Managing the Rollout of Client Versions (Client Upgrade Policy)

Cato regularly releases new Client versions that support new features and also connectivity or performance enhancements. This article explains how to manage upgrading Clients to the newest version.

When Cato releases a new Windows, macOS, or Linux Client version, you can manage how the version is rolled out to SDP users in your organization. For each OS, you can define the Client upgrade Policy to either use the Cato Upgrade service to automatically manage the rollout or update Clients with an MDM or manually.

The Cato upgrade service provides additional control and visibility of a version rollout within your account. You can choose the SDP user experience to determine if a notification is displayed. For additional testing you can define which SDP users are the first to receive the newest version. For example, you can choose to begin the rollout of a new version with the IT team to run further tests. Once the rollout has begun, you can monitor the progress and if necessary pause and resume the rollout at any time. After a rollout is paused, the Cato Upgrade service doesn't upgrade any additional Clients to the new version until the rollout is resumed or another Client version is released.                       

Understanding the Cato Client Upgrade Policy

The Client receives the upgrade policy settings when it is connected to the Cato Cloud. This means that the first time that you install the Client on a device, it only receives the upgrade settings after it connects to the Cato Cloud.

Choose one of the following policies for updates to the Clients:

  • Automatic by Cato - The Cato upgrade service deploys the new Client version to SDP users. When a new Client version is available, it is gradually rolled out to SDP users in your account. Cato continually monitors the new versions to quickly identify any issues. The Mode defines the SDP user experience:

    • Silent Mode - The end user can’t control the Client installation, and it is automatically upgraded to the newest version. When the Client is upgrading, if the Client is connected to the Cato cloud, a notification is shown to the end user. This explains that during the upgrade, the Client disconnects from the Cato Cloud and then reconnects after the upgrade is complete.

      • For macOS Clients, the OS opens a window and requires the end user to authenticate to the computer to install the new Client version

    • User Managed Mode - When a new Client update is available, the end user receives a notification. They can choose to install the new Client immediately or at a later time. A reminder notification is shown every 12 hours.

  • Managed by Admin - Cato does not automatically upgrade the Client and Administrators can decide how Client upgrades are managed. You could use MDM software or manually install the Client on a device. The end users don't receive any notifications from Cato.

Note

Notes:

  • Users do not need admin permissions on the computer to upgrade the Windows Client

  • For Windows Clients, the Automatic Silent Upgrade and Managed Upgrade options, the Client requires access to the %TEMP% directory for the local user

  • A restrictive GPO policy may block the installation of the Cato Adapter during the installation or upgrade process of the Cato Client. To ensure the Client upgrades successfully, allow the GPO policy to permit the installation of the Cato Adapter.

Configuring the Cato Client Upgrade Policy

Select the upgrade option for each operating system used in your account.

To configure the Cato Client upgrade policy:

  1. From the navigation menu, click Access > Client Rollout.

  2. Click the Upgrade Policy tab.

  3. Choose the Client Upgrade Policy for each operating system.

  4. If you selected an Automatic by Cato Upgrade Policy, choose the Mode.

  5. Click Save.

Defining the Pilot Group for Upgrades Managed by Cato

With the Automatic by Cato upgrade policy, you can choose to begin the rollout of a new version with the Pilot Group. These are the first SDP who automatically receive the new Client before it is rolled out to the rest of your SDP users. This lets you evaluate new features with a controlled group of SDP users.

After 1-2 weeks, the upgrade rollout continues with other SDP users or you can pause the rollout. A notification is shown on the Rollout Status tab when the rollout starts for the Pilot Group. For more information about the stages of the Client rollout, see Understanding who the Newest Version is Available to.

You can define up to 100 SDP users in the Pilot Group. We recommend that you verify that each of these users has a valid SDP license.

Note

Note: The length of time the rollout says with the Pilot Group is an estimate and maybe impacted by the GA deployment lifecycle

 

Upgrade_Test_Users.png

To define the Pilot Group for Automatic by Cato Upgrades:

  1. From the navigation menu, click Access > Client Rollout.

  2. In the Upgrade Policy tab, make sure that Automatic by Cato is selected.

  3. Click the Pilot Group tab.

  4. Select the SDP users to add to the Pilot Group

  5. Click Save.

    The selected SDP users are added to the Pilot Group.

Overview of the Rollout Status Screen

2023-04-18_18-10-23.png

A notification is sent once the gradual rollout of a new Client version has begun in your account. Click on the bell icon () to view notifications) 

Each operating system used in your account has a widget for the newest Client version and a progress bar that shows how far the rollout has progressed.

The progress bar shows the progress of the new Client rollout. To view data on the SDP users that have the newest Client version installed on their device, click the More Info dropdown and select View upgraded users. This opens the Users screen with predefined filters. For more information on the SDP User Dashboard, see Using the SDP Users Dashboard.

