Explaining OS & Application Patch Management
What is OS & App Patch Management?
Patch Management is the process of becoming aware of, and applying, the latest software updates to your Operating System (OS) and Applications (Apps) across your organisation’s devices.
Why is Patch Management important?
The Operating System (OS) of your device, whether a smartphone, tablet or computer, is instrumental in keeping your device reliable and secure. As with all software, your OS must respond to the latest online threats and adapt to the changing usage patterns of its users, so an OS will routinely be updated several times per year, with a combination of new features and security fixes.
Similarly, the apps you use on your device will also receive similar, frequent updates. Commonly, these updates fix unreliable behaviour in the app or respond to security loopholes in the application’s code. As implied above, failure to keep the software on your devices updated exposes you to online security threats. This may lead to you becoming the victim of data loss, a customer data breach, ransomware, and financial or identity fraud.
Why is Patch Management difficult?
For organisations with even a relatively small number of devices, each one will have an OS and the majority will have around 10 to 20 apps in regular use. Even with just 10 devices deployed, that might well be 200 potential update points to manage. If those apps are updated by their developers, at a modest estimate, 6 times per year, that’s as many as 1200 updates that need to be executed in an organisation of just 10 devices.
So, volume is a problem. Secondly, awareness and oversight are a problem. Without a tool to report on the software your devices have installed, or a set of policies to define which apps are allowed in your organisation, it is very laborious if not practically impossible to work out which apps need updating and which ones have done so automatically (or not).
Finally, since many apps use their own bespoke update mechanism, there is no universal protocol for apps or operating systems to reliably send alerts about failed updates. Computer apps in particular can be installed in many different ways, some of which are better at automatically updating than others.
Don’t updates happen automatically?
Yes and no. On the whole, updates to many apps can and will happen automatically. However, there are numerous exceptions:
- Some apps require user interaction to complete; often these get deferred by the user
- It is often advantageous to defer brand new OS releases until their reliability is proven
- Some updates need admin privileges, which not all users should be allowed to have
- Apps may fail to auto-update and require manual intervention to fix
- Occasionally the auto-update process itself can fail to detect an update that is due
- Some apps do not have an automatic update mechanism at all
- For legacy systems, you may want to manually control or block updates to older apps
With the number of updates per year typically in the thousands, even for the smallest organisations, it’s very likely that on a significant number of occasions, one of the above exceptions will arise.
How to deliver reliable Patch Management
To get around the lack of a universal protocol for app updates, particularly on computers, we recommend use of an MDM (Mobile Device Management) system for Patch Management. Your devices will routinely check in with the MDM, which will ask them to report their current list of installed software and the version numbers. For software that is installed and managed using the MDM itself (typically as part of a Zero-Touch Setup environment), in most cases the MDM will automatically update the OS and its applications.
Our MDM solution can apply updates not only to App Store apps, but also to a large and growing number of additional third party apps as well. The MDM system hosts the installers and will keep your devices up-to-date whenever a new release becomes available.
For software which cannot be directly managed by the MDM but is nonetheless distributed by the MDM, Purple will receive an alert for any new releases. Then, we will update the installer package within your MDM environment so that all devices receive the latest version of that app.
To implement Patch Management we will:
- Agree a major OS version for all your devices
- Set up an agreed maintenance window once per week when automatic OS updates will be attempted, then communicate this to your end users and set up a proactive update notification protocol
- Bring all device operating systems and apps up to date
- Agree a frequency of patch management checks
  - The stricter compliance standards will require checks as often as every 2 weeks
- Perform a manual check and provide a report at the desired frequency
- Remediate any failed automatic updates
- Where available, update and deploy the manually-managed installer packages
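As an added illustration of the manual check and report step in the list above (example code written for this page, not Purple's own tooling): it takes the software list and version numbers that devices report at MDM check-in, compares them with a catalogue of the latest approved releases, and lists every device/app pair that still needs a patch or has not reported an app at all. Device names, app names and version numbers are constructed.

```python
import re

# Constructed catalogue of the latest approved version per app (hypothetical values).
LATEST = {"os": "14.4.1", "browser": "123.0.6312", "pdfreader": "24.1"}

# Constructed MDM check-in records: (device, app, installed version).
INVENTORY = [
    ("laptop-01", "os", "14.4.1"),
    ("laptop-01", "browser", "123.0.6312"),
    ("laptop-01", "pdfreader", "23.8"),
    ("laptop-02", "os", "14.3"),
    ("laptop-02", "browser", "99.0.4844"),
    ("laptop-02", "pdfreader", "24.1"),
    ("laptop-03", "os", "14.4.1"),
    ("laptop-03", "browser", "123.0.6312"),
]


def version_key(version):
    """Turn '14.4.1' into (14, 4, 1) so that '14.10' sorts above '14.9'.
    A plain string comparison would rank them the wrong way round."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_outdated(installed, latest):
    """True when the installed version is older than the approved latest.
    A shorter tuple with a matching prefix counts as older ('14.4' < '14.4.1')."""
    return version_key(installed) < version_key(latest)


def patch_report(inventory, latest):
    """Map each device to the apps it still needs updated.
    A catalogue app the device did not report at all is flagged 'missing':
    from the MDM's side a silently failed auto-update and an uninstalled app
    look identical, and both need remediation."""
    reported = {}
    for device, app, installed in inventory:
        reported.setdefault(device, {})[app] = installed
    report = {}
    for device, apps in reported.items():
        for app, wanted in latest.items():
            installed = apps.get(app)
            if installed is None:
                report.setdefault(device, {})[app] = "missing"
            elif is_outdated(installed, wanted):
                report.setdefault(device, {})[app] = f"{installed} -> {wanted}"
    return report


if __name__ == "__main__":
    for device, findings in sorted(patch_report(INVENTORY, LATEST).items()):
        for app, status in findings.items():
            print(f"{device}: {app} {status}")
```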