Articulating expectations and understanding to reduce surprises.
Top-level info
Glossary
- Self-supported computer: A computer not set-up by Chemistry IT. It cannot be on AD so it cannot be managed using Cornell's tools.
- IT-supported computer: A computer set-up and configured by Chemistry IT. It's on AD. May or may not be IT-managed.
- IT-partially-managed computer: An IT-supported computer also managed using Cornell's management tools, including Cornell-managed OS patching.
- For systems which cannot be forced rebooted.
- No forced rebooting, so Group member must invoke patching. If not once per month, must be documented as such.
- IT-fully-managed computer: Default standard. An IT-supported computer also managed using Cornell's management tools, including Cornell-managed OS patching.
- For systems which cannot be forced rebooted.
- No forced rebooting, so Group member must invoke patching.
- Group-patched computer: A IT-supported computer the group pledges to patch on a regular schedule, including required restarts.
Patching behavior
| Service name | Windows OS patched | Forced reboot? | When? | Common MS apps patched | Common non-MS apps patched |
|---|---|---|---|---|---|
| A&S Central Patching | Yes | Yes | Thursday, 4pm, once per month. This Thursday is following Tuesday patch deployment by A&S IT, which is the Tuesday a week after "MS Patch Tuesday", which itself is once per month (2nd Tuesday of the month?). Except when MS skips or retracts patches in time. | Yes. List? | Some. List? |
| Researchers' needs: | Yes | No | When research group can, hopefully sooner than later. | Yes. List? | (Same as above) |
What Oliver thinks he wants:
- OS patching and application patching, but no forced reboot.
- Need for systems which can't tolerate a forced reboot. Which also will likely be in 10-space so we'd want to use CU's WUS service.
- Application patching, but no OS patching. Possible? (Assumes applications will NEVER force-reboot a computer. True, though?)
Notes
- Auto-installation of application software does not imply that it will be subsequently patched.
- Patched application software may not have an installation option.
Q: What software is forced on an IT-supported computer?
A: Only one enabling application: CM Client.
Q: What software is forced on an IT-patched computer?
A: Only one more enabling application: Flexera CSI (Secunia)
KEY: No software is forced-installed (software that would be new to the computer) on Windows except the following, and only under specific circumstances:
| Software forced-installed | Circumstance | Notes |
|---|---|---|
| CM Client | Added when system added to CU AD | Non-issue, right? |
| Flexera CSI (Secunia) | Added when system added to (CIT?) Central Patching | If only gets installed if a system is added to CIT Central Patching, non-issue, right? |
| No other software is forced-installed! | Forced-installed software should not to be confused with patching, action taken on pre-installed software. |
Q: What OS or application software on an IT-supported computer gets patched by Cornell?
A: None, by default.
Windows by default is set to be patched by Microsoft directly. Some third-party software may similarly be auto-patched.
Q: What OS or application software on a IT-patched computer can get patched?
A: The OS gets patched, and may force-reboot after days of warnings. And also either a group of, or individual, application software gets patched, depending on configurations to enable specific needs (is that true? Or always just a group of application software?)
Q: What software on an IT-managed computer can be installed auto-magically?
A: Only application software for which a Cornell IT group has created a "package".
Cornell IT groups can "package" application software installs using either Group Policy (GP) or Configuration Manager (CM) technology.
Whether the application gets patched after installation is a different question.
Q: If I can't afford a computer to reboot unexpectedly, what are my options?
A: Ensure system is not being IT-patched. And instead regularly patch the computer by hand, including all required reboots, at acceptable times.
Patching schedule
CU's default
A&S IT's default
Chemestry research Option 1:
Chemestry research Option 1:
Why use CM patching for non-forced reboot?
NOT pre-download.
Yes: Points to CIT's patching. WUS server: MS and non-MS patching. Ex: Flash. 10-space for non-Proxied apps.
| (1A) CU AD | (1B) CM client | CIT Central Patching | A&S Central Patching | Chemistry Central Patching | A la carte patching (CM) | A la carte patching: (GP) | A la carte installs (CM) | A la carte installs (GP) | |
|---|---|---|---|---|---|---|---|---|---|
| What service gets you or does: | Gets you CM client automatically (forced install) | Enables all other CM services, and depends on CU AD. | Patching ONLY if application already on system. A bundle. On CIT's schedule. | Patching ONLY if application already on system. A bundle. On A&S IT's schedule. | Patching ONLY if application already on system. | Patching ONLY if application already on system. | |||
| STATUS | Need? | Not exist: Need? Possible? | |||||||
| Pros of service: | Usernames are NetID and NetID passwords. Enables all other Chemistry IT management tools, including CM-related ones. | Enables other things, by default is passive. | |||||||
| Cons of service: | Enforced password strength. | Reports some hardware (applications?) data to CIT's servers (viewable by?) | Forced reboots | Our schedule | |||||
| How used in Chemistry It uses in supporting Research: | All supported Windows able to get on AD get this. | Thus, supported Windows able to get on AD get this. | Java patching | Java intalls. |
Snap-shot of a la carte patching targets (applications to be patched)
| Application | Owner | Notes |
|---|---|---|
Snap-shot of a la carte installable applications
| Application | Owner | Notes |
|---|---|---|
| SCEP | Chemistry IT | If SEP or other anti-virus software already installed, uninstalls that software first. Created by Michael Hint, and shared with the AS IT Science cluster.
|
| Others? |