One question that often comes up when we are out talking to IT administrators and IT executives is “Is patch management a solved problem?” On the surface it seems like this is the case, but as computing evolves, we have seen the challenges of patch management evolve right along with it.

Shavlik Systems Engineer John Rush and I sat down last week to discuss one of these newer challenges in patch management - how do we keep off-network machines up-to-date?

“For customers I talk to the biggest issue they have for patch management is that most of the tools out there require you to be connected to the network to get your patching done. That’s just not realistic,” Rush said.

Is this a new problem brought on by the proliferation of cloud-based applications and BYOD?

“It’s been a problem for a number of years now. Take the Shavlik Team for example, we exclusively use SaaS-based tools in our sales team like Concur, Salesforce, etc., so employees in the field never have to connect to our network,” Rush explained.

“In the old days, we had to VPN in to get email. Everyone had to be connected, but today, they never have to connect to the VPN. They are doing everything from their own laptops, and some are doing it from their iPads. The world has changed with respect to connectivity.”

With that change, IT is left with lots of questions about these off-network machines.

  • What’s being installed?
  • What versions are out there?
  • Is it time for a hardware refresh?
  • Are these machines lacking patches that make them vulnerable?

Rush added, “Today’s world no longer conforms to a Visio diagram. We are connected to the internet, but we are not connected to the corporate network.”

How can we solve it?

As an industry we need to build tools for managing machines in the wild, let those machines/users become self-sufficient when it comes to things like patch management and asset inventory, and then provide a mechanism to give that data back to corporate.

Shavlik addresses this problem with the Protect Cloud. The Protect Cloud is a cloud-enabled patch services that aggregates, analyzes, and distributes patch data and associated deployment policies over the Internet. This services is used to send patch data to your Protect console, but that is just the beginning.

The Protect Agent can be installed on off-network machines and be configured for use with the Protect Cloud. So long as the machine connects to the internet (off network or on network), the Protect Agent communicates with the Protect Cloud to receive patch and policy updates and to return update status to the Protect console. This means that without additional infrastructure IT can ensure that off-network machines are patched and monitored in the same manner as those PC’s that sit inside the firewall.

“Before The Protect Cloud we had to have a box outside in the DMZ, and we had to open up ports. Now, with this technology, we have business as usual for everybody; the only difference is the Protect Cloud,” Rush said.

How does the Protect Cloud work with the Protect Agent?

Protect Agents that are configured to use the Protect Cloud can receive updates via the console if they are on-network or via the cloud if they are off-network.

Here’s how it works.

  • The Protect Console uses a secure connection to push agent policy information to the Protect Cloud.
  • At its next scheduled check in time, remote agents first attempt to check in directly with the console.
  • If they do not have access to the console, they perform the check in using the cloud.
  • The agents use a secure connection to the cloud service to report the same information they would have reported to the console (e.g. scan results, threat information, etc.)
  • The cloud stores the uploaded agent results until the console retrieves that data.
  • Agents download and apply any new policy updates that were pushed to the cloud from the console.
  • The console retrieves the agent data from the cloud. This happens several times every hour.

Scan engines and XML data are not a part of the cloud synchronization process. Agents receive updated engines and XML data from either the console or the vendor websites.

Check out the video, “Introduction to Protect Cloud” at, to learn more about how the Protect Cloud works and how to configure agents to use the cloud service.

How can I get this?

This capability was introduced in Shavlik Protect 9.0 as part of the Standard, Advanced, and Government editions. All customers running 9.0 have access to it, and those who are on earlier versions of Protect can upgrade to 9.0 at no cost. Learn more about upgrading Protect here.