Best Practices Question

How do I set up the ability to patch systems when a user should not log into KACE? (Cannot use automatic patching)

05/24/2013 2282 views

So this is the predicament I am facing. We have some consultants at another site. My manager does not want them to have access to KACE, however, they want to control the patching on their servers because they have Dev, Test, Train, Stage, and Prod environments and must test the patches in each one before ultimately deploying them into Prod. My manager thought that we could set up an approval process where we remotely approve patches for the month. The consultants log into the first servers (Dev) and manipulate a file by either renaming it or adding info into it that alerts KACE that the servers are ready to be patched (kinda like taking a web front end offline from an F5 device by renaming a file that causes the F5 to temporarily remove the server from the pool) and once done, gives the consultants the option of rebooting the servers at their leisure.

Is there such a process as this and if so, how can it be achieved? If not, what other options do I have in setting up KACE to not allow them to have access but be able to patch each environment separately?

Answer Summary:
0 Comments   [ + ] Show comments


All Answers


The short answer is that you can't run patching without having access to the patch schedule in the K1000.  There isn't currently a way to force patching from the client side.

It's been suggested as a feature request here:  http://kace.uservoice.com/forums/82699-k1000/suggestions/3987437-allow-a-user-to-patch-on-demand

My suggestion for a work-around would be to set up an organization in your K1000 just for the consultants and give them access to just patching or whatever other features you want them to use.

Answered 05/24/2013 by: jknox
Red Belt

  • What about a custom inventory rule where you can ask KACE to look for a file or reg setting that kicks of a task to the patching side. I just checked with my manager and he has done CIRs from the software side and there looks like there could be a way to link a CIR to start a patching cycle.
    • That should be possible. You would use a custom inventory rule to look for your file or .reg key, then create a smart label based on that CIR to target a patch schedule.
  • I agree with jknox the custom inventory rule with a label would be the way to go.
  • So, this is pretty new to me but can you explain how a smart label would kick off a patching session? The reason I ask is because I don't use smart labels for my regular patching. So, what's the difference between a smart and a regular label and when the CIR interfaces with the smart label, how does it call the patching session? The disconnect for me is given the patch schedule would most likely not be scheduled, how does the smart label force it to kick off?
    • The patch schedule would have to be run on a schedule, there is no other option. But with the smart label, it will only run on machines that fit the criteria of the label.

      jverbosk has an excellent write-up here that covers patching and smart labels: http://www.itninja.com/blog/view/k1000-patching-setup-tips-things-i-have-learned-ldap-smart-labels-sql-reports
  • Thank you both. This gets me closer to figuring this out!
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