IBM Tivoli Turns Patch Management Headaches into Faint Memories


Tivoli Beat - A weekly IBM service management perspective.

With the recent release of IBM Tivoli Endpoint Manager (TEM), IBM redefined best-in-class endpoint management for enterprise-class organizations. And of this solution family's powerful feature set, the extensive patch management capabilities will be particularly welcome.

It's no exaggeration to say IT administrators today consider endpoint patch management a major headache. Given an infrastructure with tens of thousands of end-user devices, keeping them up to date with the latest patches is essential—but also often seems essentially impossible.

Multiply the number of operating systems by the number of applications and drivers, then by the number of endpoints: the product is the number of things that can need patching, and it is the size of the patch management challenge.

And as new vulnerabilities continue to be discovered, new patches continue to be released, and security mandates and government regulations both demand compliance, that challenge only becomes more and more daunting over time.

Complete insight into, and control over, every endpoint

Thankfully, TEM for Patch Management can resolve exactly these issues (and many more besides). It delivers a single point of control via which IT managers can easily ensure the right patches are installed on the right endpoints in a timely, prioritized, resource-optimized, and largely automated fashion.

As with all TEM-family solutions, the exceptionally intelligent TEM endpoint agent plays a key role. This agent (there is only one) supports the full range of platforms—both hardware and OS—likely to be deployed in the organization, from Windows to Mac OS to various flavors of UNIX and Linux.

And once installed, the agent decentralizes the work involved in patch management—a tremendous optimization. Instead of an overburdened server or a harried IT manager having to track which software requires patching on which machines, the TEM agent does so automatically, using the endpoint's own resources.

That information substantially accelerates the installation and deployment process. It means, among other things, that patches can be installed in a custom fashion—based on the specific context and needs of every endpoint. If a given patch isn't needed, it isn't migrated across the network and it isn't installed.

This significantly reduces both the time and the resources required when compared to installation processes based on much larger, much more generic patch collections. It makes patch deployment more accurate, and endpoints more secure. It also simplifies compliance because the window of potential compliance failure has been shortened.

TEM addresses the complete patch management lifecycle

Unlike competing solutions, TEM for Patch Management provides a complete range of capabilities to address every point in the patch management lifecycle via a closed loop. Each iteration of the loop feeds information into the next—a better outcome through better execution.


Research

This first stage is the process of keeping track of new patches and deciding which are needed, a time-consuming drain on resources for most organizations. Those with TEM for Patch Management, though, will find this stage is significantly easier and faster because IBM continually does much of the work.

As new patches are released from major vendors, IBM discovers and tests them, then distributes IBM Fixlet messages to TEM clients over the Internet. These messages are policy packages; they include everything TEM and TEM managers need to know, such as patch dependencies, applicable systems, and severity level.

Armed with this insight, it's much easier for managers to decide whether a given patch is needed, what's involved in deploying it, and what its priority should be—the ideal outcome of good research.


Assessment

If a patch should be deployed, which endpoints should get it? Tens of thousands of endpoints are possible candidates; assessment is obviously needed, but typically no easy feat.

Here, too, TEM for Patch Management offers tremendous value because the TEM agent continually keeps IT completely apprised of endpoint status and configuration. This is exactly the information needed to determine suitable deployment targets—all but solving the assessment challenge before it happens.

Furthermore, the agent can even compare endpoint-specific data against policies specifying mandatory patch levels. This makes TEM a particularly good solution for extremely high-priority patches delivered outside regular vendor release schedules—the kind of patches that require an unusually rapid response to fend off a potentially devastating business impact.


Remediation

Actually installing the patch is, of course, a critical step. It's also a step that can create unwanted problems. IT must avoid, for instance, overwhelming network capacity, installing inappropriate patches, or inadvertently skipping certain endpoints (such as those not running Windows or not currently on a high-bandwidth network).

With TEM for Patch Management, those issues essentially disappear. IBM Fixlets include distribution data; this, combined with TEM agent-delivered endpoint information, makes it simple to ensure all the endpoints in need of a patch will get it, and only them. TEM also works on both Windows and non-Windows platforms as well as faster and slower network types; this makes it universally applicable. And TEM empowers IT to orchestrate the patch installation in an optimized way by notifying users of the update (or not), forcing reboots (or not), or allowing users to delay installation (or not).

Finally, thanks to cryptographic identity confirmation, only authorized TEM administrators can create or distribute policies. This is a critical security feature: a system that can push software to every endpoint is exactly what an attacker would most like to control, so remediation must be something only a verified administrator can initiate, or it creates problems rather than solving them.
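To make concrete what cryptographic identity confirmation buys, here is an added Go example, not TEM's protocol or code: console actions are signed with an administrator's Ed25519 private key, and the agent acts only on actions whose signature verifies against a public key it has been provisioned to trust. The Action, SignedAction and Agent types, the key names alice and mallory, and the action fields are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Action is a constructed stand-in for a TEM action: which Fixlet to apply,
// to which endpoints, under which action ID. Field names are assumptions.
type Action struct {
	ID      string
	Fixlet  string
	Targets string
}

// canonical is the exact byte string that is signed and later verified.
// Every field is included, so a change to any of them in transit (for
// example swapping the Fixlet for a malicious package) breaks the signature.
func canonical(a Action) []byte {
	return []byte(a.ID + "\n" + a.Fixlet + "\n" + a.Targets + "\n")
}

// SignedAction is what travels from the console to the endpoints.
type SignedAction struct {
	Action Action
	KeyID  string // names the administrator key that signed it
	Sig    []byte
}

// Sign is the console side. The administrator's private key never leaves
// the console; only the signature travels with the action.
func Sign(a Action, keyID string, priv ed25519.PrivateKey) SignedAction {
	return SignedAction{Action: a, KeyID: keyID, Sig: ed25519.Sign(priv, canonical(a))}
}

// Agent is the endpoint side. It is provisioned with the public keys of the
// authorized administrators and acts on nothing else.
type Agent struct {
	Trusted map[string]ed25519.PublicKey
}

// Verify returns nil only when the action names a trusted key and the
// payload is byte-for-byte what that administrator signed.
func (ag Agent) Verify(s SignedAction) error {
	pub, ok := ag.Trusted[s.KeyID]
	if !ok {
		return fmt.Errorf("action %s: signer %q is not an authorized administrator", s.Action.ID, s.KeyID)
	}
	if !ed25519.Verify(pub, canonical(s.Action), s.Sig) {
		return fmt.Errorf("action %s: signature does not match the payload", s.Action.ID)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the authorized administrator
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)  // someone with no trusted key
	agent := Agent{Trusted: map[string]ed25519.PublicKey{"alice": pub}}

	a := Action{ID: "act-1", Fixlet: "KB2", Targets: "windows"}
	good := Sign(a, "alice", priv)
	fmt.Println(agent.Verify(good)) // accepted

	tampered := good
	tampered.Action.Fixlet = "evil-installer" // payload altered after signing
	fmt.Println(agent.Verify(tampered))

	fmt.Println(agent.Verify(Sign(a, "alice", rogue)))   // forged claim to be alice
	fmt.Println(agent.Verify(Sign(a, "mallory", rogue))) // key the agent was never told to trust
}
```

The two rejection paths matter equally: a tampered payload under a genuine key, and a genuine payload under a key the endpoint does not trust. Trust is anchored in the set of public keys the agent is provisioned with, so protecting that set (and the administrators' private keys) is what keeps the patch channel from becoming a software-distribution channel for an attacker.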


Confirmation

Once a patch has been installed, how can IT be sure? A surprising number of patch management tools provide no, or minimal, confirmation functionality, significantly increasing the odds that endpoints will be skipped and multiplying the difficulty of demonstrating compliance on demand.

Fortunately, TEM for Patch Management not only provides confirmation, but also does so in real time—reducing to virtually zero the lag between the update being installed and explicit confirmation of that fact.

This translates into better security for every endpoint the organization owns. It also proactively addresses the compliance complexities that might otherwise arise.


Enforcement

Even if a patch is both appropriate for an endpoint and correctly installed, the problems it was meant to fix could return.

How? User activity and malware are just two of the possibilities; either could take action to corrupt or remove the patch.

For this reason, TEM for Patch Management includes enforcement of security policies. As suggested earlier, the TEM agent continually monitors endpoints for security policy violations. If a patch has been removed or corrupted, IT is informed, and TEM managers (or the solution itself, if so configured) can take swift action to reinstall it and minimize the window of vulnerability and/or noncompliance.

In the unlikely event a patch turns out to be problematic, TEM can even "roll it back"—remove it and replace it with an earlier rendition until a corrected version is released.
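The assessment, remediation, confirmation and enforcement stages above form one closed loop: the agent evaluates which policy packages apply to its own machine, the install order respects the dependencies those packages declare, the same evaluation run again after installation is the confirmation, and running it again later catches a patch that has gone missing. Here is that loop as a small Go model, added as an illustration and not IBM's code. The Fixlet and Endpoint types, the sample catalog (KB1 to KB4), the endpoint names and the platform strings are constructed; the real Fixlet relevance language and TEM agent are not modelled.

```go
package main

import (
	"fmt"
	"sort"
)

// Fixlet is a constructed stand-in for an IBM Fixlet policy package: the
// platform it applies to, the patches it depends on, and its severity.
type Fixlet struct {
	ID       string
	OS       string   // platform the patch applies to ("windows", "linux", ...)
	Requires []string // patch IDs that must be installed first
	Severity int      // higher is more urgent
}

// Endpoint is what the agent knows about its own machine.
type Endpoint struct {
	Name      string
	OS        string
	Installed map[string]bool // patches visible on the machine
}

// Relevant is the agent-side assessment: every Fixlet that applies to this
// platform and is not yet installed, most severe first. It runs on the
// endpoint's own resources, so the server never has to inspect the machine.
func Relevant(catalog []Fixlet, e Endpoint) []Fixlet {
	var out []Fixlet
	for _, f := range catalog {
		if f.OS == e.OS && !e.Installed[f.ID] {
			out = append(out, f)
		}
	}
	sort.SliceStable(out, func(i, j int) bool {
		if out[i].Severity != out[j].Severity {
			return out[i].Severity > out[j].Severity
		}
		return out[i].ID < out[j].ID
	})
	return out
}

// DeployOrder turns the relevant list into an install sequence that respects
// dependencies while still taking the most severe patch as early as its
// prerequisites allow. It fails loudly, rather than silently skipping the
// endpoint, when a prerequisite is neither installed nor deployable.
func DeployOrder(relevant []Fixlet, e Endpoint) ([]string, error) {
	planned := map[string]bool{}
	for id := range e.Installed {
		planned[id] = true
	}
	var order []string
	for len(order) < len(relevant) {
		progressed := false
		for _, f := range relevant { // most severe first
			if planned[f.ID] {
				continue
			}
			ready := true
			for _, dep := range f.Requires {
				if !planned[dep] {
					ready = false
					break
				}
			}
			if ready {
				order = append(order, f.ID)
				planned[f.ID] = true
				progressed = true
				break // restart from the most severe remaining patch
			}
		}
		if !progressed {
			return nil, fmt.Errorf("%s: remaining patches have unsatisfiable prerequisites", e.Name)
		}
	}
	return order, nil
}

// Apply simulates remediation; a real agent would run each installer here.
func Apply(e Endpoint, order []string) {
	for _, id := range order {
		e.Installed[id] = true
	}
}

// Confirm re-runs the assessment. An empty result right after remediation is
// the confirmation; a non-empty result later, for a patch that was already
// confirmed, is the drift the enforcement stage must act on.
func Confirm(catalog []Fixlet, e Endpoint) []string {
	var ids []string
	for _, f := range Relevant(catalog, e) {
		ids = append(ids, f.ID)
	}
	return ids
}

func main() {
	catalog := []Fixlet{ // constructed sample catalog
		{ID: "KB1", OS: "windows", Severity: 3},
		{ID: "KB2", OS: "windows", Requires: []string{"KB1"}, Severity: 5},
		{ID: "KB3", OS: "linux", Severity: 4},
		{ID: "KB4", OS: "windows", Severity: 1},
	}
	win := Endpoint{Name: "win01", OS: "windows", Installed: map[string]bool{}}
	order, err := DeployOrder(Relevant(catalog, win), win)
	fmt.Println(order, err)            // [KB1 KB2 KB4] <nil>
	Apply(win, order)
	fmt.Println(Confirm(catalog, win)) // []
	delete(win.Installed, "KB1")       // user or malware removed the patch
	fmt.Println(Confirm(catalog, win)) // [KB1]
}
```

Note that KB2 is the most severe patch but cannot go first because it requires KB1; the order picks KB1 only to unblock KB2, then takes KB2 ahead of the low-severity KB4. The Linux Fixlet never reaches the Windows endpoint at all, which is the "if a given patch isn't needed, it isn't migrated across the network" behaviour described above.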


Reporting

Finally, TEM for Patch Management also includes extensive reporting capabilities. This includes both traditional reports and Web-based dashboards to yield an up-to-the-minute look at endpoint issues/configuration and the progress of jobs such as complex remediations.

In both contexts, TEM's reporting is customizable for any context or job role—whether security specialists, executives, or government auditors. Reports can also provide information at any necessary level of abstraction—from patch specifics to the endpoints receiving them to the authorization involved in taking action.
