Patch Policy Overview

To open the Patch Policy application, from the BigFix WebUI Apps menu, select Patch Policies.

Perform the following steps to create a patch policy:
  1. Enter a name for the policy and select the types of patches it should include. For example, create a policy that includes important service packs for operating system updates.
  2. Create a roll out schedule for the policy, including deployment timing, frequency, and behavior.
  3. Select policy targets: the devices to be patched.
  4. Activate the policy.

    The process is described in detail in Create a Patch Policy.

Keeping Policies Current

The Patch Policy app notifies you when new patches that meet policy criteria become available. The delta icon next to a policy name on the Policy List tells you patch content has been added or changed. Refresh a policy to include the new material. Refresh policies manually or use the Auto-refresh option to keep policies up-to-date.

Exclusions

You can exclude patches from a policy that otherwise meet its inclusion criteria. For example, manually exclude a patch you know causes problems in a custom application. Or set a dynamic exclusion to automatically exclude Microsoft Office updates from a policy that updates Windows. Once set, exclusions remain in effect until you remove them. Patch policies never include patches used for auditing, corrupt patches, or patches without a default action.

Use the WebUI Deployment views to monitor policy-based patching results. For more information, see Get Started with Deployments.

Permissions and Patch Policy

BigFix master operators (MOs) have full access to all Patch Policy functions. MOs can create, edit, delete, activate, and suspend polices, manage patch rollouts and schedules, and refresh policies when new patches are released. non-master operators (NMOs) can add, edit or delete a policy. NMOs can also add targets to an existing schedule, and remove targets from a schedule if they have relevant permissions.

Patch Policy Category

The following table shows the mapping between the Patch Policy external content categories and Fixlet categories:

WebUI Patch Policy category Fixlet category
BUG FIX

Bug Fix

Bug Fix Advisory

Bug

ENHANCEMENT

Definition Update

Definition Updates

Feature Pack

Hotfix

Update

Updates

Product Enhancement Advisory

ENHANCEMENT

Recommended

Optional

Upgrade

SERVICE PACK

Rollup

Service Pack

Update Rollup

SECURITY

Critical Update

Critical Updates

Security

Security Advisory

Security Hotfix

Security Setting

Security Update

Security Updates

SECURITY

Mandatory

Execution behavior

The following table shows the Patch Policy behavior when using Pre/Post contents and when not using Pre/Post contents:

Table 1. Patch Policy execution behavior
Configuring Pre/Post contents Execution of MAG order enforced in sequence (MAG1, MAG2, MAG3, and so on) Using "Force Restart" option available when configuring the schedule Execution Behavior
When using Pre/Post contents Yes The restart is only applied at the end of the last MAG execution. Sequence of MAGs will be executed on all targeted devices, even when patch Fixlets are not relevant. This means any Pre/Post tasks or Post action restarts will also execute if they are relevant.
When not using Pre/Post contents No1 The restart is applied after each MAG because it is unknown which MAG will be the last one to execute. Each MAG will only execute on targeted devices if the device is applicable to at least one of the Fixlets in the MAG.
Note:

A Fixlet is included in the MAG if it is relevant to at least one endpoint managed by the operator who defined the targets in the schedule.

  1. When not using pre/post content: MAGs do not necessarily execute in order on the endpoint. The MAGs will execute in order when they become relevant on the endpoint.
Note:

The MAG action issued in Patch Policies through Target by Property, Target by Group, or Target by Device will exclusively consist of fixlets that are relevant to the devices targeted at the time the MAG is issued. If there are no relevant fixlets available, then no MAG will be issued. For more details, see Server Settings.

Operating system updates

The following table shows the mapping between Fixlet sites and the selections available in Patch Policies:

