Patch Management at UND


 

Patch Management Statement

UIT is dedicated to fostering a secure computing environment for all individuals utilizing or accessing UND’s IT resources. This encompasses various scenarios, such as individually assigned or shared computers, isolated or networked systems, and those physically situated on campus or utilized by remote employees.

The compromise of any computer within our network poses a potential threat to the entire system and any connected devices. Patch management stands as a fundamental practice aimed at significantly reducing vulnerabilities within an organization’s IT infrastructure. An effective patch management program requires less time and fewer resources than handling an actual security incident.


What is the purpose of Patch Management?

Patch Management ensures that all University-owned devices are patched with the latest security updates. Doing so enhances the security and reliability of computers and networks. Additionally, UND’s patch management process informs the UND community about UIT’s patch management procedures and any changes that will potentially affect the employee’s workflow.


Who does Patch Management impact?

The UIT patch management process is applicable to all members of the UND community, including faculty, staff, students, contractors, delegates, and any other parties utilizing or accessing UND resources, whether on campus (locally) or remotely.  It is important to note that this policy specifically pertains to UND-owned devices only and not personally owned devices.


What devices will Patch Management impact?

This policy applies to all UND-owned devices. This includes servers, endpoints, tablets, and phones. This policy currently applies to Windows and Apple devices. Note that while Linux is not officially supported by UIT, all Linux operators must ensure their devices comply with the policy standards and remain up to date.


When/how often will devices be patched?

Software and system patches will be deployed two times a month on the second and fourth Mondays of every month at 8 am. Critical security updates, however, may be applied as soon as practically possible to mitigate the security risk to the UND community.


There used to be only one patch a month. Why is UIT now pushing two patches a month?

The Cybersecurity team has observed a significant increase in critical vulnerabilities being addressed across all major browsers (Firefox, Chrome, and Edge) and Zoom. In response, they have requested that the patching schedule be adjusted to twice a month.


Will there be any differences between the two patches?

Yes! The first patch (second Monday of the month) will focus on Microsoft Edge, Mozilla Firefox, Google Chrome, and Zoom updates only. A system restart will not be required for this patch, but these applications will need to be closed for this patch to complete successfully. 

The second patch (fourth Monday of the month) will target a larger group of applications with vulnerabilities and will include Microsoft Windows / Office updates. This patch will require a system reboot. 


I am in the middle of a critical project or a meeting and have received a notification that I must update and reboot. I cannot update and reboot right now. What should I do? Can I reboot later?

Yes! If you find yourself in the midst of a critical project or meeting and receive a notification requiring an update and reboot, but cannot do so immediately, you do have the option to defer the update.

Simply click the “defer” button on the notification popup, which will effectively silence the notification for a minimum of 15 minutes. Employees are permitted to defer the patch/reboot up to 10 times.

However, it is important to note that once all deferrals are used, the patches will automatically install, and the computer will need to be rebooted.

UIT encourages employees to reboot their computers at their earliest convenience to prevent potential data loss or disruptions during meetings. This ensures a smooth experience for all involved.


I was in the middle of something and accidentally applied the patch. Will I be given time to finish what I was doing before rebooting?

Yes. Once the patch is applied, you will be given a time limit of 2 hours to reboot your device. This will be displayed in a notification message. You will have the option to “Restart Now” or to “Minimize” the notification. If you minimize the notification, it will reappear (and can no longer be minimized) within 2 minutes of the device restart. Please be sure to save your work.


I am a student here at UND. Am I required to be compliant with this policy?

As a student at UND, your compliance with this policy depends on whether you are using a personally owned device or a UND-owned device. If you are using a personally owned device, your compliance is not mandatory; however, UIT strongly recommends adhering to best practices by using an officially supported operating system. This ensures that you receive the latest feature updates, bug fixes, and security patches, thus enhancing the safety of your computer against potential vulnerabilities.  

For PC users, UIT recommends either Windows 10 or Windows 11, both of which are still supported by Microsoft and regularly receive bug and security patches. Remember that Microsoft will end support for Windows 10 on October 14, 2025; please plan to update to Windows 11 before the end of support. For macOS users, UIT suggests running either macOS 12 (Monterey), 13 (Ventura), or 14 (Sonoma), as Apple continues to provide security updates and bug fixes for these operating systems.

