When there is no internet connectivity, or an environment is isolated with its own network definition, patching becomes a challenge. For such environments, the solution described here helps configure the devices and keep them up to date.
There are two ways to patch systems that do not have an Internet connection available.

Option 1:

This option involves setting up two Client Management (BCM) master installations: one that is connected to the Internet and can download patches and patch definition updates, and another that is used to scan and patch the disconnected systems. Although this option requires two master installations, there is no need to purchase an additional master license to use this option. Contact Technical Support to obtain a license file for the 2nd server.

Configuring the connected systems

1. Set up an environment that is representative of the environment on the disconnected side. This will allow the Dynamic Downloader configured later in this article to download only the needed patches.
2. Verify that the BCM agent has been installed on these connected systems, and that the agents are pointed to the connected master.
3. In the BCM console, go to Patch Management > Patch Managers > _PATCH_MANAGER_ > Configuration, and click the "Check for updates" button. If updates are available, then click the "Update" button on this same page. After this initial update, these definition files will be updated automatically at 11:00 PM each evening.
4. Also, in this configuration section on the connected server, set the "Archiving of Downloaded Patches after Publication" option to "Delete Downloaded patches".
5. After a couple of minutes, once the Patch KB is updated (point 3), the sample devices should upload a new patch inventory.
6. Configure the Dynamic Downloader. This will allow the connected system to automatically download patches which are missing from the representative systems described in step 1.
i. In the BCM console, go to Patch Management > Patch Manager > _PATCH_MANAGER_ > Dynamic Downloading.
ii. Right-click in the right side of the console window, and select Create Dynamic Downloader.
iii. Click the newly created dynamic downloader in the left side of the console window.
iv. It is recommended to select the "Only select patches that currently affect at least one device" option under the "Filters patches based on affected devices" section. This will download only patches which are needed, rather than downloading all available patches. For example, Dynamic Downloader for Windows 11 patches is shown in the screenshot below:
v. Once these downloads are completed, collect the patch files from the ..\Master\Data\Vision64Database\Patches\ folder. These will need to be copied to the disconnected server, as described later in this article.
Configuring the disconnected systems

Before scanning for missing patches, the patch definition files on the disconnected side must be updated using the steps below.

NOTE: This process must be repeated each time patch definition files are to be updated. If this process is not followed, BCM will not be able to scan for patches released since the last definition files update.

1. Stop the BCM service.
2. Copy the file C:\Program Files\BMC Software\Client Management\Master\data\Vision64Database\pmupdates\current\Update.bin from the Connected system to the C:\Program Files\BMC Software\Client Management\Master\data\Vision64Database\pmupdates\pending directory on the Disconnected system.
3. Start the BCM service. The Update.bin file contains the new patch definitions; at startup, the BCM service automatically imports them into the database.
4. Enter a path for the "Path to Local Patch Repository" parameter. To do so, go to BCM Console > Patch Management > Patch Manager > _PATCH_MANAGER_ > Configuration > Path for Local patch repository. This is the path where the patch files downloaded from the Connected Master will be placed.

Deploying Patches

1. On the Master - Connected side, copy the contents of the ..\Program Files\BMC Software\Client Management\Master\data\Vision64Database\Patches\ folder to media that can be transported to the disconnected side (USB drive, CD, etc.).
2. On the patch manager on the disconnected side, copy the patch files from the removable media to the path defined in the Path for Local Patch Repository in step 4 of the Configuring the disconnected systems instructions above.
3. Patch Group and Patch Job features can now be used to deploy patches on the disconnected network.

Option 2:

This option requires only one installation of the BCM Master server components, and does not require the representative environment on the connected side. However, in this scenario, the required patches need to be downloaded from the vendor manually, and must be placed in the Local Repository path on the disconnected Patch Manager.

Configuring the disconnected systems

Before scanning for missing patches, the patch definition files on the disconnected side must be updated using the steps below.

NOTE: This process must be repeated each time patch definition files must be updated. If this process is not followed, BCM will not be able to scan for patches released since the last definition files update.

1. Download and update the definition file using the procedure from "Manually updating Patch Knowledge Base - Documentation".
2. Enter a path for the "Path to Local Patch Repository" parameter in BCM Console > Patch Management > Patch Manager > _PATCH_MANAGER_ > Configuration > Path for Local patch repository. This is the path where the manually downloaded patch files will be placed.
3. After a couple of minutes, once the Patch KB is updated (point 1), devices will start uploading their new patch inventories.

Deploying Patches

1. After downloading the required patch files from the vendor, copy these patch files to the Path to Local Patch Repository directory described in step 2 of the Configuring the disconnected systems instructions above.
2. Patch Group and Patch Job features can now be used to deploy patches on the disconnected network.
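
Both options carry Update.bin and patch files across on removable media, so the copy should be checked before it reaches the pending directory or the Local Patch Repository. The PowerShell below is an added example, not part of the original article or of BMC's tooling: it writes a SHA-256 manifest on the connected side and reports missing, modified or unlisted files on the disconnected side. The function names and all paths are assumptions, and the demo at the end runs on constructed files in a temporary directory.

```powershell
# Added example (not BMC code). Function names and paths are assumptions.
function New-TransferManifest {
    param([Parameter(Mandatory)][string]$SourceDir,
          [Parameter(Mandatory)][string]$ManifestPath)
    $root = (Resolve-Path -LiteralPath $SourceDir).ProviderPath.TrimEnd('\', '/')
    Get-ChildItem -LiteralPath $root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length + 1)
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation -Encoding UTF8
}

function Test-TransferManifest {
    param([Parameter(Mandatory)][string]$StagingDir,
          [Parameter(Mandatory)][string]$ManifestPath)
    $root     = (Resolve-Path -LiteralPath $StagingDir).ProviderPath.TrimEnd('\', '/')
    $expected = @(Import-Csv -LiteralPath $ManifestPath)
    $findings = @()
    foreach ($entry in $expected) {
        $file = Join-Path -Path $root -ChildPath $entry.RelativePath
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            $findings += "MISSING  $($entry.RelativePath)"
        } elseif ((Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash -ne $entry.SHA256) {
            $findings += "MODIFIED $($entry.RelativePath)"
        }
    }
    # A file on the media that the connected side never listed is also a finding.
    foreach ($item in Get-ChildItem -LiteralPath $root -File -Recurse) {
        $rel = $item.FullName.Substring($root.Length + 1)
        if ($expected.RelativePath -notcontains $rel) { $findings += "UNLISTED $rel" }
    }
    return $findings
}

# Constructed demo: in real use, SourceDir is the connected master's Patches folder
# (plus Update.bin) and StagingDir is the removable media on the disconnected side.
$tmp = Join-Path ([IO.Path]::GetTempPath()) ([guid]::NewGuid().ToString())
$src = (New-Item -ItemType Directory -Path (Join-Path $tmp 'connected')).FullName
$manifest = Join-Path $tmp 'manifest.csv'    # kept outside the hashed folder
Set-Content -LiteralPath (Join-Path $src 'sample-patch.bin') -Value 'constructed patch payload'
Set-Content -LiteralPath (Join-Path $src 'Update.bin') -Value 'constructed definitions'
New-TransferManifest -SourceDir $src -ManifestPath $manifest
Add-Content -LiteralPath (Join-Path $src 'sample-patch.bin') -Value 'changed in transit'
Test-TransferManifest -StagingDir $src -ManifestPath $manifest   # copy only when this is empty
Remove-Item -LiteralPath $tmp -Recurse -Force
```

The manifest travels on the same media as the files it describes, so compare its own SHA-256 with a value recorded on the connected side through a separate channel before relying on it.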