Excerpt
Articulating expectations and understanding to reduce surprises.

Top-level info

Glossary

...

Self-supported computer: A computer not set-up by Chemistry IT. It

...

cannot be on AD so it cannot be managed

...

using Cornell's tools.

...

IT-supported computer: A computer set-up and configured by Chemistry IT. It's on AD. May or may not be IT-managed.
IT-patched-forced-reboot computer: An IT-supported computer also managed using Cornell's management tools, including Cornell-managed OS patching.
- System may be forced rebooted.
IT-patched-not-forced-reboot computer: An IT-supported computer also managed using Cornell's management tools, including Cornell-managed OS patching.
- For systems which cannot be forced rebooted.
- No forced rebooting, so Group member must invoke patching.
Group-patched computer: A

...

IT-supported computer the group pledges to patch on a regular schedule, including required restarts.
- For systems which cannot be forced rebooted.
- No forced rebooting, so Group member must invoke patching.

Patching behavior

Service name

Windows OS patched

Forced reboot?

When?

Common MS apps patched

Common non-MS apps patched

A&S Central Patching

Yes

Thursday, 4pm, once per month.

This Thursday is following Tuesday patch deployment by A&S IT, which is the Tuesday a week after "MS Patch Tuesday", which itself is once per month (2nd Tuesday of the month?). Except when MS skips or retracts patches in time.

Yes. List?

Some. List?

Researchers' needs:

Yes

No

When research group can, hopefully sooner than later.

Yes. List?

(Same as above)

What Oliver thinks he wants:

OS patching and application patching, but no forced reboot.
- Need for systems which can't tolerate a forced reboot. Which also will likely be in 10-space so we'd want to use CU's WUS service.
Application patching, but no OS patching. Possible? (Assumes applications will NEVER force-reboot a computer. True, though?)

Notes

Auto-installation of application software does not imply that it will be subsequently patched.
Patched application software may not have an installation option.

Q: What software is forced on

...

an IT-supported computer?

A: Only one enabling application: CM Client.

Q: What software is forced on

...

an IT-patched computer?

A: Only one more enabling application: Flexera CSI (Secunia)

...

Software forced-installed	Circumstance	Notes
CM Client	Added when system added to CU AD	Non-issue, right?
Flexera CSI (Secunia)	Added when system added to (CIT?) Central Patching	If only gets installed if a system is added to CIT Central Patching, non-issue, right?
No other software is forced-installed!		Forced-installed software should not to be confused with patching, action taken on pre-installed software.

Q: What OS or application software on

...

an IT-supported computer gets patched by Cornell?

A: None, by default.

Windows by default is set to be patched by Microsoft directly. Some third-party software may similarly be auto-patched.

Q: What OS or application software on a IT-patched computer can get patched

...

?

A:

...

The OS gets patched, and may force-reboot after days of warnings. And also either a group of

...

, or individual, application software gets patched, depending on configurations to enable specific needs

...

(is that true? Or always just a group of application software?)

Q: What software on

...

an IT-managed computer can be installed auto-magically?

A: Only application software for which a Cornell IT group has created a "package".

Q: If software is installed

Either software for which either a Cornell IT groups can "package" application software installs using either Group Policy (GP) or Managed Desktop Configuration Manager (MD)CM) technology.

Whether the application gets patched after installation is a different question.

Q: If I can't afford a computer to reboot unexpectedly, what are my options?

A: Ensure system is not being IT-patched. And instead regularly patch the computer by hand, including all required reboots, at acceptable times.

Patching schedule

CU's default

A&S IT's default

Chemestry research Option 1:

Why use CM patching for non-forced reboot?

NOT pre-download.

Yes: Points to CIT's patching. WUS server: MS and non-MS patching. Ex: Flash. 10-space for non-Proxied apps.

