Add an automatic approval rule
Automatic patch approvals ensure that typical system patches or system critical patches are downloaded and installed without waiting for review. Automatic approvals ensure that timely system and security critical patches are immediately approved when they become available so the customer's devices are safe and up-to-date. For more information, see Approving patches automatically with rules. You configure patch approvals once you have created a patch profile and applied it to a device using a rule.
When adding an automatic approval rule, the software must be installed on devices to complete correctly. This enables the agent to properly register with N-able N-central and the Patch Manager. Creating an approval rule then installing older software so the patching will update it, will not work properly because N-able N-central is not aware of software not yet installed.
To create automatic approvals, ensure at a minimum, the role permissions are:
- Patch: Patch Approval and Patch Configuration
- Monitoring: Filters and Rules
See Permission Dictionary & Menus for details.
- Click Configuration > Patch Management .
- In the Patch Approval area, click Automatic Approvals, and click Add.
- Enter a name and description.
- In the Products and Classifications section, select the types of updates to include.
- Select products by clicking the pencil icon for a product and click Select. To ensure that you select both the top level and the children under the top level, click the pencil icon and click Apply to Children.
- To automatically approve specific product types or KBs, at the bottom of the page, enter the information to include or not include in the approval process. Separate keywords using a semicolon. Keywords are not case-sensitive. Keywords can contain multiple words and do not require quotes. If you add multiple keywords or phrases, separated by a “;” N-able N-central evaluates each keyword or phrase separately. The patch name needs to match any one of the words, not all of them.
- Click the Targets tab.
- Select the pencil icon for the desired rule and click Approved for Install.
- Click the Advanced Configurationtab to set a delay for the auto approval.
- Click the Delay approvals by radio button and enter the number of days to delay the patch install.
- Click Save.
Some Microsoft patches do not accurately report their product. To cover this situation, select the product category Product Unknown. Combined with a keyword, you can automatically approve patches where the product has not been defined by Microsoft.
When N-able N-central executes the rules, the Classifications and Products filters are applied first; the KB and Keyword filters are applied to the patches available after the Classification and Product filtering.
To use the filtering successfully, you need to click the top-level product and select Apply to Children. See step 5.
Select the top level to apply approvals across all Rules. N-able recommends that you perform your approvals against the patch rules you have created. You can review the list of patch enabled rules by going to Configuration > Patch Management.
It is recommended that you do not select Install Patches Immediately unless it is a critical update that you are concerned about, as this will install auto-approved patches immediately, ignoring any installation schedule.
N-able recommends a delay of up to 15 days. This allows for time to review and install the patch before the update is superseded by the next month's release.
With the new approval rule, when a patch for the selected product becomes available, N-able N-central will automatically download and install the patch on the customer's devices during the next patch install maintenance window. If you set a delay on the auto approval, N-able N-central installs the patch after the defined number of days.
If a patch is re-issued by Microsoft, Patch Manager remembers the existing approval status, and delay if set, of the patch to ensure that the approval you defined remains and you do not have to re-select and reset the approvals.
Some software patches require the target device be re-started to complete the installation. Until the target device is re-started, patches will be reported as Approved but not installed even after a successful installation.
After you set up automatic approvals, there will still be patches that are not covered by these Rules. You will need to perform some maintenance by manually approving and declining patches that are not covered by the automatic rules. For more information, see Approving patches manually.