Content Database

Large App Icon

I’ve just added a new feature to my BigFix.me website… the Content Database!!! Come check it out!

This side-project catalogues fixlets, tasks, and analyses into one big content database (CDB). The first available feature of the CDB is the ability to search relevance statements. Type in one or more keywords like "operating system" or "exists" and you’ll get back tons of examples of how to use those inspectors or key words within your own relevance statements. The database even knows what type of data will be returned and we sort all the results by re-use count, which can be helpful in finding the most popular statements.

If you want to contribute to the database, simply logon or register and visit our import BES content page.

You can learn more here: http://bigfix.me/cdb.

Installing BigFix.me MDM onto your iOS devices.

The following step-by-step process demonstrates how to install/configure MDM on your iOS devices… iPhones, iPods, and iPads.

1. Visit https://bigfix.me using your mobile device. Step 1 of 13
2. Click "Continue to this website (not recommended)" if prompted. Step 2 of 13
3. Click the "SSL certificate" link towards the bottom. Step 3 of 13
4. Click the "Install" button on the "Install Profile" screen. Step 4 of 13
5. Click the "Install" button on the "Warning" screen. Step 5 of 13
6. If you have a password set, you will need to enter it now and hit "Done". Step 6 of 13
7. Click the "Done" button on the "Profile Installed" screen, you will be returned to Sarfari. Step 7 of 13
8. Enter your email address, choose Device Ownership value and click the "Enroll" button. Step 8 of 13
9. Click the "Install" button on the "Install Profile" screen. Step 9 of 13
10. Click the "Install Now" button within the popup box. Step 10 of 13
11. If you have a password set, you will need to enter it now. Step 11 of 13
12. Click the "Install" button one more time for the "Warning" screen and your done. Step 12 of 13
13. Click "Done" and your all finished. Step 13 of 13

BigFix Endpoint Command Polling

Command polling is a feature built into every Tivoli Endpoint Manager endpoint.  This feature instructs endpoints to query their relay for new instructions instead of waiting the UDP ping regarding new actions.

This feature is invaluable when it comes to endpoints that are beyond your DMZ or UDP pings are not allowed.  By activating this task, you can speed up the responsiveness of your endpoints in this ping restricted locations.

Look for the “BES Client Setting: Enable Command Polling” task within the BES Support external site.

My DMZ relay is identified when endpoints communicate with my public domain name: bigfix.me.  When the endpoint talks to this relay I would like them to poll for commands every 45 minutes.  When the endpoints switch to talking to a different relay, I would like them to turn off the polling settings.

To do this I will activate two different actions.  One that is targeted at computers talking to my bigfix.me relay.  A second task will have additional relevance to differentiate them and allow me to turn off polling.

Enable Polling

Activate this action choosing the second take action option which allows us to specify the number of seconds… at 2700 or 45 minutes.

Command Polling 1

Command Polling 2

Next we’ll need to copy the “Relay” global property relevance so we can add a bit of logic to our action.

Command Polling 3

Copy the relevance for “Relay” into the clipboard and hit Cancel to close the Manage Properties window.

Command Polling 4

Returning to the Take Action dialog, specify the Preset = Policy   and select “All Computers” as the target.

Command Polling 5

On the “Applicability” tab we’ll want to modify the relevance and add the following to the end of what is there (copied from the Relay global property):

 AND (if ((it does not contain "127.0.0.1" and it does not contain "::1") of name of registration server) then (name of registration server) else if (exists setting "_BESRelay_PostResults_ParentRelayURL" of client and exists value of setting "_BESRelay_PostResults_ParentRelayURL" of client as string) then (preceding text of first "/" of (following text of first "//" of (value of setting "_BESRelay_PostResults_ParentRelayURL" of client))) else "BES Root Server") as lowercase contains "bigfix.me" AND NOT exists setting "_BESClient_Comm_CommandPollEnable" of client

Command Polling 6

After updating the relevance, we’re ready to hit OK to activate this action.

It will run on all endpoints which have “bigfix.me” within the Relay global property.

Disable Polling

Now that we have this feature getting enabled, we’ll want to disable it where it is not needed.  In other words, when endpoints are talking to any other relay except my “bigfix.me” DMZ relay.

Command Polling 7

Under the Target tab, specify all computers, configure Preset = Policy and update the name so we know this will “Disable Command Polling”.

