How to Tattoo your BigFix Endpoints


A large organization utilizing Tivoli Endpoint Manager (BigFix) has many things to do when it comes to organizing your endpoints.

Organization comes in many forms… grouping computers by: Operating System, Processor, Available Disk Space and Last Report Time are all out-of-the-box features of any BigFix infrastructure.  BUT that doesn’t make it very useful for the business side of your organization. 

To help organize your endpoints into business centric groups… we need to utilize a process I call automatic tattooing.  Tattooing endpoints can happen in many ways but they are all triggered off from properties on endpoints.  These properties can be values within INI files somewhere on the file system of your endpoints.  They can also take the form of: is a certain program installed?

For this article I will limit the scope to a few windows properties that are hidden deep within the registry.  In a later article I will help describe the process of a cross-platform tattooing method.

For my purpose I will focus on the RegisteredOrganization and RegisteredOwner string values within HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion of the Registry.

I will create a few things:

1. Two global properties which I can use within WebReports, and to help with targeting actions.

2. A task to make it very easy to configure this value using an action.

Global Properties

Crafting relevance for my two global properties is actually really easy.  In my case I’ll be reading into the registry for the values of my properties as such:

Registered Organization = value "RegisteredOrganization" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry

Tattooing 1

Registered Owner = value "RegisteredOwner" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry

Tattooing 2

Now let’s implement those within our console. 

Tattooing 3

Click on Tools->Manage Properties, Click “Add New” and specify the “Name:” and “Relevance:”.  If you have more than 100k endpoints, you may want to consider increasing the “Evaluate” property to something like “1 day” or longer.  For my tiny deployment, I will leave it at the default “Every Report”.

Tattooing 5    Tattooing 6

Once the properties have propagated, your endpoints will start to return data…

Tattooing 7

 

Configuration Task

Next up is something a tad more difficult, depending on your experience with creating custom content.  We will create a custom task which will allow us to configure these two registry values.  This task will utilize to very special commands: action parameter query, regset and regset64.  Read more about those in this document.

Let’s start with a new task:

Tattooing 8

Tattooing 9

As anybody who has read my previous articles knows, I like to fill in every blank.  It makes for a better deliverable product to customers.

Tattooing 10

The action script for this task will need to do the following things expressed in sudo-code:

Query the user for the value they want to configure for both properties.

if 64bit OS

    configure 64bit registry values

else

    configure 32bit registry values

validate

After a bit of research, our action script ends up looking like this:

action parameter query "Organization" with description "Please enter the name of your Organization (Ex: Moran IT):" and with default value ""
action parameter query "Owner" with description "Please enter the Owner’s name (Ex: Daniel):" and with default value ""

if {exists x64 of operating system}
    regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" "RegisteredOrganization]" = "{parameter "Organization"}"
    regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" "RegisteredOwner]" = "{parameter "Owner"}"
endif 


regset  "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" "RegisteredOrganization]" = "{parameter "Organization"}" 
regset  "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" "RegisteredOwner]" = "{parameter "Owner"}"

continue if {(value "RegisteredOrganization" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry) = (parameter "Organization")}
continue if {(value "RegisteredOwner" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry) = (parameter "Owner")}

Tattooing 11

Of course we can’t forget about a URL with additional detail on this task…

Tattooing 12

The relevance required to do this is actually very simple.  Since only windows computer have a “registry” we can eliminate all non-windows endpoints from running this action with the following relevance:

name of operating system contains "Win"

Tattooing 13

It is highly unlikely that a windows registry will not have the following key, but so we all learn good habits I’ve added the following relevance as well:

exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry

Tattooing 14

Let us not forget my article on Properties.

Tattooing 15

It’s been a few minutes and it looks like my fastest computers have already responded with their applicability responses.

Tattooing 16

I won’t go into detail on how to launch this task, I’ve already covered that.  Targeting is way more important to think through and understand how you are going to organize your endpoints.  In later articles I will cover other tattooing methods and how they can benefit your organizations.

For your convenience, here is a zip file containing the content covered in this article:  http://dl.dropbox.com/u/41985632/Content/Configure%20Registered%20Organization%20and%20Owner.zip

If you have any questions or comments, please leave them below.  I’d love to hear about some other tattooing methods and how you implement them within your deployment.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s