When is SolarWinds going to improve the usability of Patch Manager?

Thanks for your input, Alex.  As you are aware, we are always looking for ways to improve the SolarWinds products.  That being said, could you and I have a conversation offline about what you’d like to see in the product’s future?  I'd love to get your input as someone on the "front lines" of the product.  For all our products, we do publish the What We're Working On (WWWO), and you can normally get some good information there.

If you'd be open to having a call, just reply to the forum, and I'll contact you offline.

Thanks again,

--KMSigma

Half the packages must be downloaded manually

I feel your pain, Alex; however, this is a restriction imposed by the product vendors: Apple, Adobe, Oracle,et. al., and not anything that SolarWinds has any control over. Were it ideal, every file would be directly downloadable via FTP or HTTP without any convolutions. Unfortunately Adobe and Oracle require acknowledgement of an End-User Redistribution Licensing Agreement. Adobe's process is somewhat onerous, but luckily only has to be done one time (per product), and afterwards they will email you a direct download link for subsequent releases. Oracle's process is much simpler (check one box on the download page), but has to be done for every Java release. Apple doesn't make the binaries for Apple Application Support or Apple Mobile Device Support available as individual downloads, so those files must be extracted from the iTunesSetup.exe.

some of the packages aren't signed

To be sure, it's the FILE associated with the package that is or is not signed, and that, also, is a function of the individual product vendors. Most are signed, however; and for a very long time we only packaged/distributed products that provided signed binaries. In fact, Patch Manager, in earlier versions, prevented the publication of an unsigned binary. However, as the catalog grew into scopes of products requested by customers, and the resulting unavailability of vendor-signed binaries for those products (e.g. Notepad++), we had to make a choice: Provide those packages with unsigned binaries, or don't provide the packages at all. We chose the former.

and have to be signed by you (still haven't figure this one out, although one of your folks at TechEd said I should be able to),

As for this requirement ... this is an explicit limitation of Configuration Manager (standalone WSUS environments do not have to deal with this).

The procedure works like this (let's use Notepad++ as an example, which is a classic scenario):

1. Download the binary file using the "Download Content" action.
2. Following completion of the download, note the Update/PackageID in the Package Details tab. (For Notepad++ v6.6.6 (Upgrade) this is 4cb24533-f755-46e4-9648-8d69d1aa9a66.)
3. On the Patch Manager server, navigate to %ProgramFiles%\SolarWinds\Patch Manager\Server\packages\publisher\PackageID  -- where PackageID is the value identified from step #2.
4. Inside that folder will be the vendor's binary that was just downloaded. In this instance, the file is npp.6.6.6.Installer.exe. Sign that file with a Code Signing Certificate of your preference: Self-Signed, Enterprise CA, or Third-Party. Now ConfigMgr will be happy because the binary is signed.
   

I'd be open and glad to talk offline. While I'm frustrated with Patch Manager, it does work and I would love to see it get better vs switching to another product.

Thanks,

Alex

this is a restriction imposed by the product vendors: Apple, Adobe, Oracle,et. al., and not anything that SolarWinds has any control over.

I'm not certain how the other vendors got around this, but they have. I watched one publish Adobe Flash to Configuration Manager without going through a manual download process. Seems to me that if my company has an active agreement with Adobe, there's no reason why Patch Manager couldn't download those files automatically.

Each patch was easy to find and select (no EXE, MSI, ZIP, and other various iterations). You could select certain classifications of updates to automatically publish to ConfigMgr. And there was still the ability to modify various options if necessary.

Apple doesn't make the binaries for Apple Application Support or Apple Mobile Device Support available as individual downloads, so those files must be extracted from the iTunesSetup.exe.

No they certainly don't. Certainly, however, there must be a way to programmaticly do this. Patch Manager can download iTunesSetup.exe, why couldn't it extract it and select the necessary file as well.

To be sure, it's the FILE associated with the package that is or is not signed, and that, also, is a function of the individual product vendors

On the verge of sounded like a broken record... just image how much better of an experience to your customers it would be if you could program and process to handle this for them. I'd be willing to add my own code signing certificate and if Patch Manager could handle this for me it would be a good deal less work each month.

And on the experience soap box again... The product feels strongly like a WSUS product that has been ported to work with ConfigMgr (which it is). Still... the experience could be made better without making it a separate product. Certain options just don't apply to ConfigMgr or offer you little benefit and yet you still see these in the setup and configuration.

I'm not certain how the other vendors got around this, but they have.

By violating the binary redistribution licensing agreements of Adobe, Oracle, et.al.

I know of at least one such product vendor who got their hands slapped by Adobe a couple years ago for redistributing Flash binaries.

Also know that Adobe does publish their own Flash catalog, which does provide a direct download link. You can actually configure Patch Manager to use that catalog, but I'll warn you the catalog is not good. While it appears to have a half-dozen or so Flash versions in it, because Adobe uses generic naming for the Flash installer, you can actually only publish the newest package from that catalog.

Seems to me that if my company has an active agreement with Adobe, there's no reason why Patch Manager couldn't download those files automatically.

That agreement is between you and Adobe, and doesn't allow third-parties to act as agents on your behalf. Also, there's no way for Patch Manager to verify/validate, or even test the existence of, such an agreement. This runs the risk that the product could be used to obtain binaries by parties who do not have the requisite agreements with those vendors in place.

Patch Manager can download iTunesSetup.exe, why couldn't it extract it and select the necessary file as well.

I actually engaged in a discussion about this very question informally earlier today. The challenge is that iTunesSetup.exe isn't actually extracted until the Windows Update Agent launches it to be installed. At that point, the very first thing the installer does is verify that the correct version of Apple Application Support is already installed. The architecture of WSUS and Patch Manager doesn't provide for this type of scenario, so we're talking about writing a custom module of Patch Manager, expressly for handling this very unique, and awkward, creation of Apple Computer -- and frankly, they could change the way they do this with the next release.

