Patch Policies - Applicable Patches and Targeting

Aram,

Do you happen to know if the underlying issues I was speaking of in the post below have been resolved?

Yes and no. Patch Policies has since been enabled for department-level usage (many more capabilities - with associated permissions - for non-master operators). See BigFix WebUI Update - 2019-05-17 for more details on this.

That said, I’m not sure I entirely understand the concern around the Applicable Patches. Patch Policies is meant to show you those patches that are in scope given the defined policy criteria, rather than those that are applicable to managed endpoints (regardless of MO vs nMO).

I do understand the feedback around timezones/scheduling…that is still something we are exploring…


That said, I’m not sure I entirely understand the concern around the Applicable Patches. Patch Policies is meant to show you those patches that are in scope given the defined policy criteria, rather than those that are applicable to managed endpoints (regardless of MO vs nMO).

So one good example I can provide here is when we go to set up Patch Policies and target a subset of devices, we would expect to see content that is relevant for those targeted devices. Instead we see all items that a MO/nMO can see. This causes confusion, since one would think that with a device targeted you would see only applicable patches for that targeted device. I provided a screenshot of what I can see on a device that is only missing patches for May. Another comparison is the BF Console compared to the WebUI. If I select a device in BF Console I will only see what is applicable to that specific device. You get that same functionality within WebUI as well if you go to Devices → Select Device and view patches. This only shows patches relevant to that selected system, so it seems the only difference here is within Patch Policies. This also leads to patch policy actions being run that end up in a non-relevant status, which makes it difficult to predict what will specifically be applied in a coming patch policy window. Hopefully that provides more insight for you.

Bumping this thread to see if there have been any updates? @Aram

To my mind I think that is as-designed and has a valid use case. A common practice would be to show “all patches currently applicable given the policy settings”, but this is really just a preview for sanity-checking the policy, not to see what applies on a given set of devices.

The use case I see most often is to create a policy and then define a schedule for that policy targeting a specific set of test devices. After the first schedule is applied and tested, it is common to add a second, or even a third/fourth schedule, to target larger sets of devices.

You may not have devices applicable to some of those patches in the first round of schedules, but as you add more devices and more schedules more of the patches get applied.