As a best practice, ArcGIS Enterprise should be kept up to date with released patches.  But, how many ArcGIS Enterprise administrators really keep their organizations up to date with patches?  It’s kind of like flossing your teeth.  You know you should do it, but you may think it’s tedious and there isn’t any instant gratification.

Even if you consider it tedious and without instant gratification, we encourage you keep ArcGIS Enterprise up to date with patches.  It’s key to a successful ArcGIS Enterprise deployment.

Here we’re going to cover what patches are exactly, where to find ArcGIS Enterprise patches, how to install a patch, and why should keep up to date with patches.  It may not sound glamorous, but you’ll be thanking us by the end of this blog.

What is a patch?

When thinking of a patch, it’s not unusual for you to think of something you’d use to cover a hole in your favorite pair of jeans.  A software patch really isn’t that different; it is a set of changes designed to fix something within the software.  This “something” is often a security vulnerability or a functional defect found within the software.  It should be noted that not all defects will be fixed in patches. The decision to fix a specific defect in a patch is based on the severity and how pervasive the issue is across all customers.

Patches and ArcGIS Enterprise

When it comes to ArcGIS Enterprise, patches do not introduce new functionality into the product.  For example, ArcGIS Enterprise 10.9.1 introduced the ability to share map services from cloud data warehouses.  No matter how many patches are released for ArcGIS Enterprise 10.8.1, this functionality will never be introduced into this older release.  These patches will only address an issue in the software which produces incorrect or unexpected results.

ArcGIS Enterprise patches are often built for different operating systems and versions of the software.  This is all closely tied to the product life cycle.  ArcGIS Enterprise versions in general availability and extended support are eligible to have patches created for them.  For short-term support releases, this will be for the first 18 months after initial release.  For long-term support releases, this will be the four years following initial release.  For more information on ArcGIS Enterprise short-term and long-term support releases, see our blog on Updates to the ArcGIS Enterprise Product Lifecycle.

Where to find ArcGIS Enterprise patches

When patches are finished being developed and thoroughly tested, Esri releases them on the Esri Support website.

ArcGIS Enterprise on Windows and Linux is comprised of the following main components: ArcGIS Server, Portal for ArcGIS, ArcGIS Data Store, and ArcGIS Web Adaptor.  Each component has its own landing page where, in addition to downloading patches, you can view other details about the component.  This includes its current lifecycle stage and links to the Knowledge Base.  Selecting downloads reveals a comprehensive list of patches available for the selected release of the ArcGIS Enterprise component in question.

Patches for ArcGIS Enterprise on Kubernetes will be delivered as updates to software container images.  When an update is available, it will appear within the ArcGIS Enterprise Manager interface, and can be applied from there through the Administrator API. For more on how we provide updates using ArcGIS Enterprise on Kubernetes, see Understanding updates and upgrades in our product documentation.  The rest of this blog will focus on patches specific to ArcGIS Enterprise on Windows and Linux environments.

Selecting a patch from the list navigates you to an information page that contains the summary of the patch, any prerequisite software configurations or patches that have to be installed before applying this patch, the download link to the patch, and the Checksum information which confirms the validity and authenticity of the download.  Below this information are explicit instructions on how to install the patch as well as an “Issues addressed” section.

In addition to the Esri Support website, administrators can use the patchnotification utility that’s installed with each component of ArcGIS Enterprise on Windows and Linux.  The benefit of this utility is that it reports information on relevant ArcGIS Enterprise components based on your installed version automatically. For this utility to report available patches, the machine where each component is installed must have network access to https://downloads.esri.com/patch_notification/patches.json.  It should be noted that if you’re working in a disconnected environment, with no internet access, the patches will need to be downloaded and installed directly from the Esri Support website.

For the utility to download patches as necessary, the following sites to also be accessible to the machine where each component is installed:

• https://gisupdates.esri.com/
• https://downloads.esri.com/
• https://support.esri.com/

The utility includes options to either install only security patches, or all patches.  Please note, while this process is automated the Enterprise components in question will be restarted multiple times throughout the process.  It is important to bear your organization’s service level agreement (SLA) in mind, and to ensure that patches are being installed during off-peak hours or during a maintenance window.

How to install ArcGIS Enterprise patches

Installing patches may be relatively easy, however there are some crucial factors to consider before clicking the install button.

