Note: Only admins can see the compliance tab.
JetPatch supports custom compliance calculations using Compliance Rules, defined by the user.
Custom compliance supports the business needs along with the enforcement and technological limitations.
Scenarios for using Custom Compliance can be:
- The environment has Windows endpoints that are running a .NET-based application, and you don't want to update the .NET software, in order to avoid potential application failures and downtime.
- The environment is running Docker-based applications on Linux endpoints, and you don't want to update Docker because the updates are not supported by your application.
By defining relevant Compliance rules, you can configure JetPatch to ignore/exclude .NET/Docker patches from compliance calculations and patching operations on specific endpoints.
Compliance Rule
To define a Compliance Rule, navigate to Rules > Compliance Rules.
In a Compliance rule, you can define which patches will be ignored/excluded on a set of endpoints.
- Patches list - defined by saved Patch Filters.
  - Example #1 - All kernel patches on CentOS 7.
  - Example #2 - All "BugFix" patches for Linux.
- Endpoints list - defined by Smart Group.
  - Example #1 - All servers that should not update the kernel, using "No Kernel" Smart Group.
  - Example #2 - All Production servers, using "Prod" Smart Group.
In the Compliance table, you will see the configured Compliance rules:
- Name - Compliance rule name.
- Description - Compliance rule description (explain the reason it is recommended).
- Smart Group - The relevant Server Smart Group to specify the affected endpoints.
- Patch Filters - List of patch filters (clickable) representing the patches to exclude from the endpoints.
- Status (Enabled/Disabled) - Determines whether JetPatch considers the rule in Compliance calculations and patch actions.
- Last Modified - Date of last modification.
- Affected Endpoints - The number of affected endpoints (clickable).
Note - When clicking on the Affected Endpoint count, it will redirect to the Management page with the Smart Group applied. The Management page shown will not necessarily consider whether the endpoints are affected by the Compliance Rule, but rather it will show all endpoints that are assigned to the relevant Smart Group.
Adding a new Compliance Rule
Clicking on the 'Add' Button will open a window for adding the requested Compliance rule (same properties as above).
For any Compliance rule, you can find the following information:
- Name
- Description
- Smart Group
  - Clicking on a Smart Group will filter the table results accordingly.
- Patch Bundle
  - Clicking on a Patch Bundle will navigate the user to the 'Patches catalog' screen, filtered by the clicked Bundle.
- Status
- Last Modified
- Affected Endpoints - Number of Endpoints that are affected by this Rule
Configure Views based on Compliance Rules
When reviewing the Patches Catalog and the Endpoints Management table, you can decide whether to see the compliance details based on the Compliance rules.
Note - The following setting affects only the UI and not the actions JetPatch actually performs. JetPatch remediation operations always follow the Compliance rules, regardless of the setting below.
- Go to the User Settings configuration button, located in the top-right menu of JetPatch.
- Under the "Compliance" section, disable/enable "Use custom compliance rules for compliance calculation". Enabling the setting shows compliance information after the Compliance rules are applied, while disabling it shows total compliance regardless of the configured Compliance rules.
Enabling the setting will affect the following components:
Patches Catalog:
- Needed On - The "Needed On" counter will reflect the number of servers that need this patch after filtering out the servers that are not allowed to deploy this patch.
Management table:
- Patching Status - The number of "Not Installed" patches (grey part in the bar) will reflect the number of patches after considering the Compliance rules.
- Endpoint Compliance - Will show the Compliance percentage based on the Compliance rules.
Use Case – See excluded patches for a specific endpoint (disable UI toggle)
Step 1 - Go to User Settings (top-right) and, under the “Compliance” section, disable “Use custom compliance rules for compliance calculation”.
  - Note: This affects the UI only; actual remediation still respects the rules.
Step 2 - Navigate to Patches > Patches Catalog.
Step 3 - For each Compliance Rule that may apply to the endpoint:
  - Apply the rule’s Patch Bundle or Patch Filter.
  - Apply the rule’s Smart Group filter (or optionally narrow further to the specific endpoint).
  - Review the result: these entries represent patches that the rule would exclude for that endpoint.
Step 4 - Download the CSV (Patches Compliance) in the lower left.
Step 5 - Repeat steps 3-4 for each applicable Compliance Rule.
Step 6 - Re-enable “Use custom compliance rules for compliance calculation” by following step 1 and then enabling the check again.
Result:
- With the UI toggle off, you will view all updates (including those excluded by rules).
- By applying the bundle/filter + Smart Group, you isolate the excluded patches for the relevant endpoints.
- The Patches Compliance CSV gives you a full export of the excluded patches.
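A small model of the view setting and of the use case above, as an added example rather than JetPatch code: it shows how an enabled rule (Smart Group plus Patch Filter) changes "Needed On" and Endpoint Compliance when the setting is on, and which missing patches the rules hide for one endpoint. The data structures, the sample endpoints and patch ids, and the percentage formula are assumptions for illustration; this page does not give JetPatch's actual calculation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    smart_group: frozenset    # endpoints in the rule's Smart Group
    patch_filter: frozenset   # patches matched by the rule's saved Patch Filter
    enabled: bool = True      # the rule's Status column

def is_excluded(endpoint, patch, rules):
    """True when an enabled rule covers both this endpoint and this patch."""
    return any(r.enabled and endpoint in r.smart_group and patch in r.patch_filter
               for r in rules)

def needed_on(patch, missing, rules, use_rules):
    """Endpoints that still need `patch`; with use_rules on, excluded ones drop out."""
    return sum(1 for ep, patches in missing.items()
               if patch in patches and not (use_rules and is_excluded(ep, patch, rules)))

def endpoint_compliance(endpoint, installed, missing, rules, use_rules):
    """Assumed formula: installed / (installed + in-scope missing), as a percentage."""
    in_scope = [p for p in missing[endpoint]
                if not (use_rules and is_excluded(endpoint, p, rules))]
    total = len(installed[endpoint]) + len(in_scope)
    return 100.0 if total == 0 else round(100 * len(installed[endpoint]) / total, 1)

def excluded_patches(endpoint, missing, rules):
    """Missing patches that enabled rules hide for one endpoint."""
    return sorted(p for p in missing[endpoint] if is_excluded(endpoint, p, rules))

# Constructed sample inventory (hypothetical endpoint names and patch ids).
INSTALLED = {"win-app-01": {"KB-A", "KB-B", "KB-C"}, "win-db-02": {"KB-A", "KB-B"}}
MISSING = {"win-app-01": {"NET-1", "NET-2", "KB-D"}, "win-db-02": {"NET-1", "KB-D"}}
RULES = [
    Rule("Exclude .NET", frozenset({"win-app-01"}), frozenset({"NET-1", "NET-2"})),
    Rule("No KB-D", frozenset({"win-db-02"}), frozenset({"KB-D"}), enabled=False),
]

if __name__ == "__main__":
    for ep in MISSING:
        on = endpoint_compliance(ep, INSTALLED, MISSING, RULES, True)
        off = endpoint_compliance(ep, INSTALLED, MISSING, RULES, False)
        hidden = excluded_patches(ep, MISSING, RULES)
        print(f"{ep}: {on}% with rules, {off}% total, hidden={hidden}")
```

The gap between the two percentages for an endpoint is the set of patches the rules exclude, which is what the Patches Compliance CSV export in the use case lets you review.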
Example - Exclude .NET from Servers
All of the servers in the environment should ignore .NET patches
Step 1 - Click on the 'Add' Button to create a new Compliance Rule
Step 2 - Create a smart group if necessary (can use the 'Add' button in the window that opens up) and add the relevant endpoints to the Smart Group (example: All Windows Endpoints)
Step 3 - Create a Patch Filter that includes .NET updates only (see Patches Catalog)
Step 4 - Create the Compliance rule to include the selected Smart Group and the Patch Filter
Result -
- When Compliance View is OFF, all updates will be shown
- When Compliance View is ON - Only relevant updates will be shown
Known Issue
- Performance issues may occur if you include multiple saved filters in one rule. As a workaround, create one rule per filter.
Example: instead of one rule with two filters ❌, create two rules with one filter each ✔️