Block 3rd Party Updates (SUPrevent)

SUPrevent is a custom UT-designed method to block specific 3rd party titles updated by Patch My PC (PMPC) from installing on specific endpoints. ITSOs place the Active Directory computer object into a specially crafted, ITSO-controlled AD group. In Patch My PC, each software title is configured to run a script before the update installs; that pre-script checks the AD group membership of the computer it is running on and, if the computer is found in one of these groups, exits with a failure so the update does not install.

How to Request an Exception

EPM does NOT grant exceptions for any update. All exceptions are requested from, reviewed by, and approved or denied by the ISO.

To request an exception, fill out an ISO Compliance Exception request with the following information:

  • Exception Request Type = Other

  • Why is this exception needed? First, note that this is a PMPC SUPrevent request. Provide the name of the specific software title(s) that need to be excluded and a business justification for excluding each title from PMPC patching.

  • How is this risk being managed? Give a clear explanation of how the software title will be patched by ITSOs, and an internal process for either patching the software or mitigating associated risks when patching is not feasible.

  • Host information is not required for this exception type.

The PMPC SUPrevent exception process refers specifically to being excluded from PMPC patching, not from patching software altogether. If an ISO exception is approved, ITSOs will still be responsible for patching the software or filing separate exception requests for patching exceptions.

What happens next

If the ISO grants the exception, forward the ISO-approved Exception Request to EPM (epm-requests@its.utexas.edu). EPM will contact the ITSO with further information on how to create an Active Directory group named in a specific pattern that contains the correct SUTitle tag.

These memberships are collected by automation nightly, but that frequency can be adjusted as needed.

ITSOs retain access to their AD Group and can maintain membership to apply the block per device as needed.

How the Block works

Application title updates that have been configured in PMPC will run a script before attempting to install the update. This pre-script queries AD over LDAP for the endpoint's AD computer object and retrieves the list of AD groups the endpoint is a member of.

The pre-script has four result cases:

  1. No SUTitle passed through to the pre-script ==> Check the PMPC pre-script configuration.

  2. LDAP query failed ==> Do not update and do nothing; PMPC will try again on its next run. LDAP query failures are generally caused by lack of network connectivity, so an endpoint that cannot reach a domain controller will not receive the update until it can.

  3. LDAP query succeeded and the endpoint is NOT a member of the SUTitle group(s) ==> End the pre-script with a "Success" code, which allows the PMPC update to run.

  4. LDAP query succeeded and the endpoint IS a member of the SUTitle group(s) ==> End the pre-script with a "Failure" code. PMPC stops and does not attempt to install the update.

The pre-script writes a log to the C:\Windows\Temp folder.

The log file is named PMPC-SUTITLE-DATETIME.log and contains a transcript of the script run.

Exit codes 1111, 2222, and 3333 in the transcript log are expected and can be ignored: PMPC only needs a non-zero return code to block the update, and the script uses these generic codes for the blocking cases. A return code of 0 reports "Success" and lets the update install proceed.
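The pre-script logic described above, written out as an added PowerShell example. This is not EPM's production SUPrevent script. It assumes a parameter name (-SUTitle), a group naming pattern (SUPrevent-<SUTitle>*), and a mapping of the three block codes to the three blocking cases (1111 for no SUTitle, 2222 for LDAP failure, 3333 for group membership); the page specifies none of these. It goes beyond the page's description in one respect: the membership check uses the LDAP_MATCHING_RULE_IN_CHAIN matching rule so a computer nested inside the ITSO's group is still blocked, and it escapes the computer DN before placing it in the filter so the DN cannot alter the query.

```powershell
<#
  Added example, not EPM's production SUPrevent pre-script.
  Assumptions not taken from the page: the -SUTitle parameter name, the
  group naming pattern "SUPrevent-<SUTitle>*", and which block code
  (1111 / 2222 / 3333) belongs to which case.
#>
param(
    [string]$SUTitle
)

# Transcript goes to C:\Windows\Temp as PMPC-<SUTitle>-<datetime>.log.
$logTag = if ($SUTitle) { $SUTitle } else { 'NOSUTITLE' }
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
Start-Transcript -Path (Join-Path 'C:\Windows\Temp' "PMPC-$logTag-$stamp.log") -Force | Out-Null

function Stop-PreScript([int]$Code, [string]$Message) {
    # 0 lets PMPC install; any non-zero code makes PMPC skip the update.
    Write-Output "$Message (exit $Code)"
    Stop-Transcript | Out-Null
    exit $Code
}

# Escape a value for use inside an LDAP filter (RFC 4515) so that a DN or
# title containing ( ) * \ cannot break or widen the query.
function ConvertTo-LdapFilterValue([string]$Value) {
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

# Case 1: no SUTitle passed through from the PMPC pre-script configuration.
if ([string]::IsNullOrWhiteSpace($SUTitle)) {
    Stop-PreScript 1111 'No SUTitle supplied; check the PMPC pre-script configuration'
}

try {
    # Locate this endpoint's computer object. [ADSISearcher] binds to the
    # default naming context of the domain the machine is joined to.
    $computerName = $env:COMPUTERNAME
    $safeName     = ConvertTo-LdapFilterValue $computerName
    $searcher = [ADSISearcher]"(&(objectCategory=computer)(sAMAccountName=$safeName`$))"
    $computer = $searcher.FindOne()
    if (-not $computer) { throw "Computer object for $computerName not found" }
    $computerDn = [string]$computer.Properties['distinguishedname'][0]

    # Ask AD for any SUPrevent group for this title that contains the computer.
    # Matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN)
    # resolves nested membership on the server, so a group nested inside the
    # ITSO's SUPrevent group still blocks.
    $safeDn    = ConvertTo-LdapFilterValue $computerDn
    $safeTitle = ConvertTo-LdapFilterValue $SUTitle
    $groupSearch = [ADSISearcher]"(&(objectClass=group)(cn=SUPrevent-$safeTitle*)(member:1.2.840.113556.1.4.1941:=$safeDn))"
    [void]$groupSearch.PropertiesToLoad.Add('cn')
    $groups = @($groupSearch.FindAll() | ForEach-Object { [string]$_.Properties['cn'][0] })
}
catch {
    # Case 2: LDAP failure (commonly no path to a domain controller).
    # Block now and let PMPC retry on its next evaluation.
    Stop-PreScript 2222 "LDAP query failed: $($_.Exception.Message)"
}

if ($groups.Count -gt 0) {
    # Case 4: membership found, block the update.
    Stop-PreScript 3333 "Blocked: $computerName is a member of $($groups -join ', ')"
}

# Case 3: not a member, allow PMPC to install the update.
Stop-PreScript 0 "Allowed: $computerName is not in any SUPrevent-$SUTitle group"
```

Configure PMPC to run the script with the title passed as -SUTitle. Exit 0 allows the install and any non-zero exit blocks it, which is why the three block codes appear in the transcript as "errors" that can be ignored. Because case 2 blocks rather than allows, the check fails closed: an endpoint that cannot reach AD is not patched by PMPC until it can.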

Transcript Log Examples:

  • No SUTitle passed (improper configuration): the AD groups and PMPC configuration need to be inspected.

  • LDAP query failed: check network connectivity.

  • LDAP query succeeded with no group membership: the update install proceeds.

  • LDAP query succeeded and group membership found: the update install is blocked.

SUPrevent Configured Titles

PMPC Update Title

 

Nextcloud

EPM Testing

DYMO
