Today, everything has to be patched. From desktop and laptop to server and every operating system in between. With compliance, what we have to pay attention to is what’s actually out there on our network – not just what you wish were there. Servers (Windows, UNIX and Linux)Even Windows-centric environments have at least a few UNIX or Linux servers that need to be secure and patched. Linux and UNIX servers often fulfill critical functions with few and short maintenance windows. These can be a real pain point for admins who specialize in Windows or are managed by an entirely different admin. Desktops (Windows and Macs)Maybe you are responsible for desktops instead of servers. Again it’s not just a Windows story any more. More and more people are opting for Macs instead of Windows. Watch the vulnerability lists and you’ll see that Macs need patching too. The kicker though is the 80/20 rule. If at least 80% of the computers on your network are Windows and the remaining 20% are everything else – it’s a safe bet, given the maturity and ease of WSUS, that 20% of your patching effort goes to Windows but 80% of your effort is consumed with patching all the different flavors of UNIX, Linux and your Mac computers. We need one system to manage all our patches and one pane of glass to prove compliance from data center to desktop. Believe it or not System Center 2012 R2 provides the infrastructure to do just that – it just needs a little help. Last time we showed you how you can patch 3rd party apps on Windows through System Center Update Manager. This time we’ll show you how you can patch non-Windows systems using the new System Center clients for UNIX, Linux and Mac.

1. Sponsored by
Using System Center
Configuration Manager 2012 R2
to Patch Linux, UNIX and Macs
© 2014 Monterey Technology Group Inc.

2. Thanks to
© 2014 Monterey Technology Group Inc.
www.Lumension.com

3. Preview of Key
Points
 Need for patching from Data center to desktop
 System Center support for *nix
 8 steps for patching *nix from System Center
 How far does that get you and what’s left?
 Show elegant Lumension Patch Manager DataCenter solution for
bringing WSUS functionality to *nix with compliance reporting unified
with SC for single pane of glass patch management from Data center
to desktop

4. The situation
 Have to be compliant and secure
 Everything has to be patched
 Everything includes
 Windows
 MS Apps
 3rd party apps
 UNIX
 Linux
 Mac OS X
 Don’t just have to be secure
 Have to be able show you are secure and compliant
 Can waste a lot of time on
 Patching the one-offs and minority systems – 80/20 rule
 Showing compliance

5. System Center
 System Center de facto standard in MS-centric environments
 25% of OpsMgr environments already monitor Linux and UNIX
 System Center 2012 R2 has Linux, UNIX and Mac support
 Inventory
 Hardware
 Software
 Script execution

6. System Center
 Can you patch *nix from SC?
 Yes
 Manual
 Patch by patch
 Watering can
 Can you show compliance?
 Not without significant custom work
 Everything repeated for each flavor/distribution
 Walk you through how to do the above
 Show elegant Lumension Patch Manager DataCenter solution for
bringing WSUS functionality to *nix with compliance reporting unified
with SC for single pane of glass patch management from Data center
to desktop

7. Patching *nix
from System
Center
1. Install SCCM agents
2. Create collections
3. Get inventory
4. Pick out a patch for a given OS
 OpenSSL fix for HeartBleed for SUSE
5. Download the patch to distribution point(s)
6. Determine applicability criteria
7. Create a package
8. Deploy

8. 1. Install SCCM
Agents
 Microsoft System Center 2012 R2 Configuration Manager - Clients for
Additional Operating Systems
 Specific versions supported for each flavor/distro
 http://technet.microsoft.com/en-us/library/c1e93ef9-761f-4f60-8372-
df9bf5009be0#BKMK_SupConfigLnUClientReq
 http://www.microsoft.com/en-us/download/details.aspx?id=39360

9. 1. Install SCCM
Agents
 Mac
 http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/PCIT-B336#
fbid=
 Steps
 Download the Mac client msi file to a Windows system
 Run the msi and it will create a dmg file under the default location
“C:Program Files (x86)MicrosoftSystem Center 2012 Configuration
Manager Mac Client” on the Windows system
 Copy the dmg file to a network share or a folder on a Mac computer
 Access and open the dmg file on a Mac computer and install the client using
instructions in the online documentation. http://technet.microsoft.com/en-us/
library/jj591553.aspx