	(1A) CU AD	(1B) CM client	CIT Central Patching	A&S Central Patching	Chemistry Central Patching	A la carte patching (CM)	A la carte patching: (GP)	A la carte installs (GP)
What service gets you or does:	Gets you CM client automatically (forced install)	Enables all other CM services, and depends on CU AD.	Patching ONLY if application already on system. A bundle. On CIT's schedule.	Patching ONLY if application already on system. A bundle. On A&S IT's schedule.	Patching ONLY if application already on system.	Patching ONLY if application already on system.
STATUS					Need?	Not exist: Need? Possible?
Pros of service:	Usernames are NetID and NetID passwords. Enables all other Chemistry IT management tools, including CM-related ones.	Enables other things, by default is passive.
Cons of service:	Enforced password strength.	Reports some hardware (applications?) data to CIT's servers (viewable by?)		Forced reboots	Our schedule
How used in Chemistry It uses in supporting Research:	All supported Windows able to get on AD get this.	Thus, supported Windows able to get on AD get this.					Java patching	Java intalls.

Patching schedule

CU's default

A&S IT's default

Chemestry research Option 1:

Why use CM patching for non-forced reboot?

NOT pre-download.

...

.

...

Snap-shot of a la carte patching targets

...

(applications to be patched)

Application	Owner	Notes

Snap-shot of a la carte installable applications

...

Application Owner Notes
SCEP Chemistry IT
If SEP or other anti-virus software already installed, uninstalls that software first.
Created by Michael Hint, and shared with the AS IT Science cluster.
Why not made available to anyone at A&S?
Why not made available to anyone at Cornell?
Others?

Space shortcuts

Child pages

Versions Compared

Old Version 6

New Version 7

Key

Table of Contents

Top-level info

Glossary

What Oliver thinks he wants:

Notes

Q: What software is forced on

an IT-supported computer?

A: Only one enabling application: CM Client.

Q: What software is forced on

an IT-patched computer?

A: Only one more enabling application: Flexera CSI (Secunia)

Q: What OS or application software on

an IT-supported computer gets patched by Cornell?

A: None, by default.

Q: What OS or application software on a IT-patched computer can get patched

?

A:

The OS gets patched, and may force-reboot after days of warnings. And also either a group of

, or individual, application software gets patched, depending on configurations to enable specific needs

(is that true? Or always just a group of application software?)

Q: What software on

an IT-managed computer can be installed auto-magically?

A: Only application software for which a Cornell IT group has created a "package".

Q: If I can't afford a computer to reboot unexpectedly, what are my options?

A: Ensure system is not being IT-patched. And instead regularly patch the computer by hand, including all required reboots, at acceptable times.

Snap-shot of a la carte patching targets

(applications to be patched)

Snap-shot of a la carte installable applications

Application Owner Notes
SCEP Chemistry IT
If SEP or other anti-virus software already installed, uninstalls that software first.
Created by Michael Hint, and shared with the AS IT Science cluster.
Why not made available to anyone at A&S?
Why not made available to anyone at Cornell?
Others?

Space shortcuts

Child pages

Page History

Versions Compared

Old Version 6

New Version 7

Key

Table of Contents

Top-level info

Glossary

What Oliver thinks he wants:

Notes

Q: What software is forced on

an IT-supported computer?

A: Only one enabling application: CM Client.

Q: What software is forced on

an IT-patched computer?

A: Only one more enabling application: Flexera CSI (Secunia)

Q: What OS or application software on

an IT-supported computer gets patched by Cornell?

A: None, by default.

Q: What OS or application software on a IT-patched computer can get patched

?

A:

The OS gets patched, and may force-reboot after days of warnings. And also either a group of

, or individual, application software gets patched, depending on configurations to enable specific needs

(is that true? Or always just a group of application software?)

Q: What software on

an IT-managed computer can be installed auto-magically?

A: Only application software for which a Cornell IT group has created a "package".

Q: If I can't afford a computer to reboot unexpectedly, what are my options?

A: Ensure system is not being IT-patched. And instead regularly patch the computer by hand, including all required reboots, at acceptable times.

Snap-shot of a la carte patching targets

(applications to be patched)

Snap-shot of a la carte installable applications

ApplicationOwnerNotesSCEPChemistry ITIf SEP or other anti-virus software already installed, uninstalls that software first.Created by Michael Hint, and shared with the AS IT Science cluster.Why not made available to anyone at A&S?Why not made available to anyone at Cornell?Others?

Application Owner Notes
SCEP Chemistry IT
If SEP or other anti-virus software already installed, uninstalls that software first.
Created by Michael Hint, and shared with the AS IT Science cluster.
Why not made available to anyone at A&S?
Why not made available to anyone at Cornell?
Others?