Why did my third party application fail to patch?

Awesome Nic, can you also share what third party updates are hosted by Automox and what are pulled from the source? We notice that not everything is being send from Automox URL.

Can you clarify on this choice to not proxy everything through Automox?

I believe for most of the 3rd party apps, we pull from the source and then send to the endpoints via the agent. There may be some situations where we pull it directly on the agent side. Let me ping one of our engineers who works in that area to see if I can get more details.

Cached 3rd party udpates will be stored here:
https://api.automox.com/api/cache/*

If you upload files for Worklets or Required Software, the content will be stored here:
automox-policy-files.s3.us-west-2.amazonaws.com*

I did get confirmation that all of our third party patches do get downloaded to our console first, and then get pushed out to the agents. The one exception is Chrome where we make use of Chrome’s auto-update feature. We trigger the native Chrome update check so that the patch gets downloaded locally and installed via the Chrome process.

Why is that? I can’t really follow the logic behind this. From common security practice you want to limit access to the internet from servers within the infrastructure. Ofc you could argue that chrome should not be installed too but one of the reasons to go with a patch management solution is to control the network flow and update cycle. Don’t we try to reduce the attack surface?

That’s why we do most of them through us - for Chrome my guess is that there’s some technical issue that makes that not feasible, so we rely on the endpoint to get the download directly. If that’s something that you prefer not to make use of, then you can do a Patch All Except policy and exclude Chrome from inclusion in the Automox patching.

Fair enough i just try to understand the logic behind this.