patching software deployed by managed installation...
Hi!
I'm having difficulty figuring out an issue with automatic security patches on applications that were originally deployed via Managed Installation.
Example
Kbox installed Adobe Reader v9.3.0 via Managed Installation
Run Detect and Deploy for patching on k1000
Kbox applies this patch (Adobe APSB10-09 Reader 9.3.2)
On next Inventory, Adobe Reader v9.3.0 is not found, since it is now v9.3.2
Therefore, the Managed Install for v9.3.0 starts up again on the client machine (doh!)
Goal
I would like to keep the existing managed installation intact until the next major release of the software, letting the kbox apply patches as needed, without the original managed install starting up again after the patch has been applied.
Is there a recommended way to do this? Am I missing some key concept or functionality?
Answers (7)
Posted by:
airwolf
14 years ago
Posted by:
itguymike
14 years ago
ahhh ok! Thank you, that makes sense!
I may go about it a bit differently since the automatic patching is working fine, I just want to prevent the MI for the old version from starting again; this kbox is like a Swiss Army knife!
Do you see any issues with the rough outline below? I'll get the labeling/de-labeling accomplished dynamically
1. Label new/fresh machines as "Newbie"
2. Set all the Managed Installs impacted by the kbox patching system to push to "Newbie" only.
3. After all MIs are complete, remove the "Newbie" label and add a "Patchable" label.
4. Major version upgrades are pushed manually/one-time to the label "Patchable" for existing machines, then put back to "Newbie" for future fresh deployments.
Posted by:
darkhawktman
14 years ago
Here is what I do for applications that are patched via Kbox. For items like Office 2007 I make a custom software inventory item. In that custom inventory item, I wrote a Custom Inventory Rule that checks the registry for the version of the software you are running. This rule will check to see if the version matches certain parameters. In my example I am checking to see if the Office version is greater than 12 and less than 13. My custom string is below:
RegistryValueGreaterThan(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0011-0000-0000-0000000FF1CE}, DisplayVersion, 12) AND RegistryValueLessThan(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0011-0000-0000-0000000FF1CE}, DisplayVersion, 13)
Since my Office 2007 install includes SP1, the version number will always fall between 12 and 13 when installed via a MI. Now if the kbox patches Office and installs SP2, my version number will change but will still fall between 12 and 13. This way, if you have a computer in the office label, it will push the software once, and if you patch it to a new version the MI will not push the install again unless the patch takes the version beyond 13.
Just another way to accomplish your goal.
Posted by:
airwolf
14 years ago
ORIGINAL: itguymike
Do you see any issues with the rough outline below? I'll get the labeling/de-labeling accomplished dynamically
1. Label new/fresh machines as "Newbie"
2. Set all the Managed Installs impacted by the kbox patching system to push to "Newbie" only.
3. After all MIs are complete, remove the "Newbie" label and add a "Patchable" label.
4. Major version upgrades are pushed manually/one-time to the label "Patchable" for existing machines, then put back to "Newbie" for future fresh deployments.
You've got the general idea, but it's going to look a bit more like this:
1. Dynamic filter (Smart Label) will automatically add systems without the proper version of "SoftwareA"
2. Apply latest patch to Smart Label from Step #1
That's all there is to it. If a newer version is released, you simply modify the SQL filter attached to the Smart Label.
Posted by:
benmills
13 years ago
I'm completely new to KACE and I'm having this exact problem.
As slick as KACE is, I'm surprised that it doesn't have the option to not run a managed install if there's already a newer version of the application installed. That seems trivial based on version numbers.
I guess I will use the smart label solution to only install managed installs on new PCs.
Posted by:
ms01ak
13 years ago
I'd use smart labels to isolate the affected systems. I'd make a smart label looking for computers running Adobe Reader and also running any version less than ( < ) the current version. As machines check into the label they'll get the managed install, and when they get patched they'll drop out of the label (because the version is higher than the smart label) and won't try to reinstall the older version.
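Added example, not part of any poster's reply and not KACE code: a small Python model of the three detection approaches discussed in this thread (exact version match, darkhawktman's major-version range, and the "installed but older than the target" smart label), run over constructed inventory states for one machine. The function names and the state list are assumptions for illustration, and the model does not claim to reproduce how KACE itself compares values.

```python
import re

# Constructed inventory states for one machine, following the thread's scenario:
# fresh, after the MI, after the patch, after a later major upgrade.
STATES = [None, "9.3.0", "9.3.2", "10.0.1"]

def parse_version(text):
    """'12.0.6425.1000' -> (12, 0, 6425, 1000); stops at a non-numeric field."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def mi_would_run(installed, strategy, deployed="9.3.0", major=9):
    """Model of whether the Managed Install for `deployed` gets pushed."""
    v = parse_version(installed) if installed else None
    if strategy == "exact":      # software item matches only the deployed version
        return v != parse_version(deployed)
    if strategy == "range":      # greater than `major` and less than `major + 1`
        return not (v is not None and (major,) < v < (major + 1,))
    if strategy == "label":      # installed, but older than the deployed version
        return v is not None and v < parse_version(deployed)
    raise ValueError(strategy)

def timeline(strategy):
    """MI decision at each constructed inventory state, in order."""
    return [mi_would_run(state, strategy) for state in STATES]

if __name__ == "__main__":
    for name in ("exact", "range", "label"):
        print(f"{name:5}", timeline(name))
    # Comparing the raw strings misorders versions: "9.3.2" sorts after "10.0.1".
    print("string compare 9.3.2 < 10.0.1:", "9.3.2" < "10.0.1")
    print("tuple  compare 9.3.2 < 10.0.1:",
          parse_version("9.3.2") < parse_version("10.0.1"))
```

The exact-match model re-pushes the install after the 9.3.2 patch, while the range model stays quiet until the major version changes. The label model only ever targets machines that already have an older copy.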
Posted by:
cblake
13 years ago
@benmills
The root issue would be that vendors often don't follow any sort of conventions, and there's no reliable or good way for us to know if a "newer" version exists on a machine; but you can make a feature request to let engineering know to work harder to figure out something at http://kace.uservoice.com