Central Patch and Power Management (CPPM) FAQ (Frequently Asked Questions)
Introduction to CPPM
- What is CPPM?
- Why does CSUEB need a service like CPPM?
- What exactly does CPPM do?
- What doesn't CPPM do?
- How does CPPM work?
- Does CPPM need to be installed on the computers of students, guests and visitors?
- After the CPPM agent is installed, what should I expect?
- Will CPPM cause problems on my computer?
- How can I tell that the CPPM service is running on my computer?
Answers to CPPM Technical Questions
- What versions of Windows does CPPM support?
- What if my computer mustn't be patched, because it's being used for a specialized purpose, or is running an experiment?
- Why not just use Windows' built-in Automatic Updates?
CPPM Administrative Details & Inventory Information
- When will CPPM be deployed in my part of the University?
- Should I worry about the confidentiality of data on my computer?
- Who has access to the information retrieved by CPPM?
- What is CPPM?
CPPM uses a commercial software package and service that will improve our ability
to keep desktops and laptops patched with the latest security updates, in order to reduce security
attacks and keep critical data on campus safe from intrusion. CPPM also provides a power
management function that allows ITS to set up policies to save power for the campus community where
appropriate.
In November 2007, in close cooperation with several University organizations, ITS
deployed CPPM to 120 desktops and servers as part of a pilot project. In April 2008, CSUEB acquired
a 3-year 3,500-seat license, centrally funded, in order to install the CPPM software on as many
Windows computers as appropriate.
Providing a patch management system for CSUEB is part of a larger effort to reduce the individual
responsibility that ordinary computer users must accept to maintain their systems securely, and to
protect the open CSUEB network from the steadily increasing threats found on the Internet.
If a PC is attached to the CSUEB network, or is used to transact University business, the goal is
to ensure that it receives all required security updates quickly and reliably. The CPPM service
at CSUEB can help meet that goal.
Do note that CPPM cannot handle all aspects of maintaining your computer securely, and only
functions as an important element of good security practices. For more information on how to use
your computer securely and appropriately please see the
Acceptable Use Policy and
Secure Computing website.
- Why does CSUEB need a service like CPPM?
Internet-based attacks on individual desktop and laptop computers are a worldwide problem that is
continuing to grow exponentially. It is therefore critical to keep operating systems up-to-date
by installing security patches as soon as they become available.
Until now it has been each desktop or laptop computer user's individual responsibility to install
critical patches. Even people who are doing a good job of keeping their PCs updated sometimes miss
important patches. Failures to keep all systems patched can place everyone on the shared network at
risk. CPPM will help ITS provide this service in a more reliable and efficient
way to the campus community.
- What exactly does CPPM do?
CPPM's main purpose is to provide a very robust computer operating system patch management service
to the University community. It will also be used to distribute updates to McAfee AntiVirus, the
antivirus software licensed for use at CSUEB. It collects inventory information, which allows ITS to
patch the computers appropriately. In addition, CPPM provides CSUEB power management
capabilities so that we can be a model sustainable university and save power where appropriate for the campus.
- What doesn't CPPM do?
There can be no single, complete solution for problems of computer security. CPPM will help to
ensure that operating systems are securely patched, but there are additional essential security
practices that are beyond the scope of CPPM.
Such practices include having a minimum number of user accounts on your computer, choosing strong
passwords, protecting passwords from theft, using up-to-date and properly configured antivirus
software, enabling a firewall when appropriate, configuring file sharing properly and securely if
you need to share files, shutting down your computer when it's not in use, logging off your computer
every night, not double-clicking suspicious e-mail attachments, correctly configuring operating system
security settings, disabling unnecessary services, and so on.
Installing the CPPM client on your PC doesn't mean that you're safe:
it means that you're safer.
For more information about how to secure Windows PCs, please see the Secure Computing web site.
- How does CPPM work?
CPPM has two distinct software components, a client and a server. The client software is installed on computers that are to be managed, while the server allows system administrators to monitor those computers and enables the deployment of patches to them.
With respect to patching the machine it's installed on, the CPPM client provides extremely reliable information about the machine’s status. This accurate information is conveyed to the CPPM server, allowing system administrators charged with managing CPPM clients to patch computers appropriately and as needed.
Whenever Microsoft, for example, releases a critical security patch for Windows, it is tested and
packaged by BigFix, Inc., and delivered to their customers generally within a matter of hours. The
patch is then tested at CSUEB by the CPPM site administrators. After testing, under normal
circumstances, tested and approved patches will then be deployed centrally to any computers still in
need of them. The testing and approval process may be hastened under extraordinary circumstances.
- Does CPPM need to be installed on the computers of students, guests and visitors?
No. At this time, CPPM will only be installed on University-owned computers. It will not be installed
on the privately owned computers of students, guests or visitors.
