Deny patches for specific software on a single device

You can use filters and rules to deny patches for a single device.

There may be situations where certain software on a computer should not be updated. For example, a website that is regularly referenced requires a specific version of Java and Internet Explorer, and updating these applications would mean that the site could not be accessed. You want to make sure that the software never receives any patches or updates.

Using filters, rules and custom device properties, you can set automatic approvals to deny those updates.

Create a custom device property.

  1. Click Administration > Custom Device Properties.
  2. Click Add and select Text Type from the drop-down list.
  3. Enter a descriptive name for the device property.
  4. Select an Operating System and Device Class for the device(s) that the property applies to.
  5. Click Save.

On the device itself, enter a unique value for that property to use in a filter.

  1. Click Views > All Devices.
  2. Select the check box next to the device and click Custom Device Properties.
  3. The field will appear in the dialog box. Click the Value check box and enter a unique identifier.
  4. Click OK.

Create a custom filter that looks for the property value to single out a particular device.

  1. Click Configuration > Filters and click Add.
  2. Enter a Filter Name.
  3. In the Find devices where drop-down menus, select Device > Custom Device Property.
  4. In the drop-down menus, select the newly added property > Equal To, and enter the value created in the previous step.
  5. Click Save.

Create a rule that uses this filter.

  1. Click Monitoring > Rules.
  2. Enter a name for the rule.
  3. On the Devices to Target tab, select the filter created above.
  4. Click Save.

Create an auto approval rule that uses the rule created.

  1. Click Configuration > Patch Management > Automatic Approvals and click Add.
  2. In the Product and Classifications tab, select the classification of patches to exclude.
  3. For the products, locate the software, click the pencil icon and click Selected.
  4. On the Targets tab, locate the rule created above. Click the pencil icon and select Declined.
  5. Click Save.

Finally, move the new approval rule to the top of the rules list using auto-approval rule ordering. By doing this, the new Java decline rule is activated first, before the approval of Java for all devices.

The result is a rule that will always decline the Java and IE patch updates against the selected device when they become available.