topic Re: Best Practices Guide for upgrading endpoint clients in Endpoint

Best Practices Guide for upgrading endpoint clients

Michael_Overby — Fri, 22 Jun 2018 17:06:01 GMT

We have approx 1500 endpoint clients and most are running version E80.65 and our Management Sever is R77.30.03.

We currently have 3 versions in environment, E80.65, E80.71 and now E80.83.

Is there a best practices guide on how to upgrade the clients?

Thanks, Mike

Re: Best Practices Guide for upgrading endpoint clients

PhoneBoy — Fri, 22 Jun 2018 18:30:12 GMT

You can deploy new versions from the Endpoint Security Server.

Instructions are here: Endpoint Security Admin Guide

If you don't want to use the Endpoint Security Server to do it: How to upgrade Endpoint Security Client without using Endpoint Security Server

If any of your clients are Windows 10 and you are running Full Disk Encryption, see: How to upgrade to Windows 10 1607 and above with FDE in-place

Re: Best Practices Guide for upgrading endpoint clients

Michael_Overby — Fri, 22 Jun 2018 18:48:37 GMT

Dameon, I have looked at those previously and none of them help.

I want to be able to push the new version out to all the clients without having to touch them.

I know I can create a deployment rule and change the version.

Upgrading 1500 devices at one time would bring any network to a crawl.

How is everyone else pushing out new versions in a test environment and then to the production environment?

Thanks,

Re: Best Practices Guide for upgrading endpoint clients

PhoneBoy — Fri, 22 Jun 2018 21:04:24 GMT

While I am not an Endpoint expert, I would think you would create a few different groups and deploy to one group at a time, versus all 1500 at once.

And, in fact, that's along the lines of what the documentation suggests under the heading "Gradual Upgrade."

To upgrade more gradually, you can create a new deployment profile and distribute it only to specified computers.
Note - For an exported package, save the new package in a different location than the previous package.
When you are prepared to upgrade all clients, upgrade all deployment profiles

That said, I'd love to see what others are doing as well.

Re: Best Practices Guide for upgrading endpoint clients

Steve_Lander — Tue, 26 Jun 2018 13:42:56 GMT

This is the way that I do upgrades and create packages for my environment.

We first started off with the default rule for all the endpoints. Then, to upgrade those clients to a new version, I would upload the new installers, create a package/rule for export (for new machines) and then in the software deployment rules, create a new rule with the new group I created. I can now just add the users/computers to this group and they will get the upgrades. Once everyone is in that group, you can just change the default global rule to be the same rule as the one you created to do the upgrades, then delete that rule.

If you have computers that need different rules, the upgrade path is pretty much the same. Just move the users/computers into the new group and when you are done you can just delete the old group/rule they had.

This is good as you can put your test machines, then test users in there first before you just blanket everyone. Also, if you have certain machines with certain blades/rules, you will always be using groups anyway. We have the default rule and upgrade group for computer that do not use FDE, and a group/upgrade group for computers with FDE.

To make it easier, you can specify what group a brand new client goes in to in the Packages for Export tab in Deployment when you install CheckPoint Endpoint on a brand new computer.