Automating application packaging and patching is becoming an increasingly hot topic. It’s not surprising these capabilities are in high demand. With increasingly frequent application updates made by vendors, it is becoming virtually impossible for EUC teams to manage the packaging and deployment of every application iteration across their enterprise.
I researched some numbers that I think highlight how rapidly the application patching landscape is changing. For starters, the number of critical vulnerabilities in 2022 was up 59% according to research by The Stack (Targett 2023). Rapid7 reported that 56% of vulnerabilities were exploited within 7 days of public disclosure (Rapid7 2023). The application I use as a benchmark for enterprise application updates, Google Chrome, moved to a more frequent update cadence in 2021 (Warren 2021): it went from a major update every six weeks to a major update every four weeks, with minor updates every two to three weeks. In practice, I have noticed far more frequent Chrome updates being staged on the downloads page for some time now (not forced auto-updates on clients). Recently, Google announced another change to its update cadence, with minor updates now occurring weekly (Toulas 2023).
This data paints a picture of a large increase in the number of vulnerabilities being discovered and disclosed. Over half of critical vulnerabilities are exploited within 7 days of being disclosed. As a result, vendors will update applications more frequently. Unfortunately, this puts even more pressure on enterprise IT teams, who must act quickly to mitigate vulnerabilities in their organization as they are disclosed, all while answering to an InfoSec team that is already knocking on their door.
A Shift to Accepting Breakages and Giving Up Control
The seemingly impossible task of handling application patching has organizations relenting and handing over control of application updates to software vendors by enabling auto-updates within their applications. This is something enterprises would have scoffed at just a few years ago.
As an Application Packager myself, I can confidently say that, in the past, step one when onboarding a new application was to check whether it had an auto-update feature and then figure out how to disable it. Now, some organizations will simply allow those auto-updates for at least some applications.
There is increased pressure on organizations to protect their customers’ data, with the expectation that they are not knowingly running out-of-date and/or vulnerable applications on their network. To some, it is better to give up control of when application updates are rolled out and to allow trusted vendors access into their network to update applications than to run the risk of cyber gangs leveraging vulnerable, dated software to breach customer data. This requires accepting that auto-updates may sometimes break applications. Of course, this is better than getting hit by a cyber gang and having to disclose a data breach to the public, revealing that reliance on outdated and vulnerable software was the cause.
Unfortunately, if auto-updates fail, IT is forced to identify and mitigate the issues. If you are relying on traditional solutions, that can mean slow deployments and fixes that take hours or days to complete. While this may be better than a multi-day outage caused by a ransomware attack, it is still far from ideal.
Application Package Managers Can Offer a Happy Medium
An alternative to giving vendors carte blanche access to your applications, potentially messing up employees’ machines, breaking applications, and ruining their workday, is to use an intermediary solution – such as a package manager or other third-party product that integrates with deployment tools like Configuration Manager or Intune.
Some enterprises, particularly those in finance, are unwilling to use a package manager’s public repository option to augment their own packaging efforts due to security concerns. If they do use such platforms, they tend to keep their own private repository and maintain their own packages. This is because package managers offer a slick way to create your own internal auto-updating mechanism, with commands to quickly update all hosted applications on demand, without running the risk of unknowingly deploying a malicious package hosted by a third party.
Unfortunately, most applications available via these services in the public repositories are still MSI or EXE packages. Microsoft Principal Program Manager John Vintzel once referred to these package formats as “XP lifecycle era technology”. They were simply not designed for deploying and patching applications on remote endpoints. Traditional installers have several shortcomings, including how they handle context switching. A real-world scenario: applications are deployed using the system context, but some of them require components to be installed in the user context, which may require the use of Active Setup, which can be problematic and cause login slowness. Another major concern with Windows Installer is the fact that MSI custom actions can do basically anything, which has been a security concern and blind spot in enterprise application management for decades.
Vendors have also never followed best practices (e.g., misusing the update tables in MSIs, abusing custom actions to install their own embedded installers without using any of the tables at all, marking components as permanent, using an EXE to install MSIs and MSPs that also modifies files and sets registry values outside the packages themselves, and more). A move by vendors to MSIX would be best for all: it would help eliminate these issues and get the most out of package managers like WinGet. At the moment, MSIX adoption is low, as is its rate of application compatibility.
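One way to shrink that blind spot before a package is approved: the script below (an added example, not Numecent’s code) reads the CustomAction table of an MSI through the Windows Installer automation interface and flags the actions that execute code (EXE, DLL, script) and are declared deferred with no impersonation, which the engine runs as LocalSystem regardless of who launched the install. `$MsiPath`, the `Invoke-Com` helper and the column names are assumptions.

```powershell
# Added example, not Numecent's code: list an MSI's custom actions and flag the
# ones that run arbitrary code as LocalSystem so they can be reviewed before the
# package is trusted. Assumes a Windows host; $MsiPath is the package under review.
param([Parameter(Mandatory = $true)][string]$MsiPath)

# Base custom action types (low 6 bits of Type) that run code rather than set a property/directory
$ExecTypes = @{
    1  = 'DLL in Binary table';         2  = 'EXE in Binary table'
    5  = 'JScript in Binary table';     6  = 'VBScript in Binary table'
    17 = 'DLL installed with product';  18 = 'EXE installed with product'
    34 = 'EXE by path';                 37 = 'JScript text';          38 = 'VBScript text'
    50 = 'EXE path from property';      53 = 'JScript from property'; 54 = 'VBScript from property'
}
$InScript      = 0x400   # msidbCustomActionTypeInScript: deferred execution
$NoImpersonate = 0x800   # msidbCustomActionTypeNoImpersonate: deferred action runs as LocalSystem

# Late-bound COM helper: the Windows Installer automation objects have no PowerShell type adapter
function Invoke-Com($obj, $member, $kind, $argList) {
    $obj.GetType().InvokeMember($member, $kind, $null, $obj, $argList)
}

$installer = New-Object -ComObject WindowsInstaller.Installer
$db = Invoke-Com $installer 'OpenDatabase' 'InvokeMethod' @($MsiPath, 0)   # 0 = open read-only
try {
    $view = Invoke-Com $db 'OpenView' 'InvokeMethod' @('SELECT `Action`, `Type`, `Source`, `Target` FROM `CustomAction`')
} catch {
    Write-Output "No CustomAction table in $MsiPath"; return
}
Invoke-Com $view 'Execute' 'InvokeMethod' $null | Out-Null

# Fetch returns $null once every row has been read
$results = while ($rec = Invoke-Com $view 'Fetch' 'InvokeMethod' $null) {
    $type = [int](Invoke-Com $rec 'StringData' 'GetProperty' @(2))
    $base = $type -band 0x3F
    [pscustomobject]@{
        Action         = Invoke-Com $rec 'StringData' 'GetProperty' @(1)
        Kind           = if ($ExecTypes.ContainsKey($base)) { $ExecTypes[$base] } else { "non-executing (type $base)" }
        ExecutesCode   = $ExecTypes.ContainsKey($base)
        DeferredSystem = (($type -band $InScript) -ne 0) -and (($type -band $NoImpersonate) -ne 0)
        Source         = Invoke-Com $rec 'StringData' 'GetProperty' @(3)
        Target         = Invoke-Com $rec 'StringData' 'GetProperty' @(4)
    }
}
$results | Format-Table -AutoSize
```

Rows with both ExecutesCode and DeferredSystem set are the ones worth reading the Source and Target of before the package goes into a private repository.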
Modern Application Management Requires Containers
What if you could eliminate the challenges of old package formats that Microsoft deemed XP lifecycle era technology and get the benefits of MSIX containers, but with a higher rate of compatibility? The good news is you can! Numecent Cloudpaging application containers have a compatibility rate of more than 95%. Applications with drivers, services, COM+ Component Services, and more can be seamlessly packaged and deployed to any modern Windows desktop environment. The granular controls within Cloudpaging containers – which let you determine, at the file level, which parts of the application are integrated with or isolated from the operating system – mitigate application conflicts and corruption, enable applications to be cleanly removed in real time, and handle context switching by design. When deployed with Cloudpager, applications can be rapidly deployed, updated, and rolled back to prior versions in real time if needed.
Automating Application Packaging and Patching with Containers
Better still, you can automate the creation of Cloudpaging application containers. We have a publicly available Non-Interactive Packager on our GitHub repository, which makes automating application packaging and patching with containers quick and easy. The Non-Interactive Packager allows you to pass native installers, or even custom installers such as a cmd file, as part of a standard JSON file to automate the containerization of applications as you see fit.
In addition, we have APIs and PowerShell modules that customers can use in tandem with the Non-Interactive Packager to automate the entire application lifecycle, including packaging, updating, and deploying your applications.
Members of the Cloudpaging community have automated workflows that check every night whether a new version of an application is available. If a new version is detected, it is downloaded directly from the vendor’s website, packaged with the Non-Interactive Packager, and then deployed to an Early Adopters group so that a subset of production users get the application update first. The beauty of this process is that the application installers are taken directly from the vendor, not from an untrusted third-party source. Because they are application containers deployed with Cloudpager, there is full visibility into these automated application updates, with the ability to quickly roll back an update if needed.
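The nightly workflow above trusts the installer because it comes straight from the vendor; the gate below (an added example, not Numecent’s code and not part of the Non-Interactive Packager) makes that trust verifiable by refusing to package a download whose Authenticode signature is missing, untrusted, or from an unexpected publisher. `Test-VendorInstaller`, the staging paths and the publisher subject are assumptions, and `Invoke-NonInteractivePackager` is a hypothetical placeholder for your actual packaging call.

```powershell
# Added example (not Numecent's code): gate an automated packaging run on the vendor
# installer's Authenticode signature so a tampered or mirrored download never reaches
# the packager. $ExpectedSubject is the publisher certificate subject you recorded when
# the application was first onboarded; $ExpectedSha256 is optional, for vendors that publish hashes.
function Test-VendorInstaller {
    param(
        [Parameter(Mandatory)] [string]$InstallerPath,
        [Parameter(Mandatory)] [string]$ExpectedSubject,
        [string]$ExpectedSha256
    )
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    # 'Valid' means the chain is trusted; it says nothing about WHO signed, hence the subject check
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$InstallerPath : signature status is $($sig.Status)"
        return $false
    }
    if ($sig.SignerCertificate.Subject -ne $ExpectedSubject) {
        Write-Warning "$InstallerPath : unexpected signer $($sig.SignerCertificate.Subject)"
        return $false
    }
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
            Write-Warning "$InstallerPath : SHA256 $actual does not match the published hash"
            return $false
        }
    }
    return $true
}

# Nightly pipeline step: only a verified installer is handed to the packager.
$installer = 'C:\Staging\vendor-app-setup.exe'                           # constructed path
$subject   = 'CN=Example Vendor Inc., O=Example Vendor Inc., C=US'       # constructed placeholder
if (Test-VendorInstaller -InstallerPath $installer -ExpectedSubject $subject) {
    # Invoke-NonInteractivePackager is a hypothetical placeholder for your packaging step:
    # Invoke-NonInteractivePackager -Installer $installer -Manifest 'C:\Staging\app.json'
    Write-Output "Installer verified; proceeding to containerization"
} else {
    Write-Error "Installer failed verification; packaging halted"
}
```

Pin the certificate thumbprint instead of the subject if the vendor rotates certificates rarely and you want a stricter match; either way, a failed check should stop the pipeline before the Early Adopters deployment, not after.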
Containers are the key to securely automating application packaging and patching.
The Non-Interactive Packager and Cloudpager’s API make it easy to fully automate the process of packaging and deploying new applications and application updates. This is a great way to stay on top of increasingly frequent application updates, which are impossible for EUC teams to keep up with manually. It also offers a more secure alternative to allowing applications to auto-update, which can be extremely disruptive and difficult to monitor. The fact that Cloudpaging application containers have such a high rate of compatibility also means you have a solution for virtually all applications in your estate, so you can be confident that those with frequent updates won’t run into issues if you automate the process.
Cloudpager provides additional container management capabilities that enhance your ability to handle increasingly frequent application updates. Not only can the platform be used to automate application deployments to your pilot and/or production users, but its rapid rollback feature also enables you to quickly roll back an application update if required. Every administrative action, including those you automate, is tracked for audit purposes. Ultimately, incorporating application containers and a modern container management platform is the key to automating application packaging and patching, revolutionizing your IT operations and strengthening security.
Check Out Our Application Updates Blog Series
I published a five-part Application Updates blog series, which includes a live demonstration of how to rapidly patch applications, as well as personal anecdotes breaking down various application update scenarios (and debacles) from my 15+ year career in IT and how Cloudpager could have saved my respective organizations a lot of time, headaches, and money.
Blog 1: How to Achieve Truly Seamless Application Updates with Cloudpager
Blog 2: Expedited Updates Without Capable Tools Fracture Teams
Blog 3: Weekend Updates Don’t Have to Take All Weekend
Blog 4: A Poorly Timed Application Update Cost a Financial Services Organization Millions in Revenue
Blog 5: Slow Application Updates Can Negatively Affect Patient Care