Patch Management - Third Party Application Updates

Third Party Application Updates

Patches for commonly used applications are deployed as they become available from the vendor and have completed quality assurance testing. An application restart is frequently required to apply application updates. When possible, notifications display for any applications that require a restart to update.

Application patching is intended to provide security enhancements, not to interrupt production with feature changes. Feature changes are evaluated before release and communicated to users when they may be disruptive to productivity. Application updates are managed in three categories.

 

Independent

Application updates are released onto all managed endpoints as they become available from the vendor. Examples of Independent applications include Firefox, Chrome, and Zoom.

 

Managed

Application updates undergo a pre-release pilot period on a subset of production endpoints before release onto all managed endpoints. Pre-release occurs 1 week before the full production release, allowing ITS time to identify issues with the latest release of the software, including version upgrades. Examples of Managed applications include Adobe products, SPSS, and Palo Alto Cortex XDR.

 

Service Dependent

Application updates install automatically following a service upgrade. Pre-release testing occurs as part of the release testing for the service itself. Examples of Service Dependent applications include SAP, BeyondTrust, and Palo Alto GlobalProtect.

 

Third-Party Application Deployment Cycle

Windows and macOS endpoints enrolled in Endpoint Management Services receive third-party updates through Patch My PC via Configuration Manager (SCCM / MECM) on Windows and Jamf Pro (Jamf) on macOS.

New third-party patches release on Mondays, Wednesdays, and Fridays. Applications silently update when they are not in use or will prompt the endpoint device user to close the application if necessary. A restart may be required for critical updates to install; notification and deferral will be provided to avoid loss of work.

Update Process - Windows

Private Endpoints (Faculty/Staff)

Application Updates will be automatically and silently installed when applications are closed or will prompt the endpoint device user to close the application if necessary. Endpoint device users may "Snooze" the update notification for up to 5 days in the event they are not able to install the update when prompted.

Prompt with the text "University of Nebraska System requires an update for *ApplicationName*. To ensure files aren't in use during the update, *ApplicationName* needs to be closed. Please save your work and close the application to proceed with the update. You can postpone the update until 2/23/2022. If no action is taken before the timer expires the update for *ApplicationName* will be deferred."

While application updates are being installed, you may receive the following notice. Please wait a few minutes for the update to complete the installation and try opening the application again.

Dialog message with the text "Update in progress... An update is currently being installed on your computer. Please do not try to start 7fm.exe"

 

Installation Deadline

Application Updates are required to be installed within 5 days of being offered. Once this deadline is reached, endpoint device users will receive a notification to close the application within the specified time before the application is automatically closed for updates to occur.

Shared Endpoints (Lab/Classroom/Conference Rooms) or Kiosks (Digital Signage/Walk-up Stations)

Application Updates will be automatically and silently installed during established maintenance windows. Shared endpoint device users will not typically see third-party application patching notifications.

Maintenance Windows

Shared endpoint devices running Windows will have a maintenance window from 10:00 pm to 7:00 am daily by default. An alternate 12:00 am to 6:00 am daily maintenance window is available by request. Third-Party Application Updates will only be installed during this time window unless manually run via Software Center.

 

Update Process - macOS

Third Party updates are applied on a weekly schedule. Application Updates will be automatically and silently installed when applications are closed. If an application is open, users will receive macOS system notifications that application updates are available.

At any time during the week a user can open Self Service to install the application update at a convenient time.

When open applications need to quit for updates to apply, you will see the following notification:

macOS Prompt with the text "The following Applications require an update. Please save your work before continuing."

This prompt will allow you to continue with the following options:

  • Update Now
  • Postpone

After selecting "Update Now", you will be given an additional prompt for applications that need to be closed:

macOS Prompt with the text "Please save your work in the following Applications before they are automatically closed."

While an application is updating, a prompt will stay on-screen until the update is complete:

macOS Prompt with the text "Mozilla Firefox is updating, please wait."

 

When postponing an update, you will receive a prompt with a multiple selection drop-down similar to the following:

macOS Prompt with the text "Please select a deferral period. You won't be notified again until after the deferral expires."