Patch Management Solutions

Helping a client who wants a Patch Management system for any version of Microsoft and some Mac. They want to empower the users to apply the patches. Not saying I agree with the approach, but looking for a solid product. I have been told Tanium or Big Fix, but any thoughts?


You might want to take a look at Puppet, I’m not terribly well versed in Puppet but my understanding is it will support both Windows and OSX from a configuration and patch management perspective.

Again, devops is not my personal area of expertise but you might also look at Chef, Ansible, and Salt Stack as well.

@mike.mitchell or @mike_dunn might have some additional guidance.

While I do not have any experience with Tanium or Big Fix, I have looked at brief descriptions of the functionality that they provide, and they may indeed be the best solution for your client. There are more traditional configuration management systems that are more commonly used, but they do not have the same focus on visibility into the server’s lifecycle. Other configuration tools will meet your client’s stated goal, however they will not have the other tools such as SIEM installed natively.

If you do not go a route like Tanium, choosing the best tooling will depend on the type of environment that these systems are in. Is your client running Windows systems that are configured to a domain? If so, using System Center Configuration Manager (SCCM) you can set Group Policies that allow users to install updates on their own. This will be the most well-supported and robust solution if the systems are tied into a domain. Unfortunately SCCM cannot provide the management solution needed for Mac devices.

At this time there are no fully developed, native config management tools provided by Apple; however, there is a rather solid third-party product called JAMF that can be used to set policies similar to what can be done in Windows systems with SCCM. Tools like the JAMF Casper suite are quite commonly used in large enterprises, and as such have a rather decent feedback cycle, and their product has been quite reliable where I have seen it implemented. A downside to JAMF is that it is not a free product.

If the overhead of running enterprise-scale domain tools is too much work, one of the more popular platform-agnostic configuration tools such as Puppet and Chef may provide a workable solution. They both use the native PowerShell DSC to provide resources that are applied to target systems, ensuring and validating their state with each check-in. With this you can manage patch policies and the expected configuration for each machine. The caveat to this approach is that each system will need to have a Puppet or Chef agent installed that can reach a centrally managed server for updates.

While tools like Puppet and Chef are fully supported in Windows and Mac OS environments, the methods of configuring systems use patterns that are less native to these respective ecosystems. Configuration management tools such as Puppet and Chef thrive much more in Linux environments. While these tools will get the job done, it will require development time to produce the configurations needed for Windows and Mac.

In my opinion, managing the lifecycle of a system is more robust with SCCM and JAMF, although it requires a larger infrastructural overhead. The approach will depend on the needs of your client, but a diversity of tools certainly exists that can help you get the job done.
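The answer above says that Puppet and Chef lean on PowerShell DSC to push a desired state to Windows machines and re-validate it on every check-in. The following is an added example, not code from the poster or from any of the products named in the thread, of what such a DSC configuration looks like when it encodes the "let users apply the patches" policy: it sets the Windows Update policy values under `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU` so that updates are downloaded automatically but installation is left to the user (`AUOptions` = 3), then checks for drift with `Test-DscConfiguration`. The configuration name, the `Mof` output path and the `Test-PatchPolicyDrift` helper are assumptions for this example; the registry keys, the built-in `Registry` resource and the DSC cmdlets are standard Windows components. It is the same policy an SCCM-managed domain would normally deliver through Group Policy; in a Puppet or Chef deployment the agent would invoke this kind of resource on each run.

```powershell
# Added example: DSC configuration expressing a user-initiated patch policy.
# Requires an elevated PowerShell session on the target Windows machine.

Configuration UserInitiatedPatching {
    param(
        [string[]]$NodeName = 'localhost'
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {
        $auKey = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

        # Keep Automatic Updates switched on; 1 would disable it entirely.
        Registry 'AutomaticUpdatesEnabled' {
            Key       = $auKey
            ValueName = 'NoAutoUpdate'
            ValueType = 'Dword'
            ValueData = '0'
            Ensure    = 'Present'
        }

        # AUOptions 3 = auto-download, notify the user to install.
        # (2 = notify before download, 4 = auto-download and scheduled install,
        #  5 = let the local admin choose the setting.)
        Registry 'UserChoosesInstallTime' {
            Key       = $auKey
            ValueName = 'AUOptions'
            ValueType = 'Dword'
            ValueData = '3'
            Ensure    = 'Present'
        }
    }
}

# Compile the configuration to a MOF document and apply it.
# Every subsequent LCM consistency check re-asserts these values.
UserInitiatedPatching -OutputPath '.\Mof'
Start-DscConfiguration -Path '.\Mof' -Wait -Verbose

# Assumed helper for operations: report whether the node has drifted from
# the applied policy (for example, a local admin flipped NoAutoUpdate to 1).
function Test-PatchPolicyDrift {
    $result = Test-DscConfiguration -Detailed
    if (-not $result.InDesiredState) {
        foreach ($r in $result.ResourcesNotInDesiredState) {
            Write-Warning "Drift detected in resource: $($r.ResourceId)"
        }
    }
    return $result.InDesiredState
}

Test-PatchPolicyDrift
```

`Test-DscConfiguration -Detailed` is the piece that gives the "validating their state with each check-in" behaviour the answer refers to: run it from the agent (or a scheduled task) and alert on `$false`, because a silently changed `NoAutoUpdate` is exactly the kind of drift that leaves a user-driven patching model with unpatched machines.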