Note: Only admins can see the compliance tab.
JetPatch supports custom compliance calculations using Compliance Rules, defined by the user.
Custom compliance supports the business needs along with the enforcement and technological limitations.
Scenarios for using Custom Compliance can be:
- The environment has Windows endpoints that are running a . Net-based application and you don't want to update the .Net software to eliminate potential application failures and downtimes.
- The environment is running Docker-based applications on Linux endpoints and you don't want to update the Docker application because they are not supported by your application.
By defining relevant Compliance rules, you can configure JetPatch to ignore/exclude .Net/Docker patches from compliance calculations and patching operations on specific endpoints.
To define a Compliance Rule, navigate to Rules > Compliance Rules.
In a Compliance rule, you can define which patches will be ignored/excluded on a set of endpoints.
- Patches list - defined by saved Patch Filters.
- Example #1: All kernel patches on CentOS 7
- Example #2 All "BugFix" patches for Linux
- Endpoints list - defined by Smart Group
- Example #1 - All servers that should not update kernel, using "No Kernel" Smart Group.
- Example #2 - All Production servers, using "Prod" Smart Group.
In the Compliance table you will see the configured Compliance rules:
- Name - Compliance rule name.
- Description - Compliance rule description (explain the rule reason is - recommended).
- Smart Group - The relevant Server Smart Group to specify the affected endpoints.
- Patch Filters - List of patches filters (clickable) representing the patches to exclude from the endpoints.
- Status (Enabled/Disabled) - will decide if JetPatch should consider the rule in the Compliance calculations and patches actions, or not.
- Last Modified - Date of last modification.
- Affected Endpoints - The number of affected endpoints (clickable).
Note - When clicking on the Affected Endpoint count it will redirect to the Management page with the Smart Group applied. The Management page shown will not necessarily consider whether the endpoints are affected by the Compliance Rule, but rather it will show all endpoints that are assigned to the relevant Smart Group.
Adding a new Compliance Rule
Clicking on the 'Add' Button will open a window for adding the requested Compliance rule (same properties as above).
For any Compliance rule, you can find the following information:
- Smart Group
- Clicking on a Smart Group will Filter Table results respectively
- Patch Bundle
- Clicking on a Patch Bundle will Navigate the user to the 'Patches catalog' Screen filtered by the clicked Bundle respectively
- Last Modified
- Affected Endpoints - Number of Endpoints that affected by this Rule
Configure Views based on Compliance Rules
When reviewing the Patches Catalog and the Endpoints Management table, you can decide whether to see the compliance detailed based on the Compliance rules.
Note - The following setting will affect only the UI and does not relate to the actual JetPatch action that will be made. In the JetPatch remediation operation, it will always related to the Compliance rules, regardless of the settings below.
- Go to the User Settings configuration button located In the top-right menu of JetPatch
- Under the "Compliance" section disable/enable "Use custom compliance rules for compliance calculation.". Enabling the feature will reflect the compliance information after considering the Compliance rules while disabling these settings will show total compliance regardless of the configured Compliance rules.
Enabling the setting will affect the following components:
- Needed On - The "Needed On" counter will reflect the number of servers that need this patch after filtering out the servers that are not allowed to deploy this patch.
- Patching Status - The number of "Not Installed" patches (grey part in the bar) will reflect the number of patches after considering the Compliance rules.
- Endpoint Compliance - Will show the Compliance percentage based on the Compliance rules.
Example - Exclude .Net from Servers
All of the servers in the environment should ignore .Net patches
Step 1 - Click on 'Add' Button to create a new Compliance Rule
Step 2 - Create a smart group if necessary (can use the 'Add' button in the window that opens up) and add the relevant endpoints to the Smart Group (example: All Windows Endpoints)
Step 3 - Create a Patch Filter that includes .Net updates only (see Patches Catalog)
Step 4 - Create the Compliance rule to include the selected Smart Group and the Patch Filter
- When Compliance View is OFF - all updates will be shown
- When Compliance View is ON - Only relevant updates will be shown
Note - You can download reports by going to endpoints > management, setting the view filters to the same properties as your Compliance Rule, and using the Download Report button () in the bottom left to download.
- Performance issues may occur if you include multiple saved filters in one rule. As a workaround, create one rule per filter.
Example, instead of one one rule with three filters ❌
Create three rules with one filter each ✔️
We are expecting to resolve this issue in the upcoming 4.3 release.