Creating and assigning firmware-compliance policies

Firmware-compliance policies ensure that the firmware on certain managed devices is at the current or specific level by flagging the devices that need attention. Each firmware-compliance policy identifies which devices are monitored and which firmware level must be installed to keep the devices in compliance. You can set compliance at the device or firmware component level. XClarity Administrator then uses these policies to check the status of managed devices and to identify devices that are out of compliance.

Before you begin

When you create a firmware-compliance policy, you select the target update version to be applied to the devices that will be assigned to the policy. Ensure that firmware updates for the target version are in the updates repository before you create the policy (see Downloading firmware updates).

If a device type is not listed in the firmware-updates repository, you must first manage a device of that type and then download or import the complete set of firmware updates before creating compliance policies for devices of that type.

About this task

When you create a firmware-compliance policy, you can choose to have XClarity Administrator flag a device when:

The firmware on the device is down level
The firmware on the device does not exactly match the compliance target version

XClarity Administrator comes with a predefined firmware-compliance policy named Latest firmware in repository. When new firmware is downloaded or imported into the repository, this policy is updated to include latest available versions of firmware in the repository.

After a firmware-compliance policy is assigned to a device, XClarity Administrator checks the compliance status of each device when the device inventory changes or firmware-updates repository changes. When the firmware on a device is not compliant with the assigned policy, XClarity Administrator identifies that device as not compliant on the Firmware Updates: Apply / Activate page, based on the rule that you specified in the firmware-compliance policy
Illustrates the process for monitoring for firmware compliance and sending alerts when a device becomes noncompliant.

Illustrates the process for monitoring for firmware compliance and sending alerts when a device becomes noncompliant.

For example, you can create a firmware-compliance policy that defines the baseline level for firmware that is installed in all ThinkSystem SR850 devices and then assign that firmware-compliance policy to all managed ThinkSystem SR850 devices. When the firmware-updates repository is refreshed and a new firmware update is added, those compute nodes might become out of compliance. When that happens, XClarity Administrator updates the Firmware Updates: Apply / Activate page to show that the devices are not compliant and generates an alert.

Note

You can choose to show or hide alerts for devices that do not meet the requirements of their assigned firmware-compliance policies (see Configuring global firmware-update settings). Alerts are hidden by default.

Procedure

To create and assign a firmware-compliance policy, complete the following steps.

