ManageEngine launched Patch Manager Plus at the end of March 2017. So, after almost six years in production, how does this patch manager stack up against the competition? In the Spring 2022 Market Report from software marketplace G2, ManageEngine reached the top of the league in the patch management listings. So, let’s explore Patch Manager Plus to see its strengths and weaknesses.
Who would need Patch Manager Plus?
Any business that runs bought-in software needs to ensure those packages are up-to-date. Software producers frequently produce updates that fix discovered bugs. Another reason for updates is to introduce or perfect a new feature between full releases. The most important updates address recently discovered exploits in the software. Software updates are also known as “patches”.
An exploit is a security loophole that hackers have just discovered. You might wonder why software businesses don’t get their act together and ensure that those security weaknesses are ironed out of their products before they are released. The fact is that if you know every trick that hackers can use to break into your system, you still don’t know what new method they will come up with tomorrow, next week, or next year. So, even the cleverest software house has products that will one day include a security weakness.
Software producers must keep an ear to the ground and listen for incidents of security breaches that might indicate their software is now insecure. As soon as a weakness is suspected, they need to produce an adjustment or a replacement for part of their software suite to block that new hacker strategy.
Businesses that don’t install all the available software updates are leaving themselves open to attack. Hacker attacks are even more pernicious if they allow entry into the operating system. By getting underneath software – including security systems – hackers can act unseen or cover their tracks by deleting log messages or writing fake records.
Patch Manager Plus features
The main features of ManageEngine Patch Manager Plus are typical of an automated patch manager. These are:
- Software inventory management
- Patch gathering
- Patch assessment
- Patch scheduling
- Manual patch management
- Completion status reporting
- Compliance reporting
You can read more about each of these topics in the following sections.
Software inventory management
The Patch Manager Plus system scans each of your endpoints and records all the software installed on it and also the version of the operating system. This routine operates on devices running Windows, macOS, and Linux.
The patch discovery process is automated. The compiled software inventory is a source of details about each copy of a software package on your system – different endpoints may have different versions of the same software package. The current version number of each package indicates the last patch that was applied. The patch manager can perform this task for operating systems and more than 850 software packages.
The patch discovery procedure in Patch Manager Plus is called Automated Patch Deployment (APD).
The Patch Manager Plus instance running on your server doesn’t go directly to the websites of software suppliers to look for patches. Instead, ManageEngine centrally polls the suppliers of its approved list of software and stores those installers on its own server. The APD unit on your site refers to the ManageEngine library for a patch rather than going directly to the supplier.
When APD identifies a new patch that has become available, it copies it over to the installer for the update and stores it. There might be many patches that become available in a patching cycle – the period that elapses between each patch run is up to you – you can set the process to run once a month or once a week.
Although the ManageEngine APD system only sources patches from trusted sources, it will verify each patch. The ManageEngine server scans each file for malware and stores it in a library. Thus, when the latest patch is copied down from the ManageEngine server to your site, it has already been approved as secure.
Once a patch installer has been acquired, it is shown in the Patch Manager Plus console as being available for installation. The service allows an administrator to test each patch by rolling it out temporarily and then checking for the impact of those changes. It is possible to set up an example device for testing and run each patch manually, and then approve it in the console. Another option is to indicate in the settings of the Patch Manager Plus console that each patch should be tested automatically on a specified test device and then approved if no problems are detected after the patch has been run.
You need to set up a calendar in the console for Patch Manager Plus that defines hours of the day and specific days, such as a day of the week or a day of the month, when patches can be applied. It is possible to use Patch Manager Plus to implement patching on multiple sites. This can also extend to sites in different time zones. However, the system will relate to the time that is local to the device and so will apply patches in different locations at different times relative to the central controller’s time zone.
It is possible to define different maintenance windows for different groups of endpoints. So, the setup for patch scheduling can get complicated and requires a detailed plan before it is implemented. However, this is preferable to a much simpler system that applies all patches to all devices at the same time, which could result in the rollout being attempted on some devices that are still in use.
It is important to ensure that a device is not in use when patches are applied because the installation process will disrupt the availability of the device. If a specific package is open when the patch manager runs, it will need to be closed down first. Patch Manager Plus handles these actions and can also wake up a device that has been turned off,
Many patches involve multiple software packages and also might require certain environment variables to be set up before the new program is installed. Patch Manager Plus deals with these issues, which are known as “patch dependencies.”
It is common for software updates to require that the system is restarted to set up startup conditions at the end of the program’s installation. If a patch queue involves many updates. Each device being managed can be restarted many times before the full list of updates has been implemented. Finally, the patch schedule will turn the device off. For all of these reasons, scheduling patch rollouts to occur outside of office hours is very important, and that is possible with Patch Manager Plus.
If, for some reason, patching needs to take place during office hours, the patch manager has an option to automatically send notifications to users of an upcoming patch session. This option is available for devices running Windows and Linux, but not macOS. The live notification system allows the user of a computer to decline the patch run. This is an unsatisfactory outcome, but it could be useful if company software has been installed on the user-owned device of a remote worker, and it is under centralized patch management.
Manual patch management
The manual path management features in the Patch Manager Plus package are more negative than active. For example, it is possible to pause a patch so that it is excluded from the next patch run, in which case, it will remain in the patch queue for a subsequent run. Another option is to decline a patch, in which case, it will be permanently removed from a patch requirement list for a device.
