VIPRE Cloud provides flexibility over the deployment of agent software updates, whether you want them automatically deployed to all of your endpoints, or prefer full manual control. In this article, we show you the options available and how to select the right amount of control for your needs.
As a VIPRE Cloud administrator, you are responsible for ensuring the best possible security posture of your business. By confirming that you are using the latest VIPRE agent software on all your devices, you know they're protected by the most current and robust defense VIPRE offers.
What are agent software updates?
Agent software updates are packages pushed to each of your endpoint devices. An agent software update can range from a few patches to a full version release with new functionality. VIPRE Security releases agent software updates as needed, from every few months to a few times a year.
Agent software updates are different from definition updates. Definitions are used by the VIPRE agent to identify and remediate malware and are therefore automatically updated multiple times per day.
Unlike definition updates, software updates can be gated by VIPRE Cloud prior to pushing out to your endpoint devices. This gating process gives you the ability to review the agent update that is available and either a) immediately approve for production, or b) try in a test environment first and then approve for production.
Production and Test environments
We understand that administrators often prefer to test software updates in a secluded environment before deploying the changes to their production devices. The VIPRE Cloud agent software update process is built around this potential need for a Test environment vs. Production environment.
The agent software update process (shown in the diagram below) is:
- Current agent software (e.g. v1.0) exists on your production devices
- An agent software update (e.g. v1.1) is released
- You can choose to either
  - Test the new version by deploying it to your Test environment, or
  - Skip the test process
- At your convenience, you can then approve the new version. Production devices that are told to update will update to this new version.
Test before Approving for Production
As a best practice, you should test new software (including updates) on a group of devices that represent a cross-functional sampling of devices used in your production environment. When assembling a test group, consider hardware types and features, as well as the software and web sites your users access in their day-to-day activities.
The actual testing method of your devices is up to you. Generally, we recommend you perform enough activity on your various test devices to ensure you are confident with the end results. When you are satisfied the test period is complete, you can then approve the agent for use in production.
Split Test and Production Devices by Policy
Use policies to separate your production devices from your test devices to try out potentially disruptive changes in a non-production environment. Using a test policy to contain your test devices also enables you to easily test-deploy brand new VIPRE agent releases to this group.
A policy is simply a collection of settings that are applied to a group — one or more devices.
Generally, customers have separate policies for servers, workstations or laptops, and even for subgroups, like "Accounting laptops" or "Admin support machines". You can create policies for any group of devices that you like, and the devices belonging to that policy are all affected by that policy's settings.
Refer to Related Articles for more information on policies.
We recommend you leverage this policy-based approach to segment production devices from test devices. By creating a new policy (or policies) to affect only test devices, you have quickly isolated these machines as your test group.
By creating a test policy, changes applied to this policy affect only those devices — keeping your test activity apart from your day-to-day work (production) machines.
Therefore, at any time, you can have all of your production policies as well as one (or more) test policies:
- Production policies - Your policies for your production machines. All of your 'normal' policies fall under this category. These policies use the production-approved version of the VIPRE agent — the latest version of the agent which you have approved, or auto-approved.
- Test policies - A distinct set of test devices, isolated from production. You can deploy updated versions of the VIPRE agent to your test policies before you approve them for production.
In the adjacent visual example, all of our devices are grouped into a few different policies: Production (A, B, C) and Test.
Policy A contains some servers. Policies B and C are groups of workstations and laptops. Our Test Policy contains our test devices (a server, two workstations, and a laptop) that are not part of our production set.
How new Agent Software gets to Devices
The agent update process can be thought of in two parts:
- VIPRE Security releases a new agent update. Admins choose whether to manually approve (and potentially test) the new software, or auto-approve it for use in production.
- The approved agent is deployed to devices. Any policies which are set to auto-update will deploy the new agent to their end devices. Otherwise, admins may manually deploy the update to devices.
The first step in the new agent software update is determining if you wish to manually approve updates, or have VIPRE automatically approve them for production.
Manually Approve
Choosing to manually approve each VIPRE agent software update is a method of forcing a stop (or gate) in the process. This can be used to enable the option to fully test agent software updates before they are deployed to your endpoint devices.
The Update Agent system setting determines whether new updates are automatically pushed to production or held for clearance by an admin.
If you choose to gate software updates - using the notify option - VIPRE Cloud displays a notification on the Deploy agents page each time an agent software update is available.
Automatically Approve
To skip the notification and approval process, use the auto-approve option. This tells VIPRE Cloud to go ahead and make a software update available immediately.
Controlling agent software updates to devices
The auto approve setting, in Update Agent, is combined with the policy-setting Automatically update VIPRE agent software to control whether updates are immediately pushed to all, some, or none of your agents.
Once new agent software is approved (either manually or automatically), the settings in each policy determine when that policy will push (or deploy) the update to its devices. Policies set to "auto-update" their agents will deploy the new software to each device as soon as possible. Policies NOT set to auto-update will need a manual deployment in order for their devices to receive the new software.
How to set the options for the right amount of control
There are two sets of options that work together to control the amount of automation used to deploy agent software updates to your endpoints.
- The option Auto approve or Notify first (manual approval) is set in System > Settings > Update Agent.
- The option to control the deployment of automatic updates to all, some, or none of your agents is set in Policy > Agent > Updates & Communication.
Refer to the table below to check which settings you should use.
Goal | Description | How to accomplish |
---|---|---|
Automatic approval and deployment | No control over timing of deployment. | Repeat step 2 for each policy. |
Automatic approval, combination of automatic and manual deployment | Partial control - immediate and manual deployment, based on policy. You want all VIPRE agent software updates to be automatically approved. You have some policies where auto-deploying the new agent to your devices is acceptable, but prefer to manually deploy the new agent to others. | Repeat steps 2a/2b for each policy. |
Automatic approval, manual deployment | Greater control - all manual deployment. You want all VIPRE agent software updates to be automatically approved. You do not want any devices to have the new agent auto-deployed to them. You will choose when to manually deploy the new agent to all of your devices. | Repeat step 2 for each policy. |
Manual approval, automatic deployment | Less control - immediate deployment after manual approval. You want to manually approve and potentially test every VIPRE agent software update. Once approved, all of your devices may have the new agent automatically deployed to them. | Repeat step 2 for each policy. |
Manual approval, combination of automatic and manual deployment | Partial control - immediate and manual deployment, based on policy. You want to manually approve and potentially test every VIPRE agent software update. You have some policies where auto-deploying the new agent to your devices is acceptable, but prefer to manually deploy the new agent to others. | Repeat steps 2a/2b for each policy. |
Manual approval & deployment | Full control - manual deployment after manual approval. You want to manually approve and potentially test every VIPRE agent software update. You do not want any devices to have the new agent auto-deployed to them. You will choose when to manually deploy the new agent to all of your devices. | Repeat step 2 for each policy. |
Troubleshooting
I received an email notification for a new agent. Where is the approval button?
Note - Coming Soon! The email notification for software agent updates will be coming soon! Until then, you can find the notification on the Deploy agents screen.
The Deploy Agents screen shows there is a new agent available and that action is required.
When there is an agent software update, VIPRE Cloud gives you two options:
- Try on devices - enables pushing the new software version to test devices
- Approve Version - accepts the software for use in your production environment
You may also select Download Agent Installer, which saves a copy of the latest version of the agent install package. This is intended for advanced manual testing.
How can I check which devices are running which agent versions?
There are a few ways to look at a list of the agent software versions you have distributed across your devices:
- Check the AGENT VERSION SPREAD section of the Dashboard
- Look at the Devices screen or Device Registrations Report. You can sort your agents by version
I've approved the latest agent software update, but my devices are on an old version. What should I do?
- Check if your policies are set for auto-update
- Check the status of the outdated devices to see if they have deferred work pending
- For manual deployment, you can have a device update its agent software in a few ways:
  - Schedule updates for the devices on the old versions
  - Manually push out the updates for each device
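The troubleshooting checks above can be applied to a whole device inventory at once. The following is an added example, not VIPRE code: it assumes a CSV export with hypothetical column names (device, policy, agent_version) and a hand-maintained record of each policy's auto-update setting, and sorts outdated devices into those whose policy should already have updated them and those that need a manual deployment.

```python
import csv
import io

# Constructed sample export; the column names are assumptions, not VIPRE's report schema.
SAMPLE_CSV = """device,policy,agent_version
SRV-01,Policy A,1.1.0
WKS-07,Policy B,1.0.3
LAP-12,Policy C,1.0.3
LAP-13,Policy C,1.1.0
TST-01,Test,1.2.0
"""

# Hypothetical record of each policy's "Automatically update VIPRE agent software" setting.
POLICY_AUTO_UPDATE = {"Policy A": True, "Policy B": True, "Policy C": False, "Test": False}


def parse_version(text):
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def triage(csv_text, approved_version, policy_auto_update):
    """Return {device: finding} for every device in the inventory."""
    approved = parse_version(approved_version)
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        installed = parse_version(row["agent_version"])
        auto = policy_auto_update.get(row["policy"])
        if installed == approved:
            finding = "current"
        elif installed > approved:
            # Newer than the approved version: expected only on test-policy devices.
            finding = "ahead-of-approved"
        elif auto is None:
            finding = "unknown-policy"
        elif auto:
            # The policy should have deployed this already; check for deferred work.
            finding = "stale-check-deferred-work"
        else:
            # Policy is not set to auto-update; schedule or push the update manually.
            finding = "stale-needs-manual-deploy"
        findings[row["device"]] = finding
    return findings


if __name__ == "__main__":
    for device, finding in triage(SAMPLE_CSV, "1.1.0", POLICY_AUTO_UPDATE).items():
        print(f"{device:8} {finding}")
```

A device reported as ahead-of-approved outside your test policies is worth investigating, since only test devices should receive a version before it is approved.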