Migrating Patching functionality from Ivanti Endpoint Security to Ivanti Security Controls

Best Practise Guide

Ivanti | www.ivanti.com | 801.208.1500 | Customer Confidential

Contents

Best Practise Guide
Background
Feature comparison
1. Migration Overview
1.1. Install Ivanti Security Controls on new hardware
1.2. Configure Ivanti Security Controls with required settings
1.3. Disable Patch and Remediation module on pilot endpoints
1.4. Choose a mode of operation (agentless or agent based) and enable schedule
1.5. Use reporting to validate progress and success of rollout
1.6. Scale up rollout
1.7. Uninstall Ivanti Endpoint Security Agents
1.8. Decommission Ivanti Endpoint Security - Patch and Remediation servers
2. Planning the deployment
2.1. Platform sizing and architecture planning
2.2. Users and Role Assignment
2.3. Patch content lists
2.4. Machine Groups
2.5. Mandatory Baseline
2.6. Scheduled Jobs
2.7. Retiring legacy platform
2.8. Task checklist


Background

The consolidation of AppSense, HEAT Software, LANDesk, RES and Shavlik into Ivanti resulted in multiple patch, application control, device control, and anti-virus technologies across many products. Following functional analysis, discussions with customers, and executive review, the decision was made to create a new product called Ivanti Security Controls (ISeC) with the best technologies from the merger. The Ivanti Security Controls product is based on the Ivanti Patch for Windows® architecture, from which there is a direct upgrade path. This document describes the steps required to migrate the Scan and Patch functionality from Ivanti Endpoint Security - Patch and Remediation to Ivanti Security Controls.


FEATURE COMPARISON

Columns: IES-PR = Ivanti Endpoint Security - Patch and Remediation; ISeC = Ivanti Security Controls. The ** and **** markings are reproduced from the original comparison table.

Feature                                               IES-PR   ISeC

Scan / Discovery / Deployment
  Agentless mode                                        ✘       ✔
  Cloud agent available                                 ✘       ✔
  Custom deployment templates                           **      ****
  Auto snapshot VMs as part of patching                 ✘       ✔
  Stop SQL Server prior to installation                 ✘       ✔
  Custom actions (during deployment)                    **      ****
  Patch online and offline virtual machines             ✘       ✔
  Patch templates before they go online                 ✘       ✔
  Automated deployment of OS and third-party patches    **      ****
  Deployment fall-back options                          ✘       ✔
  Independently schedule scans vs deployment            ✘       ✔
  Pre-deployment reboot                                 **      ****
  Air gap patching                                      ✔       ✔
  Hours of Operation                                    ✔       ✘

Machine groups
  Manually populated groups                             ✔       ✔
  Active Directory domain name derived groups           ✔       ✔
  Active Directory OU derived groups                    ✔       ✔
  IP address range derived groups                       ✔       ✔
  Hypervisor based VM groups                            ✘       ✔

Patches
  View data about available patches                     ✔       ✔
  IAVA reporter available (US Government)               ✘       ✔
  Deploy 3rd party software in catalog                  **      ****
  Content subscription                                  ✘       ✔
  Predictive patch downloads                            ✘       ✔
  Mandatory Baseline                                    **      ****
  Pre-staging patch deployment                          ✘       ✔
  Custom application patches                            ✔       ✔

Security
  Role based access                                     ****    **
  Log in auditing                                       ✔       ✔

Reporting and Alerting
  Email status notifications                            **      ****
  Ability to roll up reporting data to cloud            ✘       ✔
  Patch and remediation reports                         ✔       ✔

Agent support
  Windows                                               ✔       ✔
  Mac                                                   ✔       ✔
  *nix                                                  ✔       ✔ *

Other
  Can suppress built-in updaters                        ✘       ✔
  CVE import                                            ✘       ✔
  Offers cloud management                               ✘       ✔
  API availability                                      ✔       ✔
  Xtraction connector available                         ✔       ✔

* See the *nix entry in the feature descriptions below for the supported variants.


Agentless mode
Ivanti Security Controls supports an agentless mode (for patching only). It leaves no footprint on the target machine and may be better suited to highly controlled or mission-critical servers. Note that agentless operation relies on the console holding credentials with administrative rights on every target it patches, so those credentials should be scoped and protected accordingly. Agent mode is also available; it optimises bandwidth consumption, has fewer firewall port requirements and supports more features within the product. Further details can be found in the knowledge article "Pros and Cons of Agent and Agentless Implementations".

Cloud agent available
Ivanti Security Controls can optionally be configured to sync its patch configuration with the cloud, so that managed endpoints anywhere with appropriate internet connectivity can continue to be patched.

Custom deployment templates
Ivanti Endpoint Security - Patch and Remediation supports custom templates (via the content wizard only). Ivanti Security Controls natively supports customisable deployment templates which allow granular control over pre- and post-deployment actions, notifications and repository locations. For further details refer to the product documentation.

Auto snapshot VMs as part of patching
Ivanti Security Controls can be configured to automatically take a hypervisor snapshot prior to patching a guest VM, and to delete the snapshot after a configurable duration, providing easy rollback in the event of a problem with a patch.

Stop SQL Server prior to installation
Ivanti Security Controls can automatically stop SQL Server services prior to installing patches (ideally done before a planned reboot).

Custom actions during deployment
Both Ivanti Endpoint Security - Patch and Remediation and Ivanti Security Controls can push custom files to the machines being patched and run customised commands during patch deployment. Ivanti Endpoint Security - Patch and Remediation requires the content wizard to facilitate this; Ivanti Security Controls has the workflow integrated within the product.

Proxy server support
Both Ivanti Endpoint Security - Patch and Remediation and Ivanti Security Controls support web proxy servers. In Ivanti Endpoint Security - Patch and Remediation, proxy servers are an intrinsic part of the scale-out strategy. Ivanti Security Controls scales instead through a combination of specification adjustments and topology scale-out. This is referenced in section 2 of this document; for full information refer to page 10 of the Ivanti Patch for Windows® Best Practises guide and the product documentation.

Patch online and offline virtual machines
Ivanti Security Controls has advanced VMware vCenter integration which allows it to patch both online and offline virtual machines and templates. For further information refer to the product documentation.

Patch templates before they go online
Ivanti Security Controls can patch VMware templates before they are brought online.

Automated deployment of OS and third-party patches
Ivanti Endpoint Security - Patch and Remediation has some limited ability to automate patching via the Mandatory Baseline feature. Ivanti Security Controls can automate the delivery of OS and third-party patches; its patching engine is more advanced and offers more granular control over each phase of the patching process.

Deployment fall-back options
Ivanti Security Controls can be configured with resiliency options so that patching can still occur when a distribution server is unavailable: it can target an alternate distribution server or go direct to the vendor for the required update.

Independently schedule scans vs deployment
Ivanti Security Controls provides granular control over the full scan and remediation cycle: the vulnerability scan, the staging (deployment) of patches and the execution of those patches can each be scheduled independently.

Pre-deployment reboot
Both Ivanti Endpoint Security - Patch and Remediation and Ivanti Security Controls can be configured to perform a reboot prior to patching to ensure the target machine is in a consistent state.

Air gap patching
Both Ivanti Endpoint Security - Patch and Remediation and Ivanti Security Controls can be used to patch devices within an 'air gapped' network which has no line of sight to either the Internet or the console server.

Hours of Operation
Ivanti Endpoint Security - Patch and Remediation supports an 'Hours of Operation' concept: a maintenance window start and end time can be set, between which operations may occur. Ivanti Security Controls has more granular control over the start times of the different phases of patching (which increases the chance of a job completing within a maintenance window), but does not currently provide a job end time at which activity in progress is stopped. Plan schedules accordingly: a deployment that starts late in the window will not be cut off when the window closes.

Manually populated groups
Like Ivanti Endpoint Security - Patch and Remediation, Ivanti Security Controls supports arbitrary groupings of machines. Groups can be populated by file import.

Active Directory domain name derived groups
Like Ivanti Endpoint Security - Patch and Remediation, Ivanti Security Controls can be targeted at an Active Directory domain name to encapsulate all of the endpoints that reside under it.

Active Directory OU derived groups
Like Ivanti Endpoint Security - Patch and Remediation, Ivanti Security Controls can be targeted at an Active Directory Organizational Unit (OU) to encapsulate all of the endpoints that reside under it.

IP address range derived groups
Both Ivanti Endpoint Security - Patch and Remediation and Ivanti Security Controls support the definition of groups based on IP address ranges.

Hypervisor based VM groups
Ivanti Security Controls allows a hypervisor to be targeted to encapsulate all of the VMs it hosts.

View data about available patches
Like Ivanti Endpoint Security - Patch and Remediation, Ivanti Security Controls provides a patch information page which allows browsing of the available patch content in the catalog.

IAVA reporter available (US Government)
When you purchase the Government Edition of Ivanti Security Controls you receive a license key that enables the Information Assurance Vulnerability Alert (IAVA) Reporter. The IAVA-specific files are installed automatically with Ivanti Security Controls.

Deploy free 3rd party software in catalog
Ivanti Security Controls can be used to deploy and install (not just patch) certain free 3rd party software titles from the catalog.

Content subscription
Unlike Ivanti Endpoint Security - Patch and Remediation, Ivanti Security Controls can download only the content that is applicable to the environment.

Predictive patch downloads
Ivanti Security Controls can optionally pre-emptively download content based on the last known scan results, which indicate the devices that may require a patch.

Mandatory Baseline
Like Ivanti Endpoint Security - Patch and Remediation, Ivanti Security Controls supports mandatory baselines. In Ivanti Endpoint Security - Patch and Remediation there is very little control over the deployment mechanism: a newly added endpoint immediately starts receiving updates, which is not always desirable, especially when large numbers of endpoints are involved. Ivanti Security Controls allows the baseline to be specified as either a patch list or one or more patch groups, and offers fine control over when deployment occurs via the scheduling options. Management of large patch lists is made easier by the group filter/sort constructs.

Pre-staging patch deployment
Unlike Ivanti Endpoint Security - Patch and Remediation, Ivanti Security Controls can download patches to endpoints ahead of execution to minimise the required patching window. This is especially useful where bandwidth is constrained.

Custom application patches
Both Ivanti Endpoint Security - Patch and Remediation and Ivanti Security Controls can distribute custom application patches not contained within the Ivanti catalog.

Do not patch lists
Ivanti Endpoint Security - Patch and Remediation offers 'do not patch' functionality, which disables deployment of a specific patch (e.g. as part of a patch approval workflow). Ivanti Security Controls does not have this feature; a similar result can be achieved with the exclusion list in the deployment template. Note that this setting is not global: it must be configured in every deployment template to achieve a global blacklist, and a template created later without the exclusion will deploy the patch.

Disable patches with reason code
As part of the Ivanti Endpoint Security - Patch and Remediation 'do not patch' functionality, disabled patches can carry a reason code. Ivanti Security Controls does not have this feature; comments can be added against patches instead.

Role based access
Ivanti Endpoint Security - Patch and Remediation supports 145 granular settings and custom groups. Ivanti Security Controls currently supports the following fixed roles: Administrator, Full User, Scan and Report Only, Deploy and Report Only, Report Only. For further details refer to section 2.2 below or the product documentation. Be aware of the following considerations when using multiple administrative accounts:
https://help.ivanti.com/sh/help/en_US/PWS/93/Topics/Potential_Issues_When_Using_Multiple_Admins.htm

Log in auditing
Both Ivanti Endpoint Security - Patch and Remediation and Ivanti Security Controls maintain a log of which users have logged in to the application. Ivanti Endpoint Security - Patch and Remediation logs are retrieved directly from the database. Ivanti Security Controls writes logs to disk when configured (separate log files per console user).

Email status notifications
Both Ivanti Endpoint Security - Patch and Remediation and Ivanti Security Controls support email status notifications. Ivanti Security Controls has granular control over recipients (e.g. notify another business unit that their servers have been patched).

Ability to roll up reporting data to the cloud
Ivanti Security Controls can optionally store reporting information centrally in the cloud so it can be accessed from outside the network.

Patch and remediation reports
Both Ivanti Endpoint Security - Patch and Remediation and Ivanti Security Controls provide vulnerability and remediation status reports for the environment. Ivanti Security Controls canned reports are as follows:

Windows
Both Ivanti Endpoint Security - Patch and Remediation and Ivanti Security Controls support the Windows operating system as a patching destination.

Mac
Ivanti Endpoint Security - Patch and Remediation supports Mac patching natively. Ivanti Security Controls offers Mac patching via Empower today, with integrated capabilities coming soon.

*nix
Ivanti Endpoint Security - Patch and Remediation supports patching *nix devices. Ivanti Security Controls support for *nix (along with installation considerations) is listed in the system requirements document, which will be updated as further *nix variants are supported:
https://help.ivanti.com/iv/help/en_US/isec/94/Topics/System_requirements.htm

CVE import
Ivanti Security Controls can import a list of CVEs from a file and report the patches in the Ivanti patch catalog that remediate those vulnerabilities. These can then be used in patch workflows, such as scheduling for deployment.

Can suppress built-in updaters
Ivanti Security Controls can suppress the built-in updaters of certain managed Windows 3rd party products.

API availability
Both Ivanti Endpoint Security - Patch and Remediation and Ivanti Security Controls offer APIs to facilitate integration and automation. The API in Ivanti Endpoint Security (EMSS) is a data-only API; the API in Ivanti Security Controls (ISeC) is RESTful, offering deeper automation and integration capabilities.

Xtraction connector available
Both Ivanti Endpoint Security - Patch and Remediation and Ivanti Security Controls have Xtraction connectors available for custom reports and dashboards.

1. Migration Overview
There is no automated method to switch between patch systems. Migration involves a methodical approach: install the new patch system, configure it to match the existing system as closely as possible, then move endpoints systematically from one system to the other with testing to ensure patch coverage is maintained throughout the process. Updates and improvements to your patch process can be made along the way to make the best use of the new system. The major steps to complete the migration are:

1.1. Install Ivanti Security Controls on new hardware
The first step is to install an Ivanti Security Controls console (server) on alternate hardware or virtual infrastructure, side by side with the existing Ivanti Endpoint Security server. This allows configuration, testing and validation to take place on a test group of endpoints before moving to the next stage. For more details and resources to assist with planning your deployment, refer to section 2 and the Ivanti Patch for Windows® best practises guide:

1.2. Configure Ivanti Security Controls with required settings
Once installed, the next step is to assess and migrate the desired configuration from Ivanti Endpoint Security - Patch and Remediation to Ivanti Security Controls. Refer to section 2.1.x for recommendations relating to this.

1.3. Disable Patch and Remediation module on pilot endpoints
The next recommended step is to disable the Ivanti Endpoint Security Patch and Remediation module on some test endpoints to facilitate testing with Ivanti Security Controls.

1.4. Choose a mode of operation (agentless or agent based) and enable schedule
From an Ivanti Security Controls perspective, you can then choose a mode of operation and configure scan jobs. Further information on choosing the best mode of operation (agentless, agent based or a hybrid of the two) is given in section 2.1.x.

1.5. Use reporting to validate progress and success of rollout
Once the schedule has been enabled, use the reporting functionality in Ivanti Security Controls to validate successful operation.

1.6. Scale up rollout
Once the configuration has been validated, the solution can be scaled out to production users.

1.7. Uninstall Ivanti Endpoint Security Agents
If the Patch module in Ivanti Endpoint Security - Patch and Remediation was the last product of the Ivanti Endpoint Security suite in use, the agents can now be removed from endpoints. There are multiple approaches to accomplish this; refer to section 2.7 for further details.

1.8. Decommission Ivanti Endpoint Security - Patch and Remediation servers
Once all agents have been uninstalled (or sooner if Ivanti Security Controls is used to remove the old agents), the last step is to decommission the legacy Ivanti Endpoint Security - Patch and Remediation servers once any product logging retention requirements have elapsed (or the logs have been archived).

2. Planning the deployment This section will outline the steps required to plan the deployment.

2.1. Platform sizing and architecture planning
Ivanti Security Controls has equivalent or better scalability to Ivanti Endpoint Security - Patch and Remediation. If you use a single console in Ivanti Endpoint Security - Patch and Remediation, a single console in Ivanti Security Controls should normally suffice. Bear in mind that if additional modules are enabled in Ivanti Security Controls, they may place additional demands on the server and reduce user density, potentially requiring additional servers to service the load.

As per the migration overview in section 1, we recommend starting the deployment on a representative sample of endpoints to ensure satisfactory behaviour before rolling out and completing the migration at a larger scale. The topology of the final rollout will depend on several environmental factors, e.g. number of sites, available connectivity/bandwidth, air-gapped network segments and the number of endpoints to support. In larger networks, Ivanti Security Controls may be deployed to test and staging networks for evaluation before being installed in production.

Running both products side by side on an endpoint may increase IO requirements. To avoid this overhead it is possible, and recommended, to disable the Patch and Remediation module on the target endpoints at the point of transition. For details on how to disable the module while leaving the rest of the agent functionality intact, refer to the "Disabling Modules on an Endpoint" section of
https://help.ivanti.com/ht/help/en_US/IES/85U1/xmlcontent/concept/concept_LEMSS_WorkingWithEndpointPage.html

For full details on hardware requirements, software prerequisites, firewall ports and topology/scale-out information, refer to the product documentation and the Ivanti Patch for Windows® best practises guide. The following supplementary knowledge articles relate to Ivanti Security Controls architecture and scale:
- Ivanti Patch for Windows® requirements guide
- Limitations When Using SQL Express Editions as Backend for Protect
- How To: Configure a UNC based Distribution Server

2.2. Users and Role Assignment
As part of configuring the new platform, you will need to migrate any application users from Ivanti Endpoint Security to Ivanti Security Controls. It may be desirable to perform this step first so that other admin users can assist with the configuration.

Ivanti Endpoint Security has four default roles, plus any custom roles:
- Administrator
- Operator
- Manager
- Guest
These have different access levels assigned through 145 different options.

Ivanti Security Controls takes a different approach to role-based access control. It currently supports the following roles:
- Administrator
- Full User
- Scan and report only
- Deploy and report only
- Report only
These roles are 'pre-canned': the access levels are predetermined and cannot currently be altered by the administrator. Because the roles cannot be tailored, map each custom Ivanti Endpoint Security role to the least-privileged fixed role that still covers the user's duties (for example Scan and report only or Report only for users who never deploy) rather than defaulting to Administrator or Full User. A further restriction is that service credentials cannot be shared between admins; each admin currently needs to create their own credentials.

Migration: There is no in-product method to migrate users between platforms. Ivanti Endpoint Security - Patch and Remediation does, however, provide an 'export' option and a clipboard-enable feature to allow copying of usernames. These can be pasted (one at a time) into the 'Select User and Role' dialogue in Ivanti Security Controls and an appropriate role selected (local users must already exist).


2.3. Patch content lists
Both Ivanti Endpoint Security - Patch and Remediation and Ivanti Security Controls support custom patch content lists. Ivanti Endpoint Security - Patch and Remediation calls these 'Custom patch lists'; in Ivanti Security Controls they are called 'Custom Patch groups'. Although Ivanti Endpoint Security - Patch and Remediation has an 'export' function and Ivanti Security Controls has an 'import' function, this mechanism cannot be used directly to migrate patch content lists between the products, because Ivanti Security Controls requires a 'KB' field which is not present in the Ivanti Endpoint Security - Patch and Remediation data. It is possible, however, to use the API to import via the CVE field. Refer to this knowledge article for a script which automates the import of a list:
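The CVE route above needs a clean list of CVE identifiers to hand to the Ivanti Security Controls CVE import. The following PowerShell script is an added example, not the knowledge article script or any Ivanti code: it reads an exported custom patch list, pulls every CVE identifier out of it regardless of which column holds it, writes them one per line, and reports the rows that carried no CVE at all, since those are the entries that will need matching to a KB or patch group by hand. The file layout of the export, the script name and the one-CVE-per-line output format are assumptions.

```powershell
<#
 Export-EmssCveList.ps1 (added example, not part of the Ivanti guide)
 Extract CVE identifiers from an Ivanti Endpoint Security - Patch and
 Remediation custom patch list export so the result can be fed to the
 Ivanti Security Controls CVE import. Assumptions: the export is a CSV
 that Import-Csv can read and the CVE IDs appear somewhere in each row
 (a dedicated column or embedded in a description). Column names are not
 assumed; every field of every row is scanned.
#>
param(
    [Parameter(Mandatory)] [string] $ExportCsv,   # exported custom patch list
    [Parameter(Mandatory)] [string] $OutFile      # one CVE per line, for the ISeC import
)

# CVE-YYYY-NNNN with four or more trailing digits (IDs issued since 2014 can be longer).
$cvePattern = [regex]'(?i)\bCVE-\d{4}-\d{4,}\b'

$rows = @(Import-Csv -Path $ExportCsv)
if ($rows.Count -eq 0) { throw "No rows found in $ExportCsv" }

$found     = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
$unmatched = [System.Collections.Generic.List[object]]::new()

foreach ($row in $rows) {
    $hit = $false
    foreach ($prop in $row.PSObject.Properties) {
        foreach ($m in $cvePattern.Matches([string]$prop.Value)) {
            [void]$found.Add($m.Value.ToUpperInvariant())   # normalise case, drop duplicates
            $hit = $true
        }
    }
    # Rows with no CVE (vendor advisories, custom patches) cannot be imported
    # this way and must be matched to a KB or patch group manually.
    if (-not $hit) { $unmatched.Add($row) }
}

if ($found.Count -gt 0) {
    # Sorted, one per line, ASCII so the importer sees no BOM or stray characters.
    $found | Sort-Object | Set-Content -Path $OutFile -Encoding Ascii
    Write-Host ("{0} unique CVE IDs from {1} rows written to {2}" -f $found.Count, $rows.Count, $OutFile)
} else {
    Write-Warning "No CVE identifiers found in $ExportCsv; nothing written."
}

if ($unmatched.Count -gt 0) {
    Write-Warning ("{0} rows carried no CVE ID and need manual handling:" -f $unmatched.Count)
    $unmatched | Format-Table -AutoSize | Out-String | Write-Warning
}
```

Run it as `.\Export-EmssCveList.ps1 -ExportCsv .\patchlist.csv -OutFile .\cves.txt` and review the warning output before importing: the unmatched rows are exactly the patches that would otherwise silently drop out of coverage during the migration.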

2.4. Machine Groups
Both Ivanti Endpoint Security - Patch and Remediation and Ivanti Security Controls support Active Directory, IP based and arbitrary (custom) groups. Condition based groups need to be recreated in Ivanti Security Controls with equivalent settings to facilitate discovery. If custom groups are being used in Ivanti Endpoint Security - Patch and Remediation, these can be imported into Ivanti Security Controls using the following workflow.

- Navigate to the desired group in Ivanti Endpoint Security - Patch and Remediation. Select Export and save as CSV.
- Open the CSV file in Excel or similar, select all the machine names in the relevant column and copy/paste them into a text document so that all endpoints are listed one per line. Save as a .txt file.
- In Ivanti Security Controls create a new machine group and, after naming it, select Import from file.
- Browse to the file you saved containing the machine names and import.
- Configure the group settings according to requirements.

Where there are a very large number of groups/endpoints, the Ivanti Security Controls API (PowerShell) can be used to add new machine groups; refer to the API help guide for further details.
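The copy/paste step above does not scale past a handful of groups, and a pasted list tends to carry blank lines, trailing spaces and duplicate entries that differ only in case. The following PowerShell script is an added example, not Ivanti code and not the API approach mentioned above: it converts a group export straight into the one-machine-per-line text files that "Import from file" reads, one file per group, de-duplicating names and reporting entries that do not look like a hostname instead of importing them. The column names 'Name' and 'Group' and the script name are assumptions about the export layout; both columns can be overridden.

```powershell
<#
 Convert-EmssGroupExport.ps1 (added example, not part of the Ivanti guide)
 Turn an Ivanti Endpoint Security - Patch and Remediation group export (CSV)
 into one-machine-per-line text files for the Ivanti Security Controls
 machine group "Import from file" option. Assumptions: the endpoint name is
 in a column called 'Name'; a 'Group' column may be present when several
 groups were exported together. Override both parameters to match your export.
#>
param(
    [Parameter(Mandatory)] [string] $ExportCsv,
    [Parameter(Mandatory)] [string] $OutDir,
    [string] $NameColumn  = 'Name',
    [string] $GroupColumn = 'Group'
)

$rows = @(Import-Csv -Path $ExportCsv)
if ($rows.Count -eq 0) { throw "No rows found in $ExportCsv" }

$columns = $rows[0].PSObject.Properties.Name
if ($columns -notcontains $NameColumn) {
    throw "Column '$NameColumn' not found. Columns present: $($columns -join ', ')"
}
$hasGroups = $columns -contains $GroupColumn
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Accept short names and FQDNs. Anything else (blank cells, embedded spaces,
# stray punctuation from the export) is reported rather than imported.
$validName = [regex]'^[A-Za-z0-9_]([A-Za-z0-9_\-]*[A-Za-z0-9_])?(\.[A-Za-z0-9_]([A-Za-z0-9_\-]*[A-Za-z0-9_])?)*$'

# One output file per group; a single file called All.txt when no group column exists.
$byGroup = $rows | Group-Object -Property { if ($hasGroups) { $_.$GroupColumn } else { 'All' } }
foreach ($g in $byGroup) {
    $seen    = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    $skipped = [System.Collections.Generic.List[string]]::new()
    foreach ($row in $g.Group) {
        $n = ([string]$row.$NameColumn).Trim()
        if (-not $validName.IsMatch($n)) { $skipped.Add($n); continue }
        [void]$seen.Add($n)      # case-insensitive de-duplication
    }
    $groupName = if ([string]::IsNullOrWhiteSpace($g.Name)) { 'Ungrouped' } else { $g.Name }
    # Derive a safe file name from the group name.
    $outFile = Join-Path $OutDir (($groupName -replace '[\\/:*?"<>|]', '_') + '.txt')
    $seen | Sort-Object | Set-Content -Path $outFile -Encoding Ascii
    Write-Host ("{0}: {1} machines written to {2}; {3} entries skipped" -f $groupName, $seen.Count, $outFile, $skipped.Count)
    if ($skipped.Count -gt 0) { Write-Warning ("{0}: skipped entries: {1}" -f $groupName, ($skipped -join ', ')) }
}
```

Run it as `.\Convert-EmssGroupExport.ps1 -ExportCsv .\groups.csv -OutDir .\isec-groups` and import each resulting file into the matching Ivanti Security Controls machine group. Compare the machine count printed for each group with the member count shown in Ivanti Endpoint Security before you enable any schedule against the new group, so that no endpoint silently falls out of patch coverage during the transition.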

2.5. Mandatory Baseline
Both Ivanti Endpoint Security - Patch and Remediation and Ivanti Security Controls support mandatory baselines. Ivanti Security Controls baselines are defined by specifying a .txt file containing the KB numbers of the required patches (one per line). They can also be defined using patch group(s) or imported via the API.

2.6. Scheduled Jobs
Job schedules will need to be created in Ivanti Security Controls to define the appropriate times per group to scan, deploy and execute. Following creation of the scan jobs, should any unexpected behaviour be seen, such as patches remaining stuck in a Scheduled or Executing status or machines failing to reboot after patching, ensure that AV exclusions are in place for the executables listed here:
https://community.shavlik.com/docs/DOC-24215

2.7. Retiring legacy platform
Once Ivanti Security Controls is fully deployed and operational, the next step is to remove the legacy Ivanti Endpoint Security agents. It is not necessary to uninstall the Patch module before uninstalling the agent from an endpoint. There are three methods of decommissioning the Ivanti Endpoint Security agents, which suit different environments. In summary:


Method 1: Uninstalling agents by Agent Management Job
https://help.ivanti.com/ht/help/en_US/IES/85U1/Update/Task/task_UninstallingAgentsbyAgentManagementJob.html
This method is useful when endpoints are generally online. The Ivanti Endpoint Security infrastructure must remain online during the removal process.

Method 2: Manual removal of agents (assumes agent hardening has been disabled)
Uninstall is performed via Add/Remove Programs. Refer to the following help page for details on viewing the agent uninstall password:
https://help.ivanti.com/ht/help/en_US/IES/85U1/Update/Task/task_ViewingtheAgentUninstallPassword.html
This method is useful for ad-hoc cleanup of agents where there is no connectivity back to the server. Treat the uninstall password as a secret: anyone holding it can remove the agent from any endpoint, so do not embed it in widely shared scripts or tickets.

Method 3: Via script, called from Ivanti Security Controls
Removing the agent through the new Ivanti Security Controls infrastructure ensures a reliable cleanup process and minimises the time both platforms must remain concurrently in commission. See the following community article for details on removal via script:
https://community.ivanti.com/docs/DOC-68093

2.8. Task checklist
The following checklist summarises the actions contained within this document (milestone: key activity).

- License obtained: Ensure you have received a license for Ivanti Patch for Windows®
- Deploy Ivanti Security Controls: Deploy to alternate hardware
- Test deployment on a small number of endpoints: Create a test configuration to deploy to a small, representative sample of endpoints
- Recreate users and roles: Create the required operator/administrator accounts
- Recreate patch content lists: Recreate any required patch content lists
- Migrate machine groups: Recreate / migrate machine groups as required
- Create mandatory baseline: If required, configure mandatory baseline(s)
- Recreate scheduled jobs: Recreate scheduled jobs as required
- Disable the Ivanti Endpoint Security - Patch and Remediation module on endpoints: Disable the module and continue to monitor
- Uninstall Ivanti Endpoint Security agents: Remove Ivanti Endpoint Security agents from endpoints
- Decommission Ivanti Endpoint Security servers: Decommission the Ivanti Endpoint Security servers