. . . have set up their systems to queue updates - i.e., if a given system isn't online and available at 0300 local time, when the machine reconnects to the network (typically at 0805 local time) it'll get hit with a mandatory update.
All that's left is to let the end-lusers know how that works - they can either leave their systems on, connected and available overnight, or they can face an hour or more of agonizingly slow computing (and probably a mandatory reboot at the end of that hour). Make sure that if they interrupt the mandatory update, it'll be logged as not done, so that when their system reconnects the update will be pushed again.
Ensconce this in a formal IT policy - anybody found to be intentionally circumventing this policy will be considered guilty of industrial espionage, or at least failure to obey clearly stated company policy, typically a termination-type of offense. Get through to your upper management exactly how critical this is to maintaining the health of their IT infrastructure.
In short, I suggest using the SysAdmin's +5 LART of Holy Terror. "Thou shalt use thy holy hand grenade to blow thine enemies to itsy-bitsies", or words to that effect.