Hassle-free Patch Management

The Marshall University Information Technology team is happy to announce the arrival of a new client computer service. Updating vulnerable software is an important, but tedious part, of computer ownership. We all share in the responsibility to ensure that our campus is a secure, safe and productive environment for research, instruction and learning. Identifying and updating vulnerable software is a part of this security process; and we feel most will appreciate the ability to automate the process of detecting and deploying critically-needed computer security updates.

Most computer users are aware of the importance of keeping their computers up-to-date to protect against software security vulnerabilities. Microsoft Update and Apple Update are common methods used notify an individual that their computer needs one or more updates to fix software vulnerabilities. What you may not be aware of is this: there are many other software applications and utilities installed on your computer which do not receive auto-updates from the Microsoft or Apple Update process. These applications such as Adobe Acrobat®, Adobe Flash®, Java®, and Apple QuickTime® are commonly found on your computer and frequently need updates because of security vulnerabilities.

The Marshall University Office of Information Technology understands that detecting and patching these software apps can be a tedious and time-consuming process for a computer user.  We also expect that you have many tasks – both important and enjoyable – which you would rather do besides deal with software updates. This usually means that patch updates are a task left for another time, or to be taken care of by someone else.

Introducing the KBOX Client

Marshall University has licensed a system to automate and expedite the process of software updates. This system is called the KACE K1000 Management Appliance (or KBOX for short) by Dell/KACE®. University-owned computers will have a small software client pre-installed as part of the default software image.

The KBOX Client software client will periodically remind the computer user when critical software updates are needed and ask for permission before downloading and installing those updates.

If you are in the middle of an important task and do not wish to be interrupted, you may click the ‘Snooze’ or ‘Cancel’ buttons.

Snooze works similar to an alarm clock; it gives you just a little more time to finish a task, and then KBOX Alert will pop-up again in 30 minutes, to remind you that critical patches are needed.

Cancel will clear the KBOX Alert for the day. You will be reminded during the next scheduled run – generally the next day – that critical updates are needed.

Restarting Your Computer

Some critical updates require that your computer be rebooted in order to complete their installation. In those cases, you will receive another KBOX Alert  which will notify you that while the patch is installed, a reboot is needed to complete its installation. When you click ‘YES’, the KBOX client will reboot your computer. You can click ‘No’ if rebooting would interrupt an important task and you will be reminded in 30 minutes. This is similar to ‘snooze’.

The KBOX Client will not reboot the computer until you click ‘Yes’.

IMPORTANT: You should save your work and close any open application or browser windows BEFORE you click ‘OK’.

 Frequently Asked Questions (FAQ)

What Is The KBOX Client Updating?
The KBOX Alert will notify you of two types of updates: 1) Critical Operating System (Windows or Mac) Updates; and 2) Critical Application Updates (i.e. Acrobat, Flash, Java, QuickTime, etc.).

Why Do I See The KBOX Client Pop-Up Again So Quickly?
When your computer first becomes enrolled in the patch management process, there may be quite a number of updates which need to be applied. As a result, do not be surprised if you see the KBOX Alert pop-up several times on that first day. This is normal as some patches require a reboot and some patches need to be applied prior (as a prerequisite) to other patches.

Once your computer has installed all the necessary critical updates, then you should not receive any further alerts until the next time a new security update is released.

Can I Still Apply Patches Myself?
Yes. The KACE client does not prevent you from applying patches yourself. However, if you do not apply these updates prior to receiving a KACE Alert, KACE will download and install the update for you.

Will KACE Updates Automatically Reboot My Computer (without my permission)?
No. For computers assigned to faculty and staff, the KACE client is configured to not begin the patch download/update process without your approval. If you do not click ‘YES’, then no updates will be applied. You should save all your open documents and close any open application or browser windows prior to clicking ‘YES’. For certain types of shared-use computers (i.e. computer labs), KACE can be configured to automatically apply updates without user intervention (i.e. after hours or during the next power cycle).

Will KACE Security Patches Upgrade My Applications to New Versions?
No. Security updates and application upgrades are separate processes. For example, KACE may apply a security update to your Microsoft Internet Explorer (IE) browser to take you from version 7.00 to 7.01 – or upgrade Adobe Acrobat Professional from version to; but it will not automatically upgrade you from major versions – IE 7.01 to IE 9.0 or Acrobat 8.x to 10.x. NOTE: In cases where a major application upgrade is needed – e.g. to address major security issues or to support institutional application compatibility – a separate campus upgrade notification will be sent.

What If I Have Mission-Critical Applications Which Are Sensitive to Patch Updates?
The KACE Management system provides a great deal of flexibility and does not force us to use a ‘one-size-fits-all’ approach. If you have mission-critical applications (for the institution, department, or yourself) which you believe will not respond well to an automatic update process, please contact the IT Service Desk and open a support request. The IT Service Desk will work with you either a) address the application sensitivity, or b) provide a ‘smart label’ which will include your computer in a patch exception group.

What Types of Information Does the KACE Client Collect?
The KACE Management system assists in the collection of the following types of information for University-owned computers. (Note: The KBOX client is NOT licensed for use on personally-owned computers.):

  • Computer Hardware Inventory
    • Make, model, serial/service tag number
    • Physical specifications such CPU, RAM memory, Hard disk size
    • Network configuration such as Ethernet MAC address, IP address
    • Computer Software Inventory
      • Operating system version and patch level
      • Install programs and versions as listed in ‘Add/Remove Programs’
      • Software license compliance (i.e. metering for per-seat and concurrent-use license agreements)
      • Computer Security Inventory
        • Last logged on user
        • Security patches applied/missing
        • Change management information (i.e. dates/times when hardware/software changes were reported by the KACE client).