It is important to note that older versions of macOS, specifically macOS Sierra and earlier, do not meet the security standards required for connecting to the campus Wi-Fi.

If you are a student employed by UND and utilize a UND-owned device for work purposes, it is mandatory for the UND-owned system to be compliant with this policy.  


What is a software patch? I am not sure what that is.

A software patch is an update to existing software, typically consisting of code that is inserted (patched) into the codebase of a program after its initial release. These patches serve various purposes, including updating the software, rectifying bugs (errors), installing new hardware drivers, addressing security vulnerabilities, and enhancing stability. Patches are released after the initial launch of the application to improve its performance and address any identified issues. 


I am concerned about potential complications. What steps is UIT taking to reduce the risk?

UIT will be testing all rollouts on our systems prior to releasing them to the rest of the campus. If any issues arise during testing, UIT will postpone the rollout until those issues are resolved.


Will UIT provide the UND campus reminders about upcoming patches?

Yes! We will announce upcoming patches to the UND campus through an email announcement.

In the event of a zero-day exploit (i.e., a security vulnerability that is actively being exploited), UIT will take immediate action, deploy the required patch, and promptly issue a campus-wide notification.


I am hesitant to patch my UND-owned device. Whenever I install security patches, I encounter issues, and my computer’s performance suffers.

To ensure a secure computing environment for all campus users, UIT requires that all systems remain up to date with the latest security and system patches. Failure to comply with this requirement jeopardizes the security of UND systems and may result in the device being disconnected from the network.

If past experiences with patch installations have caused problems for your device, UIT advises submitting a support ticket. Our team can then assist with troubleshooting or potentially re-imaging the device to resolve any issues effectively.


You have referred to IT Resources multiple times. Could you elaborate on what falls under this category?

IT resources encompass a wide range of assets critical to our operations, including but not limited to endpoints, servers, networking equipment, communication equipment, applications, hardware and software systems, data and databases, physical facilities, services provided by cloud-based vendors, software as a service offerings, and any related materials and services essential for supporting our technological environment.


What will the patch software look like? Do you have any examples?

Yes. Sample images are included below of what users will experience. Users across campus will experience one of the first two images listed below. The first image will be encountered if the patching software does not find any open software programs that are going to be patched.

In the second image, the software found that Google Chrome is open and needs to be closed before the patch can continue.

These notifications indicate which software is going to be patched (or removed) and note the number of deferrals the user has remaining. In this case the notification indicates there are 3 deferrals remaining.

Both notifications offer the option to “Defer,” along with either “Continue” or “Close Programs.”

Once the user clicks “Continue” or “Close Programs,” the patching software will begin software patching and any software removal that may be required. Users will be notified of the software patching progress by the notification window below. The software will provide each user with updates on where it is in the patching/removal process.

Once the patching software is complete, users will receive a popup warning asking to restart the computer. Users may minimize this window to continue working. Keep in mind that the window will return 2 minutes before a computer restart is forced. The window cannot be minimized at that time. You can also restart your computer at any time by clicking the “Restart Now” button. UIT strongly recommends that the computer be restarted at the soonest available time to prevent an inconvenient restart during a meeting or while working on a project.


Apple Application Patching


I understand that macOS devices are now being included in the monthly application patching process. Can you provide examples of what this looks like?

Certainly. When the software runs, it will begin analyzing all the software that is installed in the Applications folder within macOS. After compiling a list, it will compare installed versions against the latest versions of the software that are available for download. When the application is scanning your device, you will see a window that will look like this. Continue to let it scan until it finishes locating all software installed on your device.

Once the application finishes scanning, it will provide you with a list of all applications that will require updating. Of note, you will be allowed up to 10 deferrals and there will be a 2 hr 5 minute timer enforced. If you are away from your computer when the timer expires, it will automatically defer if you have deferrals remaining. UIT encourages our employees to update all applications first thing in the morning when the patch is pushed to avoid running out of deferrals later in the day. In the image below you will notice that App Auto-Patch located 11 applications that require updates. There are 2 deferrals remaining and 4 minutes 37 seconds remaining in the timer to either Defer or Continue with the application updates.

Once you are ready to update all outdated applications, click Continue. App Auto-Patch will begin installing the latest versions. As you can see in the image, App Auto-Patch has successfully updated both Google Chrome and Grammarly Desktop to the latest versions and is currently updating KeyAccess. In testing, if App Auto-Patch fails to install an update it should skip the application and move to the next in the list. When all applications have been installed you can click Done to complete the process.

