In this article, you will learn everything you need to know about the Patch & Asset Management - 3rd Party Patch Management module. 3rd Party Patch Management allows you to define policies for software management and automated patching and installation, schedule updates with our HEIMDAL Unified Threat Dashboard (UTD), blacklist applications and allow your users to click and install only the software approved by you.
1. Description
2. How does 3rd Party Patch Management work?
3. HEIMDAL Agent - 3rd Party Patch Management
4. 3rd Party Patch Management view
5. 3rd Party Patch Management settings
DESCRIPTION
Our 3rd Party Patch Management solution will automatically install updates on the 3rd Party Applications HEIMDAL manages (120+ applications) based on your configured policies, without the need for manual input. As soon as 3rd Party vendors release new patches, our technology silently deploys them to your endpoints, without the need for reboots or user interruption. HEIMDAL provisions you with fully tested, repackaged, and ad-free updates using encrypted packages inside encrypted HTTPS transfers locally to your endpoints. Our distribution is further optimized through a local P2P network only between your machines. This gives you the powerful option to tailor your entire IT environment. You can create policies that meet your exact needs across the Active Directory groups within your organization. Once configured, the deployment is easy and simple.
HOW DOES 3RD PARTY PATCH MANAGEMENT WORK?
When the Patch & Asset Management - 3rd Party Patch Management module is enabled, the HEIMDAL Agent checks the Windows Registry paths (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall) to determine which 3rd Party Applications are installed on the endpoint(s) and reports their status in the HEIMDAL Dashboard (it identifies an application using the DisplayName and DisplayVersion properties from the application's GUID registry entries). When a new version of a 3rd Party Application is available, the HEIMDAL Agent will securely download it from the HEIMDAL Security cloud, decrypt it, and run the installer with the specified install arguments.
3rd Party Applications can be installed or updated by the HEIMDAL Agent using one of the 3 methods below:
A. Automatic (force) install - the application is automatically installed on the first Group Policy check in case the application is not already present on the endpoint. If the application is already installed on the endpoint, the HEIMDAL Agent will bypass the automatic install;
B. Automatic update - the application is automatically patched (updated) by the HEIMDAL Agent when a newer version is available on the HEIMDAL Patching server;
C. Manual install - the application can be manually installed by the end-user from the HEIMDAL Agent in case the application is not already present on the endpoint.
The Application Blacklist feature allows you to uninstall specific applications that are installed on the endpoints inside your organization (in order for the feature to work, the application in question needs to have an UninstallString property defined in the Windows Registry in the case of MSI Installers and a QuietUninstallString in the case of non-MSI Installers).
HEIMDAL Agent - 3rd Party Patch Management
The HEIMDAL Agent displays information about the Monitored Applications, the Vulnerable Applications, the Version number, and the Status of each application. From the HEIMDAL Agent.
The HEIMDAL Agent allows the end-user to manually install any of the 3rd Party Applications that are configured to be allowed for installation from the HEIMDAL Dashboard.
3RD PARTY PATCH MANAGEMENT view
The Patch & Asset Management - 3rd Party Patch Management view displays all the information collected by the HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the 3rd Party Applications that are installed or monitored by the HEIMDAL Agent and is divided between the 3rd Party Applications monitored on Windows endpoints and the 3rd Party Applications monitored on Linux endpoints.
Windows OS
On the top, you see a statistic regarding the Number of current vulnerabilities, the Total number of applied patches, the Number of updated software, and the Number of monitored software.
The collected information is placed in the following views: Standard view, Patches per Endpoint view, and Assets view.
- Standard view
This view displays a table with the following details: Hostname, Username, Software, Version, CVE, CVS, Date, and Status.
The Standard view allows you to view the information regarding the Latest Status, Latest Patch, Currently Vulnerable, Historically Vulnerable, Up-to-date, Uninstalled. You are also allowed to select one or multiple entries in the Standard view and Hide them from the view. The Show Hidden Apps radio button allows you to display all the applications that were hidden by the HEIMDAL Dashboard Administrator.
- Patches per Endpoint view
This view displays a table with the following details: Hostname, Username, and Patches per Endpoint.
- Assets view
The Asset view displays a list of all the 3rd Party Applications that are installed on all the endpoints that run the HEIMDAL Agent in your organization (no matter if the 3rd Party Applications are monitored by the HEIMDAL Agent or not). The table includes the following information: Application Name, Version, GUID, Installed Endpoints, Hostname (visible in the Non-Stacked view), Installed Server, Username (visible in the Non-Stacked view), Machine Type (visible in the Non-Stacked view), Uninstallable (3rd Party Applications that can be uninstalled by the HEIMDAL Agent), Supported (3rd Party Applications that are installed and updated through the HEIMDAL Agent), and Date and Time (visible in the Non-Stacked view). The Hide Microsoft Products radio button allows you to hide the Microsoft products from the Assets view. The Filters functionality allows you to filter entries by Monitored and Not Monitored applications.
Selecting one or multiple 3rd Party Applications allows you to:
a. Add the selected application(s) to a Group Policy or all Group Policies to be automatically installed or be automatically updated (when a new version is available);
b. Uninstall the selected application(s) if the Uninstall is supported by the HEIMDAL Agent (the Uninstall is supported for the 3rd Party Applications that are installed using an MSI Installer that creates an UninstallString property or for the 3rd Party Applications that are installed using an EXE Installer that creates a QuietUninstallString property).
- SAM view
The SAM view displays a list of all the software licenses that are detected on the endpoints in your organization. In this view, you get information about the Application Name, Publisher, Type, Quantity, Maximum number of Endpoint Licenses, Maximum number of Server Licenses, Total Price Endpoints, Total Price Servers, Discovered Endpoints, Discovered Servers, License Key, and the Expiration Date. Clicking the Application Name will redirect you to the SAM Details page where you can edit the license information. The primary properties of a SAM item are the Application Name and the Alias. The Alias property represents a list of expressions used for automatically discovering assets by their name. Since multiple assets may be part of the same license (only having different versions), multiple assets may match the same Software Assets Management item. Since the same software can be bought from multiple publishers in multiple ways, in the editor (SAM Details page) there is a “Details” tab granting the possibility to input multiple license details concerning multiple publishers. The Create New License functionality allows you to add a new license for a specific application. The SAM view is available if Software Asset Management and Infinity Management are enabled in the Group Policy settings.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
Linux OS
On the top, you see a statistic regarding the Number of current vulnerabilities, the Total number of applied patches, the Number of updated software, and the Number of monitored software.
The collected information is placed in the following views: Standard view, Patches per Endpoint view, and Assets view.
- Standard view
This view displays a table with the following details: Hostname, Username, Software, Package, Distribution, Version, Date, and Status.
The Standard view allows you to view the information regarding the Latest Status, Latest Patch, Currently Vulnerable, Historically Vulnerable, Up-to-date, Uninstalled. You are also allowed to select one or multiple entries in the Standard view and Hide them from the view. The Show Hidden Apps radio button allows you to display all the applications that were hidden by the HEIMDAL Dashboard Administrator.
- Patches per Endpoint view
This view displays a table with the following details: Hostname, Username, and Patches per Endpoint.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
3RD PARTY PATCH MANAGEMENT settings
The Patch & Asset Management - 3rd Party Patch Management module allows the user(s) to install or update a specific 3rd Party Application from the list of applications managed by HEIMDAL Security.
Windows OS
3rd Party Patch Management - turn ON/OFF the 3rd Party Patch Management module;
General Settings
Infinity Management - turn on/off the Infinity Management module to deploy your own 3rd Party Applications/Patches (.msi, .exe, .bat files) from the stand-alone patch management system. The patches can be configured in the Infinity Management module and applied to any Group Policy;
Keep all applications up-to-date - all current and future 3rd Party Applications that are included in our 3rd Party Patch Management list will be added to automatic update;
Assets View - allows you to track down and manage all the 3rd Party Applications installed on the devices in your organization, even if we do not offer patches for them (supports applications that are installed in the All Users context). The Assets View updates the list of applications every 24 hours, but it can be manually updated by restarting the computer (this one takes the Delay Patching on Start-up option into consideration).
Software Asset Management - allows you to manage the software license details for an application that is installed in your environment in a dedicated view found under Patch & Asset Management -> 3rd Party Patch Management. You can input Software Name, Version, Publisher, License Type, Quantity, Price, Expiration Date, etc.
Manage Applications
Show only Infinity Management applications - displays the 3rd Party Applications added in Infinity Management only;
Install - enable the selected 3rd Party Application(s) to be installed on the endpoint(s) if it is not already installed. If the 3rd Party Application is already installed, it will not do anything;
Update - enable the automatic update of the selected 3rd Party Application(s);
Allow Install - make the selected 3rd Party Application(s) available for manual installation by displaying it in the HEIMDAL Agent - 3rd Party Patch Management list;
Delay - allows you to delay the automatic deployment of the selected 3rd Party Application(s) by 1 to 30 days;
Version - allows you to target the selected 3rd Party Application(s) to the Latest Version or to an older version (available in the Patching System). Targeting a version that is older than the Latest Version will downgrade the higher version to the targeted version. This means that Heimdal™ Patch & Assets will not update it anymore;
Check interval - allows you to set the time interval when the HEIMDAL Agent checks for newly available patches;
Delay patching on startup - allows you to set the delay time interval applied on computer startup until the HEIMDAL Agent starts the patching operation;
Patching Schedule - allows you to set a scheduler for the 3rd Party Application patching module;
- You can select one or more days in a week when Heimdal™ Patch & Assets can install the 3rd Party Application(s)/Patches;
- You can select one or more days in a month when Heimdal™ Patch & Assets can install the 3rd Party Application(s)/Patches;
- You can also select a specific interval of any day to exclude the 3rd Party Application patching.
Applications Blacklist
This feature allows you to uninstall a specific 3rd Party Application(s) to restrict the usage of unwanted applications or to get applications removed from all endpoints that are applying the current Group Policy. This feature removes most of the applications that Patch & Asset Management is monitoring and also uninstalls other 3rd Party Applications that are present on the endpoints but not managed by Patch & Asset Management module.
To uninstall a 3rd Party Application you need to specify the name of the application. You can also specify at least the first word of the name (in case the 3rd Party Application has a name composed of more than 1 word) to target multiple 3rd Party Applications that have their name starting with the same word and tick the Starts with tickbox to be able to add the entry.
- The example below targets all Adobe applications that are installed on the endpoint(s) (Adobe Acrobat DC, Adobe Acrobat Reader DC, Adobe Audition 2019, and others);
- If you target a specific application, you have to add the exact application name (as it is displayed in the Control Panel - Programs and Features list) to be uninstalled (as in the example below: Java 8 Update 291 (64-bit));
Example:
- If you want to uninstall a 3rd Party Application that is in the 3rd Party Patch Management list, you need to make sure that the tickboxes for Install and Update are unticked in order to be able to add the 3rd Party Application in the Application Blacklist.
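A way to preview, on one Windows endpoint, what the registry scan described under HOW DOES 3RD PARTY PATCH MANAGEMENT WORK? finds and which entries a blacklist name would match. This is an added example, not HEIMDAL code: the function names, the use of the WindowsInstaller registry value to tell MSI from non-MSI installs, and case-insensitive name matching are assumptions.

```powershell
# Added example (not HEIMDAL code): read the four Uninstall paths named in this
# article and report what a blacklist entry would match on this endpoint.
$UninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-UninstallInventory {
    foreach ($path in $UninstallPaths) {
        if (-not (Test-Path -Path $path)) { continue }      # HKCU paths are often absent
        foreach ($key in Get-ChildItem -Path $path -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            # Entries without a DisplayName cannot be identified by name, skip them.
            if (-not $p -or [string]::IsNullOrWhiteSpace($p.DisplayName)) { continue }
            # Assumption: WindowsInstaller = 1 marks an MSI-installed product.
            $isMsi = ($p.WindowsInstaller -eq 1)
            # Rule from the article: MSI needs UninstallString, non-MSI needs QuietUninstallString.
            $canUninstall = if ($isMsi) { [bool]$p.UninstallString } else { [bool]$p.QuietUninstallString }
            [pscustomobject]@{
                DisplayName    = $p.DisplayName
                DisplayVersion = $p.DisplayVersion
                Hive           = $path.Substring(0, 4)       # HKLM or HKCU
                SubKey         = $key.PSChildName            # GUID or product key name
                Msi            = $isMsi
                Uninstallable  = $canUninstall
            }
        }
    }
}

function Get-BlacklistPreview {
    param(
        [Parameter(Mandatory)][string]$Name,   # name as typed into the Applications Blacklist
        [switch]$StartsWith                    # mirrors the "Starts with" tickbox
    )
    Get-UninstallInventory | Where-Object {
        if ($StartsWith) {
            # Assumption: matching ignores case.
            $_.DisplayName.StartsWith($Name, [StringComparison]::OrdinalIgnoreCase)
        } else {
            $_.DisplayName -eq $Name           # exact name, as shown in Programs and Features
        }
    }
}

# Broad entry from the article: everything whose name starts with "Adobe".
Get-BlacklistPreview -Name 'Adobe' -StartsWith | Sort-Object DisplayName |
    Format-Table DisplayName, DisplayVersion, Hive, Msi, Uninstallable -AutoSize
```

Rows with Uninstallable set to False are entries that match by name but lack the uninstall property the article says is required, so check them before relying on the blacklist entry to remove them.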
Linux OS
3rd Party Patch Management - turn ON/OFF the 3rd Party Patch Management module;
General Settings
Infinity Management - turn on/off the Infinity Management module to deploy your own 3rd Party Applications/Patches (.msi, .exe, .bat files) from the stand-alone patch management system. The patches can be configured in the Infinity Management module and applied to any Group Policy;
Keep all applications up-to-date - all current and future 3rd Party Applications that are included in our 3rd Party Patch Management list will be added to automatic update;
Update non-Heimdal supported packages - allows you to update non-Heimdal packages installed on the endpoint.
Manage Applications
Show only Infinity Management applications - displays the 3rd Party Applications added in Infinity Management only;
Install - enable the selected 3rd Party Application(s) to be installed on the endpoint(s) if it is not already installed. If the 3rd Party Application is already installed, it will not do anything;
Update - enable the automatic update of the selected 3rd Party Application(s);
Check interval - allows you to set the time interval when the HEIMDAL Agent checks for newly available patches;
Patching Schedule - allows you to set a scheduler for the 3rd Party Application patching module;
- You can select one or more days in a week when Heimdal™ Patch & Assets can install the 3rd Party Application(s)/Patches;
- You can select one or more days in a month when Heimdal™ Patch & Assets can install the 3rd Party Application(s)/Patches;
- You can also select a specific interval of any day to exclude the 3rd Party Application patching.
Applications Blacklist
This feature allows you to uninstall a specific 3rd Party Application(s) to restrict the usage of unwanted applications or to get applications removed from all machines that are applying the current Group Policy. This feature removes most of the applications that Patch & Asset Management is monitoring and also uninstalls other 3rd Party Applications that are present on the endpoints but not managed by Patch & Asset Management module.
To uninstall a 3rd Party Application you need to specify the name of the application.
- the example below targets all packages used by the VLC Media Player;
- the HEIMDAL Agent will uninstall the following packages: aVLCb, aVLC, VLCb;
- using the Starts with option will remove any package named: VLC, VLCb.
Example:
- If you want to uninstall a 3rd Party Application that is in the 3rd Party Patch Management list, you need to make sure that the tickboxes for Install and Update are unticked in order to be able to add the 3rd Party Application in the Application Blacklist.