Creating Patch Job for Mac Assets
Before you go ahead with patch job creation for Mac assets, go through Managing Patch Jobs for Mac Assets, wherein the details about patch jobs for Windows assets are mentioned.
Navigate to Jobs > Mac tab and then click Create Job.
- Optionally, you can go to the Assets tab > Mac and select the assets to which you want the patches to be applied. From the Quick Actions menu, click Add to New Job.
- Optionally, you can go to the Patches tab > Mac. Select the patch to add to the new job and click Add to New Job from the Quick Actions menu.
Complete the following steps to create a Mac deployment job:
- Basic Information
- Select Assets
- Select Pre-actions
- Select Patches
- Select Post-actions
- Schedule
- Options
- Job Access
- Confirmation
Basic Information
Enter a job title and description, and click Next.
Select Assets
Refer to the following details, select the assets you want to apply patches to, and click Next.
The following two asset selection options are available:
- Manual Asset Selection: This option allows you to select assets manually.
- Import Assets: This option allows you to import the asset from the CSV file you upload.
Refer to the following manual asset selection steps:
i. Select assets or asset tags to which you want to apply the patches.
Want to add assets later? Go to the Assets tab, select one or more assets from the Quick Actions menu of a single asset, or from the Actions menu (bulk actions), click Add to Existing Job or Add to New Job. Once enabled, you cannot add assets later to On-Demand or run-once (non-recurring) jobs.
Patches are deployed on the tags you select only for assets in the user's scope. The corresponding child tags are automatically selected when you select the asset tag.
- Select Any to include assets that have any of the selected tags.
- Select All to include only those assets in the patch deployment job with ALL the selected tags.
ii. (Optional) Select the Add Exclusion Assets checkbox to exclude specific assets from the deployment job.
Note: You can include and exclude a maximum of 50 assets from the job.
Based on the selected options, the final list of assets is calculated taking into consideration included and excluded asset tags and included and excluded assets.
iii. (Optional) Select the Add Exclusion Asset Tags checkbox to exclude the assets from the deployment job with All/ANY of the selected asset tags.
You can include and exclude a maximum of 50 asset tags from a job. To understand how final assets are determined for a job, see Which Assets are Included in a Job.
Refer to the import assets steps:
- Click Import Assets.
- Upload the CSV that includes the Assets you want to upload.
Important to Know
- You can import a maximum of 5000 assets from the CSV file.
- The asset names are case-sensitive. Hence, you must include the correct asset name in the CSV file. Incorrectly spelled assets or assets not available in your subscription are not considered for import.
- The CSV file is validated during the import process, and the reasoning or error for skipped assets is also recorded. You can download the validated file and get these details. Note that the CSV file validation and import process might take longer based on the number of assets included, which increases the file size.
Select Pre-actions
Select the Run Script pre-action and click Add. For more information, see About Pre-Actions and Post-Actions.
Select Patches
i. Refer to the following details, select patches to apply to the assets, and click Next.
You can select one of the following patch selection options:
- Manual Patch Selection
- Automated Patch Selection
- Patch Selection from Another Job
Manual Patch Selection:
After you select the Manual Patch Selection option, click the Select patches link to select patches. On the Patch Selector page, you can use the Within Scope option to view missing patches within the scope of the selected assets or all available patches. Select the desired patches, click Add to Job, and click Close.
On the Select Patches pane of the deployment job wizard, click Available Patches if you want to add more patches to the job.
Automated Patch Selection: You can use the Qualys Query Language (QQL) to create criteria to automate the patches that need to be installed for a job based on vulnerabilities or patches. The query can be used for run-once and recurring jobs. You cannot use a combination of a QQL and Patch list to select patches added to a job. You must either create a job that is executed based on the query or choose the patches from the Patch List.
Click Preview to view available patches associated with assets and/or tags that can be added to the job.
- You can use vulnerability tokens to create a QQL-based job only if you have a subscription to the VMDR app. You can use the RTI tokens only if you have an active subscription to the Threat Protection app.
- During the automated patch selection, you can use the patches or vulnerabilities tokens individually or in combination.
Want to add patches later? Go to the Patches tab and select one or more patches. Then, click Add to Existing Job or Add to New Job from the Quick Actions menu of a single patch or the Actions menu (bulk actions). Once you enable On-Demand or run-once (non-recurring) jobs, you cannot add patches later.
You can add patches but not target assets or asset tags when you modify a patch job using the Add to Existing Job option from the Patches tab. To apply patches to an asset that is not added to the job, you can choose one of the following approaches:
- Edit an existing job from the Jobs tab
- Select the asset from the Assets tab and use the Add to Existing Job option
- Create a new patch job for that asset.
You can add a maximum of 2000 patches to a single job. Create another job to add patches above 2000. You can run the scheduled job daily, weekly, or monthly.