During the application update process, if App Auto-Patch detects that an application it needs to update is open, it will ask you to Quit and Update. Please save your work and click on Quit and Update. 

Once all applications have been updated, the Update Progress screen should look like the image below. You will notice that it says "Updates Complete" and the Done button is now colored blue and is clickable. Click Done to finish. 

**Note: If an application fails to update, it will say "error" (instead of the green check mark), and the expected behavior is to move to the next application and begin updating that one.**


I enjoy keeping my applications up to date and typically do so once a week. I appreciate that this application updates everything at once. Is it possible to make it available in the UND Software Center?

Yes! UIT encourages systems and applications to stay current with the latest software versions. We've made the "App Auto Patch" application available in the UND Software Center. To access it:

  1. Open UND Software Center
  2. Click Browse > App / MacOS Patching
  3. Locate the "App Auto Patch" application and click the Update button. 

Running this app regularly will help reduce the time required for the monthly patch updates on patch Monday. 


macOS Patching


I understand UIT is now implementing system updates for macOS. Can you clarify the update process?

UIT will include macOS updates as part of the regular patching schedule on the fourth Monday of each month, alongside Windows/Office updates and other application patches. Here's what you can expect during the update process.  

  1. Update Detection and Downloading
    When the process begins, your Mac will contact Apple servers to check if the system is up to date. If your Mac is outdated, it will start downloading the latest available update (whether major, minor, or a patch) in the background. The download may take anywhere from 10 minutes to an hour, depending on the type and size of the update, as well as network speeds and Apple's server traffic. You can continue to use your Mac during this time.
  2. Update Notification
    Once the update has downloaded, you'll receive a prompt to restart your Mac and install the update. This prompt will appear as a pop-up window indicating that a restart is required. You will have the option to defer the restart up to 10 times within a 2-hour 5-minute window. The timer counts down in the window, and the prompt cannot be minimized, but it can be moved off to the side.
    • If the timer runs out or if all deferrals are used, the Mac will automatically restart to apply the update. 
  3. After deferrals are exhausted, you must restart your Mac to complete the update. 

Can you provide pictures of what the process will look like on macOS?

The update will begin quietly downloading in the background. If you do happen to open up Software Update on the fourth Monday of the month you can track the process within System Settings. Go to System Settings > General > Software Update, where you'll see a progress bar indicating the download status. The download time will depend on various factors, including the update size, internet speed, and server load. You can still use your Mac while the download is in progress. 
 

When the download is complete, you'll receive a pop-up notification like the one below. It will show the available update (e.g., macOS Sequoia 15.1.1), and you will be given the option to either:

  • Click "Restart Now" to apply the update immediately, or
  • Defer the restart by clicking the blue defer button. The number of remaining deferrals will be displayed. 

You can also choose to manually initiate the update at any time by navigating to System Settings > General > Software Update and clicking the "Upgrade Now" button. 


The update has finished downloading. I now have the option to Upgrade Now/Restart. How long will the OS update take to install?

The installation time depends on the type of update:

  • Minor or Patch updates generally take between 10-15 minutes
  • Major updates (e.g., upgrading from macOS 14 to macOS 15) may take anywhere from 30 minutes to 2 hours, depending on your Mac's hardware. Older systems may experience longer installation times. 

What if my Mac is too old to run macOS 15 (Sequoia)?

If your Mac is unable to run the latest version of macOS, it will check with Apple servers to determine the most recent version it can support. For example, if your Mac can only run macOS 13.7.2, it will be updated to that version instead of macOS 15. 


Which macOS versions are currently supported by Apple? 

Apple supports the following macOS versions:

  • macOS 15 (Sequoia)
  • macOS 14 (Sonoma)
  • macOS 13 (Ventura)

Apple dropped support for macOS 12 (Monterey) in September of 2024. 


I have other questions on the patching policy that are not listed. Who can I speak with?

Please open a chat with UIT (UIT Chat Support) and speak with a member of the service desk about your concern. They can create a ticket and route it to the appropriate team if they are unable to answer your concern adequately.

Alternatively, you can submit a ticket to UIT detailing your concern. This can be done here: Report an Issue with UND Provided Computers and Devices.

 
