See Determine whether a patch can be rolled back.

1. Go to the Patch Schedule Detail page:
   a. Log in to the KACE SMA Administrator Console, http://KACE_SMA_hostname/admin. Or, if the Show organization menu in admin header option is enabled in the appliance General Settings, select an organization in the drop-down list in the top-right corner of the page next to the login information.
   c. On the Patch Management panel, click Schedules.
   d. Display the Patch Schedule Detail page by doing one of the following:
      Select Choose Action > New.
2. In the Configure section, specify options for the Rollback-only schedule.

Option

Description

Name

A name that identifies the schedule. This name appears on the Patch Schedules page.

Action

Select Detect. The page updates to the appropriate options.

The patch action behavior is dependent on the combination of reboot, detect, deploy, and rollback selections you make. Whenever a patch action does both a Detect pass and something else, as is the case with Detect and Deploy and Detect and Rollback, the action is repeated cyclically until the Detect action finds no further patches to deploy or roll back. This behavior might result in multiple Reboot actions for a single scheduled run. In addition, the type of device you are patching affects the type of patch action to use.

Device Labels

Restrict the patch actions to the devices in the labels that you select. Limiting the run to labels, especially Smart Labels, helps to ensure that patches are applied appropriately.

For example, some application patches have the ability to install applications as well as update applications that are already installed. To prevent the appliance from installing the application on devices that do not already have the application installed, you can create a Smart Label to identify devices that have the application. You can then limit the patch action to devices that have that label. The patch is then applied only to devices that already have the application installed.

To use this option, you must already have created labels or Smart Labels. See Using Smart Labels for patching.

Any labels that you select in this section only apply to the set of devices associated with the scoped user (if applicable). Scoped users can see only those devices that are associated with their role, when the role is assigned a label. For more information about user roles, see Add or edit User Roles.

Devices

Run detect and deploy patch actions on the devices that you select. To search for devices, begin typing in the field. Scoped users can see only those devices that are associated with their role, when the role is assigned a label. For more information about user roles, see Add or edit User Roles.

Operating Systems

Select the operating systems of the devices on which you want to run the actions. The default is all operating systems.

3. In the Rollback section, specify options for the Rollback-only schedule.

Option

Description

All Patches

Roll back all patches on the selected devices.

Labels

Restrict the action to the patches in the labels that you select. This option is the most commonly used patch detection option. To select labels, click Edit. To use this option, you must already have labels or Smart Labels for the patches you want to detect. See Using Smart Labels for patching.

Maximum Rollback Attempts

The maximum number of times, between 0 and 99, that the appliance tries to deploy or roll back the patch. If you specify 0, the appliance attempts to deploy or roll back the patch indefinitely.

As a last step in patch deployment or rollback, the appliance verifies whether the patch was deployed or rolled back successfully. If a deployment or rollback fails, the appliance attempts to deploy or roll back the patch again until one of the following occurs:

4. In the Notify section, specify options for the Rollback-only schedule.

Option

Description

Options

The options displayed to users when patch actions run. To perform the action without notifying the user, leave the Options field blank.

OK: Run immediately.
Cancel: Cancel until the next scheduled run.
Snooze: Prompt the user again after the Snooze Duration.

Timeout

The amount of time, in minutes, for the dialog to be displayed before an action is performed. If this time period elapses without the user pressing a button, the appliance performs the action specified in the Timeout drop-down list.

Timeout Action

The action to be performed when the Timeout period elapses without the user choosing an option.

Snooze Duration

The amount of time, in minutes, that elapses after the user clicks Snooze before the dialog appears again.

Snooze Until Limit

Select the Snooze Until Limit check box to enable the user to Snooze the patch action a specified number of times. Specify the number of Attempts.

Initial Message

The message to be displayed to users before the action runs. To customize the logo that appears in the dialog, see Configure appliance General Settings with the Organization component enabled.

Progress Message

The message displayed to users during the patch action.

Completion Message

The message displayed to users when the patch action is complete.

5. In the Reboot section, specify options for the Rollback-only schedule.

Option

Description

Options

The options for rebooting the managed device.

No Reboot

The device does not reboot even though a reboot might be required for the patch to take effect. When this option is selected, the following occurs according to the patching schedule:

No Reboot is not recommended because deploying patches without rebooting when required can leave systems unstable. Further, patches that require reboots are only shown as deployed after the reboot.

Prompt User

Wait for the user to accept the reboot before restarting the device. When this option is selected, the following occurs according to the patching schedule:

If the user clicks OK, the device reboots. The rollback process continues until another reboot is required and the user is prompted again. The pattern continues until the patch list is exhausted.

If the user snoozes or cancels the reboot, patching stops until a reboot occurs. When a reboot occurs, rollback continues until the next reboot is needed, and the user is prompted again. The pattern continues until the patch list is exhausted.

Force Reboot

Reboot as soon as a patch requiring it is deployed. Forced reboots cannot be canceled. Force Reboot works well for desktops and servers. You might not want to force reboot on laptops. When this option is selected, the following occurs according to the patching schedule:

Force Reboot works well with servers because they usually have no dedicated users. However, it is important to warn users that services will not be available when servers are being patched and rebooted. See Best practices for patching.

Automatically reboot when no one is logged in

Automatically reboot the managed device if no users are logged in.

Message

The message to be displayed to the user before the device reboots. For information about adding a custom logo to the message dialog, see Configure appliance General Settings with the Organization component enabled.

Timeout

The amount of time, in minutes, for the dialog to be displayed before an action is performed. If this time period elapses without the user pressing a button, the appliance performs the action specified in the Timeout drop-down list.

When Force Reboot is selected, the timeout behavior takes into consideration the KUserAlert and global KACE SMA Agent process timeouts. The global timeout, set in amp.conf through the Agent Settings page, always determines how long any agent-launched process can run, including KUserAlert. For example, if the KUserAlert timeout is set to two hours, and you set the global timeout to one hour, the agent stops KUserAlert because it runs too long. Therefore, the global timeout must be set to a value that is longer than the KUserAlert timeout.

Timeout Action

The action to be performed when the Timeout period elapses without the user choosing an option.

Reboot Delay (countdown)

Postpone the reboot using a countdown. The countdown is in minutes.

Reboot Now

Reboot the device immediately.

Reboot Later

Reboot the device later.

Number of prompts

The number of prompts the user receives before the device reboots. For example, if you enter a value of 5, the device automatically reboots the fifth time the user receives the reboot prompt. In other words, the user can delay the reboot only four times if the Number of prompts value is set to 5.

Reprompt Interval

The time that elapses before the user is reprompted to reboot.

6. In the Schedule section, specify options for the Rollback-only schedule.

Option

Description

None

Run in combination with an event rather than on a specific date or at a specific time. This option is useful if you want to patch servers manually, or perform patch actions that you do not want to run on a schedule.

Every _ hours

Run at a specified interval.

Every day/specific day at HH:MM

Run daily at a specified time, or run on a designated day of the week at a specified time.

Run on the nth of every month/specific month at HH:MM

Run on the nth day (for example, the first or the second) of every month, or of a specific month, at the specified time.

Run on the nth weekday of every month/specific month at HH:MM

Run on the specific weekday of every month, or a specific month, at the specified time.

Custom

Run according to a custom schedule.

Use standard 5-field cron format (extended cron format is not supported):

Use the following when specifying values:

Spaces ( ): Separate each field with a space.
Asterisks (*): Include the entire range of values in a field with an asterisk. For example, an asterisk in the hour field indicates every hour.
Commas (,): Separate multiple values in a field with a comma. For example, 0,6 in the day of the week field indicates Sunday and Saturday.
Hyphens (-): Indicate a range of values in a field with a hyphen. For example, 1-5 in the day of the week field is equivalent to 1,2,3,4,5, which indicates Monday through Friday.
Slashes (/): Specify the intervals at which to repeat an action with a slash. For example, */3 in the hour field is equivalent to 0,3,6,9,12,15,18,21. The asterisk (*) specifies every hour, but /3 restricts this to hours divisible by 3.
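
The field rules above, worked through as an added example that is not from the original guide: a small Python validator that expands a 5-field expression into the explicit values each field matches, so a Custom schedule can be checked before it is saved. The field order and value ranges (minute, hour, day of month, month, day of week) are the standard cron ones and are an assumption here, as are the names expand_field and expand_cron.

```python
# Added example: expand a standard 5-field cron expression into explicit values.
# Field order and ranges follow standard cron and are an assumption here.
FIELDS = [  # (name, lowest value, highest value)
    ("minute", 0, 59),
    ("hour", 0, 23),
    ("day_of_month", 1, 31),
    ("month", 1, 12),
    ("day_of_week", 0, 6),  # 0 = Sunday, 6 = Saturday
]


def expand_field(text, lo, hi):
    """Return the sorted values matched by one field."""
    values = set()
    for part in text.split(","):              # commas separate multiple values
        base, slash, step = part.partition("/")
        if slash and not step.isdigit():
            raise ValueError(f"bad step in {part!r}")
        step = int(step) if slash else 1
        if step < 1:
            raise ValueError(f"step must be at least 1 in {part!r}")
        if base == "*":                        # asterisk = the entire range
            start, end = lo, hi
        else:
            first, dash, last = base.partition("-")   # hyphen = a range
            if not first.isdigit() or (dash and not last.isdigit()):
                raise ValueError(f"unsupported value {part!r}")
            if slash and not dash:             # a step needs * or a range
                raise ValueError(f"step without a range in {part!r}")
            start, end = int(first), (int(last) if dash else int(first))
        if not lo <= start <= end <= hi:
            raise ValueError(f"{part!r} is outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return sorted(values)


def expand_cron(expression):
    """Expand each of the five space-separated fields; reject anything else."""
    parts = expression.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected 5 fields, got {len(parts)}")
    return {name: expand_field(text, lo, hi)
            for (name, lo, hi), text in zip(FIELDS, parts)}


# Constructed sample: 04:00 on Monday through Friday.
WEEKDAY_0400 = expand_cron("0 4 * * 1-5")
```

Six-field expressions, names such as MON, and shortcuts such as @daily raise ValueError, which matches the guide's statement that extended cron format is not supported.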

Examples:

View Task Schedule

Click to view the task schedule. The Task Schedule dialog box displays a list of scheduled tasks. Click a task to review the task details. For more information, see View task schedules.

Timezone

The timezone to use when scheduling the action. Select Server to use the timezone of the appliance. Select Agent to use the timezone of the managed device.

Run on next connection if offline

Run the action the next time the managed device connects to the appliance, if the device is currently offline. This option is useful for laptops and other devices that are periodically offline. If this option is not selected, and the device is offline, the action does not run again until the next scheduled time.

Delay run after reconnect

Delay the schedule by a specified amount of time. The time delay period begins when the patch action is scheduled to run.

End after

The time limit for patching actions.

For example, if you schedule patches to run at 04:00, you might want all patching actions to stop at 07:00 to prevent bandwidth issues when users start work. To do so, you could specify 180 in the minutes box.

When this time limit is reached, any patching tasks that are in progress are suspended, and their status on Security logs is Suspended.

These patching tasks do not resume on the next run and instead start from the beginning with each scheduled patching action.

7. Click Save.

The Rollback-only schedule is created. If you add devices that match the Smart Label criteria, they are automatically included in the patching schedule.

Error codes caused by patching and scripting


The following Fail error codes can be encountered during patching (Detection or Deployment phase only) or scripting.

Table 29. Error codes encountered during patching or scripting

| Error code | Description |
|---|---|
| 1 | Variable cache exhausted |
| 2 | Archive extraction error |
| 3 | Patch open failure |
| 4 | Bad patch GUID (Globally Unique Identifier) |
| 5 | Patch has too many applicable signatures |
| 6 | Package open failure |
| 7 | Bad package GUID |
| 8 | Package archive initialized |
| 9 | File info open failure |
| 10 | Bad file info GUID |
| 11 | Signature open failure |
| 12 | Bad signature info GUID |
| 13 | Pre-requisite signature cache exhausted |
| 14 | Fingerprint open failure |
| 15 | Bad fingerprint GUID |
| 16 | Fingerprint expression syntax error |
| 17 | Fingerprint file root unsupported |
| 18 | Fingerprint type unsupported |
| 19 | Bad script file handle |
| 20 | File extraction error |
| 21 | Invalid root hkey |
| 22 | WMI (Windows Management Instrumentation) fingerprint unsupported |
| 23 | Javascript unsupported |
| 24 | Out of memory |
| 25 | Missing pre-requisite signature |
| 26 | Invalid pre-requisite language |
| 27 | Expired license key |
| 28 | Entitled file missing |
| 29 | Entitled file bad checksum |
| 30 | Entitled file wrong size |
| 31 | Invalid system info fingerprint |
| 32 | Fingerprint expression missing a variable |
| 33 | Package mkdir failure |
| 34 | Fingerprint file scan unsupported |
| 35 | Fingerprint WMI error |
| 36 | Relevance script syntax error |
| 37 | Unknown |
| 40 | Package re-import error |
| 80 | Error in patch deploy script |
| 84 | Deployment failure: package file not found |
| 89 | Failed to download signature |
| 90 | Manual installation Required |
| 91 | No Patch Signature found on Agent |
| 94 | Invalid file download: checksum mismatch |
| 95 | Download failed: download URL not set |
| 96 | Invalid file download: file size mismatch |
| 97 | Patch language not supported |
| 98 | Detect or deploy data caused a crash |
| 99 | Unknown download error |
| 100 | Package is not a valid .cab file |
| 101 | Immediate reboot required |
| 102 | Reboot required |
| 400 | Download failure: bad request |
| 401 | Download failure: unauthorized |
| 403 | Download failure: forbidden |
| 404 | Download failure: file not found |
| 502 | Download failure: bad gateway |
| 503 | Download failure: service unavailable |
| 504 | Download failure: gateway timeout |
| 1020 | Download failure: file share login error |
| 1022 | Download failure: disk write error |
| 1024 | Download failure: file share unreachable |
| 1025 | Download stopped |
