Implementing Ivanti Patch for SCCM (Part 1): Introduction, Planning and Installation
Implementing Ivanti Patch for SCCM (Part 2): WSUS Code Signing Certificate
Implementing Ivanti Patch for SCCM (Part 3): Ivanti Settings
Implementing Ivanti Patch for SCCM (Part 4): Publishing a Third-Party Update
Implementing Ivanti Patch for SCCM (Part 5): End-to-end Demonstration
In Part 3 of this guide we will go through each tab in the Ivanti settings window to get everything configured as needed. Open the SCCM console and go to Software Library > Software Updates > Ivanti Patch. The Settings Window may appear on its own, but if it does not, click on Settings in the ribbon to open it.
Ivanti Patch for SCCM works in two modes: user mode and shared mode. As explained by Ivanti in the Shared Settings tab, by default all settings and scheduled tasks created within Ivanti are unique per user per machine. This means they will only appear for the administrator who created them, on the machine they created them on. Not ideal for larger companies with many administrators! Thankfully, Ivanti also allows settings to be stored in a database, and as long as every administrator configures Shared Settings and selects the same database, they will all see the same view.
I will assume you want to use Shared Settings. So, tick Shared Settings and select a SQL database to store the settings in. I just use the SCCM database – Ivanti simply adds a new table and it does not interfere with SCCM. If you do not wish to do that, you can simply create a new database on the same SQL instance that runs the SCCM database. Click Test server connection to ensure the connection can be made.
Click Save connection and Ivanti will begin to create the new table. You will get a message asking you to confirm that it is okay for Ivanti to update the database. Click Update.
After a moment you should get a message informing you the database was successfully updated.
Click OK and read and confirm the next notice informing you that certain settings should be re-verified (we’ll be doing this as we continue through the Ivanti settings).
The majority of the work here has already been done in Part 2. However, you should make sure that the WSUS server hostname and port are still set (click Test connection to make sure that it's still working) and double check that the certificate details are what you expect. One final thing worth doing is setting a timestamp server. The advantage of signing the updates with a timestamp is that even after the certificate expires, updates signed by it while it was valid will continue to be trusted. If the timestamp server is not set, once the certificate expires, everything signed by it will no longer be trusted.
You can use any number of freely available timestamp servers that can be found online. I use the one provided by DigiCert, which is http://timestamp.digicert.com. Enter this (or any other of your choosing) and click Test. After a moment you should get a message informing you that it is a valid RFC 3161 timestamp server.
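To confirm later that signed files really carry a timestamp, the following PowerShell function reports the signer, its expiry date and whether a timestamp countersignature is present. It is an added example, not part of the original guide or of Ivanti's tooling; the function name `Get-SignatureTimestampReport`, its parameters and the folder path in the usage comment are assumptions for illustration.

```powershell
# Added example: audit Authenticode-signed files for a timestamp countersignature.
# Get-AuthenticodeSignature exposes the countersigner as TimeStamperCertificate;
# it is $null when the file was signed without a timestamp server.
function Get-SignatureTimestampReport {
    [CmdletBinding()]
    param(
        # Folder of signed files to audit (hypothetical: supply your own path).
        [Parameter(Mandatory)][string]$Path,
        # File types to inspect (assumed defaults, adjust as needed).
        [string[]]$Include = @('*.cab', '*.exe', '*.msi', '*.msp'),
        # Flag untimestamped files whose signer certificate expires within this many days.
        [int]$WarnDays = 90
    )

    $cutoff = (Get-Date).AddDays($WarnDays)

    Get-ChildItem -Path $Path -Recurse -File -Include $Include | ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer  = $sig.SignerCertificate
        $stamped = $null -ne $sig.TimeStamperCertificate

        # Classify what happens to this file once the signing certificate expires.
        $assessment = if (-not $signer) {
            'Unsigned'
        } elseif ($stamped) {
            'Timestamped: remains trusted after the certificate expires'
        } elseif ($signer.NotAfter -lt $cutoff) {
            'No timestamp: certificate expired or expiring soon'
        } else {
            'No timestamp: trust ends when the certificate expires'
        }

        [pscustomobject]@{
            File          = $_.Name
            Status        = $sig.Status   # NotTrusted here means this machine does not trust the signer
            Signer        = if ($signer) { $signer.Subject } else { $null }
            SignerExpires = if ($signer) { $signer.NotAfter } else { $null }
            Timestamped   = $stamped
            Assessment    = $assessment
        }
    }
}

# Usage (placeholder path, replace with a folder containing your signed updates):
# Get-SignatureTimestampReport -Path 'D:\Placeholder\SignedUpdates' |
#     Sort-Object Timestamped | Format-Table -AutoSize
```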
You may have already been to this tab to configure a proxy, as you may not have been able to complete previous parts of this guide without giving Ivanti access to the internet! By default, Ivanti will use the same proxy settings that are configured in Internet Explorer. If your proxy requires authenticated access, tick Use proxy and enter the username and password required for access.
If you are not certain about needing a proxy, Ivanti offers a quick test to see if it can access the internet. Click Do I need proxy information? and Ivanti will test and let you know.
Click Enter / refresh license key. If you have already purchased your license, make sure that activation mode is set to Product license, and copy and paste your activation key into the field, and then click Add. In the activation method section select Online and click Activate online now (configure a proxy if that is needed to reach the internet).
If you are testing this product you can select Trial mode as the activation mode, and then click Activate online now (configure a proxy if that is needed to reach the internet). After a moment a green tick should appear informing you that the activation has completed successfully.
You will get 2 months from now to test Ivanti Patch for SCCM. You can test with up to 50 clients and can patch up to 5 products.
Like WSUS, Ivanti offers some updates in multiple languages. You can choose to either download updates in all available languages, use the same languages that are configured in WSUS, or select which languages you want. I think it makes the most sense to use the same languages that you use in WSUS.
Catalogs are the list of updates that are available from a provider. By default, the Ivanti catalog will be ticked as active, as this is part of what you are paying for with Ivanti. You can optionally search online for additional catalogs to add if you wish, however most of these are not free. For now, let’s just stick with the Ivanti catalog, so no changes need to be made in this tab.
Now you can verify that everything you have configured is working. Click on Launch Configuration Checker and check that the WSUS server name and port are correct. Make sure your user account is entered correctly and enter your password. If a username and password are required to access the internet through the proxy, tick Use proxy and enter the username and password.
With that all set, click Start! All going well, you will see every test pass. If some do not, correct whatever is wrong and re-run the test.
Nothing to configure in here, but the Finish button lights up when you click on this tab. Click Finish to save all your configuration and close the settings window.
Tune in for Part 4 where the fun stuff finally begins. We will create a service account that will be used by Ivanti to publish updates on a schedule and publish the first third-party update into WSUS and SCCM.