Overview
JetPatch supports custom compliance calculations using Compliance Rules, defined by the user. Custom compliance supports business needs while accounting for enforcement and technological limitations.
The purpose of Patch Compliance Rules is to ensure that endpoints patch only what is required, enabling accurate compliance reporting and better control over your patching process. Compliance calculations are generated in the Endpoints Management tab and are based on the patches your endpoints actually need.
Scenarios for using Custom Compliance can be:
- The environment has Windows endpoints running a .NET-based application, and you do not want to update the .NET software to eliminate potential application failures and downtimes.
- The environment is running Docker-based applications on Linux endpoints, and you do not want to update the Docker application because it is not supported by your application.
By defining relevant Compliance rules, you can configure JetPatch to ignore/exclude .NET/Docker patches from compliance calculations and patching operations on specific endpoints.
Enabling Compliance Calculation
Before using Compliance Rules, make sure the compliance calculation setting is enabled:
- Click the Gear Icon at the top of the page.
- Enable Calculate Endpoint Compliance based on your rules.
- This setting should always be turned on when using Patch Compliance Rules.
| Tip: It is highly recommended to pause and try each step yourself during the setup process to reinforce understanding. |
Compliance Rule
To define a Compliance Rule, navigate to Rules > Compliance Rules.
In the Compliance table, you will see the configured Compliance rules with the following columns:
| Column | Description |
| Name | Compliance rule name. |
| Description | Compliance rule description (explains the reason it is recommended). |
| Smart Group / Tags | The relevant Server Smart Group or Tag to specify the affected endpoints. |
| Patch Filters | List of patch filters (clickable) representing the patches to exclude from the endpoints. |
| Status (Enabled/Disabled) | Determines if JetPatch should consider the rule in Compliance calculations and patch actions, or not. |
| Last Modified | Date of last modification. |
| Affected Endpoints | The number of affected endpoints (clickable). Clicking reveals each endpoint individually. |
| Note: When clicking on the Affected Endpoint count, it will redirect to the Management page with the Smart Group applied. The Management page shown will not necessarily consider whether the endpoints are affected by the Compliance Rule, but rather it will show all endpoints that are assigned to the relevant Smart Group. |
Adding a new Compliance Rule
Clicking the 'Add' button will open a window for adding the requested Compliance rule. The rule has the same properties as described in the Compliance table above.
For any Compliance rule, you can find the following information:
- Name
- Description
- Smart Group – Clicking on a Smart Group will filter the Table results accordingly.
- Patch Bundle – Clicking on a Patch Bundle will navigate the user to the ‘Patches Catalog’ screen filtered by the clicked Bundle.
- Status
- Last Modified
- Affected Endpoints – Number of endpoints that are affected by this Rule.
Understanding the Compliance Table
- Enable/Disable: Rules can be disabled via Edit → Disable, visible in the Status column.
- Affected Endpoints: The Affected Endpoints column shows how many endpoints are impacted. Clicking the number reveals each endpoint individually.
- Compliance Impact Example:
  - EP4 with setting off: 92 patches available.
  - EP4 with setting on: 89 patches available; endpoint compliance increases because excluded patches (.NET) are not counted.
Creating a Patch Bundle
A Saved Patch Filter defines which patches will be excluded by a Compliance Rule. Follow these steps to create one:
- Navigate to Patches → Patches Catalog.
- Identify the patches you want to exclude from endpoint patching (e.g., .NET patches from Windows machines).
- Search for the desired patches (e.g., type “.NET” in the search bar).
- Select Saved Filters → Save As.
- Provide a descriptive name for the filter.
- Click Save Filter.
| Note: The patches defined in the Saved Filter are the patches that will be excluded from your endpoints when the Compliance Rule is active. |
Configure Views based on Compliance Rules
When reviewing the Patches Catalog and the Endpoints Management table, you can decide whether to display compliance details based on the Compliance Rules.
| Note: The following setting affects only the UI and does not relate to the actual JetPatch action that will be performed. In the JetPatch remediation operation, it will always be aligned with the Compliance Rules, regardless of the settings below. |
- Go to the User Settings configuration button located in the top-right menu of JetPatch.
- Under the “Compliance” section, disable/enable “Use custom compliance rules for compliance calculation.”
Enabling the setting will affect the following components:
Patches Catalog:
- Needed On – The “Needed On” counter will reflect the number of servers that need this patch after filtering out the servers that are not allowed to deploy this patch.
Management Table:
- Patching Status – The number of “Not Installed” patches (grey part in the bar) will reflect the number of patches after considering the Compliance Rules.
- Endpoint Compliance – Will show the Compliance percentage based on the Compliance Rules.
Use Case – See excluded patches for a specific endpoint (disable UI toggle)
1. Go to User Settings (top-right), under the “Compliance” section, disable “Use custom compliance rules for compliance calculation.”
| Note: This affects the UI only; actual remediation still respects the rules. |
2. Navigate to Patches → Patches Catalog.
3. For each Compliance Rule that may apply to the endpoint:
   - Apply the rule’s Patch Bundle or Patch Filter.
   - Apply the rule’s Smart Group filter (or optionally narrow further to the specific endpoint).
4. Review the result: these entries represent patches that the rule would exclude for that endpoint.
5. Download the CSV (Patches Compliance) using the export option in the lower left.
6. Repeat steps 3–4 for each applicable Compliance Rule.
7. Re-enable “Use custom compliance rules for compliance calculation” by following step 1 and enabling the toggle.
Result:
- With the UI toggle off, you will view all updates (including those excluded by rules).
- By applying the bundle/filter + Smart Group, you isolate the excluded patches for the relevant endpoints.
- The Patches Compliance CSV gives you a full export of the excluded patches.
Example - Exclude .NET from Servers
All servers in the environment should ignore .NET patches. Below is a full walkthrough of how to configure this.
Step 1 – Create a Saved Patch Filter
- Navigate to Patches → Patches Catalog.
- Search for “.NET” patches.
- Select Saved Filters → Save As, name it (e.g., “DOTNET_Filter”), and click Save Filter.
Step 2 – Tag Endpoints
- Navigate to Platform Configuration (top right).
- Filter endpoints by OS → Windows.
- Create a new tag (e.g., “Windows”) and assign it to all relevant endpoints.
Step 3 – Create the Compliance Rule
- Click the 'Add' button to create a new Compliance Rule.
- Assign the Smart Group or Tag created in Step 2.
- Assign the Patch Filter created in Step 1.
- Click Create.
Result:
- When Compliance View is OFF, all updates will be shown.
- When Compliance View is ON, only relevant updates (excluding .NET) will be shown, and endpoint compliance reflects the adjusted count.
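The rule semantics described above (Smart Group/Tag plus Patch Filter, honoured only while the rule is enabled) can be modelled offline to review which needed patches a set of rules hides from the compliance figures. This is an added example, not JetPatch code or its API: the `Rule` class, `split_needed` function, the substring-match model of a saved filter, and all patch titles are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    tag: str            # Smart Group / Tag that selects the endpoints
    filter_text: str    # saved patch filter, modelled here as a title search
    enabled: bool = True

def split_needed(endpoint_tags, needed_patches, rules):
    """Return (still_needed, excluded); excluded maps patch -> rule names."""
    excluded = {}
    for patch in needed_patches:
        # A rule applies only if it is enabled, targets one of the
        # endpoint's tags, and its filter matches the patch title.
        hits = [r.name for r in rules
                if r.enabled and r.tag in endpoint_tags
                and r.filter_text.lower() in patch.lower()]
        if hits:
            excluded[patch] = hits
    still_needed = [p for p in needed_patches if p not in excluded]
    return still_needed, excluded

# Constructed sample data (not real catalog entries).
RULES = [
    Rule("Ignore .NET on servers", tag="Windows", filter_text=".NET"),
    Rule("Ignore Docker", tag="Linux", filter_text="docker", enabled=False),
]
EP_WINDOWS = {"tags": {"Windows"}, "needed": [
    "2024-05 Cumulative Update for Windows Server 2019",
    "2024-05 Cumulative Update for .NET Framework 4.8",
    "Security Update for Microsoft .NET 6.0",
]}
EP_LINUX = {"tags": {"Linux"}, "needed": ["docker-ce 24.0.7", "openssl 3.0.13"]}

if __name__ == "__main__":
    for label, ep in (("EP_WINDOWS", EP_WINDOWS), ("EP_LINUX", EP_LINUX)):
        still, excluded = split_needed(ep["tags"], ep["needed"], RULES)
        print(f"{label}: {len(ep['needed'])} needed, "
              f"{len(still)} counted after rules")
        for patch, names in excluded.items():
            print(f"  excluded: {patch}  (by {', '.join(names)})")
```

Keeping the per-patch rule attribution makes it easy to see when a broad filter term also hides security updates that were never meant to be excluded.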
Summary Workflow
The overall process for setting up Patch Compliance Rules follows this sequence:
| Step | Action | Description |
| 1 | Create Saved Filter | Navigate to Patches → Patches Catalog and identify patches to exclude. Save as a named filter. |
| 2 | Create Compliance Rule | Navigate to System Compliance → Add Exclusion Rule. Combine saved filters and tags/smart groups to enforce patch compliance. |
| 3 | Enable Compliance Calculation | Click the Gear Icon and enable “Calculate Endpoint Compliance based on your rules.” This should always be on. |
| Tip: The process is straightforward: Filter → Rule → Enable Compliance Calculation. |
Known Issue
- Performance issues may occur if you include multiple saved filters in one rule. As a workaround, create one rule per filter.
For example, instead of one rule with two filters ❌, create two rules with one filter each ✔️.