Hierarchical policies in SuperOps has four distinct levels through which policies can be deployed:
Global
Client
Site
Asset
Policies can be differentiated based on:
who the client is
their usage
locations/sites the MSPs support for a client
What more? MSPs can have a unique policy for servers as opposed to a workstation.
Hierarchical policies in SuperOps are defined by the Patch Category and Patch Severity matrix.
The approval statuses include:
Approve, which automatically approves and executes patches
Manual, which executes patches after manual approval
Reject, which does not execute the patch
Defer, which delays the deployment of a patch for a period of time
How does deferred patching help?
If you have a new set of patches that you'd like to test for stability and performance, you can defer these patches before you're confident about deploying them on your client's assets at scale. Click here to learn how to set up deferred patching.
Here's how Windows patches are categorized in SuperOps:
Critical Updates
Definition Updates
Service Packs
Feature Packs
Update Rollups
Drivers
Security Updates
Others (Tool, security-only update, monthly rollup, SSU, additional information)
Learn more about what each category means and how Microsoft defines them here.
Reboot options for patch management
Select how you want to manage system reboots after the patches are installed. You have multiple reboot options here for when the user is logged in and logged out. Here are the reboot options you have:
When the user is logged in:
Repeatedly ask for permission: With this option, you can keep asking for permission to reboot the machine at regular intervals until the reboot
Reboot immediately, but allow the user to save their work: Users will be notified once about an upcoming mandatory reboot
Force reboot: Forcefully reboots the asset right away
Do nothing: Ignores the reboot for the asset, even if the patch mandates it
When the user is logged out:
Reboot immediately
Do nothing
You can force reboot the asset, or ask permission from the user based on prompts with time intervals and then force reboot at the end of it.
You can also customize the reboot message that will be displayed as a prompt on the asset. The reboot message consists of two sections, the heading and the body, that will be displayed on your client’s assets. Here’s what it looks like.
Once the patch policy has been set, a patch scan is triggered immediately to reflect the latest patch compliance status of the asset.
You’ll need the asset to be active if you want to install these patches. If an asset is asleep, you can use Wake on LAN to remotely wake the asset up and start the patch installation to increase the success rate of deployment. Check out this guide on using Wake on LAN to learn how you can use it in SuperOps.
You can view all the patches under the ‘All patches’ section in the Asset pane.
All patches seen under ‘All Patches’ view are the ones that were defined globally (i.e, without client, site or asset hierarchies).
If the global patches are set to be manually approved, the ‘Approval Status’ column in the ‘All patches’ section shows either Approve or Reject. This will help the technician decide what needs to be done.
If there's a site-level policy and the technician approves a policy from the ‘All Patches’ view, this manual override is carried forward to the site-level patches as well (even if the site-level policy is set to execute automatically). Simply put, you can manually override site-level policies.
In this case, an option to ‘Reject’ a patch is also shown although the patch is approved because that is a cue to not auto execute that patch in the future.
If the technician prefers to view site-level patches that are auto-approved, they can apply filters on the ‘All Patches’ view to see the respective approved patches.
💡SuperTip:
If you would like all patches to be auto-approved, make sure to set up the global policy to ‘Approve’ on all counts.
Patch window duration
You can now configure a window of time, during which the patch will be installed in your client’s asset.
📝Note:
All patch installation for assets under this policy will take place during this time period. Any patch that was not installed during this time period will be installed during the next active window.
This feature is currently available only for Windows devices.
To do that,
Navigate to Settings > Policy Management > Windows server/workstation
Select Patch management from the pane on the left.
Click on the Schedule button as shown below
4. In the schedule patch page, fill in the details of the patch, enable “Window for patch installation” and set the duration of the window. For example, the window will be active for 3 hours.
5. Once you are done, click Apply.
Auto-update settings for device OS updates:
When it comes to handling local updates, SuperOps provides you with the flexibility to choose between relying on your device's OS manager or utilizing the SuperOps agent. To configure your auto-update preferences, you can choose either of the following options from the drop-down menu:
1. Do Nothing: With this option, the default patch update settings of your OS Manager will be retained as is.
2. Disable: Choose this option if you prefer the SuperOps agent to exclusively handle patch updates, thereby disabling auto-updates by the local OS manager.
📝 Note: If you choose the Disable option, patch updates done by SuperOps will not show up in the Windows Update History on your device.
📝 Note: This is currently available only for Windows devices.
Managing patches on demand
Here's how you can install and manage patches for a device ad hoc:
From an asset's details page, click on the Patches tab.
Under the Approval Status column, hover over Take action and it will show you three options: Reject, Approve, Approve & Install.
Click on Approve & Install if you want to install a patch immediately. If you want to have the patch installed based on a schedule you've set, click on Approve and SuperOps will install this approved patch during the scheduled time/date.
You can also select multiple patches and take action on them in one go with the checkboxes on the left. Actions will be available at the top right when you want to do it for multiple patches.
