Managing Policies

You can create patch, software, and custom configuration policies (Worklets) that are enforced regardless of geographic location.

Viewing Policies

You can view a list of all policies in your organization from the System Management page.

  • Use the Filter Policies field to search for a specific policy.

  • Click the Unused Policies tile to toggle between all policies and the policies that are not assigned to any devices.

Creating a Policy

You can create new patch policies from the System Management page. Click Create Policy in the upper-right corner to create different types of policies, which are described here.

Patch Policies: These patch some or all of the software that Automox natively supports. The following categories of patching are available: Patch All, Patch All Except, Patch Only, Manually Approve, By Severity, and Advanced Policy.

Required Software Policy: You can install and patch software packages that do not have native support from Automox.

Worklets: Worklets can perform any scriptable action on devices, including disabling a vulnerable process, managing native OS controls, mass rollback of patches, removing unwanted applications, and many other system configurations.

These different types of patch policies are described in the following sections:

Creating a Patch Policy

To create a Patch policy, follow these steps for each type of patch:

  1. From the System Management page, click the Create Policy button.

  2. From the Create Policy page, click the type of policy you want to create. The options are:

    • Patch All

    • Patch All Except

    • Patch Only

    • Manually Approve

    • By Severity

    • Advanced Policy

  3. In the Policy Info area, configure the following:

    • In the Name field, enter a name for the policy.

    • In the Notes field, enter any notes if required.

    • Toggle the Policy Status to On or Off. This will enable or disable patching. If you want to pause patching, select Off.

    • Toggle the Automatic Reboot switch. Automatic Reboot restarts the machine if a reboot is required to complete patching. Select No if you do not want the device to reboot after patching.

  4. The Policy Scope area will differ for each policy type.

    • Patch All: This policy will be applied to all supported software. This includes all operating system patches and supported third-party software.

    • Patch All Except: For this type of policy, you can select all packages that you do not want patched. Use the search and filter options to find these packages. Select the checkbox next to each package that you want to exclude from the patch. Your selections will appear on the right.

    • Patch Only: For this type of policy, you can select all packages that you want patched. Use the search and filter options to find these packages. Select the checkbox next to each package that you want to include in the patch. Your selections will appear on the right.

    • Manually Approve: For this type of patch, the scope area remains empty until it is associated with a device or group of devices.

    • By Severity: For this type of patch, you can select the severity level you want to have included in the patch update: Low, Medium, High, Critical, and Unknown. You can select multiple severities. The severity levels are defined by the CVE score.

    • Advanced Policy: This type of policy allows you to create custom patching configurations. Choose conditions that match the desired compliance requirement for the device. See Using the Advanced Patch Policy.

  5. For Schedule, set the patching schedule that will run on the device. The Schedule Preview provides a calendar view of the patching schedule. See Setting a Patching Schedule.

  6. (Optional) Select the Notifications checkbox to notify users about a pending patch update. The Policy Status must be On.

  7. (Optional) To assign this policy to a group, in the Assigned Groups area click the plus icon and select the desired group(s). Click Assign Groups. NOTE: The policy must be created before assigning a group.

  8. Click Create Policy.

NOTE: Set the Policy Status to On to ensure that patches are scheduled.

Creating a Required Software Policy

You can create a policy that allows you to automate your third-party software patching.

  1. From the System Management page, click Create Policy.

  2. From the Required Software Policy section, click the OS for the software policy you want to create.

  3. In the Policy Info area, configure the following:

    • In the Name field, enter a name for the policy. This field is required.

    • In the Notes field, enter any notes, if required.

  4. Complete the Identify Package section before uploading the installation file. To do this, enter the required package name and version information as it will appear on the endpoint. This makes it easier to determine if remediation is necessary on the assigned endpoint.

  5. Click Upload File to upload the installation file for the software update.

  6. Use the Installation Command field to create a script for the software installation. This is required if a script is not found on the device.

  7. In the Schedule area, set the patching schedule that will run on the device. The Schedule Preview provides a calendar view of the patching schedule. See Setting a Patching Schedule.

  8. (Optional) Assign this policy to a group by selecting the plus in the upper right of the page and selecting the desired group(s).

    NOTE: The policy must be created before assigning a group.

  9. Click Create Policy.

Creating a Worklet

Use the Automox Worklet™ option to perform any scriptable action on devices, including disabling a vulnerable process, managing native OS controls, mass rollback of patches, removing unwanted applications, and many other system configurations.

To create a worklet, follow these steps:

  1. From the System Management page, click Create Policy.

  2. From the Worklet section, click the OS for the custom policy you are creating.

  3. In the Policy Info area, configure the following:

    • In the Name field, enter a name for the worklet. The field is required.

    • In the Notes field, enter any notes, if required.

  4. In the Evaluation Code area, enter a script for the worklet you are creating. You can also select from the pre-packaged worklets on the right. To use a pre-packaged worklet, click its name. It will automatically populate the field.

  5. In the Remediation Code area, enter remediation logic to execute when the evaluation code above returns non-compliance. If a pre-packaged worklet was selected in the previous step, this field is automatically populated.

  6. If relevant, you can also upload a software installation file for your worklet.

  7. In the Schedule area, set the patching schedule that will run on the device. The Schedule Preview provides a calendar view of the patching schedule. See Setting a Patching Schedule.

  8. (Optional) Assign this policy to a group by selecting the plus in the upper right of the page and selecting the desired group(s).

    NOTE: The worklet must be created before assigning a group.

  9. Click Create Worklet.
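
The following is an added example, not Automox's own code, of an evaluation/remediation pair of the kind entered in steps 4 and 5 for a Linux worklet that manages a native OS control. It assumes that an exit status of 0 from the evaluation code means compliant and non-zero means non-compliant; the sshd setting, the CONFIG variable, and the function names are illustrative choices.

```shell
#!/bin/sh
# Added example: evaluation/remediation pair for a Linux worklet.
# Assumption: exit status 0 = compliant, non-zero = non-compliant.
# CONFIG can be overridden so the pair can be dry-run on a copy first.
CONFIG="${CONFIG:-/etc/ssh/sshd_config}"

# Evaluation code: succeeds only when the first active PermitRootLogin
# line is "no". sshd uses the first occurrence of a keyword; commented
# lines never match because their first field starts with "#".
# Include files and Match blocks are not inspected here.
evaluate() {
    value=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$CONFIG")
    [ "$value" = "no" ]
}

# Remediation code: runs only after evaluate reports non-compliance.
# Keeps a backup, removes every active PermitRootLogin line, and puts
# the hardened setting first so that it is the occurrence sshd honours.
remediate() {
    cp -p "$CONFIG" "$CONFIG.bak" || return 1
    tmp=$(mktemp "$CONFIG.XXXXXX") || return 1
    {
        echo "PermitRootLogin no"
        awk 'tolower($1) != "permitrootlogin"' "$CONFIG"
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write through the existing file to keep its owner and mode.
    cat "$tmp" > "$CONFIG" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    # Re-check so a failed edit is reported as a failed remediation.
    evaluate
}

# Each function body maps to one field of the worklet form. For local
# testing, run: CONFIG=./copy_of_sshd_config sh worklet.sh evaluate
case "${1:-}" in
    evaluate)  evaluate;  exit $? ;;
    remediate) remediate; exit $? ;;
esac
```

The running sshd service only picks up the new setting after it is reloaded, so test the pair on a copy of the file before assigning the worklet to a group.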

Disabling a Worklet

To disable a worklet, follow these steps:

  1. From the System Management page, click the worklet you want to disable.

  2. Click Unassign for any groups that are assigned to the worklet.

  3. Click Save Changes.

  4. Repeat for each worklet that concerns any of the beta applications listed.

Setting a Patching Schedule

When you create a policy or worklet, you must set a schedule. There are two ways to set a schedule:

1. From the Schedule area of the Create Policy page, you can click Select All to automatically preselect all months, weeks, and days.

  • You can then deselect any specific fields that do not apply to the schedule you want.

  • In the Choose Patch Window field, set the time that the update should start.

2. You can also incrementally set the schedule. When the Select All checkbox is not selected, choose the individual months, weeks, days, and time when you want patching updates to run on the device(s). (Blue indicates the selection.)

  • From Select Months, click the months.

  • From Select Weeks, click the weeks.

  • From Select Days, click the days.

  • In the Choose Patch Window field, set the time that the update should start.

Verify the settings in the Schedule Preview pane.

NOTE: Patching occurs at the selected time using the local timezone of the machine being patched.

3. Complete any other options according to the policy or worklet you are creating or editing and select Create Policy or Save Policy.

Related Topics: See our Community discussions around worklets.