The real question here... and it's a question for APPLE... Why doesn't the iTunesSetup.exe automatically UPGRADE the Apple Application Support that's already installed (since it knows the upgrade is needed, and the binary is already bundled in the package)? A second part of that question (currently unanswered) is this: Why is the Apple Application Support installer bundled in iTunesSetup.exe in the first place if iTunesSetup.exe isn't going to make the effort to upgrade an existing instance of AAS?

... just image how much better of an experience to your customers it would be if you could program and process to handle this for them. I'd be willing to add my own code signing certificate and if Patch Manager could handle this for me it would be a good deal less work each month.

This is actually a great Feature Request for the product, and since I know the current product manager is already monitoring this thread.... :-)

The product feels strongly like a WSUS product that has been ported to work with ConfigMgr (which it is).

It absolutely is, and there's no secret about the heritage of the product. It was birthed as a "WSUS Extension Pack". In 2009 we added the Package Creation Wizard to allow the creation of locally published content. In response to that, customers asked us to provide ready-to-use content, and in 2010, the third-party-updates catalog was born. At that point, this heretofore previously WSUS-only product became of interest to Configuration Manager customers because of the ready-to-use content and the fact that ConfigMgr 2007 leveraged WSUS for metadata. In the subsequent version we then built a number of additional client management tools specifically targeted at Configuration Manager 2007 environments. With the release of Configuration Manager 2012, we moved that content from the MMC into the ConfigMgr 2012 console as integrated functionality.

Certain options just don't apply to ConfigMgr or offer you little benefit and yet you still see these in the setup and configuration.

The experience for Configuration Manager 2012 users is intended to exist within the CM2012 integrated console functionality. There is very little use for the MMC in a CM2012 environment, and what does exist revolves around product administration. All package management and publishing activities, as well as the client management tools I mentioned previously, are all accessed from the CM2012 console.

If you're still using ConfigMgr 2007,  it's also possible to integrate the PM snap-in with the CM2007 snap-in into a single MMC console experience. The WSUS-only features can also be visually suppressed from the MMC console for Configuration Manager 2007 environments.

By violating the binary redistribution licensing agreements of Adobe, Oracle, et.al. I know of at least one such product vendor who got their hands slapped by Adobe a couple years ago for redistributing Flash binaries.

And I can understand SolarWinds' desire to be on the up-and-up license agreement-wise. Still it is a onerous process. Adobe offers no special agreements for companies such as SolarWinds?

That agreement is between you and Adobe, and doesn't allow third-parties to act as agents on your behalf. Also, there's no way for Patch Manager to verify/validate, or even test the existence of, such an agreement. This runs the risk that the product could be used to obtain binaries by parties who do not have the requisite agreements with those vendors in place.

Not that my interpretation matters much to Adobe, but is it seems that your tool isn't a 3rd party agent as much as a tool to download the files. By the above rational it seems as if Internet Explorer or Chrome could be considered an agent acting on my behalf. Has SolarWinds reached out to companies such as Adobe recently? I certainly would in your shoes if only to ask why company XYZ can offer direct downloading in their product, but you can't by the way the license agreement reads.

so we're talking about writing a custom module of Patch Manager, expressly for handling this very unique, and awkward, creation of Apple Computer

I for one would appreciate the addition and I imagine it could come in useful in other situations as well. I can't even count how many times I've used 7-zip to extract and EXE to get to the underlying MSIs.

This is actually a great Feature Request for the product, and since I know the current product manager is already monitoring this thread.... :-)

And that would be very helpful!

The experience for Configuration Manager 2012 users is intended to exist within the CM2012 integrated console functionality. There is very little use for the MMC in a CM2012 environment, and what does exist revolves around product administration. All package management and publishing activities, as well as the client management tools I mentioned previously, are all accessed from the CM2012 console.

I need to give the console extension another try. When I first started using Patch Manager the extension was very slow and sluggish and often cause my ConfigMgr console to become unresponsive. I found it easier to use the MMC environment. But again, I haven't used it in a while and perhaps I should take the time to work with your support to get to the underlying issue if the problem does still exist.

That said, although pressing frustration with Patch Manager is the difficultly selecting the packages that I wish to publish. If the license agreements above could never be worked out, it would greatly aid the product experience if I could somehow only see the specific updates that I want. For example, I only want upgrade packages, the business edition of chrome, MSI packages over EXE, etc. Now I know I can write filters in the MMC console (perhaps the ConfigMgr extension too, I'm not certain), but they are per-user. Meaning the month's when one of my co-workers publishes updates he/she often publishes the wrong or extra packages.

I believe it would greatly aid in the experience if we could somehow select these things so only the packages we want show up. Perhaps with the option to show all the packages for special situations.

Either way... I do appreciate you taking the time to talk through these things.

Alex

Adobe offers no special agreements for companies such as SolarWinds?

Unfortunately, it seems not.

but is it seems that your tool isn't a 3rd party agent as much as a tool to download the files. By the above rational it seems as if Internet Explorer or Chrome could be considered an agent acting on my behalf.

That's a great point, Alex. Definitely food for more thought. :-)

For example, I only want upgrade packages, the business edition of chrome, MSI packages over EXE, etc. Now I know I can write filters in the MMC console (perhaps the ConfigMgr extension too, I'm not certain), but they are per-user. Meaning the month's when one of my co-workers publishes updates he/she often publishes the wrong or extra packages.

Great use-cases, Alex.

Lawrenece,

I appreciate your answers and the time you've taken to go back on forth on the various points listed here. KMSigma has reached out to me offline and we'll continue the conversation there.

Thanks for listening.

Alex