This article recommends some best practices for ensuring optimal performance and service delivery when using Miradore Management Suite's Patch Management module.
If you're looking for the setup guide for the Patch Management Module, please refer to the Administrator's Guide in the product guide of Miradore Management Suite.
Configure the platform coverage carefully
During the implementation phase of Miradore's Patch Management module, administrators need to choose all languages and operating system versions whose patches should be managed with Miradore Management Suite. For this phase, we give three recommendations:
1. In large environments with thousands of devices, add supported operating systems gradually, because choosing multiple options at once can have a severe impact on performance when the system starts to process the patches. Choose some of the desired operating system versions first, and add more later, once the patch manager component has successfully processed the patches for the previously selected operating systems.
2. Don't choose any unnecessary operating system versions, because each additional version quickly increases the disk space and network bandwidth needed for processing and storing the patch data.
3. If an application is used in a language other than the operating system language, remember to add the application language to the scope of the patch management. For example, internet browsers often have a different language version than the operating system, and if the browser language is not selected to be supported, the browser may not be patched correctly.
Note also that, by default, only patches or updates categorized as security patches are automatically included in the patch feed. The release of missing non-security updates must be requested separately from Miradore support.
Pay attention to the scheduling settings
During the implementation phase, administrators can also configure the basic settings for patch scanning and deployment in their environment. These settings determine which computers (asset groups) are included in the scope of the patch management, and how often patch scans or installations are performed automatically on the devices.
We recommend using an interval of 24 hours for the patch scan and installation profile. This ensures that vulnerabilities are dealt with in a timely manner. Running the scans and installations more frequently is not recommended, because it may cause high performance load unnecessarily often and disturb the end users.
We also recommend setting a carefully considered allowed time frame for the patch scan and install actions. The allowed time frame should be scheduled for off-peak hours when the computers are also most likely to be turned on. Otherwise, users may find the patching actions disruptive, or it may not be possible to perform the patching actions at all. For servers, it is often best to set the allowed time frame for the nighttime. Also, make sure not to define too narrow a time frame, because it may take some time to download and install the patches, especially if the network connection is slow.
With the Profile scope, you can choose which devices or device groups are included in the scope of the patch management. Note that you can create multiple Scheduled task profiles to set different scopes and schedules for different devices.
Use maintenance windows to control the time of patch installations
If you want to control separately when patch installations can take place, you can do so by defining one or more Patch maintenance windows in Miradore Management Suite.
When creating the patch maintenance windows, make sure you configure the settings well in advance, because it may take a day or two before all managed clients start to follow the restrictions set by the patch maintenance window.
Note that you can create multiple maintenance windows if necessary.
Bandwidth and storage considerations to keep in mind
In networks with low bandwidth capacity, you can control the bandwidth consumption of Miradore's Patch Management by using the Max bandwidth for file copying per distribution setting, which is located in the Location item. This setting defines the maximum bandwidth consumption for assets that are assigned to the location, and it applies both to Miradore package distributions and to the downloading of the patch data.
In System settings > Patch management > Patch management settings, you can define which patch installation packages are downloaded to the Miradore media master installation point, and in which cases. The recommended setting is to download the approved non-installed patches. Downloading all non-installed patches is not recommended, because that can easily consume very large amounts of disk space.
In addition, you can configure for how many days cached but unused patch data is stored at the media master installation point, and how quickly a patch becomes obsolete after it is omitted from the daily patch feed that is imported to the Miradore server.