Command Polling 8

Next we’ll move over to the “Applicability” tab as we did before and add the following slightly modified relevance from before (notice the “does not” at the end):

AND (if ((it does not contain "127.0.0.1" and it does not contain "::1") of name of registration server) then (name of registration server) else if (exists setting "_BESRelay_PostResults_ParentRelayURL" of client and exists value of setting "_BESRelay_PostResults_ParentRelayURL" of client as string) then (preceding text of first "/" of (following text of first "//" of (value of setting "_BESRelay_PostResults_ParentRelayURL" of client))) else "BES Root Server") as lowercase does not contains "bigfix.me" AND exists setting "_BESClient_Comm_CommandPollEnable" of client

Command Polling 9

After updating the relevance, we’re ready to hit OK to activate this action.

Now I will start to receive better response from endpoints communicating through my DMZ relay server.

If you have any questions or comments, please add them to the comments section below.

How to Tattoo your BigFix Endpoints

A large organization utilizing Tivoli Endpoint Manager (BigFix) has many things to do when it comes to organizing your endpoints.

Organization comes in many forms… grouping computers by: Operating System, Processor, Available Disk Space and Last Report Time are all out-of-the-box features of any BigFix infrastructure.  BUT that doesn’t make it very useful for the business side of your organization. 

To help organize your endpoints into business centric groups… we need to utilize a process I call automatic tattooing.  Tattooing endpoints can happen in many ways but they are all triggered off from properties on endpoints.  These properties can be values within INI files somewhere on the file system of your endpoints.  They can also take the form of: is a certain program installed?

For this article I will limit the scope to a few windows properties that are hidden deep within the registry.  In a later article I will help describe the process of a cross-platform tattooing method.

For my purpose I will focus on the RegisteredOrganization and RegisteredOwner string values within HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion of the Registry.

I will create a few things:

1. Two global properties which I can use within WebReports, and to help with targeting actions.

2. A task to make it very easy to configure this value using an action.

Global Properties

Crafting relevance for my two global properties is actually really easy.  In my case I’ll be reading into the registry for the values of my properties as such:

Registered Organization = value "RegisteredOrganization" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry

Tattooing 1

Registered Owner = value "RegisteredOwner" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry

Tattooing 2

Now let’s implement those within our console. 

Tattooing 3

Click on Tools->Manage Properties, Click “Add New” and specify the “Name:” and “Relevance:”.  If you have more than 100k endpoints, you may want to consider increasing the “Evaluate” property to something like “1 day” or longer.  For my tiny deployment, I will leave it at the default “Every Report”.

Tattooing 5    Tattooing 6

Once the properties have propagated, your endpoints will start to return data…

Tattooing 7

 

Configuration Task

Next up is something a tad more difficult, depending on your experience with creating custom content.  We will create a custom task which will allow us to configure these two registry values.  This task will utilize to very special commands: action parameter query, regset and regset64.  Read more about those in this document.

Let’s start with a new task:

Tattooing 8

Tattooing 9

As anybody who has read my previous articles knows, I like to fill in every blank.  It makes for a better deliverable product to customers.

Tattooing 10

The action script for this task will need to do the following things expressed in sudo-code:

Query the user for the value they want to configure for both properties.

if 64bit OS

    configure 64bit registry values

else

    configure 32bit registry values

validate

After a bit of research, our action script ends up looking like this:

action parameter query "Organization" with description "Please enter the name of your Organization (Ex: Moran IT):" and with default value ""
action parameter query "Owner" with description "Please enter the Owner’s name (Ex: Daniel):" and with default value ""

if {exists x64 of operating system}
    regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" "RegisteredOrganization]" = "{parameter "Organization"}"
    regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" "RegisteredOwner]" = "{parameter "Owner"}"
endif 


regset  "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" "RegisteredOrganization]" = "{parameter "Organization"}" 
regset  "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" "RegisteredOwner]" = "{parameter "Owner"}"

continue if {(value "RegisteredOrganization" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry) = (parameter "Organization")}
continue if {(value "RegisteredOwner" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry) = (parameter "Owner")}

Tattooing 11

Of course we can’t forget about a URL with additional detail on this task…

Tattooing 12

The relevance required to do this is actually very simple.  Since only windows computer have a “registry” we can eliminate all non-windows endpoints from running this action with the following relevance:

name of operating system contains "Win"

Tattooing 13

It is highly unlikely that a windows registry will not have the following key, but so we all learn good habits I’ve added the following relevance as well:

exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry

Tattooing 14

Let us not forget my article on Properties.