From the XClarity Administrator menu bar, click Provisioning > Firmware Updates: Compliance Policies. The Compliance Policy page is displayed with a list of all existing firmware-compliance policies.
Create a firmware -compliance policy.
1. Click the Create icon () to display the Create a New Policy dialog.
2. Fill in the name and description for the firmware-compliance policy.
3. Fill in the table based on the following criteria for each device.
  - Device Type. Choose a type of device or component for which this policy is to apply.
    Tip
    If you choose a server, the compliance level is done at the UXSP level. However, you can also expand the server to specify specific firmware levels for each component, such as the baseboard management controller or UEFI.
  - Compliance Target. Specify the compliance target for the applicable devices and subcomponents.
    For servers, you can choose one of the following values.
    Default. Changes the compliance target for each subcomponent to the default value (such as the latest set of firmware in the repository for that device).
    Do not update. Changes the compliance target for each subcomponent to Do not update.
    For devices without subcomponents (such as CMMs, switches, or storage devices) or for subcomponents in a server, you can choose one of the following values.
    - <firmware_level>. Specifies the baseline firmware level.
    - Do not update. Specifies that the firmware is not to be updated. Note that firmware on the backup management controller is not updated by default.
    Note
    When you change default values for any subcomponent in a server, the compliance target for that server changes to Custom.
  - Compliance Rule. Specify when a device is flagged as not compliant in the Installed Version column on the Firmware Updates: Apply/Activate.
    - Flag if Downlevel. If the firmware level that is installed on a device is earlier than the level that is specified in the firmware-compliance policy, the device is flagged as not compliant. For example, if you replace a network adapter in a compute node, and the firmware on that network adapter is earlier than the level identified in the firmware-compliance policy, the compute node is flagged as not compliance.
    - Flag if Not Exact Match. If the firmware level that is installed on a device is not an exact match with the firmware-compliance policy, the device is flagged as not compliant. For example, if you replace a network adapter in a compute node, and the firmware on that network adapter is different than the level identified in the firmware-compliance policy, then the compute node is flagged as not compliance.
    - No Flag. Devices that are out of compliance are not flagged.
4. Optional: Expand the system type to display each update in the package, and select the firmware level to be used as the compliance target, or select Do not update to prevent firmware from being updated on that device.
5. Click Create.
  The firmware-compliance policy is listed in the table on the Firmware Updates: Compliance Policy page. The table shows the usage status, origin of the policy (whether user-defined or predefined), and the last modification date.
From the XClarity Administrator menu bar, click Provisioning > Firmware Updates: Apply/Activate. The Firmware Updates: Apply/Activate page is displayed with a list of managed devices.
Assign the firmware-compliance policy to devices.
- To a single device
  For each device, select a policy from the drop-down menu in the Assigned Compliance Policy column.
  You can select from a list of firmware-compliance policies that are applicable to each device. If a policy is not currently assigned to the device, the assigned policy is set to No assignment. If no policies are applicable to the device, the assigned policy is set to No applicable policies.
- To multiple devices
  1. Optional: Select one or more devices to which you want to assign a firmware-compliance policy.
  2. Click the Assign policy icon () to display the Assign Policy dialog.
  3. Select a firmware-compliance policy from the Policy to assign drop-down menu.
    You can select from a list of firmware-compliance policies that are applicable to all selected devices. If devices were not selected before opening the dialog, all policies are listed.
    To unassign a policy, select No assignment.
  4. Select one of the following scopes for the policy assignment.
    - All applicable devices that are…
    - Only selected applicable devices that are …
  5. Select one or more device criteria.
    - Without an assigned policy
    - Non-compliant (overwrite current assigned policy)
    - Compliant (overwrite current assigned policy)
    - Not monitored (overwrite current assigned policy)
    - Other (overwrite current assigned policy). This applies to devices in other states, such as the Pending state, with missing data, or not supported for updates. Hover over the help icon () to see a list of applicable devices.
    Note
    Not monitored and Other criteria are listed only when there are devices in those states.
  6. Click OK.
    The policy that is listed in the Assigned Policy column on the Firmware Updates: Repository page changes to the name of the selected firmware-compliance policy.

After you finish

After you create a firmware-compliance policy, you perform the following actions on a selected firmware-compliance policy:

View policy details, including a list of assigned devices, by clicking on the policy name in the table.
Create a duplicate of a selected policy by clicking the Copy icon ().
Rename or modify a a selected policy by clicking the Edit icon ().
You cannot edit a predefined firmware-compliance policy or a policy that is assigned to a managed device.
If you modify an assigned policy in such a way that causes it to no longer apply to certain assigned devices, the policy is automatically unassigned from those devices.
You cannot rename or modify the predefined Latest Firmware policy.
Delete a selected firmware-compliance policy by clicking the Delete policy icon () or delete the selected firmware-compliance policy and all associated firmware updates that are used only by that policy by clicking the Delete any policy and firmware packages icon ().
You can choose to delete the policy even if it is assigned to a device.
When you delete a policy that is assigned to a device, the policy is unassigned before it is deleted.
You cannot delete the predefined Latest Firmware policy; however, you can disable the policy by clicking the Global Settings icon (), and then selecting Disable Latest Firmware Policy. When this option is selected, the Latest firmware policy is unassigned from managed devices, and the policy is no longer updated to include the latest available versions of firmware in the repository.
Export a selected policy to a local system by selecting the policies and clicking the Export icon ( ). You can then import the policies to another XClarity Administrator instance by clicking the Import icon ( ).

After you create a firmware-compliance policy, you can assign the policy to a specific device (see Creating and assigning firmware-compliance policies) and apply and activate updates for that device (see Applying and activating firmware updates).

Give feedback