How ArcGIS Enterprise has been deployed may cause some difference in workflows comes to patching.  Let’s look at three deployment scenarios and discuss the best patching path for each:

1. Single and multiple machine ArcGIS Enterprise environments.

• The order on installation does not matter, each ArcGIS Enterprise component can be patched in any order.

2. Multiple machine standalone ArcGIS Server environments.

• As long as one single machine remains active in an ArcGIS Server site, machines may be patched in any order – independent of each other.

3. Highly available (HA) ArcGIS Enterprise environments.

• If moving to the failover site is not an option, patching the standby Enterprise portal should occur first.
• As mentioned above, so long as a single working machine of an ArcGIS Server site remains reachable, machines participating on the site may be updated in any order.
• ArcGIS Data Store must be patched in a specific order to ensure that the data hosted on the datastore is still accessible (similarly to the Enterprise portal).
• Read more on this in our Apply patches and updates to highly available components section of the product documentation.

Patches should be applied to your development and staging environments first, to validate the applied patch before patching your production ArcGIS Enterprise environment.

Patching considerations

Once you know you want to apply an ArcGIS Enterprise patch, there are some additional considerations to keep in mind:

• When a patch is applied to ArcGIS Enterprise it will require that the component being patched restarts.  This may lead to system downtime, so it’s important to plan accordingly.  Administrators should patch their system during a scheduled window of downtime (after business hours or during a specified update window in your organization’s SLA).
• Several ArcGIS Enterprise patches are cumulative. We use this term for a patch that combines previous, relevant patches into a single major patch. When patching an ArcGIS Enterprise component, the cumulative patch may be installed instead of the individual patches preceding it. A patch can be verified as cumulative from its download page, where you will see a statement such as: “Note: This security patch is cumulative and includes several security and non-security related fixes from earlier patches that are also listed below under Issues Addressed with this patch.”
• Starting with ArcGIS Enterprise 10.9.1, improvements were made to the patching process in order to make it more efficient.

Why install ArcGIS Enterprise patches?

Now that we’re all on the same page with what patches are and what you can expect from ArcGIS Enterprise patches, we can get to the real question here: why install ArcGIS Enterprise patches?

Patches keep your system up to date with the latest updates available for ArcGIS Enterprise.  It may seem silly to install a patch that’s unnecessary for any workflows you’re doing.  However, most patches fix more than one issue.  As we mentioned earlier, the specifics of what issues are addressed in each patch can be found on the Support website under the “Issues Addressed with this patch heading”.

And you may not even know you’re encountering that unexpected behavior until you go through the workflow that produces it.  We’ve realized something isn’t perfect in the software we provided you and we’d like to help you out.  Save yourself time and frustration by installing these patches before you even know you need them.

As helpful as patches are, we realize installing them may cause downtime, which is a concern for many users, particularly for those who have SLAs that allow for very limited downtime.  Patches provide critical fixes to issues in the software and often security vulnerabilities.  The implications of not resolving these issues could cause significantly more downtime and challenges down the line as opposed to proactively installing a patch during scheduled downtime, especially with the patching efficiency improvements introduced at 10.9.1.

As mentioned earlier, patches don’t just fix issues in our software.  There can be other fixes too, such as software vulnerabilities.  An example of this is what occurred late last year with the Apache Log4j vulnerabilities.  A vulnerability in a common third-party logging tool was discovered in many different types of software, not just ArcGIS Enterprise and Esri products.  Though there were no known ways to exploit this vulnerability in any version of ArcGIS Enterprise, we released patches to help fully mitigate this vulnerability from ArcGIS Enterprise.  Even if you don’t consider yourself vulnerable without this patch, many security scans have been flagging log4j so take the time to ensure your ArcGIS Enterprise deployment has this patch applied.

And now you’re prepared to start patching your ArcGIS Enterprise deployments.  Please let us know if you have any feedback or questions below – we’d love to hear from you! Don’t let us off the hook if you find anything we can improve.

About the authors

Jill Edstrom-Shoemaker

Jill is a senior product manager for ArcGIS Enterprise. She works to empower ArcGIS Enterprise users and their organizations. In her free time, Jill loves to be outside in the California sunshine.

Jon Emch

Jon Emch is a Product Advocacy Lead (PAL) for ArcGIS Enterprise. He has been working at Esri for five years, specializing in networking with many product teams with the goal of building common understanding and knowledge. Be Brief, Be Bold, Be Gone

Connect: