Version: 4.2.2 + Connector 4.1.2 - May 17, 2022
Note1: It is strongly recommended to snapshot your environment before upgrading to 4.2.2 as you will not be able to downgrade to previous versions. If you need to use the snapshot, we recommend new VM if existing VM does not work.
Note2: WSUS servers operating in Client Side Targeting mode is not supported in this version. Client side targeting is not necessary with the move to smart groups and the wsus group management mechanism enhancement.
Note3: After upgrade and auto-migration, any additional changes manually imposed to WSUS, i.e. not using JetPatch, will be reverted back to the settings as they appear in JetPatch. Once JetPatch is configured to WSUS it becomes the sole manager of WSUS.
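A pre-upgrade check for Note2, as an added example that is not part of JetPatch or its documentation: it reports the targeting mode configured on a WSUS server and the client-side targeting policy applied to an endpoint. The function names are hypothetical; the WSUS configuration property and the Windows Update policy registry values are the standard Windows ones.

```powershell
# Added example, not JetPatch code. Function names are hypothetical.

function Get-WsusTargetingMode {
    # Run on the WSUS server in an elevated session.
    # Get-WsusServer comes from the UpdateServices module installed with the WSUS role.
    Import-Module UpdateServices -ErrorAction Stop
    $wsus = Get-WsusServer
    $mode = $wsus.GetConfiguration().TargetingMode.ToString()   # 'Server' or 'Client'

    [pscustomobject]@{
        WsusServer          = $wsus.Name
        TargetingMode       = $mode
        # Client Side Targeting is the mode this release does not support.
        ClientSideTargeting = ($mode -eq 'Client')
    }
}

function Get-ClientTargetingPolicy {
    # Run on an endpoint. These values are written by the Group Policy setting
    # "Enable client-side targeting"; a missing key means the policy is not set.
    $key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        TargetGroupEnabled = ($null -ne $policy -and $policy.TargetGroupEnabled -eq 1)
        TargetGroup        = if ($policy) { $policy.TargetGroup } else { $null }
    }
}

# On the WSUS server:
#   Get-WsusTargetingMode
# On an endpoint (or remotely through Invoke-Command):
#   Get-ClientTargetingPolicy
```

A server reporting `ClientSideTargeting = True`, or endpoints reporting `TargetGroupEnabled = True`, indicates a Client Side Targeting setup that should be reviewed before moving to 4.2.2.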
Patching by Smart Groups
Purpose: To manage endpoints in logical Smart Groups that unify endpoints with the same characteristics in one group, with any new endpoint that has the same characteristics added automatically to the same group.
- Creating and activating Remediation Plans is now done based on Smart Groups. For example, tagging all endpoints that belong to a certain environment, such as Staging, automatically puts those endpoints into the same patching Smart Group.
- This change also allows you to put endpoints, regardless of operating system, in as many groups as you like for patching and reporting purposes (multi-group patching and reporting).
- Because endpoints can be in multiple groups, you can also do single-endpoint patching by quickly creating a Smart Group based on a single hostname, IP address, tag, etc.
In previous JetPatch versions, we had two distinct entities: Smart Groups (created and managed in JetAgent) and Endpoint Groups (created and managed in JetPatch). In this new version, we unified and merged the two entities, so there are now only Smart Groups and the user experience is more intuitive.
More information can be found in the Smart Group Management article.
Endpoint Groups are auto-migrated to Smart Groups on upgrade to version 4.2.2 or above, using the following method:
- A new tag is created for every Computer Group defined in the JetPatch system. The tag name format is "[computer group name] group".
- Based on these Computer Group tags, the JetPatch system automatically creates new Smart Groups. This way, all existing Computer Groups are converted to Smart Groups.
- Existing Intigua Filters migration
  - Only the most common filters from the Intigua filters list are available in JetPatch.
- Existing Intigua Smart Groups migration
  - All Smart Groups that were defined in Intigua are now available in JetPatch. The limitation is that groups based on filters that are not available in the JetPatch UI are not "supporting patch activities" groups.
WSUS Group Management Mechanism
Purpose: Creation and update of WSUS groups directly from JetPatch, with no need to do any activity on WSUS.
- This feature eliminates any need to manage WSUS groups via WSUS, since all group-related activity performed in JetPatch is automatically synchronized with the WSUS Server and Replicas.
- JetPatch is now able to create/read/update/delete any WSUS group, and can also assign endpoints to WSUS groups.
- This will greatly reduce setup and configuration time and will eliminate the need to log into the WSUS server for these purposes.
In the previous JetPatch versions, JetPatch could read and show the groups participating in the WSUS server that was imported to JetPatch. Now, JetPatch is fully integrated with WSUS, so that the user no longer needs to manage WSUS separately from JetPatch.
Please note that any changes made manually in WSUS, i.e. not through JetPatch, will be reverted to the settings as they appear in JetPatch. Once JetPatch is configured for WSUS, it becomes the sole manager of WSUS.
More information can be found in the WSUS Group Management article.
Authentication and Authorization
- SSO with Azure Active Directory
Allows users defined in Azure Active Directory to log in to JetPatch using SSO.
More information can be found in the Authentication with Azure AD article.
- Patch Access Control by Smart Groups
Users with a role (i.e. not admins) can now be authorized to patch only predefined Smart Groups.
For example, a user can be granted permissions to manage a specific group of Red Hat endpoints, but will not have access to any Windows endpoints.
As another example, a lab manager can have full access to the machines defined in the lab group. He can fully manage the patching cycle, or segment his endpoints in other private Smart Groups visible only to him, but cannot access any other endpoints outside his environment, while the admin has control over all the endpoints in the company.
Any private Smart Groups are accessible only to the user who created them, even the admin cannot see or access them. At the same time, any private Smart Group cannot be used for patching, and cannot be part of a Remediation Plan. Therefore private Smart Groups are mainly used for segmentation and customizable filtering of the endpoints that the user has access to.
If a user has access to endpoints that participate in Remediation Plans not owned by the user, he will have view-only access to those Remediation Plans. Any Remediation Plans created by a user are fully controlled by him.
A known limitation is that any Smart Group name in JetPatch has to be unique even if the specific user is not using that name.
More information can be found in RBAC: Overview of User Accounts and Permissions
Group Management allows for creating a Smart Group that can hold endpoints of both Linux and Windows OS.
In the past, when creating a group, the user had to define whether it would be for Linux or Windows endpoints, and once fixed it could not change. Now the user is given the freedom to create Smart Groups that can hold endpoints of any OS, thus more flexibility is provided.
In addition, a single endpoint can belong to many Smart Groups. Only the default group named “Default for Patching” holds endpoints that are still not assigned to any Smart Group that is for patching. Once an endpoint is assigned to a Smart Group that is for patching, the endpoint will be removed from the “Default for Patching” group.
- Vulnerability Managers Integration - Correct CVE pursuing when importing a CSV file from a vulnerability manager
- SLES version now reflects the relevant SP in Endpoint Readiness and Patches Catalog
- In Patches Catalog, the "Failure Date" is empty and not "unknown" when a patch doesn't fail on the endpoint
- New script to create a snapshot before patching a VM (VM snapshot script article)
- Connector failure messages improvements
- Current Version number is presented on JetPatch Login Page
- Endpoint Readiness -> WSUS URL is not case-sensitive
- Endpoint Readiness
- Aligned endpoint readiness status in the Endpoint Readiness report with the Endpoint Readiness screen
- The checkbox “Exempt endpoint not matching any OS and CIDR combination from the list above" is now unchecked by default
- Patches Catalog - New Filter Value added to ‘Category’ - Updated (Windows)
- Server Type "Physical" used in Filters and Settings is now called Server Type "Standalone"
- Patch Compliance Report - if the date of patch Install / Remove / Failure is not available, it is presented as Unknown Date in the report
- Remediation Plan->Compliance Report - added Exemption filter to Applicable Endpoints Compliance Status
- WSUS servers operating in Client Side Targeting mode are not supported in this version. Client side targeting is not necessary with the move to Smart Groups and the WSUS group management mechanism enhancement.
- An unnecessary "error occurred message" is presented to a non-admin user with no Server Scope defined
- Dashboard->Operating System filter drop down list is not aligned with user server scope
- Patches Catalog allows selecting a Smart Group marked as “not supporting patching activities”, then saving a filter with it and including it in Auto Remediation Plans