Patch Policies Overview

Patch policies in Level allow you to define when and how updates are applied to your endpoints. You can create separate policies for each operating system to cater to their specific needs, and also by department (e.g., Internal IT), location, or company (for MSPs) to ensure tailored management across different segments.

This guide will cover:

  1. Creating a Windows Patch Policy
  2. Creating a macOS Patch Policy
  3. Creating a Linux Patch Policy
  4. Creating a Security Policy
  5. Viewing and Managing Device Policies

Creating a Windows Patch Policy

Step 1: Define Your Policy

When creating a Windows patch policy, start by naming your policy. The name should reflect its purpose, such as "Windows Endpoints" or "Windows Critical Updates."

Step 2: Configure the Policy Options

  • Reboot Devices After Updates: Enable this option if you want devices to automatically reboot after updates are installed. This is crucial for updates that require a restart to take effect. Pro Tip: Manage reboots through an Automation with User Approval.
  • Retry Install on Offline Devices: If this is enabled, updates will be queued and installed as soon as the device comes back online. Note: If a device is updated outside of the scheduled patch window, it won’t be rebooted, regardless of the reboot setting above.
  • Send Notifications: Add email addresses of those who should receive summaries of the patch updates.

Step 3: Schedule the Patches

  • Choose specific days and times for when patches should be installed. It’s common to schedule updates during off-hours to minimize disruption.
  • Time Zone Considerations: The time shown on a patch policy is in your browser's local time zone, not the agent's time zone. This means that all scheduled updates are aligned with the time zone of the user viewing or editing the policy.

Step 4: Select Patch Categories and Delay Options

  • Windows Patch Management: Here, you can choose which categories of patches to apply, such as critical updates, security updates, and feature packs. Each category can either be installed immediately or with a delay. Delaying installation can help avoid potential issues from newly released patches.

Step 5: Assign Devices Using Tags

  • Use tags to assign this policy to the relevant Windows devices. For example, we use the Windows tag to target Windows endpoints.
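The time zone note in Step 3 is easy to get wrong when endpoints are spread across regions, so here is an added example (not Level code and not part of the original guide) that takes a schedule as it appears in the editor's browser and reports the local day and time it lands on for devices in other zones. It assumes a window starts at one absolute instant for every device; the function names, zones, sample date and business-hours threshold are constructed for illustration.

```javascript
// Added example: names, zones and the sample date are constructed for illustration.
// Assumption: a scheduled window starts at one absolute instant for every device.

// Offset in minutes of `zone` from UTC at the given instant.
function offsetMinutes(date, zone) {
  const p = {};
  const fmt = new Intl.DateTimeFormat('en-US', {
    timeZone: zone, hourCycle: 'h23', year: 'numeric', month: 'numeric',
    day: 'numeric', hour: 'numeric', minute: 'numeric', second: 'numeric',
  });
  for (const { type, value } of fmt.formatToParts(date)) p[type] = Number(value);
  const asUtc = Date.UTC(p.year, p.month - 1, p.day, p.hour, p.minute, p.second);
  return Math.round((asUtc - date.getTime()) / 60000);
}

// Convert a wall-clock time in `zone` (what the policy editor shows) to an instant.
function wallClockToInstant({ year, month, day, hour, minute }, zone) {
  const guess = Date.UTC(year, month - 1, day, hour, minute);
  const first = guess - offsetMinutes(new Date(guess), zone) * 60000;
  // Second pass corrects the offset when the guess lands across a DST change.
  return new Date(guess - offsetMinutes(new Date(first), zone) * 60000);
}

// Weekday and HH:MM of an instant as seen on a device in `zone`.
function localView(instant, zone) {
  const p = {};
  const fmt = new Intl.DateTimeFormat('en-US', {
    timeZone: zone, hourCycle: 'h23', weekday: 'short', hour: '2-digit', minute: '2-digit',
  });
  for (const { type, value } of fmt.formatToParts(instant)) p[type] = value;
  const hour = Number(p.hour);
  const pad = (n) => String(Number(n)).padStart(2, '0');
  const weekend = p.weekday === 'Sat' || p.weekday === 'Sun';
  return {
    zone, weekday: p.weekday, time: `${pad(hour)}:${pad(p.minute)}`,
    inBusinessHours: !weekend && hour >= 8 && hour < 18, // constructed threshold
  };
}

// Report where one editor-side schedule lands for each device time zone.
function patchWindowReport(schedule, editorZone, deviceZones) {
  const instant = wallClockToInstant(schedule, editorZone);
  return deviceZones.map((zone) => localView(instant, zone));
}

const report = patchWindowReport(
  { year: 2024, month: 7, day: 10, hour: 22, minute: 0 }, // Wed 22:00 in the editor
  'America/Chicago',
  ['America/Chicago', 'Europe/London', 'Australia/Sydney'],
);
console.table(report);
```

Any row with `inBusinessHours` set to true marks a region where the window, and any automatic reboot tied to it, would land during the working day and is a candidate for its own policy and tag.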

 

Creating a macOS Patch Policy

Step 1: Define Your Policy

Name your macOS policy similarly, like "macOS Endpoints."

Step 2: Configure the Policy Options

  • Reboot Devices After Updates: Similar to Windows, ensure devices are rebooted after patch installation if required. Pro Tip: Manage reboots through an Automation with User Approval.
  • Retry Install on Offline Devices: Mac devices will also receive updates once they come back online if this is enabled.
  • Send Notifications: Enter the relevant email addresses for patch summaries.

Step 3: Schedule the Patches

  • Set up a schedule that works best for your macOS devices. This could align with your Windows schedule or be tailored separately.

Step 4: Select Patch Categories and Delay Options

  • macOS Patch Management: Enable or disable specific types of patches and choose whether to apply them immediately or with a delay. Delaying updates can provide a buffer to test patches on non-critical devices first.

Step 5: Assign Devices Using Tags

  • Apply the policy to the appropriate macOS devices using tags like "macOS."

 

Creating a Linux Patch Policy

Step 1: Define Your Policy

For Linux systems, naming conventions might include "Linux Endpoints."

Step 2: Configure the Policy Options

  • Reboot Devices After Updates: Decide whether to reboot Linux devices after updates.
  • Retry Install on Offline Devices: Ensure updates are applied once the device reconnects to the network.
  • Send Notifications: Add the necessary email addresses to receive updates on patch statuses.

Step 3: Schedule the Patches

  • As Linux updates are typically more frequent, you might schedule them more regularly or even immediately upon release.

Step 4: Select Patch Categories

  • Linux Patch Management: Unlike Windows and macOS patches, Linux patches are installed immediately without the option to delay, ensuring your Linux systems are always up to date with the latest security and stability updates.

Step 5: Assign Devices Using Tags

  • Use tags to target the correct Linux devices, such as "Linux" or "Production Servers."

 

Creating a Security Policy

Security policies are crucial for maintaining a strong security posture. These policies typically apply updates without delay to ensure all security vulnerabilities are patched as soon as possible.

Step 1: Define Your Policy

Name the policy something straightforward like "Critical Security Updates."

Step 2: Configure the Policy Options

  • Reboot Devices After Updates: Enable this option if you want devices to automatically reboot after updates are installed. This is crucial for updates that require a restart to take effect. Pro Tip: Manage reboots through an Automation with User Approval.
  • Retry Install on Offline Devices: This option is crucial for security policies to make sure that as soon as a device reconnects, it receives all necessary patches.
  • Send Notifications: Add relevant email addresses to keep your security team informed.

Step 3: Schedule the Patches

  • Daily Schedule: Set this policy to apply updates daily to ensure no time is lost in patching critical vulnerabilities.

Step 4: Select Security-Related Categories

  • Security Patches: Enable only security-related patches with no delay.

Step 5: Assign Devices Using Tags

  • Assign this policy to all critical devices using tags like "Workstation" and "Server."

 

Viewing and Managing Device Policies

Once your policies are in place, you can view and manage them from the device details screen. Here, you’ll see all applied policies and understand how they stack, ensuring there are no conflicts and that all devices are covered comprehensively.