After reviewing the documentation, talking to my consultants and looking over the community site, I found I was still unclear about what I thought were some pretty basic questions about patch policies in 9.0. I finally called support and they set me straight (or so I think). I'm posting what they told me both to help other newbies who find themselves as confused as I was and to make sure that what I was told matches with the experts' experiences.
Excuse the redundancy here. I wrote out a list of questions ahead of time and decided that although the answers overlapped, there was still value in approaching some of these points from multiple angles.
Please review and let me know if I got anything wrong. Bad information is almost certainly my fault for misunderstanding LD Support.
1. I am hoping to set up a policy that will tell the agents to run repairs only on Saturdays and Sundays. I had thought that I could limit that by limiting the agent configs’ vulscans to those days, but although the vulscans ran, nothing got patched.
It's not the vulscan, it's the policy. In the agent config, Software distribution | Policy options | schedule-driven update. If you limit the schedule-driven update to Saturdays and Sundays then the PCs will never check the core for policy updates except on the weekend. They will then see that they have at least one policy to deal with and will run a vulscan according to the S&R settings configured for that policy. They will then repair any unpatched vulnerabilities mentioned in the policy. BTW, if you have an event-driven update based on login, then the vulnerabilities might be repaired on Monday morning if the PC was turned off for the weekend.
2. How can I troubleshoot policy-based patches?
Client side
http://community.landesk.com/support/docs/DOC-5130
Server (core) side
http://community.landesk.com/support/docs/DOC-5156
3. If I have a Repair policy task (i.e., a scheduled task that sets up a policy for a specific group of machines) that I set to run at 5p on Friday, what happens at 5p on Friday?
At 5p the policy is made available to all the machines in the device group. The policy only needs to be run once for those machines and from that point on it is always live for them unless and until the policy is canceled. But the policy should be repeated weekly if the device group’s (or device query’s) membership changes. However, the agents won’t know about it until their agent config tells them to check in (Software distribution | Policy options).
a. When do the machines start patching?
I'm told they start patching immediately as soon as the local policy is updated, but so far that doesn't jibe with my experience.
4. How often do devices check the core server for new policies, anyway?
It's defined by the agent config's Software distribution | Policy options. If the agent config is scheduled to update the policy every six hours on Saturdays and Sundays, it will check for new policies every six hours throughout the weekend.
5. If I want to continually refresh the list of machines that are in scope for a given patch policy that is based on a device group, do I need to schedule the Repair policy task to repeat weekly or can I just add more PCs to the target device group?
Yes. This is the only reason you would need to repeat the job weekly.
6. If I want to continually refresh the list of vulnerabilities that are in scope for a given patch policy, do I need to schedule the Repair policy task to repeat weekly or can I just add more PCs to the target vulnerability group?
No need to repeat the repair policy task weekly if the device group’s membership remains static. The PCs will contact the server according to their agent config (Policy options) and will discover new required patches on their own.
7. What’s the relationship between vulscans and repair jobs? Obviously the vulscan has to run before the machine knows that a patch is required, but let’s say a vulscan is run on Friday at 8p but the policy is applied on Friday at 6p. Would the patch not be applied? Would it be applied on Saturday?
I admit I'm still a little confused on this score.
Message was edited by: jkhill. My earlier information was that Security and compliance | Patch and compliance scan controlled both the policy and the vulscan. I updated my post to reflect the new (and hopefully now correct) info.