Tattooing 15

It’s been a few minutes and it looks like my fastest computers have already responded with their applicability responses.

Tattooing 16

I won’t go into detail on how to launch this task, I’ve already covered that.  Targeting is way more important to think through and understand how you are going to organize your endpoints.  In later articles I will cover other tattooing methods and how they can benefit your organizations.

For your convenience, here is a zip file containing the content covered in this article:  http://dl.dropbox.com/u/41985632/Content/Configure%20Registered%20Organization%20and%20Owner.zip

If you have any questions or comments, please leave them below.  I’d love to hear about some other tattooing methods and how you implement them within your deployment.

Visual Studio: Add Uninstall to Your Application

First let me send a shout out to my reference for this little tidbit of information:  How to add a Uninstall option in Visual Studio Setup project without writing code GoGoToTo created a very nice article on this.  I simply expanded it further to include getting your application “registered” so within BigFix it will show up as one of the registered apps.

First View your File System so we can add the special folder “System”

Uninstall and Register 1

If your application is x86, then we’ll want to add the msiexec.exe from the c:\windows\SysWow64 folder.

Uninstall and Register 2

Uninstall and Register 3

Left click to highlight the msiexec.exe file and in the properties window, adjust as indicated in the following image:

Uninstall and Register 4

Next we’ll need to add a shortcut to the “User’s Program Menu”.  In my example, I’ve created a sub-folder named after my application.  Click that folder and in the right window, right-click and create a shortcut.

Uninstall and Register 5

Navigate to the System Folder and select the msiexe.exe file.

Uninstall and Register 6

Uninstall and Register 7

Before we modify the shortcut’s properties, we’ll need to copy the ProductCode from the Setup Application Properties.

Uninstall and Register 8

Using that ProductCode, modify the shortcut’s properties as follows:

Uninstall 8a

Now we get to register our application… Open the Registry View.

Uninstall and Register 9

Under HKEY_LOCAL_MACHINE add the following sub-keys:

Microsoft\Windows\CurrentVersion\App Paths\[name of your exe]

Remember to specify the last key to “DeleteAtUninstall” = True

Add the following 2 string values with the values as shown.

Uninstall and Register 10

 

That’s it.  You now have an uninstall link that will be created upon installation of your app.  You will also have your application properly “registered” so BigFix can properly detect it.

New BigFix Deployment

When you first setup your Tivoli Endpoint Manager (BigFix) deployment, you will want to enable a few analyses.  These analyses will collect data that can be very helpful when managing your infrastructure as well as troubleshooting and adding customizations.

First up is to activate the BES Component Versions analysis…  You can find a shortcut to this under BigFix Management->Deployment Overview

New Deployment 1

Simply Activate this analysis…

New Deployment 2

And the data will start pouring in.  This information will then be read by various dashboards within the product which help you manage your deployment.

New Deployment 3

Another analysis to be activated is the BES Health Checks Analysis.  This will help you analyze the health and configuration of your deployment.  It provides basic information on the components that make up your infrastructure.  You can find the shortcut to this under BigFix Management->Deployment Health Checks

New Deployment 4

Activate this as well…

New Deployment 5

and you’ll start to see data from this analysis as well.  Just like the first analysis, this one will pull in data and feed that to dashboards within the product.

New Deployment 6

Further down on the Deployment Health Checks dashboard in the Deployment Optimization section is a Warning about activating the BES Relay Status Analysis.  Click that shortcut to activate that as well…

New Deployment 7

New Deployment 8

Just as the others, the data will be pulled in for use by various dashboards.

New Deployment 9

 

If you have any questions or comments, please leave them below.

Endpoint Manager (BigFix) Licensing Updates

Occasionally your BigFix deployment will receive a notice that it has gathered an update to your license.  Then it will ask you to propagate that license to your endpoints.  It notifies you with the following screen:

Licensing Propagate 1 of 8

Licensing Propagate 2 of 8

Licensing Propagate 3 of 8

Licensing Propagate 4 of 8

This private key will require your master password…

Licensing Propagate 5 of 8

Once the tool opens, it will immediately notify you that a propagation is required.  Simply hit YES to this box.

Licensing Propagate 6 of 8

Nothing to do once the tool itself opens, so simply hit OK to close it.

Licensing Propagate 7 of 8

All done.  Return to the console, hit the refresh button in the upper right and the licensing message should be gone.

Licensing Propagate 8 of 8