There are a few complications over declining patches. The removed patch is not counted as being deferred, which means that the patch manager won’t alert for or search for that patch again. If that software product has a new patch available after the declined patch, the missing patch will cause complications because there might be a patch dependency. So, declining a patch can permanently end the patching cycle for a specific piece of software.
The decline function can be implemented for just a group of computers, such as PCs of a particular make and model, which are too old to cope with the new software version. In this scenario, all other devices will receive the update.
As Patch Manager Plus is an automated patch manager, the concept of manually applying a patch doesn’t really fit into the remit of the tool. If previous patches are completed in error, you could just rerun the batch and the uncompleted patches will reapply. Launching at an imminently approaching time, can, effectively, enable the administrator to run one patch immediately.
The administrator can run the installer by itself outside the Patch Manager Plus environment, in which case, the Patch Manager will notice the new version number of the updated software and amend its software inventory accordingly. The problem with this workaround is that the manual patch run will occur outside the logging system of Patch Manager Plus, so the administrator will have to take steps to ensure documentation for all patch activity is complete.
Completion status reporting
As explained, the major benefit of an automated patching system, such as Patch Manager Plus is that it can apply patches outside of office hours. In days gone by, a technician would have to be prepared to stay on after hours to run patch installers. However, the scheduler in Patch Manager Plus means those installers can be run unattended.
The important information that a system administrator needs on arriving at work the next day is whether each patch in the list applied successfully and at which point in the installation process failed if a patch did not terminate successfully.
Even those patches that applied correctly need to be documented through log files that list which programs were updated and where those program files are stored in the server’s directory structure.
System security is part of the requirements for accreditation by data security standards bodies, and patching all endpoints to ensure that they are up-to-date is part of that requirement. A system administrator needs to be able to prove at any time that the system is up-to-date and the reports included in the Patch Manager Plus provide that proof.
The key compliance reports in Patch Manager Plus are called the Vulnerable Systems Report and the Vulnerable Patches Report. The Vulnerable Systems Report can be run periodically with the results stored, and it lists all endpoints with their version statuses for all installed systems, compared with the stated latest version of each package at that moment. Hopefully, you get your system to the point where all software is up-to-date. The Vulnerable Patches Report shows which patches are available but have not been applied.
It is acceptable to have reports showing some patches that have not been applied. The report is a snapshot and no one expects patches to be applied immediately, running patches weekly or monthly is standard practice. The recognition of the state of the system is enough to remain in compliance with most data protection standards.
Patch Manager Plus deployment options
There are two delivery methods for ManageEngine Patch Manager Plus. These are:
- Cloud edition
- On-premises edition
The cloud edition is a SaaS package that installs agents on each enrolled device. The software is hosted by ManageEngine and so there are, effectively, no system requirements to access this service.
Patch Manager Plus system requirements
The requirements to host Patch Manager Plus on Premises are as follows.
- Windows 7
- Windows 8
- Windows 8.1
- Windows 10
- Windows 11
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
Although it is installed on your own server, you access the console for Patch Manager Plus through a Web browser. The browser must be one of these:
- Microsoft Edge (all versions)
- Mozilla Firefox 44 and later versions
- Google Chrome 47 and later versions
Patch Manager Plus uses a database for its own internal storage. You need to install this separately, and it can be one of these:
- MS SQL Server
The hardware requirements for the server software increase according to the number of devices that are to be monitored.
To monitor up to 250 devices:
- Hard drive space: 10 GB minimum
- CPU: Intel Core i3 (2 cores/ 4 threads) 2.0 GHz 3 MB cache
- RAM: 2 GB
To monitor 251 to 500 devices:
- Hard drive space: 20 GB minimum
- CPU: Intel Core i3 (2 cores/ 4 threads) 2.0 GHz 3 MB cache
- RAM: 4 GB
To monitor 501 to 1,000 devices:
- Hard drive space: 30 GB minimum
- CPU: Intel Core i3 (4 cores/ 4 threads) 2.3 GHz 6 MB cache
- RAM: 4 GB
Patch Manager Plus editions
There are three editions of Patch Manager Plus. These are:
- Professional – Suitable for LANs
- Enterprise – Suitable for WANs
The Free edition has all the features of the Standard edition, but it is limited to managing 20 workstations and five servers.
- Patching for Windows, macOS, and Linux operating systems
- Third-party patch management
- Server application patch management
- Service pack deployment
- Variable scheduling
- A central repository of verified patch installers
- Patch management reports
- Role-based administration
- Two-factor authentication
- Features of the Professions edition
- Distribution server for bandwidth optimization
- Antivirus definition updates
- Automated patch testing
ManageEngine produces many system monitoring and management tools, but you don’t need any of them to be installed to run the Patch Management Plus system – it is a standalone service. Several other ManageEngine packages also provide patch management, so it is important to note these so that you don’t end up paying for duplicate services that you don’t need.
The packages from ManageEngine that also provide patch management are:
- Vulnerability Manager Plus
- RMM Central (for MSPs)
- Endpoint Central
- Endpoint Central MSP
- Patch Connect Plus
Patch Manager Plus free trial
Both the SaaS version and the on-premises package of Patch Manager Plus are available for a 30-day free trial.