Endpoint Update Policies

Endpoint Update Policies provide a comprehensive and straightforward way to manage updating your endpoints directly from the Proofpoint Information and Cloud Security Platform. In an Endpoint Update Policy, you define which endpoints will be updated by the Auto Updater. (The Auto Updater component contains the service for installing and updating your endpoints. For information about installing the Auto Updater, see Auto Updater.)

Latest Version Release and Gradual Rollout

When a new version of the Updater is released in a gradual rollout, it is progressively made available to a subset of users over time until fully deployed.

Do one of the following:

  • Choose the Latest Updater version if you want the Updater to automatically update itself whenever a new version is released.

  • Choose the specific version if you want the Updater to stay on that version and not update automatically.

You can create multiple Endpoint Update Policies with various conditions. Examples include setting different policies for various geographical locations or updating test and production environments to different versions.

A suggested policy is to configure 2 update policies, one for the pilot endpoints and one for the rest of the organization. The pilot groups should receive the release first, and after a week or so you can update the policy for the rest of the organization to receive the updated release.

For more information about how to add Endpoint Update Policies, see Setting Up Endpoint Update Policies.

When installing the Auto Updater, make sure you download and use the Updater Configuration file option.

You can review, monitor, and modify the Endpoint Update Policies from the Endpoint Update Policies view. See Endpoint Update Policies View.

Endpoint Update Policies are assigned to Agent Realms. To associate an Endpoint Update Policy with an Agent Realm, you must enable Endpoint Update in the Advanced Settings.

Endpoint Bundle and Endpoint Updater Versions

Endpoint Bundle Version

You can choose the Endpoint Bundle version to update the Agent/Bundle, and the Endpoint Updater version to update the Updater.

Once you select a Bundle version, the relevant Content Analyzer displays, allowing you to enable the Content Scanning component update.

Endpoint Updater Version

You have control over target Updater versions, providing the flexibility to test them before deployment.

When a new Updater version is released as a gradual rollout, do one of the following:

  • If you want the Updater to automatically update, select Latest.

  • If you want to lock the Updater to a specific version and prevent updates, choose that version.

Update Policy Scheduling

You can schedule when you want the policy update to occur, either immediately or at a specific date and time. Additionally, you can configure the policy to update itself indefinitely by selecting the Never option or choose a specific date and time for it to stop.

Endpoint Update Policies and Agent Realms

You can assign an Endpoint Update Policy to more than one Agent Realm. For example, your company has 2 Agent Realms, one for Boston and one for New York. You've set up an Endpoint Update Policy to update to the latest Windows Bundle. You do not need to create separate Endpoint Update Policies for each Agent Realm. You assign this Endpoint Update Policy to both Agent Realms.

More than one Endpoint Update Policy can be assigned to an Agent Realm. For example, you have Policy 1, which updates 10 specific endpoints with the latest Windows Bundle. You use this to test the new Bundle. You have another Endpoint Update Policy, Policy 2, that updates all the endpoints. You assign both Endpoint Update Policies to the same Agent Realm.

Endpoint Update Policies Priorities

You can assign a priority order to the Endpoint Update Policies. In the above example, you use Policy 2 after you have tested the new Bundle on the small group of endpoints. You can set up the priority order so that Policy 1 has priority over Policy 2. (See Policy Priorities.)

A policy is not active until it is assigned to an Agent Realm.

You must Enable Endpoint Update in the Advanced Settings area of the Agent Realm.

Updater Load Balancing

The update time is affected by the Auto Updater load balancing mechanism. In general, you can expect that the update will start downloading about 10 minutes after its creation. This can, however, be impacted by the load balancing mechanism and the policy polling time.

The load balancing mechanism is a cyclic random process at the endpoint, in which the Auto Updater attempts up to 3 times to start the version download and apply the update. If the Auto Updater is unsuccessful 3 times, the Auto Updater is queued to start. (The time this takes will vary depending on which attempt is successful.) To ensure that the update doesn't create too much drag on your network, set the load balancer to less than 10%.

To set up load balancing, set the Group of Endpoints updating per Time Period and Update Time Period.

The Group of Endpoints updating per Time is a percentage of the total endpoints in the Realm and it is recommended to set it to less than 10. The lower the percentage, the less drag on your network.

Update Time Period is the amount of time it will take the Auto Updater to update the endpoints in its policy.

For example, if you have 100 endpoints, the percentage for Group of Endpoints updating per Time is set to 10%, and Update Time Period is set to 2 min, then 10 endpoints are updated in 2 minutes. To update all 100 endpoints, the process will repeat 10 times, taking a total of 20 minutes.

Keep the group of endpoints small (10% is recommended). The suggested update time period is 3-4 minutes.

Additionally, the following Advanced Options are available:

  • Retry Count is the number of times the endpoint will try to start the version download and apply the update.

  • Interval Controls is the time the endpoint will wait between retries.


