Critical Vulnerability Patch Policy

Last Reviewed: April 30, 2021

In general, once ISO has identified a critical vulnerability, our objective is to patch the affected devices as soon as possible.

Given the potential impact, this policy supersedes the reboot policy.

This flowchart details our process for handling critical vulnerabilities.

General

  • We have a similar level of control over reboot timing on both Windows and macOS
  • We can control how long the update can be deferred, and how long the user has before a reboot is forced
    • We can manually send reboot commands as needed
      • We want to avoid triggering manual reboots
      • SCCM and Nudge can handle this by and large
    • If a computer is offline when the command or update is sent, it will receive it the next time it checks in

Windows

  • KBs are pushed via LANrev and SCCM
    • LANrev - sends out the patch with a dialog window informing the user of the update
    • SCCM will be configured to ignore maintenance windows during this procedure
  • Reboot specifics - we can configure these variables as needed
    • Users are able to defer the patch by up to 4 hours
    • Once a reboot is required, users have 15 minutes to save their work
  • Reporting
    • Compliance Baselines in SCCM
    • Smart groups based on last reboot and custom information items in LANrev

Mac

  • All macOS devices are prompted to patch via Nudge
    • The wording of the popup may vary depending upon the severity of the vulnerability
    • Nudge will prompt users at 10AM, 12PM, 2PM, and 4PM until they update
      • Defer causes the window to disappear
    • After 3 days (based on a calendar date we set), the popup stays open and users are no longer able to defer
      • Triggers at 4PM
      • At this point, the window forces itself to be the active window
  • Reporting
    • JAMF groups and reports can be developed as needed
  • Phased approach
    • Phase 1
      • LAITS without studio
      • Wait for 1 day
    • Phase 2
      • FRIT and SPAN
      • Wait for 3 days
    • Phase 3
      • Apply to all remaining units