Articles in this section

Patch Compliance Rules

Note: Only admins can see the compliance tab.

JetPatch supports custom compliance calculations using Compliance Rules, defined by the user.

Custom compliance supporting the business needs along with the enforcement and technological limitation.

Scenarios for using Custom Compliance can be:

  1. The environment has Windows endpoints that are running .Net based application and you don't want to update the .Net software to eliminate potential application failures and downtimes.
  2. The environment is running Docker based applications on Linux endpoints and you don't want to update the Docker application because they are not supported by your application.

By defining relevant Compliance rules, you can configure JetPatch to ignore/exclude .Net/Docker patches from compliance calculations and patching operations on specific endpoints.

Compliance Rule

To define a Compliance Rule, navigate to System > Compliance.

In a Compliance rule, you can define which patches will be ignored/excluded on a set of endpoints.

  • Patches list - defined by saved Patch Filters.
    • Example #1: All kernel patches on CentOS 7
    • Example #2 All "BugFix" patches for Linux
  • Endpoints list - defined by Servers Tags
    • Example #1 - All servers that should not update kernel, using "No Kernel" tag.
    • Example #2 - All Production servers, using "Prod" tag.

In the Compliance table you will see the configured Compliance rules:

  • Name - Compliance rule name.
  • Description - Compliance rule description (explain the rule reason in - recommended).
  • Tag - the relevant Server tag to specify the affected endpoints.
  • Patch Filters - List of patches filters (clickable) representing the patches to exclude from the endpoints.
  • Status (Enabled/Disabled) - will decide if JetPatch should consider the rule in the Compliance calculations and patches actions, or not.
  • Last Modified - Date of last modification.
  • Affected Endpoints - The number of affected endpoints (clickable).

Note - when clicking on the Affected Endpoint count it will redirect to the Management page with the Tag applied. It is likely that the table will show additional endpoints that are not affected from the rule, but are assigned to the relevant tag.

 

Adding a new Compliance Rule

Clicking on the Screen_Shot_2021-01-05_at_10.56.30_AM.png will open a window for adding the requested Compliance rule (same properties as above).

Note - The rule is disabled by default and can be enabled from the "Create Compliance Rule" screen (top left switch) or from the Compliance table by clicking on "enable/disable" action on the rule row.

mceclip0.png

Configure Views based on Compliance Rules

When reviewing the Patches Catalog and the Endpoints Management table, you can decide whether to see the compliance detailed based on the Compliance rules.

Note - The following setting will affect only on the UI and does not related to the actual JetPatch action that will be made. In the JetPatch remediation operation, it will always related to the Compliance rules, regardless of the settings below.

  1. Go to User Settings configuration button Screen_Shot_2021-01-05_at_11.09.51_AM.pnglocated In the top-right menu of JetPatch
  2. Under the "Compliance" section disable / enable  "View compliance information in Patches Catalog and Management based on Compliance Rules". Enabling the feature will reflect the compliance information after considering the Compliance rules while disabling these setting will show total compliance regardless the configured Compliance rules.

Enabling the setting will affect the following components:

Patches Catalog:

  • Needed On - the "Needed On" counter will reflect the number of servers that needs this patch after filtering out the servers that are not allowed to deploy this patch.

Management table:

  • Patching Status - the number of "Not Installed" patches (grey part in the bar) will reflect the number of patches after considering the Compliance rules.
  • Endpoint Compliance - Will show the Compliance percentage based on the Compliance rules.

Example - Exclude .Net from Servers

All of the servers in the environment should ignore .Net patches

Step 1 - Tag the relevant endpoints with the "Servers" Tag (top left in the diagram below)

Step 2 - Create a Saved Filter that includes .Net updates only (bottom left in the diagram below)

Step 3 - Create the Compliance rule to include the "Servers" tag (Endpoints list) and the Saved Filter (Patchs list) (middle )

Result

  • When Compliance View is OFF - all updates will be shown
  • When Compliance View is ON - Only relevant updates will be shown

Note - the affected endpoints may be less than the number of tagged endpoints. This is expected because the filter may not apply to all tagged endpoints.  Regardless, you can download reports either on the affected endpoints or go to endpoints > management report, filter on the tag, and download that way.

 

mceclip1.png

Known Issue

  • Performance issues may occur if you include multiple saved filters in one rule.  As a workaround, create one rule per filter.

Example, instead of one one rule with three filters ❌

mceclip0.png

Create three rules with one filter each ✔️

mceclip1.png

 

 

 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.