Patch Management - Third Party Application Updates

Objective

Patches for commonly used applications are deployed as they become available from the software vendor and have completed quality assurance testing. Application patching is intended to provide security enhancements, not to interrupt production with feature changes.

A detailed walkthrough of the update processes for Windows and macOS endpoints can be found below.

An application restart is frequently required to apply application updates. When possible, notifications will display for any applications that require a restart to update. Feature changes are evaluated before release and communicated to users when they may be disruptive to productivity. Application updates are managed in three categories:

  • Independent - Application updates are released onto all managed endpoints as they become available from the vendor. Examples of Independent applications include Firefox, Chrome, and Zoom.
  • Managed - Application updates undergo a pre-release pilot period on a subset of production endpoints before release onto all managed endpoints. Pre-release occurs 1 week before the full production release, allowing ITS time to identify issues with the latest release of the software, including version upgrades. Examples of Managed applications include Adobe products, SPSS, and Palo Alto Cortex XDR.
  • Service Dependent - Application updates install automatically following a service upgrade. Pre-release testing occurs as part of the release testing for the service itself. Examples of Service Dependent applications include SAP, BeyondTrust, and Palo Alto GlobalProtect.

Users

  • All University faculty, staff or students with a University-managed desktop, laptop or tablet
  • Users of University-managed shared endpoints - labs, classrooms, conference rooms or kiosks

Third-Party Application Deployment Cycle

Windows and macOS endpoints enrolled in Endpoint Management Services receive third-party updates through Patch My PC via Configuration Manager (SCCM / MECM) on Windows and Jamf Pro (Jamf) on macOS.

New third-party patches release on Mondays, Wednesdays, and Fridays. Applications update silently when they are not in use; otherwise the endpoint device user is prompted to close the application if necessary. A restart may be required for critical updates to install. Notification and deferral will be provided to avoid loss of work.

 

Update Process - Windows

Private Endpoints (Faculty/Staff)

Application Updates will be automatically and silently installed when applications are closed. If an application is open, the endpoint device user will be prompted to close it if necessary. Endpoint device users may "Snooze" the update notification for up to 5 days in the event they are not able to install the update when prompted.

Prompt with the text "University of Nebraska System requires an update for *ApplicationName*. To ensure files aren't in use during the update, *ApplicationName* needs to be closed. Please save your work and close the application to proceed with the update. You can postpone the update until 2/23/2022. If no action is taken before the timer expires the update for *ApplicationName* will be deferred."

While application updates are being installed, you may receive the following notice. Please wait a few minutes for the update to complete the installation and try opening the application again.

Dialog message with the text "Update in progress... An update is currently being installed on your computer. Please do not try to start 7fm.exe"

Installation Deadline

Application Updates are required to be installed within 5 days of being offered. Once this deadline is reached, endpoint device users will receive a notification to close the application within the specified time before the application is automatically closed for updates to occur.

Shared Endpoints (Lab/Classroom/Conference Rooms) or Kiosks (Digital Signage/Walk-up Stations)

Application Updates will be automatically and silently installed during established maintenance windows. Shared endpoint device users will not typically see third-party application patching notifications.

Maintenance Windows

Shared endpoint devices running Windows will have a maintenance window from 10:00 pm to 7:00 am daily by default. An alternate 12:00 am to 6:00 am daily maintenance window is available by request. Third-Party Application Updates will only be installed during this time window unless manually run via Software Center.

 

Update Process - macOS

Third-party updates are applied on a weekly schedule. Application Updates will be automatically and silently installed when applications are closed. If an application is open, users will receive a system notification that application updates are available.

At any time during the week a user can open Self Service to install the application update at a convenient time.

When open applications need to quit for updates to apply, you will see the following notification:

macOS Prompt with the text "The following Applications require an update. Please save your work before continuing."

This prompt will allow you to continue with the following options:

  • Update Now
  • Postpone

After selecting "Update Now", you will be given an additional prompt for Applications that need to be closed:

macOS Prompt with the text "Please save your work in the following Applications before they are automatically closed."

While an Application is updating, a prompt will stay on-screen until the update is complete:

macOS Prompt with the text "Mozilla Firefox is updating, please wait."

 

When postponing an update, you will receive a prompt with a multiple selection drop-down similar to the following:

macOS Prompt with the text "Please select a deferral period. You won't be notified again until after the deferral expires."

Details

Article ID: 243
Created: Fri 4/12/24 2:57 PM
Modified: Thu 6/6/24 10:36 AM
