ManageEngine Patch Connect Plus

In all my years of experience working in IT, no matter the company size, be it small, medium or enterprise, the most requested feature by far is security. That is to be expected: all customers want to have their data, network and infrastructure secured, especially in this day and age, when each month there is fresh news about some virus, ransomware or exploit that is wreaking havoc.

Just last month there was a global ransomware outbreak by the name of WannaCry (get more details here) that caused a great deal of damage due to poorly updated systems. According to stats released by Kaspersky Lab, an estimated 98 percent or so of the computers affected by the ransomware were running Windows 7, while other systems were also affected but in smaller numbers.

WannaCry target OS

Now the problem in this case, as in many others, is that security is directly related to patch management. At home we rely on Microsoft and its monthly updates (and I must stress here that people should always choose to update the system and not defer the update), while in an enterprise we use dedicated tools such as System Center Configuration Manager to keep systems updated.

And while it provides most functionality on the Microsoft side, it leaves a very big hole in the 3rd party update area; an area that is very dangerous if left unpatched.

Besides Windows exploits, the most frequent ones that I can think of are Java and Flash updates; these updates pop up at an alarming rate and it’s very easy for a company to lose its grip on them and leave systems vulnerable to attacks and exploits.

This is why today I will review a solution for 3rd party patch management from a company called ManageEngine, one of their products, aptly named Patch Connect Plus.

You can download the product from here. They have 2 versions, one for Microsoft SCUP and one for System Center Configuration Manager (SCCM), and offer a 30-day free trial for both.

You can see more details here.

I downloaded the product and since I had 30 days of free trial I started to test out different scenarios to see how the product fares with the SCCM environment.

Installation and Requirements

The install process is pretty straightforward; the install package is ~94 MB and the only thing that requires attention during install is selecting an open port for communication with the web.

There is also a final registration for support if you want it; it's optional. The final install size comes to 618 MB.

You can get a full documentation list here.

Once the original setup is completed you will be greeted with this web interface, where you will need to do the configuration for your Configuration Manager site server.

Configuration of Patch Connect Plus

I just followed the instructions on the video they provided and it was a very easy process:

Features and Vendors

During the configuration process you will see what makes this software unique: a direct link to a repository that is checked on a regular basis for updates, plus certificate authentication from vendors to avoid any unpleasantness when installing a new update, making sure that you have only signed software.

It is mandatory to import third-party or self-signed certificates into the ‘Trusted publishers’ and ‘Root certificate authority’ stores on all managed computers. This is needed to ensure that the updates are from an authentic source. If you have a third-party certificate you can import it directly; otherwise, you may have to create a self-signed certificate.

The repository for software is quite big and has options for multiple languages and different versions of the products.
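One way to perform and verify this import on a single managed computer, as an added example that is not from the original post or from ManageEngine. The path `C:\Temp\update-signing.cer` is a placeholder for a certificate you exported yourself, and the Code Signing EKU check is a policy choice made here, not a product requirement.

```powershell
#Requires -RunAsAdministrator
# Added example: pre-import checks, import into both stores, then verification.
# $CertPath is a placeholder for the exported public certificate (.cer).
param([string]$CertPath = 'C:\Temp\update-signing.cer')

$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing enhanced key usage
$stores = 'Cert:\LocalMachine\TrustedPublisher', 'Cert:\LocalMachine\Root'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Collect the EKU OIDs carried in the certificate's extensions.
$ekuOids = @($cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    ForEach-Object { $_.Value })

# Refuse anything that should not end up in a machine-wide trust store.
$now = Get-Date
$problems = @()
if ($cert.HasPrivateKey)      { $problems += 'file contains a private key; distribute the public .cer only' }
if ($cert.NotBefore -gt $now) { $problems += "not valid until $($cert.NotBefore)" }
if ($cert.NotAfter  -le $now) { $problems += "expired on $($cert.NotAfter)" }
if ($ekuOids -notcontains $codeSigningOid) { $problems += 'Code Signing EKU is missing' }
if ($problems) {
    throw ("Refusing to import {0}: {1}" -f $cert.Thumbprint, ($problems -join '; '))
}

# Import into both stores named above, skipping stores that already hold it.
foreach ($store in $stores) {
    if (-not (Test-Path "$store\$($cert.Thumbprint)")) {
        Import-Certificate -FilePath $CertPath -CertStoreLocation $store | Out-Null
    }
}

# Report what is now trusted so the result can be logged or compared across machines.
foreach ($store in $stores) {
    [pscustomobject]@{
        Store      = $store
        Thumbprint = $cert.Thumbprint
        Present    = Test-Path "$store\$($cert.Thumbprint)"
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        Expires    = $cert.NotAfter
    }
}
```

In a domain these two stores are normally populated through Group Policy; a script like this is mainly useful for lab setups and for spot-checking that a machine actually trusts the expected thumbprint.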

I have compiled a full list here so you can have a look for your favorite vendor since I wasn’t able to find one on their site.

There are a total of 126 vendors on this list, but when you add up all the variations each vendor has (x86, x64, languages, etc.), there are a lot of software updates out there.

Vendor Selection Menu

Patch Connect Plus Dashboard

Once you have selected the vendors you want updates from and finished the configuration process, you will be greeted by the central Dashboard. It will look something like this:

Patch Connect Plus Dashboard

The central dashboard is the place where you can get an overview of all the elements in place: how many updates have been published, how many are available, how many failed to publish and how many failed to download.

Information at a glance

The good part is that you get the necessary information at a glance. For example, I always tend to ignore naming conventions for 3rd party updates since there are a lot of them and some with no honest meaning to them; I will always look for the Patch ID, which I can get here at a glance, along with other information I need to know: disk space requirements (especially important for Citrix environments and other TS where space is critical) and, most important, whether that patch will require a server reboot or not.

Some patches can be applied outside maintenance hours, but for that you will need to be sure that production is not affected, especially by a server reboot.

There are also in-depth sections where you can get more information about vendors and filter by your required fields.

Filter Information

Deploying published patches

Once the software has published the updates from all your vendors to your WSUS server, you can start pushing out these updates.

The process is fairly easy if you are accustomed to SCCM.

Go to Software Library -> All Software Updates -> Search for your Vendor and locate the update

NOTE: all the selected updates that appear in the Patch Connect Plus dashboard as Published should appear now in your console in this location.

Deploy Updates using SCCM

Select the patch you want to deploy, right click and select Deploy.

The Deploy Software Wizard will open. Here you can specify the name for the deployment, the software update or software update group, and the target.

After you have done all that, click Next.

On the Deployment Settings page you will need to specify the type of deployment (Required/Available) and the detail level for the deployment (All messages/Only Success and Error messages/Only error messages). When you’re done, click Next.

On the Scheduling page, select the details that you want to have based on your needs.

Once you have configured the schedule details for the deployment, press Next.

On the User Experience page, you will need to be careful when selecting the options, since these determine whether the machine will reboot and when.

Specify the user experience that you want for the deployment and click Next.

On the Alerts page, be sure to have an alert in place so you can get notifications on how the install went. Based on the severity of the patch you are installing, I would recommend you have a strict deadline.

Once you have specified the software update alert options for the deployment, click Next.

At the Download Settings page, you can quickly go back to the Patch Connect Plus Dashboard to check the space requirements for the update you are deploying, so you can make a call on what setting to use here.

And finally you have your deployment.

You can of course check for compliance of the deployment in the Monitoring tab and get more details on what failed and specific errors, but these are SCCM functionalities.

When you pair that with a Reporting Server and run reports on these deployments, you then get endless possibilities: things like asset intelligence that will help you see if that software is actually being used, all wrapped into a neat form that you can present to upper management and the security team to make them happy.

All in all, if you have an SCCM environment at work and struggle with 3rd party support, this tool is a nice one to have, especially if you can get it at a low cost.

I would however like to see more improvements in future versions, such as making it a standalone application instead of a web app, and maybe integrating this software with a packaging tool like the one I reviewed here some time ago.

I think that would greatly benefit the end user: having an all-in-one tool with which you can automate deployments. Sure, you can do an ADR now and automate some parts, but most of the time ADRs do not give the level of detail that you might want in an enterprise.

I am sure that if ManageEngine continues development on this software and introduces packaging software with it, having an all-in-one tool will mean they have a golden product that no enterprise can refuse, especially in this day and age when, as I mentioned at the start, dangers are at every corner.

Until the next time, be sure to patch everything to 0 day 🙂
