Chapter 7. Phase II: Patch Management design and implementation 283
bandwidths because of the light communications between the Agent and the
Tivoli Endpoint Manager Server.
When endpoints are offline, they can be switched on or messages can be cached
at their nearest Relay so that when the endpoints reconnect to the network, the
patching automatically begins.
Reboots during patching
For patches that sometimes require a reboot, the Agent contains a software
component known as the action manager to cache all activity that must continue
during a patch. It is important to remember that if the users can choose when to
reboot their system, the patch that is being applied might not reply to the Tivoli
Endpoint Manager Server as “patched” until the endpoint is rebooted. The
financial accounting company might decide to force a reboot of the endpoints if
the endpoints are on for more than a week.
7.2.5 Implementation conclusion
During the implementation of the financial accounting company Tivoli Endpoint
Manager patch management solution, we incorporated a new process for
patching. The new process uses the current change ticket system of the
organization and the separation of duties by using a new approval process. We
also described how the financial accounting company can use the Tivoli Endpoint
Manager platform and patching content to patch workstations and servers,
solving the business and functional requirements.
The intention of this section is to document the considerations of the financial
accounting company about maintaining a Tivoli Endpoint Manager patch
management solution. We describe the following features of Tivoli Endpoint
Using Baseline updates
Handling corrupt patches
Minimize endpoint reboots
Patching overview dashboard
284 Endpoint Security and Compliance Management Design Guide Using IBM Tivoli Endpoint Manager
It is important to remember the business requirements of the patch management
solution for the financial accounting company. Tivoli Endpoint Manager provides
a central view of all the endpoints by using a single console, single server
solution, that is accessible by the individual operating countries. This centralized
tool works even with the hierarchical nature of the IT department. Tivoli Endpoint
Manager aims to automate many of the tasks involved with managing the large
number of endpoints. This automation ultimately reduces the load on the
department. Therefore, resources can be allocated to serve the business more
7.3.1 Baseline updates
A Baseline is used as the deployment container for Fixlet Messages for each
monthly patch cycle. The financial accounting company corporate patching
process defines that the patch administrator operator clones patches from the
external content site into the Custom Site before approval by the system
administrator. The content that is provided by Tivoli Endpoint Manager in the
form of Fixlet Messages contains an Action script designed for deployment that
uses the Tivoli Endpoint Manager platform. The vendor-released patches
packaged up into Fixlet Messages can undergo changes to modify the way that
they are deployed to systems. These changes are to the Relevance language
that is used for deployment. As a maintenance task for the financial accounting
company, the Baselines created for the monthly patch cycle need
to ensure that any constantly enforced patches are updated on the endpoint.
To synchronize a Baseline, locate it in the Baselines tab within the Console and
follow these steps:
1. Highlight the Baseline, right-click, and click Edit.
2. In the Edit Baseline dialog, go to the Components tab.
3. Baseline components whose source is modified display a Source differs
4. Click the [sync with source] link to synchronize the Baseline component with
its modified source.
Figure 7-29 on page 285 displays the contents of a Baseline and the option to
visit the source of the Fixlet message. In this case, there are no modifications to
the source Fixlet, so we are offered the option to see the Fixlet source only.
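The synchronization check described above can be reasoned about offline as a comparison between each Baseline component and its source Fixlet. The following is an added example, not code from this guide or from the product; it assumes a component keeps a copy of its source's Relevance and Action script, and the XML layout, the `SOURCE_FIXLETS` dictionary, and the function names are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: a simplified Baseline export. Element and attribute
# names are assumptions for this example, not the product's export schema.
BASELINE_XML = """
<Baseline name="Monthly patch cycle (constructed)">
  <Component name="Patch A" sourceId="101">
    <Relevance>exists file "a.dll" whose (version of it = "1.1")</Relevance>
    <ActionScript>run patchA.exe /quiet</ActionScript>
  </Component>
  <Component name="Patch B" sourceId="102">
    <Relevance>exists file "b.dll" whose (version of it = "2.0")</Relevance>
    <ActionScript>run patchB.exe /quiet</ActionScript>
  </Component>
  <Component name="Patch C" sourceId="103">
    <Relevance>exists file "c.dll"</Relevance>
    <ActionScript>run patchC.exe /quiet</ActionScript>
  </Component>
</Baseline>
"""

# Constructed sample: current source Fixlets in the Custom Site, keyed by ID.
# 101 differs only in whitespace, 102 has new Relevance, 103 no longer exists.
SOURCE_FIXLETS = {
    "101": {"relevance": 'exists file "a.dll"  whose (version of it = "1.1")',
            "action": "run patchA.exe   /quiet"},
    "102": {"relevance": 'exists file "b.dll" whose (version of it = "2.1")',
            "action": "run patchB.exe /quiet"},
}

def fingerprint(relevance, action):
    """Hash Relevance and Action script with whitespace collapsed, so that
    formatting-only edits are not reported as a modified source."""
    norm = lambda s: " ".join((s or "").split())
    data = norm(relevance) + "\x00" + norm(action)
    return hashlib.sha256(data.encode("utf-8")).hexdigest()

def find_drift(baseline_xml, sources):
    """Return {source ID: status} for every component in the Baseline."""
    report = {}
    for comp in ET.fromstring(baseline_xml).iter("Component"):
        sid = comp.get("sourceId")
        src = sources.get(sid)
        if src is None:
            # The source was removed or never cloned: needs operator review.
            report[sid] = "source missing"
            continue
        cached = fingerprint(comp.findtext("Relevance"), comp.findtext("ActionScript"))
        current = fingerprint(src["relevance"], src["action"])
        report[sid] = "in sync" if cached == current else "source differs"
    return report

if __name__ == "__main__":
    for sid, status in find_drift(BASELINE_XML, SOURCE_FIXLETS).items():
        print(sid, status)
```

A component reported as "source differs" is one that the patch administrator would re-synchronize and route through the approval process again before the Baseline is redeployed.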