Kaseya Community

You need to make Multiple patch policies usable

  • OK Kaseya guys, just got this news from your support teams (e-mail exchange below). Apparently there is no functional way to use multiple patch policies.

    You are in effect forcing everyone to either have ONLY ONE policy per device (a management headache and it makes patch policies useless) – OR – forcing them to APPROVE ALL patches (another headache and asking for patch trouble, not to mention messing up reporting) and then specifically DENY those they don’t want (another management headache).

    You need to fix this as soon as possible by giving us another category that allows something like “not configured” so the policy will ignore it. Otherwise, what’s the point of using your solution?

    Respectfully,

    Rick Jensen | Senior Network Engineer, Network Operations Center |
    Axonus Technology Group | 155 108th Avenue NE, Suite 300 | Bellevue, WA 98004 |
    Phone: 425.283-5550 | Cell: 206.854.0723


    From: support@kaseya.com [mailto:support@kaseya.com]
    Sent: Tuesday, June 30, 2009 9:13 PM
    To: Rick Jensen
    Subject: patch policies and patch scores

    Ticket ID: 186614
    ---------------------------------------------------------
    Author: Balaji.T
    Date: 07:41:04 1-Jul-09
    Hi Rick,

    Yes. "Pending approval" for one policy takes precedence over an "approve" in another policy.

    As per your example In exchange patches are denied (pending approval) in windows 2003 policy (including exchange) and in windows 2003 patches are denied in exchange policy.

    So as per the patch policies all the patches are denied for this machine.

    You have to approve the required patches in both policies.

    Regards
    Kaseya Support
    _____________________________________________________
    Author: RJensen@Axonus.com
    Date: 21:22:49 30-Jun-09

    On the patch approval, it states the most restrictive takes precedence when you have multiple patch policies in place on a machine.

    Does the "pending approval" for one policy take precedence over an "approve" in another policy?

    For instance:
    A Windows Server 2003 which also runs Exchange 2003.
    We create 2 policies;

    - one for Windows Server 2003, with default approval for high priority for Windows server 2003 patches, and leave everything else at pending approval

    - The second for Exchange 2003 patches, with default approval for all Exchange 2003 patches, and leave all others at “pending approval”

    What patches will get applied to this server?

    Thanks!

    Legacy Forum Name: You need to make Multiple patch policies usable,
    Legacy Posted By Username: rbjsea
  • I agree with this.

    Legacy Forum Name: Virtual Systems Administrator Core Functionality,
    Legacy Posted By Username: JMS01
  • Yes, PM would benefit GREATLY if it were designed more like Active Directory Group Policy settings, which include a "not defined" setting. As it is now, PM is useless for multiple policies applied to same machine(s)

    Legacy Forum Name: Virtual Systems Administrator Core Functionality,
    Legacy Posted By Username: ReedMikel
  • I agree the group membership would be nice as well, or the current setup could be edited:

    Just give patch policies an inheritance structure. There are many features in Kaseya that would benefit greatly from an inheritance structure. Example:

    Root Policy - either blacklist or whitelist (all approved/all denied)
    Child Policy - approve some/deny some
    Child of Child, etc.

    If your Root Policy is to blacklist (approve all) then your precedence will be the same, Approved > Denied

    This allows an admin to decide how they want patches deployed. I would prefer a whitelist (Deny All) and then apply policy "groups" that allow certain patches, such as all patches for "Windows 2003 Server". If multiple policies are applied, then precedence will be to Allow the patch, since one of the policies has allowed it. On the flipside, if you're running a blacklist (All approved) then any "denied" in a policy will take precedence.

    Legacy Forum Name: Virtual Systems Administrator Core Functionality,
    Legacy Posted By Username: boostmr2
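
The precedence rule discussed in this thread, modelled as an added example that is not part of any post and is not Kaseya code: the rule support describes (a patch must be approved in every policy applied to the machine) beside the requested "not configured" state, run on the thread's Windows Server 2003 plus Exchange 2003 machine. The patch ids, function names and the `NOT_CONFIGURED` state are hypothetical, policies approve by product only (the thread's "high priority" filter is left out), and a patch that no policy has an opinion on is assumed to stay uninstalled.

```python
from enum import Enum

class Status(Enum):
    APPROVED = "approved"
    PENDING = "pending approval"
    DENIED = "denied"
    NOT_CONFIGURED = "not configured"  # proposed in the thread, not a product state

# Constructed sample patches: (hypothetical id, product).
PATCHES = [("WIN2003-HIGH-1", "Windows Server 2003"), ("EXCH2003-1", "Exchange 2003")]

def product_policy(product, default):
    """Approve every patch for `product`; answer `default` for all others."""
    return lambda patch: Status.APPROVED if patch[1] == product else default

def current_rule(patch, policies):
    """Per the support reply: a patch must be approved in every policy."""
    return all(policy(patch) is Status.APPROVED for policy in policies)

def proposed_rule(patch, policies):
    """Requested change: NOT_CONFIGURED answers are ignored, the rest must approve.
    Assumption: a patch that no policy has an opinion on is not installed."""
    opinions = [policy(patch) for policy in policies]
    opinions = [s for s in opinions if s is not Status.NOT_CONFIGURED]
    return bool(opinions) and all(s is Status.APPROVED for s in opinions)

def installable(policies, rule):
    """Ids of the sample patches that `rule` lets through for this policy set."""
    return [patch[0] for patch in PATCHES if rule(patch, policies)]

def deny(patch_id):
    """Policy that explicitly denies one patch and has no opinion on the rest."""
    return lambda patch: Status.DENIED if patch[0] == patch_id else Status.NOT_CONFIGURED

# The two policies from the thread, as they must be written today.
today = [product_policy("Windows Server 2003", Status.PENDING),
         product_policy("Exchange 2003", Status.PENDING)]
# The same two policies with the proposed state as their default.
proposed = [product_policy("Windows Server 2003", Status.NOT_CONFIGURED),
            product_policy("Exchange 2003", Status.NOT_CONFIGURED)]

if __name__ == "__main__":
    print("today:    ", installable(today, current_rule))
    print("proposed: ", installable(proposed, proposed_rule))
    print("with deny:", installable(proposed + [deny("EXCH2003-1")], proposed_rule))
```

Under the current rule the server receives neither patch, because each policy leaves the other product's patches at pending approval; an explicit deny still blocks a patch under the proposed rule.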