Amazon Linux
Table 2. OS Version and Fixlet site name for Amazon Linux
OS Version Fixlet Site Name
Amazon Linux 2 Patches for Amazon Linux 2
Amazon Linux 2 with Graviton Patches for Amazon Linux 2 Graviton
Rocky Linux
Table 3. OS Version and Fixlet site name for Rocky Linux
OS Version Fixlet Site Name
Rocky Linux 8 Patches for Rocky Linux 8
CentOS
Table 4. OS Version and Fixlet site name for CentOS
OS Version Fixlet Site Names
CentOS 6 Patches for CentOS 6 Plugin R2
CentOS 7 Patches for CentOS 7 Plugin R2
CentOS 8 Patches for CentOS 8
Debian
Table 5. OS Version and Fixlet site name for Debian
OS Version Fixlet Site Names
Debian 7 Patches for Debian 7
Debian 11 Patches for Debian 11
Mac OS X
Table 6. OS Version and Fixlet site name for Mac OS X
OS Version Fixlet Site Name
Any, patches are dynamically filtered from sites Patches for Mac OS X
Oracle Linux
Table 7. OS Version and Fixlet site name for Oracle Linux
OS Version Fixlet Site Names
Oracle Linux 6 Patches for Oracle Linux 6
Oracle Linux 7 Patches for Oracle Linux 7
Oracle Linux 8 Patches for Oracle Linux 8
Red Hat Enterprise Linux
Table 8. OS Version and Fixlet site name for Red Hat Enterprise Linux
OS Version Fixlet Site Names
Red Hat Enterprise 5 Patches for RHEL 5 ESU
Red Hat Enterprise 6
  • Patches for RHEL 6 Native Tools
  • Patches for RHEL RHSM 6 on System Z
  • Patches for RHEL 6 ESU
Red Hat Enterprise 7
  • Patches for RHEL 7
  • Patches for RHEL 7 ppc64le
  • Patches for RHEL 7 ppc64be
  • Patches for RHEL RHSM 7 on System Z
  • Patches for RHEL 7 ESU
Red Hat Enterprise 8
  • Patches for RHEL 8
  • Patches for RHEL 8 ESU
  • Patches for RHEL 8 ppc64le
Red Hat Enterprise 9
  • Patches for RHEL 9
SUSE Linux Enterprise
Table 9. OS Version and Fixlet site name for SUSE Linux Enterprise
OS Version Fixlet Site Names
SLE 11 Patches for SLE 11 Native Tools
SLE 12 Patches for SLE 12
SLE 12 PPC64LE Patches for SLE 12 ppc64le
SLE 12 System z Patches for SLE 12 on System z
SLE 15 Patches for SLE 15
SLE 15 System z Patches for SLE 15 on System z
Ubuntu
Table 10. OS Version and Fixlet site name for Ubuntu
OS Version Fixlet Site Names
Ubuntu 14.04 Patches for Ubuntu 1404
Ubuntu 16.04 Patches for Ubuntu 1604
Ubuntu 18.04 Patches for Ubuntu 1804
Ubuntu 20.04 Patches for Ubuntu 2004
Ubuntu 22.04 Patches for Ubuntu 2204
Windows
Table 11. OS Version and Fixlet site name for Windows
OS Version Fixlet Site Name
Any patches for OS versions selected are dynamically filtered from sites
  • Enterprise Security
  • Patches for Windows (German)
  • Patches for Windows (French)
  • Patches for Windows (Polish)
  • Patches for Windows (Italian)
  • Patches for Windows (Spanish)
  • Patches for Windows (Czech)
  • Patches for Windows (Brazilian Portuguese)
  • Patches for Windows (Japanese)
  • Patches for Windows (Simplified Chinese)
  • Patches for Windows (Korean)
  • Patches for Windows (Turkish)
  • Patches for Windows (Hungarian)
  • Patches for Windows (NLD)
  • Patches for Windows (CHT)
  • Patches for Windows (Norwegian)
  • Patches for Windows (Finnish)
  • Patches for Windows (Swedish)
  • Patches for Windows (Greek)
  • Patches for Windows (Danish)
  • Patches for Windows (Hebrew)
  • Patches for Windows (Russian)
  • Patches for Windows 7 ESU
  • Patches for Windows 2008 ESU

Operating system application updates

The following table shows the Operating System application updates which includes OS, various site names, and applications:

OS Application Updates for Mac OS X and Windows
Table 12. Fixlet site name and Application updates for Mac OS X and Windows
OS Fixlet Site Names Applications
Mac OS X Patches for Mac OS X
  • Java
  • iTunes
  • Safari
Windows
  • Enterprise Security
  • Patches for Windows (German)
  • Patches for Windows (French)
  • Patches for Windows (Polish)
  • Patches for Windows (Italian)
  • Patches for Windows (Spanish)
  • Patches for Windows (Czech)
  • Patches for Windows (Brazilian Portuguese)
  • Patches for Windows (Japanese)
  • Patches for Windows (Simplified Chinese)
  • Patches for Windows (Korean)
  • Patches for Windows (Turkish)
  • Patches for Windows (Hungarian)
  • Patches for Windows (NLD)
  • Patches for Windows (CHT)
  • Patches for Windows (Norwegian)
  • Patches for Windows (Finnish)
  • Patches for Windows (Swedish)
  • Patches for Windows (Greek)
  • Patches for Windows (Danish)
  • Patches for Windows (Hebrew)
  • Patches for Windows (Russian)
  • Patches for Windows 7 ESU
  • Patches for Windows 2008 ESU
For more information, see System requirements.

Third-party updates

The following table shows the third-party updates which includes OS, various site names, and application/publisher:

Third-party updates for Mac OS X and Windows
Table 13. Fixlet site name and Application/Publisher updates for Mac OS X and Windows
OS Fixlet Site Names Applications/Publisher
Mac OS X Updates for Mac Applications
  • Adobe Acrobat
  • Adobe Air
  • Adobe Flash
  • Adobe Reader
  • Adobe Shockwave
  • Google Chrome
  • GoToMeeting
  • Microsoft
  • Mozilla Firefox
  • Webex
  • Zoom
Windows
  • Updates for Windows Applications
  • Advanced Patching
  • Updates for Windows Applications Extended
See System requirements for more details.

Severity mapping

The following table shows the mapping between the Patch Policy Severity categories and Fixlet Severity Field categories:

Table 14. Patch Policy Severity and Fixlet Severity Field
Patch Policy Severity Fixlet Severity Field
CRITICAL Critical, Mandatory, High
IMPORTANT Important, Recommended
MODERATE Moderate, Medium
LOW Low, Optional, Negligible
UNSPECIFIED Unspecified, NA, and empty values