Automating patch deployment
The GoTo Resolve MDM Patch management feature helps administrators automate patch installation on managed macOS and Windows devices.
This article explains the steps for configuring automated patch management. For details on the individual steps, see the subtopics in this article.
- Configure the patch installation rules (rule type, include and exclude patches) for Mac and Windows devices.
- Enable the automated patching for Windows and Mac devices (enable patch deployment, specify the device scope with tags, and set the installation delay).
Configuring the patch installation rules
On the
tab, configure the installation rules (rule type, include and exclude rules) for Mac and Windows devices.
- Set the Rule type to Install all patches, or to customize which patches you want to install, choose Install patches using custom rules.
- (Optional) If you selected Install patches using custom rules, create include rules, exclude rules, or both. Specify which vendors and applications you want to include or exclude from the patch deployment.
Include rules: To limit the deployment of patches only to certain vendors and products, create include rules. If you create an include rule, patch deployment will include only patches from the specified vendors and products.
Exclude rules: If you want to block vendors, or specific products of vendors from the patch deployment, create an exclude rule.
To remove a rule, select the trashcan icon at the end of the row.
- If you don’t define a custom rule, GoTo Resolve MDM deploys all patches to the applicable devices.
- If there is a conflict between include and exclude rules, the exclude rules override the include rules. This means that if you include and exclude, for example, the same vendor, the vendor is excluded from the patch deployment.
Enabling the automated patching for Windows and Mac devices
On the
tab, configure the following:
- (Optional but recommended) In the Devices in pilot group window, configure a pilot group to test the available patches in a smaller device group before deploying patches to all other devices.
- In the Devices not in the pilot group window, configure the patching options for the Windows and Mac devices that are not included in the pilot group and which will be your main group for the automatic patch deployment.
The following configuration options are available in both the pilot and the main groups:
- Install patches
Select this option to enable patch installation on the group of devices that you specify in the Tags field. This setting is common to both Mac and Windows devices.
- Tags
Add tags to restrict the patch installations to a specific group of devices.
The device is part of the group if either the device or the device user has the specified tag.
If you don’t specify any tags in this field, the patching applies to all devices.
If a device or its user has tags from the pilot and main group, the device is part of the pilot group.
Learn more about device tagging.
- Installation delay
The number of days GoTo Resolve MDM waits before it installs the patch on the devices. The delay is counted from the time the patch appears in the GoTo Resolve MDM patch feed.
Note: To have enough time to test the patches for correct functionality, set the installation delay for the pilot group to be shorter than the installation delay defined for the devices that are not in the pilot group.
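The rule precedence and group assignment described above, modelled as an added example (not GoTo Resolve MDM's own code). The class and function names, vendor names and tags are hypothetical, and it assumes a group with Install patches turned off claims no devices.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Rule:
    vendor: str
    product: Optional[str] = None  # None = every product of the vendor

    def matches(self, vendor: str, product: str) -> bool:
        return self.vendor == vendor and self.product in (None, product)

@dataclass(frozen=True)
class Group:
    install_patches: bool      # the "Install patches" option
    tags: frozenset            # empty = patching applies to all devices
    delay_days: int            # the "Installation delay" option

    def claims(self, device_tags: set, user_tags: set) -> bool:
        # Assumption: a group with "Install patches" off claims no devices.
        if not self.install_patches:
            return False
        # A device belongs if the device OR its user carries a group tag.
        return not self.tags or bool(self.tags & (device_tags | user_tags))

def patch_selected(vendor, product, include=(), exclude=()) -> bool:
    """Custom-rule evaluation: exclude wins, no include rules means all."""
    if any(r.matches(vendor, product) for r in exclude):
        return False
    return not include or any(r.matches(vendor, product) for r in include)

def install_date(feed_date, device_tags, user_tags, pilot, main):
    """Earliest install date for a device, or None if no group claims it."""
    for group in (pilot, main):        # pilot membership takes precedence
        if group.claims(device_tags, user_tags):
            return feed_date + timedelta(days=group.delay_days)
    return None

if __name__ == "__main__":
    # Constructed sample configuration and devices.
    pilot = Group(True, frozenset({"pilot"}), delay_days=2)
    main = Group(True, frozenset(), delay_days=7)
    feed = date(2024, 1, 1)
    print(patch_selected("VendorA", "AppX",
                         include=[Rule("VendorA")],
                         exclude=[Rule("VendorA", "AppX")]))
    print(install_date(feed, {"pilot", "office"}, set(), pilot, main))
    print(install_date(feed, {"office"}, set(), pilot, main))
```

Running a planned rule set through a model like this before saving it shows which products an exclude rule silently removes and how many days separate the pilot and main installations.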
Checking the patch installation method
To check the patch installation method, navigate to
tab and check the Installation method column.
The patch installation method, which the software vendors define, can be one of the following:
- Automatic - The patch is installed automatically.
- Manual - The Miradore client cannot download and install the patch, so the device user must do it manually.
- Partly manual - Some language versions of the patch require manual installation.