Patching Managed Endpoints
Per University of Idaho APM 30.13 "Networked Computing Device Standards", managed endpoints are patched regularly. This policy is in place to ensure that University of Idaho Faculty and Staff are able to conduct their business without their work being impacted by software flaws, and also to ensure that University of Idaho data is secured.
General Advice
ITS makes every attempt to minimize the impact to Faculty and Staff while applying updates to computers. Here are some things people can do to further reduce the impact on themselves when updates are released.
- Leave your computer powered on and attached to the network
  - Especially on the Thursday evenings when Microsoft patches are released (more information below)
- Ensure laptops are left on with their screens open
  - Closing the lid of a laptop sends the computer to "sleep" mode. In this mode it cannot receive updates
- Allow time for your laptop to be on the network and plugged into power for the updates to be fully installed, especially if you usually take your laptop home. Allow at least 2 hours on the network and plugged into power for updates to download and install
  - Updates are interrupted when the screen is down and the laptop is not on power, i.e. when the laptop is transported from one location to another
  - Updates will resume downloading and installing where they left off. If constantly interrupted, the final installation and reboot, if required, will be unpredictable and can occur at inconvenient times
- Some updates allow the user to defer. If you have this option, you can defer, but plan to allow the update to run at your earliest convenience
  - The more an update is deferred, the more updates may get backlogged, which will cause a longer interruption while the updates are applied
- Regularly reboot your computer to ensure your computer has all patches fully installed (see below for more information). It is recommended that you reboot at least weekly.
- Work with your local IT support or ITS Technology Solutions Partner to help us understand your unique needs
  - Bring your concerns to your support personnel so that IT can find a solution that works for you
Microsoft Products
Microsoft releases patches for Windows operating systems and Office on the second Tuesday of the month. These updates are made available through Software Center at noon on the Thursday after the patches are released. Anybody can deploy or schedule deployment of the patches by launching Software Center and selecting "Updates" from the menu on the left. Any patches not installed by the following Wednesday will be forced to install at 7 pm (notifications for this update will begin appearing on qualified computers at 4 pm).
Here is a sample schedule, for August 2019. The dates will obviously change month to month, but the days of the week will be the same.
- Tuesday Aug 13 - Microsoft releases patches, OEM begins to package and test
- Thursday Aug 15, 12:00 pm (noon) - Patches will begin to appear in Software Center on managed Windows computers. Customers can launch Software Center, then select "Updates" from the left menu to either install or schedule installation of the patches at their convenience
- Thursday Aug 15, 4:00 pm - People on ITS owned computers (those named ITS-*) will receive notifications on their desktops that their computers will be patched at 7 pm
- Thursday Aug 15, 7:00 pm - ITS owned computers are forced to patch
- Wednesday Aug 21, 4:00 pm - Customers who have not yet patched their computers will receive a "toaster" notification saying their computer will reboot at 7pm
- Wednesday Aug 21, 7:00 pm - Computers that are not patched yet will install the patches and reboot
- Following hours - Any computers that were not online will be patched as they are powered on, attached to the network, etc. This is the most disruptive, so users are encouraged to:
  - Patch through Software Center before Aug 21, OR
  - Leave their computers powered on, opened (if a laptop), and attached to the network when they leave work on August 21.
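The schedule above follows fixed weekday rules, so it can be computed for any month. The following is an added example (not an ITS tool or code from this page) that derives the cycle milestones from the second Tuesday and uses them in a hypothetical `endpoint_overdue` check, the kind of query a support team might run against inventory records to find machines that missed the forced-install deadline; the field names and ISO timestamp inputs are assumptions.

```python
from datetime import date, datetime, time, timedelta
import calendar

def second_tuesday(year, month):
    """Microsoft's monthly release day ("Patch Tuesday")."""
    first = date(year, month, 1)
    offset = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=offset + 7)

def windows_patch_cycle(year, month):
    """Milestones of one ITS Windows patch cycle, following the rules above."""
    patch_tuesday = second_tuesday(year, month)
    thursday = patch_tuesday + timedelta(days=2)   # Software Center release day
    wednesday = thursday + timedelta(days=6)       # forced install for everyone else
    at = datetime.combine
    return {
        "microsoft_release": patch_tuesday,
        "software_center_available": at(thursday, time(12, 0)),
        "its_owned_notification": at(thursday, time(16, 0)),
        "its_owned_forced": at(thursday, time(19, 0)),
        "general_notification": at(wednesday, time(16, 0)),
        "general_forced": at(wednesday, time(19, 0)),
    }

def latest_completed_cycle(now):
    """Most recent cycle whose general forced-install time is already past."""
    year, month = now.year, now.month
    while True:
        cycle = windows_patch_cycle(year, month)
        if cycle["general_forced"] <= now:
            return cycle
        year, month = (year - 1, 12) if month == 1 else (year, month - 1)

def endpoint_overdue(last_patched_iso, now_iso):
    """Hypothetical compliance check (assumption, not an ITS tool): True if the
    endpoint's last update time predates the Software Center release of the
    latest cycle whose forced-install deadline has already passed."""
    last_patched = datetime.fromisoformat(last_patched_iso)
    now = datetime.fromisoformat(now_iso)
    cycle = latest_completed_cycle(now)
    return last_patched < cycle["software_center_available"]

if __name__ == "__main__":
    # Reproduces the August 2019 sample schedule above.
    for name, when in windows_patch_cycle(2019, 8).items():
        print(f"{name:28} {when}")
```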
Note: Microsoft Critical, "zero-day" updates are evaluated as soon as ITS is notified of them. They may be pushed outside of the regular schedule depending on the severity of the flaws being patched. These types of updates are deemed a high security risk and require immediate attention.
Here is a graphic of an example of the Microsoft patch release cycle from August 2019.
Windows 10 feature releases to the OS and Office are published twice a year, typically in March and September.
- Due to the disruptive nature of these feature updates, ITS actively offers only the Fall feature update to managed machines. ITS does not prevent end users from manually upgrading to the Spring update, and machines with these versions of Windows will still be managed.
- The latest feature release will be offered once the update has been vetted by ITS, typically three months after release.
- The feature updates will not automatically install. Instead, the computer will display prompts to the user to update the OS. The user can choose to
  - proceed immediately,
  - defer (until the next day), or
  - apply the update that evening.
Non-Microsoft Software Updates
Non-Microsoft software is patched only if it is already installed. Software currently patched:
- 7-Zip
- Citrix Receiver/Workspace
- Google Chrome
- KeePass
- Microsoft Edge
- Mozilla Firefox
- Notepad++
- ThinkVantage System Update
- VLC
- Visual Studio Code
- WinSCP
- Zoom
The software listed above is updated within 10 business days of the updates being released.
Apple MacOS
Apple releases minor and security updates for macOS, on average, every two months. These updates are made available through University of Idaho Self Service at noon one day after the patches are released. Anybody can install the patches by launching University of Idaho Self Service, selecting "Updates" from the menu on the left, then clicking "Update My Computer Now". Any patches not installed 10 days after release will be forced to install.
Here is a sample schedule. The days are arbitrary, but the total number of days (10) from start to finish will be the same.
- Monday (day 1) - Apple releases patches, OEM begins testing
- Tuesday 12:00 pm (noon) (day 2) - Patches will begin to appear in University of Idaho Self Service on managed macOS devices. Customers can launch Self Service, select "Updates" from the left menu, then click "Update My Computer Now"
- Monday (day 7) between 10 am and 11 am - Customers who have not patched their computers will get a pop-up with the ability to install or to defer the updates. This pop-up will recur every 24 hours with the ability to install or defer until the 10th day
- Thursday (day 10) between 10 am and 11 am - Customers that are not patched yet will get a notification that the computer is being patched and will reboot
- Any computers that were not online will be patched as they are powered on, attached to the network, etc., and check in with Jamf Pro.
Critical, "zero-day" patches are evaluated as soon as we are notified of them, and may be pushed outside of the regular schedule depending on the severity of the flaws being patched.
Apple releases major OS upgrades once per year, typically in September or October.
- Depending on Apple’s hardware requirements the macOS device may not be eligible to upgrade to the major release.
- The latest major release will be offered once the update has been vetted by ITS, typically three months after release.
- The major upgrade will not automatically install. Instead, the computer will display prompts to the user to upgrade the OS. The user can choose to
  - Upgrade now
  - Defer (until the next day)
Non-Apple Software Updates
Non-Apple software is patched only if it is already installed. Software currently patched:
- Adobe Reader
- Mozilla Firefox
The software listed above is updated within 10 business days of the updates being released.