Patch Policy Overview
To open the Patch Policy application, from the BigFix WebUI Apps menu, select Patch Policies.
- Enter a name for the policy and select the types of patches it should include. For example, create a policy that includes important service packs for operating system updates.
- Create a roll out schedule for the policy, including deployment timing, frequency, and behavior.
- Select policy targets: the devices to be patched.
- Activate the policy.
The process is described in detail in Create a Patch Policy.
Keeping Policies Current
The Patch Policy app notifies you when new patches that meet policy criteria become available. The delta icon next to a policy name on the Policy List tells you that patch content has been added or changed. Refresh a policy to include the new material. Refresh policies manually or use the Auto-refresh option to keep policies up to date.
Exclusions
You can exclude patches from a policy that otherwise meet its inclusion criteria. For example, manually exclude a patch you know causes problems in a custom application. Or set a dynamic exclusion to automatically exclude Microsoft Office updates from a policy that updates Windows. Once set, exclusions remain in effect until you remove them. Patch policies never include patches used for auditing, corrupt patches, or patches without a default action.
Use the WebUI Deployment views to monitor policy-based patching results. For more information, see Get Started with Deployments.
Permissions and Patch Policy
BigFix master operators (MOs) have full access to all Patch Policy functions. MOs can create, edit, delete, activate, and suspend policies, manage patch rollouts and schedules, and refresh policies when new patches are released. Non-master operators (NMOs) can add, edit, or delete a policy. NMOs can also add targets to an existing schedule, and remove targets from a schedule if they have relevant permissions.
Patch Policy Category
The following table shows the mapping between the Patch Policy external content categories and Fixlet categories:
WebUI Patch Policy category | Fixlet category |
---|---|
BUG FIX | Bug Fix, Bug Fix Advisory, Bug |
ENHANCEMENT | Definition Update, Definition Updates, Feature Pack, Hotfix, Update, Updates, Product Enhancement Advisory, ENHANCEMENT, Recommended, Optional, Upgrade |
SERVICE PACK | Rollup, Service Pack, Update Rollup |
SECURITY | Critical Update, Critical Updates, Security, Security Advisory, Security Hotfix, Security Setting, Security Update, Security Updates, SECURITY, Mandatory |
Execution behavior
The following table shows the Patch Policy behavior when using Pre/Post contents and when not using Pre/Post contents:
Configuring Pre/Post contents | Execution of MAG order enforced in sequence (MAG1, MAG2, MAG3, and so on) | Using "Force Restart" option available when configuring the schedule | Execution Behavior |
---|---|---|---|
When using Pre/Post contents | Yes | The restart is only applied at the end of the last MAG execution. | Sequence of MAGs will be executed on all targeted devices, even when patch Fixlets are not relevant. This means any Pre/Post tasks or Post action restarts will also execute if they are relevant. |
When not using Pre/Post contents | No [1] | The restart is applied after each MAG because it is unknown which MAG will be the last one to execute. | Each MAG will only execute on targeted devices if the device is applicable to at least one of the Fixlets in the MAG. |
A Fixlet is included in the MAG (Multiple Action Group) if it is relevant to at least one endpoint managed by the operator who defined the targets in the schedule.
[1] When not using pre/post content: MAGs do not necessarily execute in order on the endpoint. The MAGs will execute in order when they become relevant on the endpoint.
The MAG action issued in Patch Policies through Target by Property, Target by Group, or Target by Device will consist exclusively of Fixlets that are relevant to the devices targeted at the time the MAG is issued. If there are no relevant Fixlets available, then no MAG will be issued. For more details, see Server Settings.
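The table and notes above, modelled as an added example (not BigFix code and not part of the product documentation): it shows which MAGs each targeted device runs and how many forced restarts it sees, with and without Pre/Post content. The function, device and Fixlet names are constructed, and the model assumes relevance is evaluated only against the targeted devices.

```python
# Added illustration: models the Execution behavior table; not BigFix code.
# Function, device and Fixlet names are constructed for the example.

def build_mags(groups, devices):
    """Keep only Fixlets relevant to at least one targeted device.

    groups:  ordered list of (mag_name, [fixlet, ...]) from the schedule
    devices: {device_name: set of Fixlets relevant to that device}
    """
    relevant_anywhere = set().union(*devices.values())
    mags = []
    for name, fixlets in groups:
        kept = [f for f in fixlets if f in relevant_anywhere]
        if kept:  # a group with no relevant Fixlet produces no MAG
            mags.append((name, kept))
    return mags


def plan_device(mags, relevant, pre_post, force_restart=True):
    """Return which MAGs one targeted device runs and its restart count."""
    if pre_post:
        # Sequence is enforced and runs on every targeted device, even one
        # with no relevant patch Fixlet; one restart after the last MAG.
        ran = [name for name, _ in mags]
        restarts = 1 if force_restart and ran else 0
    else:
        # A MAG runs only where one of its Fixlets is relevant; order is
        # not enforced and a restart follows each MAG that runs.
        ran = [name for name, fixlets in mags if relevant & set(fixlets)]
        restarts = len(ran) if force_restart else 0
    return {"ran": ran, "order_enforced": pre_post, "restarts": restarts}


def plan_fleet(groups, devices, pre_post, force_restart=True):
    """Plan every targeted device for one schedule run."""
    mags = build_mags(groups, devices)
    return {name: plan_device(mags, rel, pre_post, force_restart)
            for name, rel in devices.items()}


# Constructed sample: three groups in the schedule, three targeted devices.
GROUPS = [("MAG1", ["FX-A", "FX-B"]), ("MAG2", ["FX-C"]), ("MAG3", ["FX-D"])]
DEVICES = {"web01": {"FX-A", "FX-C"}, "db01": {"FX-B"}, "kiosk01": set()}

if __name__ == "__main__":
    for pre_post in (True, False):
        print("pre/post" if pre_post else "no pre/post",
              plan_fleet(GROUPS, DEVICES, pre_post))
```

In the sample, the device with nothing relevant still runs both MAGs and restarts once when Pre/Post content is configured, while without it the device relevant to two MAGs restarts twice.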
Operating system updates
The following table shows the mapping between Fixlet sites and the selections available in Patch Policies:
- Amazon Linux
Table 2. OS Version and Fixlet site name for Amazon Linux
OS Version | Fixlet Site Name |
---|---|
Amazon Linux 2 | Patches for Amazon Linux 2 |
Amazon Linux 2 with Graviton | Patches for Amazon Linux 2 Graviton |
- Rocky Linux
Table 3. OS Version and Fixlet site name for Rocky Linux
OS Version | Fixlet Site Name |
---|---|
Rocky Linux 8 | Patches for Rocky Linux 8 |
- CentOS
Table 4. OS Version and Fixlet site name for CentOS
OS Version | Fixlet Site Names |
---|---|
CentOS 6 | Patches for CentOS 6 Plugin R2 |
CentOS 7 | Patches for CentOS 7 Plugin R2 |
CentOS 8 | Patches for CentOS 8 |
- Debian
Table 5. OS Version and Fixlet site name for Debian
OS Version | Fixlet Site Names |
---|---|
Debian 7 | Patches for Debian 7 |
Debian 11 | Patches for Debian 11 |
- Mac OS X
Table 6. OS Version and Fixlet site name for Mac OS X
OS Version | Fixlet Site Name |
---|---|
Any, patches are dynamically filtered from sites | Patches for Mac OS X |
- Oracle Linux
Table 7. OS Version and Fixlet site name for Oracle Linux
OS Version | Fixlet Site Names |
---|---|
Oracle Linux 6 | Patches for Oracle Linux 6 |
Oracle Linux 7 | Patches for Oracle Linux 7 |
Oracle Linux 8 | Patches for Oracle Linux 8 |
- Red Hat Enterprise Linux
Table 8. OS Version and Fixlet site name for Red Hat Enterprise Linux
OS Version | Fixlet Site Names |
---|---|
Red Hat Enterprise 5 | Patches for RHEL 5 ESU |
Red Hat Enterprise 6 | Patches for RHEL 6 Native Tools, Patches for RHEL RHSM 6 on System Z, Patches for RHEL 6 ESU |
Red Hat Enterprise 7 | Patches for RHEL 7, Patches for RHEL 7 ppc64le, Patches for RHEL 7 ppc64be, Patches for RHEL RHSM 7 on System Z, Patches for RHEL 7 ESU |
Red Hat Enterprise 8 | Patches for RHEL 8, Patches for RHEL 8 ESU, Patches for RHEL 8 ppc64le |
Red Hat Enterprise 9 | Patches for RHEL 9 |
- SUSE Linux Enterprise
Table 9. OS Version and Fixlet site name for SUSE Linux Enterprise
OS Version | Fixlet Site Names |
---|---|
SLE 11 | Patches for SLE 11 Native Tools |
SLE 12 | Patches for SLE 12 |
SLE 12 PPC64LE | Patches for SLE 12 ppc64le |
SLE 12 System z | Patches for SLE 12 on System z |
SLE 15 | Patches for SLE 15 |
SLE 15 System z | Patches for SLE 15 on System z |
- Ubuntu
Table 10. OS Version and Fixlet site name for Ubuntu
OS Version | Fixlet Site Names |
---|---|
Ubuntu 14.04 | Patches for Ubuntu 1404 |
Ubuntu 16.04 | Patches for Ubuntu 1604 |
Ubuntu 18.04 | Patches for Ubuntu 1804 |
Ubuntu 20.04 | Patches for Ubuntu 2004 |
Ubuntu 22.04 | Patches for Ubuntu 2204 |
- Windows
Table 11. OS Version and Fixlet site name for Windows
OS Version | Fixlet Site Name |
---|---|
Any patches for OS versions selected are dynamically filtered from sites | Enterprise Security, Patches for Windows (German), Patches for Windows (French), Patches for Windows (Polish), Patches for Windows (Italian), Patches for Windows (Spanish), Patches for Windows (Czech), Patches for Windows (Brazilian Portuguese), Patches for Windows (Japanese), Patches for Windows (Simplified Chinese), Patches for Windows (Korean), Patches for Windows (Turkish), Patches for Windows (Hungarian), Patches for Windows (NLD), Patches for Windows (CHT), Patches for Windows (Norwegian), Patches for Windows (Finnish), Patches for Windows (Swedish), Patches for Windows (Greek), Patches for Windows (Danish), Patches for Windows (Hebrew), Patches for Windows (Russian), Patches for Windows 7 ESU, Patches for Windows 2008 ESU |
Operating system application updates
The following table lists the operating system application updates by OS, Fixlet site name, and application:
- OS Application Updates for Mac OS X and Windows
Table 12. Fixlet site name and Application updates for Mac OS X and Windows
OS | Fixlet Site Names | Applications |
---|---|---|
Mac OS X | Patches for Mac OS X | Java, iTunes, Safari |
Windows | Enterprise Security, Patches for Windows (German), Patches for Windows (French), Patches for Windows (Polish), Patches for Windows (Italian), Patches for Windows (Spanish), Patches for Windows (Czech), Patches for Windows (Brazilian Portuguese), Patches for Windows (Japanese), Patches for Windows (Simplified Chinese), Patches for Windows (Korean), Patches for Windows (Turkish), Patches for Windows (Hungarian), Patches for Windows (NLD), Patches for Windows (CHT), Patches for Windows (Norwegian), Patches for Windows (Finnish), Patches for Windows (Swedish), Patches for Windows (Greek), Patches for Windows (Danish), Patches for Windows (Hebrew), Patches for Windows (Russian), Patches for Windows 7 ESU, Patches for Windows 2008 ESU | |
For more information, see System requirements.
Third-party updates
The following table lists the third-party updates by OS, Fixlet site name, and application or publisher:
- Third-party updates for Mac OS X and Windows
Table 13. Fixlet site name and Application/Publisher updates for Mac OS X and Windows
OS | Fixlet Site Names | Applications/Publisher |
---|---|---|
Mac OS X | Updates for Mac Applications | Adobe Acrobat, Adobe Air, Adobe Flash, Adobe Reader, Adobe Shockwave, Google Chrome, GoToMeeting, Microsoft, Mozilla Firefox, Webex, Zoom |
Windows | Updates for Windows Applications, Advanced Patching, Updates for Windows Applications Extended | |
See System requirements for more details.
Severity mapping
The following table shows the mapping between the Patch Policy Severity categories and Fixlet Severity Field categories:
Patch Policy Severity | Fixlet Severity Field |
---|---|
CRITICAL | Critical, Mandatory, High |
IMPORTANT | Important, Recommended |
MODERATE | Moderate, Medium |
LOW | Low, Optional, Negligible |
UNSPECIFIED | Unspecified, NA, and empty values |