Chat now with support
Chat with Support

KACE Systems Management Appliance 9.1 Common Documents - Administrator Guide

About the KACE Systems Management Appliance (SMA) Getting started
Configuring the appliance
Requirements and specifications Power-on the appliance and log in to the Administrator Console Access the Command Line Console Tracking configuration changes Configuring System-level and Admin-level General Settings Configure appliance date and time settings Enable Two-Factor Authentication for all users Verifying port settings, NTP service, and website access Configuring network and security settings Configuring Agent settings Configuring session timeout and auto-refresh settings Configuring locale settings Configuring the default theme Configure data sharing preferences About DIACAP compliance requirements Configuring Mobile Device Access Enable fast switching for organizations and linked appliances Linking Quest KACE appliances Configuring history settings
Setting up and using labels to manage groups of items Configuring user accounts, LDAP authentication, and SSO Using Replication Shares Managing credentials Configuring assets
About the Asset Management component Using the Asset Management Dashboard About managing assets Adding and customizing Asset Types and maintaining asset information Managing Software assets Managing physical and logical assets Maintaining and using manual asset information Managing locations Managing contracts Managing licenses Managing purchase records
Setting up License Compliance Managing License Compliance Setting up Service Desk Configure the Cache Lifetime for Service Desk widgets Creating and managing organizations Importing and exporting appliance resources
Managing inventory
Using the Inventory Dashboard Using Device Discovery Managing device inventory
About managing devices Features available for each device management method About inventory information Tracking changes to inventory settings Managing inventory information Finding and managing devices Provisioning the KACE SMA Agent Manually deploying the KACE SMA Agent Using Agentless management Adding devices manually in the Administrator Console or by using the API Forcing inventory updates Managing MIA devices Obtaining Dell warranty information
Managing applications on the Software page Managing Software Catalog inventory
About the Software Catalog Viewing Software Catalog information Adding applications to the Software Catalog Managing License assets for Software Catalog applications Associate Managed Installations with Cataloged Software Using software metering Using Application Control Update or reinstall the Software Catalog
Managing process, startup program, and service inventory Writing custom inventory rules
Deploying packages to managed devices
Distributing software and using Wake-on-LAN Broadcasting alerts to managed devices Running scripts on managed devices Managing Mac profiles Using Task Chains
Patching devices and maintaining security
About patch management Subscribing to and downloading patches Creating and managing patch schedules Managing patch inventory Managing Dell devices and updates Maintaining device and appliance security
Using reports and scheduling notifications Monitoring servers
Getting started with server monitoring Working with monitoring profiles Managing monitoring for devices Working with alerts
Using the Service Desk
Configuring Service Desk Using the Service Desk Dashboard Managing Service Desk tickets, processes, and reports
Overview of Service Desk ticket lifecycle Creating tickets from the Administrator Console and User Console Creating and managing tickets by email Viewing tickets and managing comments, work, and attachments Merging tickets Using the ticket escalation process Using Service Desk processes Using Ticket Rules Run Service Desk reports Archiving, restoring, and deleting tickets Managing ticket deletion
Managing Service Desk ticket queues About User Downloads and Knowledge Base articles Customizing Service Desk ticket settings Configuring SMTP email servers
Maintenance and troubleshooting
Maintaining the appliance Troubleshooting the KACE SMA
Appendixes Glossary About us Legal notices

About the patch testing environment

About the patch testing environment

Built-in Lumension security uses VMware® ESX®, VMware® vCenter™ Lab Manager™, and custom hardware bench testing.

Testing methods include:

About the patch quality assurance process

About the patch quality assurance process

Quest partners with HEAT Software to provide Patch Management customers more value through the content development and quality assurance processes. The quality assurance teams verify the patch install and uninstall processes as well as the patch metadata produced by the content development team. Providing quality content to our customers is a high priority. To ensure successful delivery of content, HEAT Software executes test cases covering the following test components.

Testing environment

HEAT Software invests heavily in testing infrastructure. The content development and quality assurance teams have access to a virtual enterprise environment representing more than 1,500 nodes of various configurations. HEAT Software uses a mix of virtual desktops and servers in addition to custom physical bench testing to ensure that our testing infrastructure is state of the art.

Application testing

HEAT Software tests with various applications as necessary to ensure the requirements of the patch are satisfied.

