Creating firmware-compliance policies

Firmware-compliance policies ensure that the firmware on certain devices is at the current or specific level by flagging the devices that need attention. Each firmware-compliance policy identifies which devices are monitored and which firmware level must be installed to keep the devices in compliance. XClarity Administrator then uses these policies to check the status of managed devices and to identify devices that are out of compliance.

Before you begin

Refresh the product catalog in the firmware-updates repository, and download the appropriate firmware updates (see Refreshing the product catalog and Downloading firmware updates).

If a device type is not listed in the firmware-updates repository, you must first manage a device of that type and then download or import the complete set of firmware updates before creating compliance policies for devices of that type.

About this task

When you create a firmware-compliance policy, you can choose to have XClarity Administrator flag a device when:
  • The firmware on the device is down level
  • The firmware on the device does not exactly match the compliance target version

After a firmware-compliance policy is assigned to a device, XClarity Administrator checks the compliance status of each device when the device inventory changes or firmware-updates repository changes. When the firmware on a device is not compliant with the assigned policy, XClarity Administrator identifies that device as not compliant on the Firmware Updates: Apply / Activate page, based on the rule that you specified in the firmware-compliance policy
Illustrates the process for monitoring for firmware compliance and sending alerts when a device becomes noncompliant.

For example, you can create a firmware-compliance policy that defines the baseline level for firmware that is installed in all ThinkSystem SR850 devices and then assign that firmware-compliance policy to all managed ThinkSystem SR850 devices. When the firmware-updates repository is refreshed and a new firmware update is added, those compute nodes might become out of compliance. When that happens, XClarity Administrator updates the Firmware Updates: Apply / Activate page to show that the devices are not compliant and generates an alert.

Note: You can choose to show or hide alerts for devices that do not meet the requirements of their assigned firmware-compliance policies (see Configuring global firmware-update settings). Alerts are hidden by default.

Procedure

To create a firmware-compliance policy, complete the following steps.

  1. From the XClarity Administrator menu bar, click Provisioning > > Firmware Updates: Compliance Policies. The Compliance Policy page is displayed with a list of all existing firmware-compliance policies.

    Illustrates the list of compliance policies on the Firmware Updates: Compliance Policies page.
  2. Click the Create icon (Create icon) to display the Create a New Policy dialog.

    Illustrates how to create a new policy.
  3. Fill in the name and description for the firmware-compliance policy.
  4. Fill in the table on the following criteria for each device:
    • Device Type. Choose a type of device for which this policy is to apply.

      Tip: If you choose a server, the compliance level is done at the UXSP level. However, you can also expand the server to specify specific firmware levels for each component, such as the baseboard management controller or UEFI.
    • Compliance Target. Specify the compliance target for the applicable devices and subcomponents.

      For servers, you can choose one of the following values.
      • Default. Changes the compliance target for each subcomponent to the default value (such as the latest set of firmware in the repository for that device).

      • Do not update. Changes the compliance target for each subcomponent to "Do not update."

      For devices without subcomponents (such as CMMs, switches, or storage devices) or for subcomponents in a server, you can choose one of the following values.

      • <firmware_level>. Specifies the baseline firmware level.

      • Do not update. Specifies that the firmware is not to be updated. Note that firmware on the backup management controller is not updated by default.

      Note: When you change default values for any subcomponent in a server, the compliance target for that server changes to Custom.
    • Compliance Rule. Specify when a device is flagged as not compliant in the Installed Version column on the Firmware Updates: Apply/Activate.

      • Flag if Downlevel. If the firmware level that is installed on a device is earlier than the level that is specified in the firmware-compliance policy, the device is flagged as not compliant. For example, if you replace a network adapter in a compute node, and the firmware on that network adapter is earlier than the level identified in the firmware-compliance policy, the compute node is flagged as not compliance.
      • Flag if Not Exact Match. If the firmware level that is installed on a device is not an exact match with the firmware-compliance policy, the device is flagged as not compliant. For example, if you replace a network adapter in a compute node, and the firmware on that network adapter is different than the level identified in the firmware-compliance policy, then the compute node is flagged as not compliance.
      • No Flag. Devices that are out of compliance are not flagged.
  5. Optional: Expand the system type to display each update in the package, and select the firmware level to be used as the compliance target, or select "Do not update" to prevent firmware from being updated on that device.
  6. Click Create.

    The firmware-compliance policy is listed on the Firmware Updates: Compliance Policy page.

What to do next

The firmware-compliance policy is added to the table on the page. The table shows the usage status, origin of the policy (whether user-defined or predefined), and the last modification date.

After you create a firmware-compliance policy, you perform the following actions on a selected firmware-compliance policy:
  • Create a duplicate of an existing firmware-compliance policy by clicking the Copy icon (Copy icon).
  • Rename or edit a firmware-compliance policy by clicking the Edit icon (Edit icon).
  • Delete a firmware-compliance policy by clicking the Delete Policy icon (Delete icon) or delete a firmware-compliance policy and all associated firmware updates that are used only by that policy by clicking the Delete Any Policy and Firmware Packages icon (Delete all icon).

    If the policy is assigned to a device, the policy is unassigned before it is deleted.

  • Export firmware-compliance policy that exists in the firmware-updates repository to a local system by selecting the policies and clicking the Export icon ( Export icon). You can then import the policies to another XClarity Administrator instance by clicking the Import icon ( Import icon).

After you create a firmware-compliance policy, you can assign the policy to a specific device (see Creating firmware-compliance policies) and apply and activate updates for that device (see Applying and activating firmware updates).