Automatic Approval Rules
Automatic patch approvals ensure that typical system patches or system-critical patches are downloaded and installed as soon as they become available, without waiting for review.
There may be patches that you and your customers always want to schedule for download and installation once they have been detected. For example, one customer may be confident that all Microsoft patches except device drivers and tools can be installed automatically on their laptops and workstations, rather than waiting for you to verify and approve them manually. Another customer may be more cautious and may want only Microsoft Critical and Security Update patches installed automatically, preferring to wait for other patches to be manually approved.
After adding automatic approval for patches to rules, patching can take place without further input from you, or waiting for your review. For information on the approval types definitions, see Approval Definitions.
Automatic approvals do not overwrite existing approvals by default; they apply only to patches that have no current approval, that is, patches that show "No Approval". You can force an override of existing approvals:
- Click Configuration > Patch Management.
- Click Automatic Approvals.
- Click the check box for the rule, click Run Rule Now, then click Clear and Re-evaluate.
This will clear any existing approvals and replace those approvals with the rule you are running.
Note that once you approve a patch, the approval is processed as a background task that may take some time to complete, depending on a number of factors. Because of this, the N-able N-central screen may not immediately reflect your selection.
If Microsoft re-issues a patch, Patch Manager retains the patch's existing approval status, so the approval you defined remains and you do not have to re-select and reset it.
To create automatic approvals, ensure that at a minimum the following role permissions are applied:
- Patch: Patch Approval and Patch Configuration
- Monitoring: Filters and Rules
Targeting
When creating automatic approval rules, you are able to target specific devices on which to apply these automatic approvals. Under the Targets tab, you can select collections of filtered devices (called rules). You can create these by adding a new rule.
Client/site-level actions cannot be targeted.
When automatic approval rules have exactly the same targets, they form a hierarchy and only one approval is generated, based on hierarchy and rule order.
Install Patches Immediately
You also have the option to use the Install patches immediately feature. This feature will immediately install or remove a patch outside of your scheduled maintenance window, without additional warning to the user. If a software patch is Approved for Install, it will be installed immediately, or if a software patch is Approved for Removal, it will be removed immediately. The Patch Installation Schedule configured for the selected devices will be ignored if this option is selected.
Reorder Automatic Approval Rules
Re-arranging the automatic approval rules defines which rules take precedence. Drag and drop the rules into the desired order on the Automatic Approval Rules screen. After re-ordering, the Automatic Approval Rules can be re-run, which in turn modifies the approvals for patches rolled out to your customer devices (and groups of devices). A phased roll-out of patches can be achieved by modifying automatic approval rules over time and setting them up with delays.
Re-arranging automatic approval rules enables you to:
- see what you have configured that affects devices on multiple levels at the same time,
- review and make rules more efficient by reducing the number of automated approval rules to configure,
- minimize the number of automatic approval rules and ensure they run in the desired order. For example, you can ensure that a specific declined rule (decline Java 8 updates) can be placed before a general approve rule (approve all patches, which does include Java). This way, the decline rule runs before the approve all rule, preventing the Java update.
- Click Configuration > Patch Management.
- Click Automatic Approvals.
- Click and drag the rules to the desired order. Rules that are created at higher levels are not moveable. For example, at the Customer level you cannot move an SO-level rule. You can, however, move a Customer-level rule from the SO level.
- Click Save.
Hold the Shift or Control key to select and move multiple rules at the same time, provided they belong to the same customer or site. If you select two rules for different customers, they will not be moveable.
N-able N-central executes the auto approvals in the configured order. The Run Rule Now feature also respects the rule ordering. For more information, see the help topic Automatic patch approvals.
Ordering
Users can order their auto-approval rules via a simple drag-and-drop mechanism; the order is persisted after clicking the SAVE button at the bottom of the page.
There are some constraints:
- You can only order items on your current level or any level below (you cannot move SO-level rules if you are on the customer-level view).
- You can only move items within the same customer level (you cannot place an SO-level rule between customer-level rules, or a rule from one customer between rules from another).
- You can move more than one item at once if none of the previous constraints are violated.
- Rules from lower customer levels are always displayed first (site-level rules are at the top of the table, customer-level rules are below site rules, SO-level rules are below customer ones, and system-level rules are below those on SO).
- Any resulting approvals also have precedence rules. Read more about Hierarchy & Rule Order.
Execution
We have 3 ways of executing Auto-approval Rules:
- Run Rule Now (Clear and Re-evaluate): Rules are executed from bottom to top and each executed rule can overwrite the results of the rule executed before it.
- Run Rule Now (Preserve Settings): Rules are executed from top to bottom and results created by one rule are not overwritten by the next executed rule.
- Automatic execution (when new patches are reported to N-central): Same behavior as Run Rule Now (Preserve Settings).
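The following simulation of the three execution modes is an added example and is not N-able N-central's own code. The `Rule` and `Patch` classes, the `matches` predicate, the rule names and the patch titles are constructed for the illustration; only the ordering semantics (bottom-to-top with overwrite, top-to-bottom without, and automatic execution behaving like Preserve Settings) come from the text above. It replays the "decline Java 8 updates" before "approve all patches" example from the reorder section in each mode, and also shows what happens to a pre-existing manual approval in each mode.

```python
"""Simulation of the three ways auto-approval rules execute.

Added illustration, not N-able N-central's own code: the Rule/Patch classes,
the `matches` predicate, the rule names and the patch titles are constructed
for the example. Only the ordering semantics come from the documentation.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

NO_APPROVAL = "No Approval"  # the only state an automatic approval fills by default


@dataclass
class Rule:
    name: str
    status: str                      # e.g. "Declined" or "Approved for Install"
    matches: Callable[[str], bool]   # which patch titles the rule covers


@dataclass
class Patch:
    title: str
    approval: str = NO_APPROVAL
    approved_by: str = ""            # rule name, or "manual" for a technician's approval


def run_clear_and_reevaluate(rules: List[Rule], patches: List[Patch]) -> None:
    """Run Rule Now (Clear and Re-evaluate): wipe existing approvals, then run
    the rules bottom-to-top so each rule overwrites the one run before it.
    The rule at the top of the list therefore has the final word."""
    for p in patches:
        p.approval, p.approved_by = NO_APPROVAL, ""
    for rule in reversed(rules):          # rules[0] is the top of the UI list
        for p in patches:
            if rule.matches(p.title):
                p.approval, p.approved_by = rule.status, rule.name


def run_preserve_settings(rules: List[Rule], patches: List[Patch]) -> None:
    """Run Rule Now (Preserve Settings), which is also what automatic execution
    does when new patches are reported: run top-to-bottom and only touch
    patches still showing "No Approval", so earlier results and manual
    approvals survive."""
    for rule in rules:
        for p in patches:
            if p.approval == NO_APPROVAL and rule.matches(p.title):
                p.approval, p.approved_by = rule.status, rule.name


def simulate(mode: str, decline_first: bool, manual_override: bool = False) -> Dict[str, str]:
    """Run the Java example from the reorder section in one execution mode.

    decline_first places "decline Java 8 updates" above "approve all patches".
    manual_override pre-sets a technician's approval on the Java patch.
    Returns {patch title: "<approved by>: <status>"}.
    """
    decline_java = Rule("decline Java 8 updates", "Declined", lambda t: "Java 8" in t)
    approve_all = Rule("approve all patches", "Approved for Install", lambda t: True)
    rules = [decline_java, approve_all] if decline_first else [approve_all, decline_java]

    # Constructed patch titles, not real update names.
    patches = [Patch("Java 8 Update (constructed)"),
               Patch("Windows Security Update (constructed)")]
    if manual_override:
        patches[0].approval, patches[0].approved_by = "Approved for Install", "manual"

    if mode == "clear":
        run_clear_and_reevaluate(rules, patches)
    elif mode == "preserve":
        run_preserve_settings(rules, patches)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return {p.title: f"{p.approved_by}: {p.approval}" for p in patches}


if __name__ == "__main__":
    for mode in ("preserve", "clear"):
        for decline_first in (True, False):
            print(mode, "decline-first" if decline_first else "approve-first",
                  simulate(mode, decline_first))
    print("preserve + manual approval:", simulate("preserve", True, manual_override=True))
    print("clear + manual approval:   ", simulate("clear", True, manual_override=True))
```

Both modes give the top rule the last word, so the Java update is declined only when the decline rule sits above the approve-all rule. The modes differ on pre-existing approvals: Preserve Settings (and automatic execution) leaves a technician's manual approval untouched, while Clear and Re-evaluate discards it and lets the rules decide again.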
Hierarchy & rule order
Patch approvals ensure that the patches a device is looking for or wants to download are legitimate and will not cause any issues or conflicts. Conflicts can occur when a device belongs to multiple patching rules. When conflicting patch approval statuses are applied to a device, from either a rule or a device-level approval, precedence is given according to the strict approval hierarchies outlined in the tables below. It is best to have each device covered by only one rule.
Level Order | Level |
---|---|
1 | Device |
2 | Site |
3 | Customer |
4 | Service Organization |

Status Order | Status |
---|---|
1 | Declined |
2 | Approved for Install |
3 | Approved for Removal |
4 | Not Approved |
5 | No Approval |
Example of an Automatic Approval flow
The following walks through what happens when new patches go through the automatic approval rules flow.
Step 1
New patches enter the system:
- Patch KB 5017500
- Patch KB 5017501
- Patch KB 5017502
- Patch KB 5017503
Step 2
The system searches through the list of rules, identifies which rules (highlighted in green below) have targets that are affected by these patches and generates approvals accordingly.
Site-level Rules | Customer-level Rules | SO-level Rules | System-level Rules |
---|---|---|---|
rule m | rule y | rule a | rule k |
rule b | rule d | rule f | rule i |
rule t | rule j | | |
rule x | rule n | | |
rule s | | | |
The rules in the columns above are ordered based on priority. Priority can be changed by clicking-and-dragging the rule order. See Reorder Automatic Approval Rules.
Step 3
The system then orders rules based on priority and level.
Level | Rules |
---|---|
Site-level rules | rule m, rule t |
Customer-level rules | rule y |
SO-level rules | rule f |
System-level rules | rule j |
Step 4
The system then determines which setting to apply to each patch based on the rules. Approved or declined statuses are preserved as the system checks the rules from site level (in order of priority) to system level. If there are multiple rules at a level (rule m and rule t in the example below), they are ordered by status priority. See Hierarchy & Rule Order.
Patch # | rule m (Site) | rule t (Site) | rule y (Customer) | rule f (SO) | rule j (System) | Final Setting |
---|---|---|---|---|---|---|
KB 5017500 | declined | approved for install | declined | approved for removal | not approved | rule m: declined |
KB 5017501 | not approved | approved for install | declined | | | rule t: not approved |
KB 5017502 | declined | approved for install | | | | rule y: declined |
KB 5017503 | approved for install | approved for install | approved for removal | approved for install | | rule m: approved for install |
Example Scenarios
These example scenarios lay out the differences in automatic approval rules that have the same target versus ones that don't.
Scenario 1
In this scenario, the two automatic approval rules have the exact same targets.
Rule | Approval | Target |
---|---|---|
# 1 | Approve all upgrades: Approves everything in the upgrades class and product unknown category. | Workstations-Windows rule |
# 2 | Decline Windows 11: Declines the upgrade class and product unknown category and specifies Windows 11 in keywords so as to target only Windows 11 upgrades. | Workstations-Windows rule |

Generated approval: Whichever rule is above the other in the Patch Management > Automatic Approvals view in the UI wins. See Reorder Automatic Approval Rules to change this order. If rule #2 (Decline Windows 11) is at the top, all upgrades are approved except for Windows 11, which is declined. If rule #1 (Approve all upgrades) is at the top, all upgrades are approved.
Scenario 2
In this scenario, the two automatic approval rules have different targets.
Rule | Approval | Target |
---|---|---|
# 1 | Approve all upgrades: Approves everything in the upgrades class and product unknown category. | Workstations-Windows & Laptop-Windows rule |
# 2 | Decline Windows 11: Declines the upgrade class and product unknown category and specifies Windows 11 in keywords so as to target only Windows 11 upgrades. | Workstations-Windows rule |

Generated approval: This scenario generates two approvals. Since rule #1 also targets Windows 11 upgrades for workstations, like rule #2, the approval that wins depends on the hierarchy. In this case, a declined status wins over an approval status. Thus, the approval that wins is: approve all upgrades except Windows 11 for workstations, and approve all upgrades on laptops.
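The resolver below is an added example, not N-able N-central's own code, covering both the Hierarchy & rule order tables and Scenario 2 above. It picks the winning approval for a device/patch pair by level order first and status order second, replays the KB 5017500 row of the Step 4 table, and then runs Scenario 2 with one workstation and one laptop to show the two different approvals it generates. Assumptions beyond the page: "System" is modelled as a fifth level checked after the SO level (as Step 4 does), the scenario rules are placed at the Customer level, and all rule, device, filter and patch names are constructed.

```python
"""Resolution of conflicting patch approvals by level order, then status order.

Added illustration, not N-able N-central's own code. The level and status
orders are those of the Hierarchy & rule order tables; "System" as a fifth
level (checked after the SO level, as in Step 4) and the Customer level of the
scenario rules are assumptions. Rule, device, filter and patch names are
constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

LEVEL_ORDER = {"Device": 1, "Site": 2, "Customer": 3, "Service Organization": 4,
               "System": 5}  # "System" is assumed from the Step 4 walk-through
STATUS_ORDER = {"Declined": 1, "Approved for Install": 2, "Approved for Removal": 3,
                "Not Approved": 4, "No Approval": 5}


@dataclass(frozen=True)
class Approval:
    source: str   # rule name, or "manual" for a device-level approval
    level: str
    status: str


@dataclass
class Rule:
    name: str
    level: str
    status: str
    targets: Set[str]                 # names of the device filter rules it targets
    matches: Callable[[str], bool]    # which patch titles it covers


@dataclass
class Device:
    name: str
    filters: Set[str]                 # filter rules the device belongs to
    manual: Dict[str, str]            # device-level approvals: patch title -> status


def label(a: Approval) -> str:
    return f"{a.source}: {a.status}"


def resolve(candidates: List[Approval]) -> Approval:
    """Pick the winner: lowest level order first, then lowest status order."""
    if not candidates:
        return Approval("none", "-", "No Approval")
    return min(candidates, key=lambda a: (LEVEL_ORDER[a.level], STATUS_ORDER[a.status]))


def candidates_for(device: Device, patch: str, rules: List[Rule]) -> List[Approval]:
    """Collect every approval that applies to this device/patch pair."""
    found = []
    if patch in device.manual:
        found.append(Approval("manual", "Device", device.manual[patch]))
    for r in rules:
        if r.targets & device.filters and r.matches(patch):
            found.append(Approval(r.name, r.level, r.status))
    return found


def step4_example() -> Dict[str, str]:
    """KB 5017500 from the Step 4 table, plus a constructed patch showing that a
    higher level ("Not Approved" at site level) beats a lower-level "Declined"."""
    per_patch = {
        "KB 5017500": [
            Approval("rule m", "Site", "Declined"),
            Approval("rule t", "Site", "Approved for Install"),
            Approval("rule y", "Customer", "Declined"),
            Approval("rule f", "Service Organization", "Approved for Removal"),
            Approval("rule j", "System", "Not Approved"),
        ],
        "KB constructed": [
            Approval("rule t", "Site", "Not Approved"),
            Approval("rule y", "Customer", "Declined"),
        ],
    }
    return {kb: label(resolve(c)) for kb, c in per_patch.items()}


def scenario2(manual_on_workstation: bool = False) -> Dict[Tuple[str, str], str]:
    """Scenario 2: the rules have different targets, so a workstation gets both
    rules while a laptop gets only rule #1. Optionally add a device-level
    approval on the workstation to show that it beats every rule."""
    def is_upgrade(p: str) -> bool:
        return p.startswith("Upgrade:")

    rules = [
        Rule("Approve all upgrades", "Customer", "Approved for Install",
             {"Workstations-Windows", "Laptop-Windows"}, is_upgrade),
        Rule("Decline Windows 11", "Customer", "Declined",
             {"Workstations-Windows"}, lambda p: is_upgrade(p) and "Windows 11" in p),
    ]
    win11 = "Upgrade: Windows 11 (constructed)"
    win10 = "Upgrade: Windows 10 (constructed)"
    ws = Device("WS-01", {"Workstations-Windows"}, {})
    lt = Device("LT-01", {"Laptop-Windows"}, {})
    if manual_on_workstation:
        ws.manual[win11] = "Approved for Install"
    return {(d.name, p): label(resolve(candidates_for(d, p, rules)))
            for d in (ws, lt) for p in (win11, win10)}


if __name__ == "__main__":
    print(step4_example())
    print(scenario2())
    print(scenario2(manual_on_workstation=True))
```

For KB 5017500 the two site-level rules outrank everything below them, and between them "Declined" outranks "Approved for Install", so rule m wins. In Scenario 2 the workstation matches both rules at the same level, so the declined status wins for the Windows 11 upgrade, while the laptop only ever sees rule #1 and is approved; a device-level manual approval sits at level 1 and overrides both rules.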