Use Case

To provide maximum security for SDP users, Company ABC manage their SDP Client upgrades with Automatic Silent Upgrades. On May 10, a new Windows Client is available. On the same day, the IT department plans a major system upgrade. To reduce the risk of multiple upgrades on the same day, the roll out of the new Windows Client is paused. No SDP users receive the new Windows Client on May 10.

After the system upgrade is successfully deployed, the IT department download the new Windows Client for testing. The Client passes all tests and the rollout of the new Client is resumed. The IT department are able to monitor the progress of the roll out from the Pilot Group to all SDP users to ensure the Client upgrade is successful.

 

Prerequisites

  • For downloading and testing the newest Client version from the Client Rollout page, allowlist the following URL for all security endpoint software and solutions:
    • https://clients.catonetworks.com/

 

Testing the Newest Client Version

You can download the newest Client version for testing from the Cato Management Application. The following file formats are available: 

  • Windows Client:
    • exe
    • msi
  • macOS Client:
    • pkg
  • Linux Client:
    • rpm
    • deb

To test the newest Client version:

  1. From the navigation menu, click Access > Client Rollout.

  2. Click the Rollout Status tab.

  3. From the Download Client drop dropdown, choose the file type you want to download.

    The newest Client is downloaded to your device.

Monitoring the Progress of the Rollout

You can view which SDP users the newest Client version has been made available to and view which SDP users have the newest version installed. Once a new version is made available to a SDP user, their the version is only installed once the device is turned on and connected the Internet.

Understanding who the Newest Version is Available to

For automatic upgrades, once the rollout of a new Client version begins, you can monitor who the new version has been made available to. From the Access  > Client Rollout  screen, on the Rollout Status tab, you can who the newest version is available to:

  • Available to Pilot Group: The newest version is only available to your Pilot Group.
  • Gradual Rollout: Rollout to users outside of the Pilot Group has begun. Every week the new version becomes available to a new group of users
  • Available to all Users: Gradual Rollout is complete and the new version is available to all users

 

Viewing SDP Users that Installed the Newest Version

You can add predefined filters to the SDP Dashboard to view the SDP users that have the newest Client version installed on their device.

To view SDP users that installed the newest version:

  1. From the navigation menu, click Access > Client Rollout.

  2. Click the Rollout Status tab.

  3. From the More Info dropdown, select View upgraded users.

    The Users screen is displayed with a predefined filter for the newest Client version.

Pausing the Rollout of the Newest Client Version

For Automatic by Cato upgrades, you can pause the automatic rollout of the newest Client version.

To pause the rollout:

  1. From the navigation menu, click Access > Client Rollout.

  2. Click the Rollout Status tab.

  3. Click Pause Rollout.

    The rollout is paused until you click Resume Rollout or a new Client version is released.

    Note

    Note: The rollout may resume at a more advanced stage from the stage it was paused.

Checking for a New Version

After the Client connects to the Cato Cloud for the first time, these are the conditions for the Client to check for a new version:

  • Windows Clients

    • The device is powered on and connected to the Internet

  • macOS Clients

    • The user is logged in to the computer

    • The Client app is open and running, but it isn't required to be connected to the Cato Cloud

  • Linux Clients

    • The device is powered on and connected to the Internet

If an automatic upgrade fails, the Client does not attempt to upgrade again to the same version. A new version must be released before the Client attempt to upgrade.

Clients only attempt to upgrade to the latest version. If a Client is several versions behind, it does not upgrade to a previous version that was completely rolled out to the account. 

Sample Upgrade Workflows for SDP Users

This section shows sample workflows of the user experience for each of the upgrade options.

Sample Automatic by Cato - Silent Mode Workflow

  1. A new version of the Cato Client is released.

  2. The user logs in to the computer and opens the Cato Client.

  3. The Cato Client automatically downloads the new version and then installs the new version.

    The user is disconnected from the secure tunnel during the upgrade.

    For Windows, the installation file is downloaded to the %TEMP% directory.

  4. When the installation is completed, the Client behavior is:

    • For Windows - the end user can start the updated Cato Client

    • For macOS - the Client automatically restarts and if the Client was connected to the secure tunnel before the upgrade process, it then reconnects

Sample Automatic by Cato - User Managed Mode Workflow

  1. A new version of the Cato Client is released.

  2. The user logs in to the computer and opens the Cato Client.

  3. The user sees a notification in the Cato Client that there is a new version.

  4. The user can choose to download and install the new version, or continue using the older version.

  5. If the user doesn't install the new version, the Cato Client periodically shows reminders to the user that a new version is available.

    Users can also choose upgrade at any time and click Upgrade Now in the About section of the Client.

Sample Managed by Admin Upgrade Workflow

  1. A new version of the Cato Client is released.

  2. The admin chooses when to use the MDM to push the new Cato Client version to the users.

  3. The user logs in to the computer and opens the Cato Client.

  4. The new version is installed and the Client behavior is:

    • For Windows - the end user can start the updated Cato Client

    • For macOS - the Client automatically restarts and if the Client was connected to the secure tunnel before the upgrade process, it then reconnects

Was this article helpful?

0 out of 0 found this helpful

0 comments

Add your comment