Articulating expectations and understanding to reduce surprises.
What types of computer support does Chemistry IT provide, as it relates to patching?
| Support type | Summary | Notes | Details |
|---|---|---|---|
| Self-supported computer | A computer not set-up by Chemistry IT. | It cannot be on CUAD so it cannot be managed using Cornell's tools. | System's network will be through eduroam (CIT's wireless network), AccessNet (CIT's wired network), or RedNet (Chemistry's nonIT-managed network).
|
| IT-supported computer | A computer set-up and configured by Chemistry IT. | It's on CUAD. Thus, may or may not be IT-managed (below). | |
| IT-partially-managed computer | An IT-supported computer also partially managed using Cornell's management tools to the degree permitted by the Group to best meet their needs. | For systems which cannot be forced rebooted if multiple days of warnings are ignored. Group assumes more responsibility by having to restart system, with updates, manually. Group pledges to patch/ restart system once per month.
| Depending on Microsoft Windows Updates configuration, group member may also need to initiate, and see through completion, OS patching. Windows can be set to:
Note that reboots may be required to enable subsequent patches to download and install, which in turn may require more reboots. The longer one waits, the more reboots are likely required to fully patch the system. |
| IT-fully-managed computer | Default set-up. An IT-supported computer managed using Cornell's management tools, including Cornell-managed OS patching. | Only used for systems which can be forced rebooted. Forced rebooting only occurs if system is not rebooted by user after multiple days of warnings about once per month. |
Patching behavior
| Service name | Windows OS patched | Forced reboot? | When? | Common MS apps patched | Common non-MS apps patched |
|---|---|---|---|---|---|
| A&S Central Patching | Yes | Yes | Thursday, 4pm, once per month. This Thursday is following Tuesday patch deployment by A&S IT, which is the Tuesday a week after "MS Patch Tuesday", which itself is once per month (2nd Tuesday of the month?). Except when MS skips or retracts patches in time. | Yes. List? | Some. List? |
| Researchers' needs: | Yes | No | When research group can, hopefully sooner than later. | Yes. List? | (Same as above) |
What Oliver thinks he wants:
- OS patching and application patching via CU-based WUS, but no forced reboot.
- Need for systems which can't tolerate a forced reboot.
- Which also will likely be in 10-space so we'd want to use a CU-based WUS service, especially for patched apps not retrievable because not enable via CU's Proxy server.
- Application patching, but no OS patching. Possible? (Assumes applications will NEVER force-reboot a computer. True, right?)
Notes
- Auto-installation of application software does not imply that it will be subsequently patched.
- Patched application software may not have an installation option.
Q: What software is forced on an IT-supported computer?
A: Only one enabling application: CM Client.
Q: What software is forced on an IT-patched computer?
A: Only one more enabling application: Flexera CSI (Secunia)
KEY: No software is forced-installed (software that would be new to the computer) on Windows except the following, and only under specific circumstances:
| Software forced-installed | Circumstance | Notes |
|---|---|---|
| CM Client | Added when system added to CU AD | Non-issue, right? |
| Flexera CSI (Secunia) | Added when system added to (CIT?) Central Patching | If only gets installed if a system is added to CIT Central Patching, non-issue, right? |
| No other software is forced-installed! | Forced-installed software should not to be confused with patching, action taken on pre-installed software. |
Q: What OS or application software on an IT-supported computer gets patched by Cornell?
A: None, by default.
Windows by default is set to be patched by Microsoft directly. Some third-party software may similarly be auto-patched.
Q: What OS or application software on a IT-patched computer can get patched?
A: The OS gets patched, and may force-reboot after days of warnings. And also either a group of, or individual, application software gets patched, depending on configurations to enable specific needs (is that true? Or always just a group of application software?)
Q: What software on an IT-managed computer can be installed auto-magically?
A: Only application software for which a Cornell IT group has created a "package".
Cornell IT groups can "package" application software installs using either Group Policy (GP) or Configuration Manager (CM) technology.
Whether the application gets patched after installation is a different question.
Q: If I can't afford a computer to reboot unexpectedly, what are my options?
A: Ensure system is not being IT-patched. And instead regularly patch the computer by hand, including all required reboots, at acceptable times.
Patching schedule
CU's default
A&S IT's default
Chemestry research Option 1:
Chemestry research Option 1:
Why use CM patching for non-forced reboot?
NOT pre-download.
Yes: Points to CIT's patching. WUS server: MS and non-MS patching. Ex: Flash. 10-space for non-Proxied apps.
| (1A) CU AD | (1B) CM client | CIT Central Patching | A&S Central Patching | Chemistry Central Patching | A la carte patching (CM) | A la carte patching: (GP) | A la carte installs (CM) | A la carte installs (GP) | |
|---|---|---|---|---|---|---|---|---|---|
| What service gets you or does: | Gets you CM client automatically (forced install) | Enables all other CM services, and depends on CU AD. | Patching ONLY if application already on system. A bundle. On CIT's schedule. | Patching ONLY if application already on system. A bundle. On A&S IT's schedule. | Patching ONLY if application already on system. | Patching ONLY if application already on system. | |||
| STATUS | Need? | Not exist: Need? Possible? | |||||||
| Pros of service: | Usernames are NetID and NetID passwords. Enables all other Chemistry IT management tools, including CM-related ones. | Enables other things, by default is passive. | |||||||
| Cons of service: | Enforced password strength. | Reports some hardware (applications?) data to CIT's servers (viewable by?) | Forced reboots | Our schedule | |||||
| How used in Chemistry It uses in supporting Research: | All supported Windows able to get on AD get this. | Thus, supported Windows able to get on AD get this. | Java patching | Java intalls. |
Snap-shot of a la carte patching targets (applications to be patched)
| Application | Owner | Notes |
|---|---|---|
Snap-shot of a la carte installable applications
| Application | Owner | Notes |
|---|---|---|
| SCEP | Chemistry IT | If SEP or other anti-virus software already installed, uninstalls that software first. Created by Michael Hint, and shared with the AS IT Science cluster.
|
| Others? |