In Nebula, the Patch Management module allows you to install updates on software applications such as Adobe Acrobat, Mozilla Firefox and Zoom by retrieving the latest installers from the vendors.
Third-party vendors may require reboots to complete the installation of updates, so installing or scheduling software updates on your endpoints during non-operating hours is recommended.
TIP - Keep the software update information in Nebula accurate by running or scheduling an Inventory & Vulnerability scan. This will ensure that any third-party software updates you install from Nebula are the latest versions available. For more information, see Enable Patch Management in Nebula.
If a software application is included in an ignore rule, it cannot be installed manually or automatically through schedules. For more information on ignored software updates, see Manage ignore rules for Patch Management in Nebula.
If the Vulnerability Assessment module identifies any vulnerabilities on the endpoint's applications, update them with Patch Management. Use the Investigate > Events page to confirm the software update applied successfully.
Scheduled software updates
Create a schedule to install third-party software updates regularly. This schedule installs all third-party software updates found when the schedule is run. Updating your software programs provides you with the latest features and covers any security holes or vulnerabilities. To create a schedule:
- On the left navigation menu, go to Configure > Schedules.
- Click New.
- Enter a schedule name and choose Software updates for Type.
- Optionally, specify which supported third-party applications to update or exclude from updating.
- Configure endpoint reboot settings with the options in the table below.
- On the Schedule groups tab, select target groups for the schedule.
- On the Schedule frequency tab, set the frequency, start date, and start time. The schedule runs using the endpoint's locally configured time.
- Toggle on Run missed scans as soon as possible to allow the schedule to run if the endpoint was offline during the configured schedule time.
Note: To avoid unexpected updates after a powered-off endpoint comes online, toggle this setting off. - Click Save.
Reboot settings
| Setting | Description |
|---|---|
| Don't reboot servers | Prevent servers from rebooting after an application update. |
| Use existing reboot settings | Follow the policy reboot settings. |
| Override existing reboot settings | Override the policy and customize the reboot settings. |
Note: A user can postpone a reboot indefinitely unless the reboot delay time is reached. Subsequent popups will wait 1 minute for additional postponement; otherwise, the endpoint will reboot. If a user postpones a reboot, the Events screen shows an Audit event.
Patch Management page
Navigate to the Patch Management page to view available software updates across your environment. Use this page to manually apply patches to endpoints if they are outside of patch schedule time frames or if critical patches are required.
- On the left navigation menu, go to Manage > Patch Management.
- On the top-left, click Software Updates.
To install an update:
- Check the boxes for applications on endpoints you wish to update.
- Click Actions > Update Software.
- A confirmation window displays the selected applications to update on the endpoints. Any applications covered by an ignore rule are listed under the Ineligible for software update section.
- In the confirmation window, click Update.
A task is sent to the endpoints and is attempted within 72 hours once the endpoint is online. After the software update is complete, the item is removed from the Patch Management page with the next scheduled Inventory & Vulnerability scan. You can also manually update the Patch Management page by issuing an Inventory & Vulnerability scan task from the Endpoints page.
Software Inventory page
On the left navigation menu, go to Monitor > Software Inventory to navigate to the Software Inventory page. This page provides an overview of all installed software across your environment and update them.
To install an update:
- Check the boxes for applications on endpoints you wish to update.
- Click Actions > Update Software.
- A confirmation window displays the selected applications to update on the endpoints. Any applications without an available update or those covered by an ignore rule are listed under the Ineligible for software update section.
- In the confirmation window, click Update.
A task is sent to the endpoints and is attempted within 72 hours once the endpoint is online. After the software update is finished, the update is removed from the Software Inventory page with the next scheduled Inventory & Vulnerability scan. You can also manually update the software inventory page by issuing an Inventory & Vulnerability scan task from the Endpoints page.
Software update information
View the following information for each available software update:
| Column | Description |
|---|---|
| Application | Name of the application requiring an update. |
| Application version | Application information of the installed version. |
| CVE count | Number of CVE's available to update. |
| CVEs by Severity | Number of CVE's separated by their severity. Hover over the line in Nebula for more details. |
| Domain name | The corresponding domain of the endpoint. |
| Endpoint | Host name of the endpoint. |
| Group | The corresponding group of the endpoint. |
| Identified date | Date the available update was detected on the endpoint. |
| Ignore Rules Status |
Indicates whether the software is excluded from updates.
|
| Installed date | Date the update was installed on the endpoint. |
| OS platform | Windows or macOS. |
| OS release name | The public release name of the operating system. |
| OS type | Workstation or server. |
| OS version | The operating system version. |
| Uninstall available | This application can be uninstalled from Nebula. |
| Vendor | Vendor name of the software requiring a patch update. |
| Version available | The latest version available for this software application. |
Software updates that are ignored by an ignore rule are hidden by default. Toggle on Show Ignored Patches to reveal them.
Endpoints page
Individual endpoints have a details page which includes the Software tab. This tab displays all available software updates for installed applications on the selected endpoint. This tab is useful if a specific endpoint requires multiple software application updates and you want to patch a single machine.
To locate the Software tab:
- On the left navigation menu, click Manage > Endpoints.
- Click an endpoint name to view the endpoint's properties.
- Click Software.
To install an update:
- Select all or check specific boxes for applications on endpoints you wish to update.
- At the top-left of the Software tab, click Update Software.
- A confirmation window displays the selected applications to update on the endpoints. Any applications without an available update or those covered by an ignore rule are listed under the Ineligible for software update section.
- In the confirmation window, click Update.
Vulnerabilities page
On the Vulnerabilities page, use the Actions > Update Software button to update vulnerable 3rd-party applications. For more information, see Manage vulnerabilities in Nebula.
Return to Patch Management guide.