Treating each and every software implementation -- regardless of size and complexity -- as an officially chartered IT project is critical to the success of a patch management software implementation. That's because the requirements, capabilities, dependencies and budget identified in the project planning phase all come to a point during the procurement phase.
- Microsoft System Center Configuration Manager
- Symantec Patch Management Solution
- SolarWinds Patch Manager
- HEAT PatchLink
- Kaseya VSA
- Quest KACE
- ManageEngine Patch Manager Plus
- GFI LanGuard
Operating system, platform and application support
The operating system (OS), platform and application support are all critical to patch management. Obviously, you want to avoid purchasing a software management product that does not support all of your current -- and any potential future -- platforms. That plan, of course, may require a certain amount of hard-to-acquire knowledge about what's going to happen in the future.
As much as possible, you should compare and select patch management software that either supports platforms your organization has deployed or those you will deploy. For most IT shops, this future-proofing is likely to include mobile platforms, including smartphones, tablets and other portable computing devices. If your requirements include patch management for mobile devices, keep in mind that there is still no single patch management tool that includes support for all common desktop, server and mobile devices.
However, two well-established patch management tools offer separate mobile management tool suites that may also meet your requirements, although neither supports true patch management on mobile devices, as mobile platforms typically install updated versions of entire apps rather than incremental patches for existing apps.
The widest range of platform, application and OS support among the top patch management software on the market comes with Microsoft's System Center Configuration Manager (SCCM), which supports modern Windows computers of all types, most Linux and Unix variants, as well as iOS and Windows-based mobile devices. Microsoft has a separate product called Intune that supports and manages all major mobile OSes and platforms.
Symantec Patch Management Solution also includes a wide range of support for Windows, Linux/Unix and macOS. The company also farms out its mobile management functions to a separate collection of products, referred to as its mobile device management suite, which offers sophisticated mobile management capabilities, but not patch management specifically.
Integration with other systems management products
The integration of your chosen software with other systems management products is another important consideration. Choosing framework-based patch management software usually -- but not always -- ensures cooperation and integration with your infrastructure management software. As one of the veterans in this market, Microsoft SCCM is well-established as a leading framework-based configuration, management and monitoring tool.
With that in mind, many top patch management products integrate with SCCM, typically via plug-ins, enabling administrators to perform patch management from within the SCCM admin console. Included in the list of patch management tools that play well with SCCM are SolarWinds Patch Manager, HEAT PatchLink and Quest KACE. If you are considering one of these patch management tools because it is integrated with SCCM, research the software to understand exactly how that integration works to verify that it meets your requirements. Some products integrate through the export and import of data while supporting a direct connection to the SCCM database.
Additional features and vendor support
Other important considerations are whether or not the patch management software supports other features, such as physical desktops and servers; cloud-based computing, offering virtual desktops and servers; and how well each vendor supports their customers.
Gauging a vendor's support mechanisms is difficult, but not impossible during proof of concept (POC) testing. We recommend always asking vendors for authorization to call their support line during a POC, to use online chat or to post questions in the vendor's support forums. Experiencing a vendor's support staff response time and expertise is one of the most important ways you can verify that a vendor's software is right for your company. In addition, be sure to speak directly to their support team rather than presales personnel.
Of the top patch management products on the market, most support virtual and cloud-based computers out of the box. Though all modern patch management software should support virtual computing platforms, the following products explicitly support virtual and remote patch management of computers, according to their online marketing and technical information: Kaseya, Microsoft SCCM, Quest KACE, SolarWinds, ManageEngine Desktop Central, GFI LanGuard and Symantec Patch Management Solution.
If your company operates a Citrix environment, note that HEAT's patch management software specifically supports Citrix, a unique and popular virtualization platform with unique capabilities and requirements.
If cost is your primary consideration, there are a range of patch management tools that can fit any budget. As you might expect, framework-based patch management products, such as those included in Microsoft System Center, tend to be the more expensive options, though that may not be true, depending on your specific Microsoft licensing scheme.
In some cases, such as with Microsoft System Center, patch management services might be included in a larger suite that addresses multiple aspects of systems management rather than just patch management. So that means, if your company already has an enterprise licensing agreement with a software company such as Microsoft, Symantec/Altiris, ManageEngine, Kaseya or HEAT, you may be able to start using the patch management capabilities of those frameworks for little or no additional licensing cost.
If you are starting from scratch, and do not have a requirement for framework-based software, SolarWinds and GFI LanGuard are excellent, relatively low-cost options to implement patch management on a smaller scale.
As is the case with most business software, patch management software performance is usually a tradeoff between features, the cost of the software licenses and the cost of the underlying infrastructure required to effectively run the software. Unfortunately, performance is not an effective metric for comparing patch management tools because every vendor will tell you that their software is high-performance, but the only way to tell if that's true is by testing your short list of patch management tools in your IT environment.
There are also a number of factors that can affect the perceived performance of a patch management product, including available network bandwidth and utilization and other processes or applications running on the target computer to be patched. This is where a free trial of your choice of patch management software can really come in handy.
Most of the vendors mentioned in this article offer free trials of their patch management software for companies evaluating their products. This proverbial software bake-off is an opportunity to evaluate competing products in real-world -- or isolated sandbox -- environments to see which offers the highest performance, while maintaining compatibility with other hardware and software in the environment.
There is a wide variety of patch management software on the market, with a variety of different capabilities, features, integration capabilities and price points. Careful planning and a solid requirements list should be your first priority, followed by a review of the recommendations above for specific factors that can help identify the best patch management tools for you. Keep in mind that automating your patch management efforts can save your company time and money and mitigate data losses and legal exposure by ensuring that security vulnerabilities and bugs are fixed as quickly as possible and as easily possible.
Implementing the right patch management software for your environment is the best way for you to sleep soundly at night, knowing that you've done everything possible to protect your company's data, platforms and users.
Why are emergency patches so difficult to implement?
Why CISOs should get involved in security patching
How much time should you put into application patching?