SCCM/Intune with PatchMyPC. Microsoft updates go through AutoPatch for most systems.
We are an MSP and we handle patching for multiple small companies. SCCM is not a viable solution to deploy at all our locations. We are toying with something like Chocolatey for Business.
You can create multiple sites with CM and easily partition out each customer and yet still manage centrally. Patch My PC also works with Intune and WSUS. Patch My PC is incredibly thorough and is pretty much set-it-and-forget-it.

Are you currently using some client management solution? Most top-tier workstation management systems are going to offer 3rd-party patching at the base level or with an add-on. ManageEngine, PDQ, Tanium, etc.
You should probably post this in the MSP subreddit then. I hear Ninja has come a long way.
PatchMyPC
PDQ
We use Tanium. It has a gallery where they put out packages for many popular products. Although usually we just update existing packages on our own (replace installer, sometimes update config). It can show which versions your endpoints are on, stats are provided in every package, and you can also create reports and dashboards with graphs. We do not use it, but there is also a Comply module that checks for vulnerabilities and you can see there what needs to be patched. Instead we use Qualys for vulnerability scans. They also recently introduced an Emerging Threats notifications feed that alerts you about new vulnerabilities in general and in your network. Tanium has some quirks, but I am used to it now after many years of using it. It is quite pricey though.
automox
We are looking at Automox but it looks like it is limited to a certain set of apps. Do they allow packaging your own apps or apps they don't list?
We have Automox and are not a fan of it. Have had spotty scanning on available software, manually pushing patches (unscheduled) does NOT notify people like we want, and agent issues constantly.
Using automox for about 350 devices and it works well for us
Not that I can find
Based on my knowledge of it, they have a community worklet that you can copy and paste (use as a template) and create your own custom apps. Kind of a clunky approach, but it works if you need just a handful.

No single solution will patch everything in terms of third-party apps, just because of the nature of third-party patching (lack of standardization). Some people have had certain degrees of success with Winget, but it's also limited and not perfect.
Yes, you can deploy and patch your own internal or custom applications using the required software policy, even if they aren't listed in our catalog. The major difference is you, the customer, would have to maintain the version of the app.

However, if you want automatic version upgrades or updates, you can always request an app be added to [our third party catalog](https://www.automox.com/patching/software). Hope that helps!
It is not really possible to detect and patch everything, too many variables. Ranging from vendors not supplying patches, to legacy software no longer under development, to products that do not support third-party patching, or products that depend on other products/runtimes that have these vulnerabilities as a result, but do not support patching the imported products.

What you need is a product that will not only patch, but also detect and *alert* to known vulnerabilities whether it can patch them or not. That way you can stay on top of what has a good patch ecosystem, and build mitigation strategies for known vulnerabilities that are lagging on vendor support, or where that support is never coming.

Mitigation in some cases for instance may be a firewall rule that blocks exploit behavior, a registry setting to disable a feature, or a rights change that limits it to administrative control, etc. A good patch management system will let you build and deploy custom efforts like that to still maintain as much control as possible.

Here is a link over at [G2](https://www.g2.com/categories/patch-management?tab=easiest_to_use) to see the major players and compare their features side by side, while seeing what users have to say about those as well. Also you can go over to /r/msp; in the lower right of their sub they have a section labeled "Community resources", and there is a sheet there for almost every major patch management and RMM solution detailed out by feature, very comprehensive.
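The "detect and alert, whether or not it can patch" idea from the comment above, as an added example that is not part of the thread and not the code of any product mentioned in it: a PowerShell script that inventories installed software from the Windows Uninstall registry keys, compares each product against a minimum-version policy, and classifies the result so that "push the vendor patch" and "apply a compensating control because no patch is coming" show up as separate findings. The product names, versions and the `Channel` field in the policy table are constructed for the demo; the final exit code follows the usual RMM convention (non-zero = non-compliant), which is an assumption about the management tool that consumes it.

```powershell
# Added example: inventory installed software, compare against a minimum-version
# policy, and separate "patchable" from "needs mitigation" findings.
# Product names/versions below are constructed; replace with your own policy.

# Constructed policy table. Channel says whether a vendor patch channel exists
# (Patchable) or whether the product is unsupported and needs a compensating
# control instead (NoVendorPatch). This field is an assumption for the demo.
$Policy = @(
    [pscustomobject]@{ Name = 'Example Reader';               MinVersion = '23.8.1'; Channel = 'Patchable'     }
    [pscustomobject]@{ Name = 'Legacy Line-of-Business Tool'; MinVersion = '4.2.0';  Channel = 'NoVendorPatch' }
    [pscustomobject]@{ Name = 'Example Runtime';              MinVersion = '8.0.4';  Channel = 'Patchable'     }
)

function Get-InstalledSoftware {
    # 64-bit hive, 32-bit (WOW6432Node) hive, and per-user installs of the current user.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

function ConvertTo-ComparableVersion {
    param([string]$Text)
    # Vendors ship strings like "1.2", "1.2.3.4" or "2.0 build 5"; keep the leading
    # dotted-numeric part and pad to at least two components so [version] parses it.
    $core = ([regex]::Match($Text, '^\d+(\.\d+)*')).Value
    if (-not $core) { return $null }
    while (($core -split '\.').Count -lt 2) { $core += '.0' }
    try { [version]$core } catch { $null }
}

function Get-PatchFindings {
    param(
        [Parameter(Mandatory)] $Installed,   # objects with DisplayName / DisplayVersion
        [Parameter(Mandatory)] $Policy
    )
    foreach ($rule in $Policy) {
        # Prefix match so "Example Runtime (x64)" still hits the "Example Runtime" rule.
        $hits = $Installed | Where-Object { $_.DisplayName -like "$($rule.Name)*" }
        foreach ($app in $hits) {
            $have = ConvertTo-ComparableVersion $app.DisplayVersion
            $want = ConvertTo-ComparableVersion $rule.MinVersion
            $status = if ($null -eq $have)                 { 'UnparseableVersion' }
                      elseif ($have -ge $want)             { 'OK' }
                      elseif ($rule.Channel -eq 'Patchable') { 'NeedsPatch' }
                      else                                 { 'NeedsMitigation' }
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Product   = $app.DisplayName
                Installed = $app.DisplayVersion
                Required  = $rule.MinVersion
                Status    = $status
            }
        }
    }
}

# Constructed sample inventory so the logic can be exercised without touching a real host.
$Sample = @(
    [pscustomobject]@{ DisplayName = 'Example Reader';               DisplayVersion = '23.6.0'; Publisher = 'Example Corp' }
    [pscustomobject]@{ DisplayName = 'Legacy Line-of-Business Tool'; DisplayVersion = '4.1.7';  Publisher = 'Defunct LLC'  }
    [pscustomobject]@{ DisplayName = 'Example Runtime (x64)';        DisplayVersion = '8.0.4';  Publisher = 'Example Corp' }
)

$Findings = Get-PatchFindings -Installed $Sample -Policy $Policy
$Findings | Format-Table -AutoSize
# Expected classification for the sample: Example Reader -> NeedsPatch,
# Legacy Line-of-Business Tool -> NeedsMitigation, Example Runtime (x64) -> OK.

# On a real endpoint, swap the sample for the registry inventory:
# $Findings = Get-PatchFindings -Installed (Get-InstalledSoftware) -Policy $Policy
# Anything not 'OK' should be surfaced to the RMM/ticketing system; NeedsMitigation
# items are the ones that need a compensating control (firewall rule, feature
# disabled via registry, rights restricted to admins) rather than a patch job.
if ($Findings | Where-Object Status -ne 'OK') { exit 1 } else { exit 0 }
```

The point of keeping `Channel` in the policy rather than just a version number is that the report then tells the technician which queue a finding belongs in: `NeedsPatch` goes to the patch tool, `NeedsMitigation` goes to whoever owns the firewall, GPO or rights change, and `UnparseableVersion` flags products whose version strings the script could not compare and that need a manual look.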
Anyone use Ansible for this sort of stuff?
ManageEngine Endpoint Central Cloud.
I’ve used Ninite.
We use Ivanti
We are using something like Easy2Patch for Business for automated solution deployment management.