Managing Policies

You can create patch, software, and custom configuration policies (Worklets) that are enforced regardless of geographic location.

Viewing Policies

You can view a list of all policies in your organization from the System Management page.

  • Use the Filter Policies field to search for a specific policy.

  • Click Unused Policies to switch between all policies and the policies that are not assigned to any devices.

Creating a Policy

You can create new patch policies from the System Management page.

  1. Click Create Policy in the upper-right corner to create different types of policies.

  2. On the Create Policy page, click the type of policy you want to create. The types of policies are described in the following section.

Policy Types

Click the following headings for detailed descriptions about each type of policy.

Patch

These policies patch some or all of the software that Automox natively supports. The following categories of patching are available:

You can install and patch software packages that do not have native support from Automox.

Worklets

Worklets can perform any scriptable action on devices, including disabling a vulnerable process, managing native OS controls, mass rollback of patches, removing unwanted applications, and many other system configurations.

Managing End-User Notifications

User notification messages allow you to give end users notice of important updates or reboots on Windows and macOS devices. It is also possible to configure deferral options that allow users to control when an update or reboot will happen.

Default User Notifications

When a patch policy is active and scheduled and uses default settings, Automox automatically sends notifications to users for updates and system reboots. These user notifications are configured on each patch policy page. Here is an example of the default view:

When you create a new policy, the default settings are as follows:

Default Settings

Enable automatic reboot after updates are installed

This means that after patching, the device will automatically reboot the operating system.

Install Notification Settings is on

The default notification messages will be issued. These can be edited.

Before installing any update is selected

The notification message is sent prior to any update install.

Hourly Deferral Options

A user can choose to defer an update by 1 hour, 4 hours, or 8 hours.

Max number of Deferrals

The default is 3. This is the number of times a user can delay the installation of a patch. This default setting can be configured between 1 and 10 deferrals.

Reboot Notification Settings is on

The default reboot notification message will be issued after an update installs if the update requires a reboot.

Deferral Enabled is selected

A user can choose to defer a reboot by 1 hour, 4 hours, or 8 hours for a maximum of three times before the system reboots.

What to expect for default user notifications

If you choose to use the default settings for a patch policy, a user will experience the following for an update that requires a reboot. The associated patch policy is active and scheduled. This is an example for macOS.

  1. A system update install notification is issued with the option of deferral.

  2. The user can select any of the deferral options, up to 3 times.

  3. After the update install completes, a reboot notification is issued with the option of deferral.

  4. The system shuts down the device (reboots) to complete the update. Note: If a user does not select a deferral option, the system will reboot automatically after 15 minutes.

Customizing Install Notifications

You can configure how a user receives notice of an update that is scheduled to be installed.

Note: The policy must be Active and scheduled for the notifications to take effect. If a policy is triggered manually, install notifications are not sent; however, reboot notifications (if configured) are still shown.

1. From the create or edit patch policy page, go to User Notifications > Automatic Reboot. Then select whether the device should automatically reboot after the update is installed.

  • If you want the device to reboot after patching, select Enable automatic reboot after updates are installed.

  • If you do not want the device to automatically reboot after patching, select Do not enable automatic reboot after updates are installed.

2. Go to End User Notifications > Install Notifications Settings.

  • To configure notification messages, turn on Install Notifications Settings.

  • If you do not want user notification messages to be sent, turn off Install Notification Settings.

Note: If you disable this notification setting for end users, it might result in the loss of unsaved work.

3. Choose when to send an install notification.

  • To send notification messages before the update occurs, select Before installing any update.

  • To only send notification messages prior to an update that requires a reboot, select Before an install that requires a reboot.

4. Review and edit Install Notification Messages. If you do not configure the notification message, the default message is sent.

You can use the default notification messages for end users or configure them here:

  • For updates that do not require a reboot, you can configure the Install - No Reboot Notification Message. To set a custom message for the install of an update, fill in the text box with the messaging of your choice. The message can be up to 125 characters for Windows or 70 characters in length for macOS.

  • For updates that require a reboot, you can configure the Install - Reboot Notification Message. To set a custom message for reboot, fill in the text box with the messaging of your choice. The message can be up to 125 characters for Windows or 70 characters in length for macOS.

Example install notification messages

5. Choose the Deferral Settings.

  • Hourly Deferral Options: You can set three or fewer deferral times for notifications, allowing end users to delay an update install for a number of hours. By default, users are able to defer for 1, 4, or 8 hours. To set custom deferral times, fill in the three boxes for the first, second, and third deferral options, as needed. Leave a field blank to have fewer options. All numbers are represented in hours, only integers are accepted, and the maximum single deferral time is 24 hours.

  • Max Number of Deferrals: You can set a custom number of deferrals for notifications. When set, the end user is able to defer install up to the provided number of deferrals. On the last possible deferral, the patch is applied as guided by the policy. To set the number of deferrals, fill in a number in the Max Number of Deferrals field. The default number of deferrals is 3. You can set as few as 1 deferral or as many as 10. If a user misses the patch notification, their system is automatically patched 15 minutes after the missed notification. A user can proactively install the update by clicking Install Now (Windows) or Options: Now (macOS).

Customizing Reboot Notifications

For updates requiring a reboot, you can configure the reboot notification message similar to update install notifications.

Requirements for configuring reboot notifications:

  • Select Enable automatic reboot after updates are installed.

  • Turn on Reboot Notification Settings.

1. From the create or edit patch policy page, go to Reboot Notification Settings. This setting must be turned on in order to send reboot notification messages.

Note: If Reboot Notification Settings is turned off, the user might lose unsaved work if the system reboots without warning.

2. Configure the Reboot Notification Message for end users:

  • You can do nothing and use the default message.

  • You can set a custom message for reboot. Fill in the text box with the messaging of your choice. The message can be up to 125 characters for Windows or 70 characters in length for macOS.

Examples of default reboot notifications

If you allow users to defer reboots when reboot notifications are enabled, it’s worth noting how the reboot deferral options work (see Using Reboot Notifications). NOTE: If a user does not respond to a reboot notification in 15 minutes, the system will automatically reboot. You might consider adding this information to the reboot notification messaging when reboot deferral is enabled.

3. From Deferral Settings you can allow users to defer system reboots.

  • Deferral Enabled:
    - Click the Deferral Enabled checkbox to allow a user to defer a reboot.
    - Clear the checkbox to not allow a user to defer a reboot.

  • Hourly Deferral Options: You can set three or fewer deferral times for notifications, allowing end users to delay a reboot. By default, users are able to defer for 1, 4, or 8 hours. To set custom deferral times, fill in the three boxes for the first, second, and third deferral options, as needed. Leave a field blank to have fewer options. All numbers are represented in hours, only integers are accepted, and the maximum single deferral time is 24 hours.

  • Max Number of Deferrals: You can set a custom number of deferrals for notifications. When set, the end user is able to defer a reboot up to the provided number of deferrals. After the last possible deferral, the device reboots. To set the number of deferrals, fill in a number in the Max Number of Deferrals field. The default number of deferrals is 3. You can set as few as 1 deferral or as many as 10. Important: If a user misses the reboot notification or closes the reboot notification, their system is automatically restarted 15 minutes after the missed notification is sent. A user can choose to reboot immediately by clicking Reboot Now (Windows) or Options > Now (macOS).
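The install and reboot deferral settings above together bound how long a user can postpone a fully applied patch. The following is an added example, not Automox code: it checks a planned configuration against the limits stated on this page and computes that upper bound. The DeferralSettings record and both function names are hypothetical, and the bound assumes every deferral is taken at its longest option; install time and the 15-minute response windows are not counted.

```python
from dataclasses import dataclass

# Limits as stated on this page.
MAX_SINGLE_DEFERRAL_HOURS = 24
MIN_DEFERRALS, MAX_DEFERRALS = 1, 10
MESSAGE_LIMIT = {"windows": 125, "macos": 70}


@dataclass
class DeferralSettings:
    """Hypothetical record of one notification block (install or reboot)."""
    deferral_allowed: bool = True
    hourly_options: tuple = (1, 4, 8)   # page default
    max_deferrals: int = 3              # page default
    message: str = ""                   # empty: the default message is sent


def validate(settings, os_name):
    """Return the ways `settings` breaks the limits stated on the page."""
    problems = []
    if len(settings.hourly_options) > 3:
        problems.append("more than three hourly deferral options")
    for hours in settings.hourly_options:
        # Assumption: a deferral is at least 1 hour; the page gives only the maximum.
        if type(hours) is not int or not 1 <= hours <= MAX_SINGLE_DEFERRAL_HOURS:
            problems.append(f"deferral option {hours!r} is not an integer from 1 to 24")
    if not MIN_DEFERRALS <= settings.max_deferrals <= MAX_DEFERRALS:
        problems.append("max number of deferrals is outside 1 to 10")
    if len(settings.message) > MESSAGE_LIMIT[os_name]:
        problems.append(f"message exceeds {MESSAGE_LIMIT[os_name]} characters for {os_name}")
    return problems


def worst_case_delay_hours(install, reboot):
    """Upper bound on user-added delay: every deferral taken at its longest option."""
    total = 0
    for block in (install, reboot):
        if block.deferral_allowed and block.hourly_options:
            total += block.max_deferrals * max(block.hourly_options)
    return total


if __name__ == "__main__":
    defaults = DeferralSettings()
    print("defaults:", worst_case_delay_hours(defaults, defaults), "hours")
    loosest = DeferralSettings(hourly_options=(24,), max_deferrals=10)
    print("loosest allowed:", worst_case_delay_hours(loosest, loosest), "hours")
    print(validate(DeferralSettings(hourly_options=(1, 48), message="x" * 80), "macos"))
```
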

Setting a Patching Schedule

When you create a policy or worklet, you must set a schedule.

From the Schedule area of the Create Policy or Create Worklet page, you can click Select All to automatically preselect all months, weeks, and days.

You can then deselect any specific fields that do not apply to the schedule you want.

  • In the Scheduled Start Time field, set the time that the update should start.

  • Decide how you want the device to patch if a configured patch time is missed. By selecting the checkbox, the device will patch the next time it checks in.

Verify the settings in the calendar preview pane.

NOTE: Patching occurs at the selected time using the local timezone of the machine being patched.

Complete any other options according to the policy or worklet you are creating or editing and select Create Policy or Save Policy.