Patch Selection from Another Job: After you select the Patch Selection from Another Job option, click the Select the job to fetch patches link. From the Select Job window, select the job you want to fetch the patches from its latest run and click Apply.
- After you select and apply the job from which you want to fetch the patches from its latest run, its run cycle details, such as the previous run and the next run, are shown. The run cycle details are not shown for Run Once and On-demand jobs and jobs with the Disabled status.
- If the selected job has unresolved patches, no patches will be fetched for the job that you create. Also, when you view the job progress of the job that you created, the status will be shown as No patch available.
After selecting the required patches by using the options that are explained, click Next.
Select Post-actions
Select the Run Script post-action and click Add. For more information, see About Pre-Actions and Post-Actions.
Schedule
Refer to the following details, complete the job schedule settings, and click Next.
i. Choose when to install the patches, whether On-Demand or Schedule.
- The On-Demand option lets you install the patches immediately once the job is created and enabled.
- The Schedule option allows you to install the patches at a set time. You can run the scheduled job daily, weekly, or monthly.
For more information, see Schedule Job Settings.
Monthly jobs which are scheduled to run on the 31st of the month will be scheduled every two months (where 31st date is available). You can schedule the job to run on the last day of the month which ensures that the job runs on the last day irrespective of whether the month has 28, 30, or 31 days.
ii. (Optional) To configure a Patch Window, click Set Duration.
A Patching Window is used to enforce time-bound execution. The Patch Window can be set between 30 minutes to 168 hours or 10080 minutes.
Options
Configure the communication options by referring to the following details on how to notify users about the patch deployment, and click Next.
Deployment Messages
Configure the Deployment and Reboot Communication Options, configure notification settings, and click Next. For more information, see Configuring Reboot Settings for Mac Deployment Jobs.
The MacOS deployment messages are available on the UI if you the Mac agent binary version 4.30.0 and later for Intel and 4.40.0 and later for ARM.
Request for Credentials
You can go through the details provided in the Request for Credentials section and decide whether to clear the Save User Credentials checkbox. Note that the Save User Credentials checkbox is selected by default.
- When the Mac ARM OS update is pushed to the user's machine, a message will be shown about entering credentials to start with the OS update.
- When the checkbox is selected, the user credentials will be saved and used for all the runs of the current job being created and for other jobs where this checkbox is selected.
- When the check box is cleared, the user credentials will not be saved, and the user will be required to enter the credentials for every Mac ARM OS update.
Note: The expected behavior of saving user credentials for Mac ARM OS updates will work only if you have the Agent binary version 5.5.0.x or later. - If you clone the job, revisit the Save User Credentials setting to decide whether to save the credentials.
- If you edit the job before it is enabled, revisit the Save User Credentials settings.
Notification Settings
You can choose to send email notifications for events, such as a job has started, or a job has been completed to the intended recipients. You can enter a maximum of 50 email addresses. Also, the distribution list is not supported.
Important to Know
- If the email notification is configured for a recurring job, you will receive it once per day for the job run. If the same recurring job is edited and scheduled again for the same day, you will not receive the email notification again on that day.
- The job completion email is sent after the job is sent to all agents, considering all agent timezones, and after the job completion criterion is met. When this is implemented, the email notifications might be impacted for that day.
- The email notifications are tracked for up to six months. Agent getting updates after six months might trigger false email notifications.
See the examples of the 'Patch Job Started' and 'Patch Job Completed' email notifications, respectively.
Additional Job Settings
i. Turn the Download Patches from the Internal Repository toggle to On to allow cloud agents to download the patches from the internal repository server.
ii. Select the name of the internal repository server from the Select Name list. The URL associated with the server is auto-populated. Note that you can add only one internal repository server.
You can enable this setting only if the Download Patches from the Internal Repository Subscription-level setting is enabled and the internal repository server and URL are entered. For more information, see the "Enabling Download Patches from the Internal Repository" section from the Subscription Level Settings topic.
When the job is created, you can see the internal repository details from the Options tab on the Job Details page.
Job Access
Choose Co-Authors for this job and click Next. The co-authors can perform job actions based on their permissions, such as editing the job.
Confirmation
Review your selections, and choose to Save or Save & Enable the job.
Note that the SuperUser or Administrator can change the job status (enable/disable), delete and edit the job.
- When you click Save, the job is saved, and its status is DISABLED. You can enable it later.
To run a job in the DISABLED state, you must enable it. To enable it, go to the Jobs tab and click Enable from the Quick Actions menu of a job.
- When you click Save & Enable, the job is saved and ENABLED. This option is available only when creating a Job the first time, not during editing the job.
The Save & Enable option should be chosen only when you are confident that the job is correctly configured because it's enabled and in a good-to-execute state.
You can use the Disable option to temporarily disable a scheduled job. Later, at your convenience, you can re-enable the job.
On-demand or run-once (nonrecurring) jobs cannot be edited or disabled once enabled.
See Enabling or Disabling Jobs