In this article:
Introduction - Overview of Patch Deployment Bots
General Settings - General bot settings
Patch Filter Settings - How to filter patches using patch filter conditions
Bot Settings - How to control the bot behaviour
Available Metadata Properties - Full list of properties available for patch filter conditions
Further Information - Where to go for further information
Introduction
A Patch Deployment Bot's primary function is to generate Patch Approvals for new patches, while filtering them in or out based on metadata properties. They also specify the patching process that will be executed to handle the Patch Approvals, the Deployment Channel to be used (if any), and can limit approvals to specific Business Units.
Bots are required by Patching Strategy objects, which are the only place they are used.
In the real world, Deployment Bots are used to apply different settings for different patches based on attributes of the patch. For example, you may wish to handle critical severity patches differently to normal or low severity patches. This could include an expedited schedule (or Deployment Channel), or different installation behaviour (optional install vs. mandatory install).
You may also use Deployment Bots to control which updates get installed, or uninstalled, and use them to prevent installation of prohibited software.
Note that bots are NOT used to filter by Product. The Products are defined in the Patching Strategy; the bots determine whether updates should be processed by the strategy (by using filters) and route them to the appropriate Patching Process and Deployment Channels.
General Settings
The general settings section holds basic identifying information: Name and Description.
Name: The name used to identify this Deployment Bot
Description: (Optional) A description used to describe the purpose or functionality of the bot.
Patch Filter Settings
The purpose of patch filter settings is to filter patches based on associated properties, either including or excluding them from the processing by this bot. Patches that meet the filter criteria will be processed, while those that do not will be disregarded.
It's important to note that patch filter settings are not mandatory. If not specified, the bot will process all patches.
You have the option of specifying a single filter condition or grouping multiple filter conditions using AND, OR, and NOT logic, allowing for a high level of configurability.
To add a patch filter condition, click the ellipsis button located on the right-hand side.
To add a single condition, click on "Add Operating Condition".
To add multiple conditions, select "Add Operator" and choose either "AND," "NOT," or "OR."
Choose "AND" if you want all conditions to be true. Choose "OR" if you want any condition to be true. Choose "NOT" if you do not want any condition to be true.
If you are adding multiple conditions, after choosing your operator, click on the ellipsis button again and either add another operator or choose "Add Operating Condition."
In the overlay for "Creating Operating Condition," choose an appropriate data column. This is the metadata property field that will be compared with the incoming patch to determine whether it should be included or excluded.
Common metadata properties include the following:
- General.ExpiredByVendor -- indicates whether the patch has been retired by the vendor.
- General.IsBugfix -- indicates that the patch is a bug fix
- General.IsMajorFeature -- indicates that the patch is a new major version
- General.IsMinorFeature -- indicates that the patch is a new minor version
- General.IsSecurityUpdate -- indicates that the patch is considered a security update
- General.IsServicePack -- indicates that the patch is a service pack
- General.IsUpdateRollup -- indicates that the patch is an update rollup
- Install.InterferingProcesses -- if not null, shows the processes that would need to be terminated prior to installation
- Install.InternetRequired -- indicates whether an internet connection is required to install
- Install.LoggedOnUser -- indicates whether a user must be logged on to install
- Install.RequiresReboot -- indicates whether a reboot is required following installation
- Relationships.Supersedes -- if not null, shows the IDs of any software that this patch supersedes
- Risk.KnownExploitExists -- indicates whether there is a known exploit associated with this patch (e.g. ZeroDay)
- Risk.SecurityExposureLevel -- indicates the risk level associated with this patch
It's worth noting that there are built-in Deployment Bots available for all of the above common metadata properties. In many cases, it may be appropriate to either use these bots directly or create a copy and modify it to suit your needs.
For a comprehensive list of all available metadata properties, please refer to the bottom of this article.
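The following is an added sketch, not Adaptiva code, that models the AND/OR/NOT semantics described above so a filter design can be dry-run against sample metadata before it is built in the console. The tuple condition format, the "equals" and "not_null" tests, and the sample patches are assumptions of this example; the property names are taken from this article.

```python
# Illustrative model of a patch filter tree (assumed format, not product code).
def matches(node, patch):
    """Return True if the patch metadata dict satisfies the filter node."""
    if node is None:                      # no filter configured: process all patches
        return True
    kind = node[0]
    if kind == "cond":                    # ("cond", property, test, value)
        _, prop, test, value = node
        actual = patch.get(prop)          # a missing property is treated as null
        if test == "not_null":
            return actual is not None
        if test == "equals":
            return actual == value
        raise ValueError(f"unknown test: {test}")
    results = [matches(child, patch) for child in node[1:]]
    if kind == "AND":                     # all conditions must be true
        return all(results)
    if kind == "OR":                      # any condition may be true
        return any(results)
    if kind == "NOT":                     # no condition may be true
        return not any(results)
    raise ValueError(f"unknown operator: {kind}")

# Security updates with a known exploit, excluding patches that are
# expired by the vendor or that require a reboot.
URGENT_NO_REBOOT = ("AND",
    ("cond", "General.IsSecurityUpdate", "equals", True),
    ("cond", "Risk.KnownExploitExists", "equals", True),
    ("NOT",
        ("cond", "General.ExpiredByVendor", "equals", True),
        ("cond", "Install.RequiresReboot", "equals", True)))

# Constructed sample metadata; names and values are made up for the example.
SAMPLE_PATCHES = [
    {"General.Name": "ExampleApp 1.2.3", "General.IsSecurityUpdate": True,
     "Risk.KnownExploitExists": True, "General.ExpiredByVendor": False,
     "Install.RequiresReboot": False},
    {"General.Name": "ExampleApp 1.2.4", "General.IsSecurityUpdate": True,
     "Risk.KnownExploitExists": True, "General.ExpiredByVendor": False,
     "Install.RequiresReboot": True},
    {"General.Name": "ExampleTool 9.0", "General.IsSecurityUpdate": False,
     "Risk.KnownExploitExists": False, "Install.InterferingProcesses": "tool.exe"},
]

def selected(filter_tree, patches=SAMPLE_PATCHES):
    """Names of the patches the filter would hand to the bot."""
    return [p["General.Name"] for p in patches if matches(filter_tree, p)]

if __name__ == "__main__":
    print(selected(URGENT_NO_REBOOT))
```

In this model, a NOT group with several conditions rejects a patch as soon as any one of them is true, which is why the patch that requires a reboot is excluded even though it is not expired.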
Bot Settings
The Bot Settings are responsible for defining the bot's behaviour and controlling what occurs when the bot processes a patch that matches the filter.
The first aspect to consider is whether the bot settings should be manually provided or if a custom workflow should be utilized to dynamically configure the bot settings.
In most cases, the default setting (Deployment Settings) would be the most suitable and commonly used.
When the Bot Settings radio button is toggled, the available form options change accordingly.
Desired State
The Desired State option is used to specify the action that should be taken if a patch is received by the bot and matches the specified filter expression. The available options are:
- No Preference - Do nothing
- Optional Install - Show to the end-user in the user portal but do not force install
- Mandatory Install - Force install onto the end-user device
- Do Not Install - Do not install onto the end-user device
- Rollback - Roll back the patch to the last approved version
- Uninstall - Perform an uninstallation of the patch
Urgency
The Urgency option is used to assign an urgency level to all new patches that meet the patch filter criteria for the bot. This urgency level can be utilized by the Patching Process set in the subsequent field to govern the bot's behaviour.
Patching Process
The Patching Process option requires the selection of a Patching Process object. You can either choose an existing Patching Process object or create a new one from the "Add Patching Process" overlay by selecting "Create Patching Process".
The Patching Process object consists of a workflow that controls the approval and deployment logic for new patches that fulfill the patch filter criteria for this bot. The workflow will be executed from the Patching Cycle based on the schedule specified within the Patching Strategy.
Please note that when using this bot in a Patching Strategy, the Patching Process specified here must also be added as a Patching Process Setting within the strategy.
Deployment Channel
You can optionally assign a Deployment Channel to the bot, which adds any patches that match the bot filter to the selected Channel.
Please note that when using this bot in a Patching Strategy, the Deployment Channels specified here must also be added as Deployment Channels within the strategy.
Business Units
You have the option to add Business Units to restrict the approval of new patches that satisfy the bot filters.
If no Business Units are added, patches will be approved for all Business Units in the Patching Strategy.
However, if one or more Business Units are added, patches will be approved for those specific Business Units providing they are referenced in the Patching Strategy.
Bot Workflow
If choosing the Bot Workflow option under Bot Settings, you are prompted to select an Adaptiva Workflow to use to retrieve the Bot settings.
For information on creating workflows, please see articles in this section.
When authoring a workflow to be used as a Patch Deployment Bot workflow, the WorkflowPurpose property must be set to PatchDeploymentBot.
On the Start node, a set of JAVA OBJECT properties named PatchingStrategy, Metadata, and DeploymentBot are exposed. These properties contain the data that gets passed into the workflow when a new patch gets processed.
On the End node, a JAVA OBJECT property named PatchApprovals is exposed. This property holds a PatchApprovals object that includes an array of SinglePatchApproval objects. Each SinglePatchApproval object contains the settings that can be specified manually, such as DesiredState, Urgency, Patching Process, Deployment Channel, and Business Units.
The workflow can include any desired logic to set these properties, and the resulting PatchApprovals object will include all of the specified settings.
Available Metadata Properties
Object ID | Version | Enabled |
Parent Folder ID | Name | Description |
Parent Object ID | Product | Content.ContentId |
Content.SourceType | Content.VendorUrl | Content.AdaptivaUrl |
Content.FileName | Content.Sha256Hash | Content.Size |
ContentForRepair.ContentId | ContentForRepair.SourceType | ContentForRepair.VendorUrl |
ContentForRepair.AdaptivaUrl | ContentForRepair.FileName | ContentForRepair.Sha256Hash |
ContentForRepair.Size | ContentForUninstallation.ContentId | ContentForUninstallation.SourceType |
ContentForUninstallation.VendorUrl | ContentForUninstallation.AdaptivaUrl | ContentForUninstallation.FileName |
ContentForUninstallation.Sha256Hash | ContentForUninstallation.Size | Extensions.PreInstallationActionSequence |
Extensions.PostInstallationActionSequence | Extensions.PreRepairActionSequence | Extensions.PostRepairActionSequence |
Extensions.PreUninstallationActionSequence | Extensions.PostUninstallationActionSequence | General.Schema |
General.ExpiredByVendor | General.Name | General.ShortName |
General.Description | General.VendorVersion | General.VendorName |
General.ReleaseDate | General.ReleaseNotes | General.AdditionalInformationUrl |
General.MsiGuid | General.IsSecurityRollup | General.IsUpdateRollup |
General.IsMinorFeature | General.IsMajorFeature | General.IsServicePack |
General.IsBugfix | General.TargetType | Icon.IconID |
Icon.CompressedData | Install.InstallerType | Install.PreActionSequence |
Install.ActionSequence | Install.CustomizerUI | Install.PostActionSequence |
Install.AutoItScript | Install.InterferingProcesses | Install.InterferingProcessesToWaitFor |
Install.InternetRequired | Install.LoggedOnUser | Install.RequiresReboot |
Install.DiskSpaceRequired | Install.MaxRunTime | Media.FileNamePattern |
Media.KeyFileName | Media.MediaDetectionSensorExpression | Realtime.RegistryIndicators |
Realtime.FolderIndicators | Relationships.Product | Relationships.PrerequisiteInstalls |
Relationships.FollowupInstalls | Relationships.Supersedes | Relationships.SupersedesRemovalRequired |
Relationships.SupersdedBy | Relationships.Parent | Relationships.Children |
Repair.InstallerType | Repair.PreActionSequence | Repair.ActionSequence |
Repair.CustomizerUI | Repair.PostActionSequence | Repair.AutoItScript |
Repair.InterferingProcesses | Repair.InterferingProcessesToWaitFor | Repair.InternetRequired |
Repair.LoggedOnUser | Repair.RequiresReboot | Repair.DiskSpaceRequired |
Repair.MaxRunTime | Risk.CveIds | Risk.CvssScores |
Risk.SecurityExposureLevel | Risk.KnownExploitExists | Risk.Criticality |
Rules.InstalledAuthoringRuleObject | Rules.InstallableAuthoringRuleObject | Rules.ApplicableAuthoringRuleObject |
Rules.InstallPathSensorExpression | Rules.InstalledVersion | Tracking.Method |
Tracking.WebScrapeURL | Tracking.WebScrapeDescription | Tracking.WebScrapeInterval |
Tracking.WebScrapeScanDate | Tracking.WebScrapeIdentificationAttributes | Tracking.WebScrapeMonitoringAttributes |
Uninstall.InstallerType | Uninstall.PreActionSequence | Uninstall.ActionSequence |
Uninstall.CustomizerUI | Uninstall.PostActionSequence | Uninstall.AutoItScript |
Uninstall.InterferingProcesses | Uninstall.InterferingProcessesToWaitFor | Uninstall.InternetRequired |
Uninstall.LoggedOnUser | Uninstall.RequiresReboot | Uninstall.DiskSpaceRequired |
Uninstall.MaxRunTime | UserPortal.Name | UserPortal.Description |
UserPortal.Version | UserPortal.VendorName | UserPortal.Categories |
UserPortal.Keywords |
Further Information
For further information, please see the other resources in the Technical Reference Library or speak to a member of Adaptiva Support.
If you experience any issues or suspect there is a bug in Patch Deployment Bots, please log a support ticket and a member of the Adaptiva support team will be in touch as soon as possible.