Version: 4.2.2 + Connector 4.1.2 - May 17, 2022
Note: It is strongly recommended to snapshot your environment before upgrading to 4.2.2 as you will not be able to downgrade to previous versions.
What's New?
Patching by Smart Groups
Purpose: To manage endpoints in logical Smart Groups, which unify endpoints with the same characteristics in one group. Any new endpoint with the same characteristics is added automatically to the same group.
- Creating and activating Remediation Plans is now based on Smart Groups. For example, tagging all endpoints that belong to a certain environment, such as Staging, will automatically put those endpoints into the same patching Smart Group.
- This change also allows you to put endpoints, regardless of operating system, in as many groups as you like for patching and reporting purposes (multi-group patching and reporting).
- Because endpoints can be in multiple groups, you can also patch a single endpoint by quickly creating a Smart Group based on a single hostname, IP address, tag, etc.
In previous JetPatch versions, there were two distinct entities: Smart Groups (created and managed in JetAgent) and Endpoint Groups (created and managed in JetPatch). In this version, the two entities are merged, so there are now only Smart Groups and the user experience is more intuitive.
Smart Groups in JetPatch can be created using different filters that are relevant to patching only. A new filter named “Operating Systems (text)” was also added. It allows free-text input, in addition to the old “Operating Systems” filter, which offers a fixed list.
More information can be found in Smart Group Management Article
WSUS Group Management Mechanism
Purpose: Creation and update of WSUS groups directly from JetPatch, with no need to perform any activity on WSUS.
- This feature eliminates any need to manage WSUS groups via WSUS, since all group-related activity performed in JetPatch is automatically synchronized with the WSUS Server and Replicas.
- JetPatch can now create, read, update and delete any WSUS group, and can also assign endpoints to WSUS groups.
- This will greatly reduce setup and configuration time and will eliminate the need to log into the WSUS server for these purposes.
In previous JetPatch versions, JetPatch could read and show the groups in the WSUS server that was imported to JetPatch. Now, for the first time, JetPatch is fully integrated with WSUS, so the user no longer needs to manage WSUS separately from JetPatch.
Once JetPatch is configured for a specific WSUS, JetPatch imports all the WSUS groups and creates the relevant Smart Groups in JetPatch. From that moment, all control of WSUS is transferred to JetPatch, so the user doesn’t have to use different platforms to manage the patching process of Windows OS endpoints.
Please note that any changes made manually in WSUS, i.e. not through JetPatch, will be reverted to the settings as they appear in JetPatch. Once JetPatch is configured for WSUS, it becomes the sole manager of WSUS.
If the WSUS has replicas, JetPatch can currently manage up to one level of depth (i.e. Replicas of Replicas are not supported), and only if the replicas are configured in Server Targeting Mode (i.e. Client Targeting Mode is currently not supported).
More information can be found in WSUS Group Management Article
Authentication and Authorization
- SSO with Azure Active Directory
Allows users defined in Azure Active Directory to log in to JetPatch using SSO.
More information can be found in the Authentication with Azure AD article.
- Patch Access Control by Smart Groups
Users with a role (i.e. not admins) can now be authorized to patch only predefined Smart Groups.
For example, a user can be granted permissions to manage a specific group of Red Hat endpoints, but will not have access to any Windows endpoints.
As another example, a lab manager can have full access to the machines defined in the lab group. He can fully manage the patching cycle, or segment his endpoints into other private Smart Groups visible only to him, but cannot access any endpoints outside his environment, while the admin has control over all the endpoints in the company.
Private Smart Groups are accessible only to the user who created them; even the admin cannot see or access them. At the same time, a private Smart Group cannot be used for patching and cannot be part of a Remediation Plan. Private Smart Groups are therefore mainly used for segmentation and customizable filtering of the endpoints that the user has access to.
If a user has access to endpoints that participate in Remediation Plans not owned by the user, he will have view-only access to those Remediation Plans. Any Remediation Plans created by a user are fully controlled by him.
A known limitation is that any Smart Group name in JetPatch has to be unique even if the specific user is not using that name.
More information can be found in RBAC: Overview of User Accounts and Permissions
Continuous Improvements
- Group Management allows for creating a Smart Group that can hold endpoints of both Linux and Windows OS.
In the past, when creating a group, the user had to define whether it would be for Linux or Windows endpoints, and once fixed it could not change. Now the user is given the freedom to create Smart Groups that can hold endpoints of any OS, thus more flexibility is provided.
In addition, a single endpoint can belong to many Smart Groups. Only the default group named “Default for Patching” holds endpoints that are not yet assigned to any Smart Group that is for patching. Once an endpoint is assigned to a Smart Group that is for patching, the endpoint is removed from the “Default for Patching” group.
- Vulnerability Managers Integration - Correct CVE parsing when importing a CSV file from a vulnerability manager
- SLES version now reflects the relevant SP in Endpoint Readiness and Patches Catalog
- In Patches Catalog, the "Failure Date" is empty, and not "unknown", when a patch doesn't fail on the endpoint
- Patching
- New script to create a snapshot before patching a VM (VM snapshot script article)
- Connector failure message improvements
- Current Version number is presented on JetPatch Login Page
- Endpoint Readiness -> WSUS URL is not case-sensitive
Bug Fixes
Every JetPatch release (including Update Rollups) has several bug fixes.
Notable bugs:
- Endpoint Readiness
- Aligned the endpoint readiness status in the Endpoint Readiness report with the Endpoint Readiness screen
- The checkbox “Exempt endpoint not matching any OS and CIDR combination from the list above” is now unchecked by default
- Patches Catalog - New Filter Value added to ‘Category’ - Updated (Windows)
- Server Type "Physical" used in Filters and Settings is now called Server Type "Standalone"
- Patch Compliance Report - if the date of a patch Install / Remove / Failure is not available, it is presented as Unknown Date in the report
- Remediation Plan -> Compliance Report - added an Exemption filter to Applicable Endpoints Compliance Status
Known issues
- WSUS servers operating in Client Side Targeting mode are not supported in this version
- An unnecessary "error occurred" message is presented to a non-admin user with no Server Scope defined
- Dashboard -> Operating System filter drop-down list is not aligned with the user's server scope
- Smart Group - a Smart Group name is unique in the system. A user will not be able to create a Smart Group with a name that has already been used by another user.
- Patches Catalog allows the user to select a Smart Group marked as “not supporting patching activities”, then save a filter with it and include it in Auto Remediation Plans