Testing strategy

HEAT Software uses the following types of testing:

General testing verifies the following:
Assessment testing verifies the following:
Deployment testing verifies the following:

Trusted delivery and flexibility

The HEAT Software GSS is designed and implemented to maximize global availability through a secure content distribution network. All communications with the HEAT Software GSS are conducted through encrypted, secure channels to ensure the integrity of security content.

Using a best practice approach, critical security patches are automatically downloaded to customer locations, based on their subscription options. Additional security patches may be downloaded, as necessary, to create a customized version of the KACE Patch Content Repository within the customer’s own secure enterprise environment.

The patches (.pls) and its associated packages (.plp) are encrypted with a key. This key is part of our product (kace.plk). Hence these files cannot be opened and modified without the key and also a Lumension-specific library.

SCR is a Java-based tool used to download patches. It employs checksum verification during the download process.

Best practices for patching

Best practices for patching

Best practices for patching devices include testing patches, using labels to organize devices and patches, and notifying users when systems are being patched.

Test patches on selected devices before deploying them to all devices. This testing ensures that patches do not break anything before they are widely deployed.

When choosing test devices, look for these characteristics:

For a thorough test, devices should function normally for at least a week after being patched. If no problems are reported after a week, the patch can be deployed to the remaining devices on the network.

You can use Smart Labels to automatically group devices by type, such as laptop, desktop, and server. In addition, you can use Smart Labels to automatically group patches by importance, such as critical operating system patches and lower priority patches for other applications. You can then create patching schedules to match each type of device and patch.

See:

There are two options for patching Windows devices:

Use Windows Update: Windows Update is a Microsoft feature that downloads and installs updates to Windows operating systems. If you enable Windows Update on managed devices, use the KACE SMA Patch Management component only to detect Windows operating system patches, not to deploy them. Patches will be deployed by Windows Update.
Use the KACE SMA: You can download and deploy patches for Windows operating systems using the KACE SMA Patch Management component. If you use the KACE SMA, disable Windows Update on managed devices, because patches will be deployed by the KACE SMA.

Schedule patch deployment during periods when device use is lower to minimize downtime. Keep in mind that device use varies depending on the device type:

Servers: These require careful and well-publicized upgrades. When patching servers, you might need to plan ahead by several weeks.
Desktops: These have more flexible options for patching, because they are often left running when they are not in use.
Laptops: These are the most difficult to patch, because they are often only available to patch while being used.

For more information about creating patch schedules for each type of device, see:

Be sure to notify users when the devices they use are being patched. This is especially important if devices need to be restarted as part of the patching process. There are several ways to inform users of patching schedules:

Send email or use other messaging systems: Notify users in advance through email and other messaging systems outside the appliance Administrator Console. This notification is especially useful when patching might prevent access to critical systems, such as servers, for a time.
Send an alert message from the appliance: Use the appliance Administrator Console to create an alert and broadcast it to all devices or to selected devices. These broadcast alerts can be used to remind users that patching is about to start.

For more information on creating alerts, see Broadcasting alerts to managed devices.

Provide alerts during patching: When you schedule patching, choose to alert users before patching, and prompt users before rebooting their devices. You can also enable users to snooze or postpone reboots if necessary. See Configuring patch schedules.

For more information about scheduling patching for various devices, see:

Patching jobs can require extensive bandwidth and resources. To reduce the impact on users, you can set time limits on patching jobs. For example, you could configure patching jobs to start at 04:00 and stop at 07:00. Any patching jobs that are in progress at 07:00 are suspended. Jobs resume where they left off when the next scheduled patching job begins. See Configuring patch schedules.

Use Replication Shares to optimize network resource requirements and download time. Replication Shares are devices that keep copies of files for distribution, which can be useful for managed devices that are deployed across multiple geographic locations. For example, using a Replication Share, a device in New York could download patch files from another device at the same office, rather than downloading those files from a KACE SMA in Los Angeles.

For more information on setting up and using Replication Shares, see Using Replication Shares.

Quest Support has a Knowledge Base of articles about the KACE SMA, which you can access at https://support.quest.com/kace-systems-management-appliance/kb. The Knowledge Base is continually updated with solutions to real-world KACE SMA problems that administrators encounter. To view patching articles, go to the Knowledge Base and search for Security.

Sponsored by Quest KACE, ITNinja.com (formerly AppDeploy.com) is a product-agnostic IT-focused community website. It is the Internet’s leading destination for IT professionals to share information and ask questions about system-management related topics. See http://itninja.com.

Subscribing to and downloading patches

Subscribing to and downloading patches

To enable patching, you need to subscribe to patches and schedule patch downloads to the appliance.

Related Documents