Solved

Policy Creation

  • 7 December 2023
  • 2 replies
  • 104 views

Badge

Hi,

We are managing Windows OS, macOS & Linux OS so, can we use a single policy to install updates for all 3 OS?

What is the best practice to use either single policy and assigning Win OS, macOS & Linux OS groups or separate policy for Win OS, macOS & Linux OS is required? Also, which policy is the best to install updates for windows, macOS & Linux OS?

Thanks,

Shoaib

 

icon

Best answer by JohnG-Automox 11 December 2023, 15:10

View original

2 replies

Userlevel 3

Hi @MD Shoaib Pasha !

Depending on your environment and patching goals, the way in which you set up your patch policies may differ.


Typically though I recommend setting up a hybrid of individual First Party patching policies that cover each OS, and then set up parallel third party patching policies that just cover Automox Supported Third Party titles. For Windows and MacOS you can set up an additional Security Definition policy that runs in between your Primary First Party and Third Party policies to increase efficiency. Patching the Service Stack for Windows in advance of your primary first party policy is a great example, as typically you’ll need “SSU” patched before the rest of the updates can become available.


Here are some scenarios that I like to use:
 

Policy Name: Multi-OS (Linux, MacOS, Windows) - Primary First Party Updates
Policy Type: Patch Except or Advanced. You can exclude packages that you don’t want to update via Package Targeting.
Scope: Handles all first party updates for Windows, Mac, and Linux OS. Include all desired first party updates within Package Targeting.

Schedule: Less aggressive. Once a week, or once a month depending on your patching goals.
Install Notifications and Restarts: These packages typically require a reboot so I recommend enabling both.

Policy Name: Windows / MacOS - Security Definitions and Servicing Stack
Policy Type: Patch Only
Scope: Handles Windows SSU updates and Security Definitions. Package Targeting should scope Everything KB915597, KB2267602, Security Intelligence Update, Servicing Stack, XProtectPlistConfigData, XProtectPayloads, MRTConfigData

Schedule: Aggressive. A few days a week, or right before your primary first party policy

Install Notifications and Restarts: Both are disabled.
 

Policy Name: Multi-OS (Linux, MacOS, Windows) - Third Party Updates (no notification required)
Policy Type: Patch Only
Scope: Scope your desired Automox Supported Third Party titles that do not require a notification. These are applications under the “App is NOT shut down in order to patch” column in this article:
https://help.automox.com/hc/en-us/articles/5352033229076-Third-Party-Patching-Best-Practices

Schedule: Aggressive. A few days a week, or in between your other patch policies.

Install Notifications and Restarts: Both are disabled.
 

Policy Name: Multi-OS (Linux, MacOS, Windows) - Third Party Updates (notification required)
Policy Type: Patch Only
Scope: Scope your desired Automox Supported Third Party titles that require a notification. These are applications under the “App will NOT patch when running” and “App is shut down in order to patch” columns in this article:
https://help.automox.com/hc/en-us/articles/5352033229076-Third-Party-Patching-Best-Practices

Schedule: Aggressive. A few days a week, or in between your other patch policies.

Install Notifications and Restarts: Both are disabled.



More examples of our best practice policies can be found here: https://Automox Patching Best Practices

​​​​​​
I also highly recommend taking a look at our Automox University Courses for full overview of our Patch Policy Best Practices. These specifically should help get you started:



If you have any questions about setting these policies up or need a hand, let me know and I can get you in contact with your Customer Success Manager to schedule up a call.

Have a great day!

Badge

Hello John,

Thanks for the info!

Reply