Hi!
I'm having difficulty figuring out an issue with automatic security patches on applications that were originally deployed via Managed Installation.

Example
Kbox installed Adobe Reader v9.3.0 via Managed Installation
Run Detect and Deploy for patching on k1000
Kbox applies this patch (Adobe APSB10-09 Reader 9.3.2)
On next Inventory, Adobe Reader v9.3.0 is not found, since it is now v9.3.2
Therefore, the Managed Install for v9.3.0 starts up again on the client machine (doh!)

Goal
I would like to keep the existing managed installation intact until the next major release of the software, letting the kbox apply patches as needed, without the original managed install starting up again after the patch has been applied.

Is there a recommended way to do this? Am I missing some key concept or functionality?

Answers

0
We don't use the patching capabilities at all - I update everything using software Distribution. However, based on my experience with the KBOX, it sounds like you need to set up Smart Label filters to only apply the patch to systems not at the patch level or higher (hint: use REGEX).
Answered 06/11/2010 by: airwolf
Tenth Degree Black Belt

0
ahhh ok! Thank you, that makes sense!

I may go about it a bit differently since the automatic patching is working fine; I just want to prevent the MI for the old version from starting again. This kbox is like a Swiss Army knife!

Do you see any issues with the rough outline below? I'll get the labeling/de-labeling accomplished dynamically

1. Label new/fresh machines as "Newbie"
2. Set all the Managed Installs impacted by the kbox patching system to push to "Newbie" only.
3. After all MIs are complete, remove the "Newbie" label and add a "Patchable" label.
4. Major version upgrades are pushed manually/one-time to the label "Patchable" for existing machines, then put back to "Newbie" for future fresh deployments.
Answered 06/11/2010 by: itguymike
Senior Yellow Belt

0
Here is what I do for applications that are patched via Kbox. For items like Office 2007 I make a custom software inventory item. In that custom inventory item, I wrote a Custom Inventory Rule that checks the registry for the version of the software you are running. This rule will check to see if the version matches certain parameters. In my example I am checking to see if the Office version is greater than 12 and less than 13. My custom string is below:

RegistryValueGreaterThan(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0011-0000-0000-0000000FF1CE}, DisplayVersion, 12) AND RegistryValueLessThan(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0011-0000-0000-0000000FF1CE}, DisplayVersion, 13)

Since my Office 2007 install includes SP1, the version number will always fall between 12 and 13 when installed via a MI. Now if the kbox patches Office and installs SP2, my version number will change but will still fall between 12 and 13. This way, if you have a computer in the Office label, it will push the software once, and if you patch it to a new version the MI will not push the install again unless the patch takes the version beyond 13.

Just another way to accomplish your goal.
Answered 06/11/2010 by: darkhawktman
Green Belt

0
ORIGINAL: itguymike

Do you see any issues with the rough outline below?  I'll get the labeling/de-labeling accomplished dynamically

1. Label new/fresh machines as "Newbie"
2. Set all the Managed Installs impacted by the kbox patching system to push to "Newbie" only.
3. After all MIs are complete, remove the "Newbie" label and add a "Patchable" label.
4. Major version upgrades are pushed manually/one-time to the label "Patchable" for existing machines, then put back to "Newbie" for future fresh deployments.


You've got the general idea, but it's going to look a bit more like this:

1. Dynamic filter (Smart Label) will automatically add systems without the proper version of "SoftwareA"
2. Apply latest patch to Smart Label from Step #1

That's all there is to it. If a newer version is released, you simply modify the SQL filter attached to the Smart Label.
Answered 06/14/2010 by: airwolf
Tenth Degree Black Belt

0
I'm completely new to KACE and I'm having this exact problem.

As slick as KACE is, I'm surprised that it doesn't have the option to not run a managed install if there's already a newer version of the application installed. That seems trivial based on version numbers.

I guess I will use the smart label solution to only install managed installs on new PCs.
Answered 09/06/2011 by: benmills
Senior Yellow Belt

0
I'd use smart labels to isolate the affected systems. I'd make a smart label looking for computers running Adobe Reader and also running any version less than ( < ) the current version. As machines check into the label they'll get the managed install, and when they get patched they'll drop out of the label (because the version is higher than the smart label) and won't try to reinstall the older version.
Answered 09/06/2011 by: ms01ak
Tenth Degree Black Belt

0
@benmills
The root issue would be that vendors often don't follow any sort of conventions, and there's no reliable or good way for us to know if a "newer" version exists on a machine; but you can make a feature request to let engineering know to work harder to figure out something at http://kace.uservoice.com
Answered 09/06/2011 by: cblake
Red Belt
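
Added example (not code from this thread or from KACE): a small Python model of the three detection approaches discussed above, run over a constructed inventory using the Reader 9.3.0 / 9.3.2 case from the question. It compares an exact-version check, darkhawktman's version-range rule and ms01ak's "older than the package" Smart Label. All function names and the sample machines are hypothetical; treating a machine with no Reader installed as an install target, and sending unorderable version strings to manual review, are assumptions of this sketch.

```python
import re

def parse_version(text):
    """'9.3.2' -> (9, 3, 2); None if absent or not purely dotted-numeric."""
    if text is None or not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        return None
    return tuple(int(part) for part in text.strip().split("."))

def exact_rule_reinstalls(installed, packaged):
    """Problem case: software counts as present only at the packaged version,
    so any other version (including a patched one) triggers the MI again."""
    return installed != packaged

def range_rule_detects(installed, low, high):
    """Range detection: present when low <= installed < high (numeric fields)."""
    v = parse_version(installed)
    return v is not None and parse_version(low) <= v < parse_version(high)

def smart_label_action(installed, packaged):
    """'install' when absent or older than the package, 'skip' when equal or
    newer, 'review' when the vendor's version string cannot be ordered."""
    if installed is None:
        return "install"  # assumption: fresh machines should get the MI
    v = parse_version(installed)
    if v is None:
        return "review"   # do not guess; a wrong guess could downgrade a patched host
    return "install" if v < parse_version(packaged) else "skip"

# Constructed sample inventory: machine name -> Adobe Reader DisplayVersion
INVENTORY = {
    "pc-fresh": None,
    "pc-deployed": "9.3.0",
    "pc-patched": "9.3.2",
    "pc-later": "9.10.0",
    "pc-odd": "9.3.2 (build A)",
}

def plan(inventory, packaged="9.3.0", low="9", high="10"):
    """Per machine: (exact rule re-pushes?, range rule detects?, label action)."""
    return {name: (exact_rule_reinstalls(ver, packaged),
                   range_rule_detects(ver, low, high),
                   smart_label_action(ver, packaged))
            for name, ver in inventory.items()}

if __name__ == "__main__":
    for name, row in plan(INVENTORY).items():
        print(name, row)
```

The "pc-later" row is the one to watch when writing a real filter: compared as plain text, "9.10.0" sorts before "9.3.0", so a text comparison would put that machine back in the install label.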