10. 1. Install SCCM
Agents
 Linux
 http://prajwaldesai.com/how-to-install-sccm-2012-sp1-client-agent-on-linux-
computers/
 https://vlabs.holsystems.com/vlabs/technet?eng=VLabs&auth=none&src
=microsoft.holsystems.com&altadd=true&labid=10436
 Steps
 On a Windows computer download the Linux client
 The downloaded file is a self-extracting exe and will extract tar files for
the different versions of your operating system.
 Copy the install script and the .tar file for your computer’s operating
system version to a folder on your Linux computer.
 Install the client using instructions in the online documentation.
http://technet.microsoft.com/en-us/library/jj573939.aspx

11. 1. Install SCCM
Agents
 UNIX
 http://technet.microsoft.com/en-us/library/jj573939.aspx
 Steps
 On a Windows computer download the appropriate file for UNIX flavor
you wish to manage
 The downloaded file is a self-extracting exe and will extract tar files for
the different versions of your operating system.
 Copy the install script and the .tar file for your computer’s operating
system version to a folder on your UNIX computer.
 Install the client using instructions in the online documentation.
http://technet.microsoft.com/en-us/library/jj573939.aspx

12. A little more
 Rootless discover
 http://blogs.catapultsystems.com/ttaylor/archive/2012/01/17/scom-manual-
linux-agent-install-and-rootless-discovery-1.aspx
 Troubleshooting
 http://social.technet.microsoft.com/wiki/contents/articles/4966.troubles
hooting-unixlinux-agent-discovery-in-system-center-2012-operations-manager.
aspx
 Licensing
 Remember, you probably need valid subscriptions to legally patch most
flavors

13. Patching *nix
from System
Center
1. Install SCCM agents
2. Create collections
3. Get inventory
4. Pick out a patch for a given OS
 OpenSSL fix for HeartBleed for SUSE
5. Download the patch to distribution point(s)
6. Determine applicability criteria
7. Create a package
8. Deploy

14. Watering can
patching
 Automatic updates on Linux
 Yum
 Zypper
 Others?
 Mac
 Automatic Updates
 http://blogs.technet.com/b/scd-odtsp/archive/2013/05/29/system-center-configuration-
manager-2012-sp1-automatic-updates-on-a-mac-2.aspx
 Problems with this approach
 No control, granularity, management
 Every computer downloads directly from vendor over Internet
 No maintenance windows
 Not an enterprise solution
 No reporting or compliance

15. What’s left?
 What’s left?
 Reporting
 Think about this
 We’ve patched one vulnerability on SUSE
 What if you also have
 Redhat
 AIX
 Macs
 etc
 What if you have
 What if you aren’t a *nix troll expert?
 What if someone else manages *nix?
Discover
Download
Package
Assess
Deploy
Report

16. Wouldn’t be
nice…
 Wouldn’t it be nice…
 If you could get WSUS-like functionality for Linux, UNIX, Mac
 Download patches
 Assess applicability
 Deploy
 Report
 Without leaving System Center
 And be able to report on everything from one console?
 And wouldn’t be nice
 To add 3rd Party Windows apps to all of that?

17. Wouldn’t be
nice…
AIX
HP-UX
Solaris
Mac
OS
X
CentOS
Oracle
Linux
SUSE
Red Hat
Windows
MS Apps
3rd Party
Windows Apps

18. Wouldn’t be
nice…
AIX
HP-UX
Solaris
Mac
OS
X
CentOS
Oracle
Linux
SUSE
Red Hat
Windows
MS Apps
3rd Party
Windows Apps

19. Wouldn’t be
nice…
AIX
HP-UX
Solaris
Mac
OS
X
CentOS
Oracle
Linux
SUSE
Red Hat
Windows
MS Apps
3rd Party
Windows Apps
Patch Manager DataCenter

20. Wouldn’t be
nice…
AIX
HP-UX
Solaris
Mac
OS
X
CentOS
Oracle
Linux
SUSE
Red Hat
Windows
MS Apps
3rd Party
Windows Apps
Patch Manager DataCenter
Patch Manager DeskTop

21. Wouldn’t be
nice…
AIX
HP-UX
Solaris
Mac
OS
X
CentOS
Oracle
Linux
SUSE
Red Hat
Windows
MS Apps
3rd Party
Windows Apps
Patch Manager DataCenter
Discover
Download
Package
Assess
Deploy
Report
Patch Manager DeskTop

22. Additional Information
22
Whitepaper
Practical Patch Compliance
Relieving IT Security Audit Pain, From the
Data Center to the Desktop
https://www.lumension.com/sccm
Free Adobe SCUP Catalog
https://lumension.com/system-center/patch-manager-
desktop/free-catalog.aspx