- After the CPPM agent is installed, what should I expect?
When critical security patches have been released by Microsoft, and tested at CSUEB, they will be
delivered to your PC. If necessary, you will be prompted to restart your computer.
Your work will not be disrupted. You will always be able to save open files and quit gracefully out
of any running applications before you choose to restart.
During the first stages of the CPPM deployment, there may be a period of "catch-up": PCs that are
missing a large number of critical security patches will in some cases receive a series of updates
requiring restarts. Once that catch-up has been accomplished, patching will occur much less frequently.
Note that, under extraordinary circumstances, such as an immediate and dangerous attack on an
operating system vulnerability, the patch approval and testing process may be curtailed to some degree.
In every case, the CPPM site administrators will provide as much advance notice as possible that an
emergency patch will be deployed. CSUEB's Chief Information Officer and ITS Executive Management will
take responsibility for any such emergency actions.
- Will CPPM cause problems on my computer?
The CPPM agent doesn't cause any problems and you won't even notice it's running on your PC. It's
sometimes the case, however, that the installation of operating system patches causes problems. Be
aware that patches will be tested before they are released, in order to ensure that they won't cause
widespread problems in the CSUEB environment.
- How can I tell that the CPPM service is running on my computer?
You will see no obvious sign that anything has happened after installing the client - it will be
running as a service. If you want to verify the installation:
- Open the Windows Task Manager by pressing CTRL + ALT + DELETE and clicking the Task List to get to the Task Manager window.
- Click the Processes tab and look for BESClient.exe in the list of processes.
- What versions of Windows does CPPM support?
The CPPM client software will run on all Windows platforms currently supported by Microsoft.
The CPPM central administrators will test new operating system patches, when Microsoft releases them
and before deploying them to client PCs, on English versions of Windows XP Professional and Windows
Vista Enterprise, all at the latest Service Pack level.
- What if my computer mustn't be patched, because it's being used for a specialized purpose, or is running an experiment?
Certain computers can be excluded from automatic patching if appropriate. If you have concerns about
your computer and patching, please contact the CPPM administrator (CPPM@csueastbay.edu).
- Why not just use Windows' built-in Automatic Updates?
CPPM is more reliable than the Windows Automatic Updates service, which is easy to use incorrectly
even under the best of circumstances. The CPPM system can also detect whether an installed operating
system patch is corrupt, since it makes a much more thorough check of patch file versions and Windows
registry entries than Automatic Updates.
If run on a schedule, Windows Automatic Updates will also force restarts for users without
administrator rights, which CPPM will not do: it will gently prompt you to restart, and you'll have
time to finish your work, whether or not you're logged in to Windows.
CPPM may also be used in conjunction with Automatic Updates. All that matters is that your PC is
patched. If CPPM is installed on a computer that's not always connected to the CSUEB network, it's
advisable to use Automatic Updates as well as CPPM.
- When will CPPM be deployed in my part of the University?
In order to qualify for the PG&E rebate, ITS plans to deploy CPPM to as many computers as possible by
the end of 2008. The expected timeline and project plan are posted at
https://sharepoint.csueastbay.edu/sites/utp/desktop/bigfix/default.aspx.
- Should I worry about the confidentiality of data on my computer?
The answer is yes: you should be worried that hackers might seize control of your computer and gain access
to all of your files. Typically the hackers have no interest in your data - to them your computer is simply a
resource on the Internet - but they would have access.
More and more often, though, computer viruses are appearing that do attempt to steal confidential information,
such as credit card numbers, PayPal passwords, and so forth.
CPPM will help to protect you from such threats.
CPPM will permit authorized staff to collect certain data about your computer, but there are very
tight controls on the nature of that data, and very tight controls on how that data may be used.
CPPM does not collect data files from your computer.
See the next two questions for more information.
- Who has access to the information retrieved by CPPM?
The CPPM site administrator will have access to retrieved properties for all CPPM client
computers. Any additional people who want access to the information must be authorized by the
appropriate managers within their organizations and by the CIO and/or Information Security Officer.
CSUEB does not intend to make any use of the information that CPPM retrieves except to help ensure
the security of the University's network. You should know, however, that this information - like all
information on or about our network - is subject to University policies and relevant laws. See the
previous question for details about the computer properties that CPPM retrieves.
If you have questions about using CPPM at CSUEB that aren't covered in the FAQ, please send e-mail to
the CPPM team at CPPM@csueastbay.edu.
The tool we are using for the CPPM project is called BigFix. For additional information about this product, visit http://www.bigfix.com.
These FAQs were based on the FAQs developed by Stanford University's CPPM Team. We'd like to thank
them for sharing their experiences and contributions to this project and the FAQs.