Endpoint Manager (BigFix) Licensing Updates

Occasionally your BigFix deployment will receive a notice that it has gathered an update to your license.  Then it will ask you to propagate that license to your endpoints.  It notifies you with the following screen:

Licensing Propagate 1 of 8

Licensing Propagate 2 of 8

Licensing Propagate 3 of 8

Licensing Propagate 4 of 8

This private key will require your master password…

Licensing Propagate 5 of 8

Once the tool opens, it will immediately notify you that a propagation is required.  Simply hit YES to this box.

Licensing Propagate 6 of 8

Nothing to do once the tool itself opens, so simply hit OK to close it.

Licensing Propagate 7 of 8

All done.  Return to the console, hit the refresh button in the upper right and the licensing message should be gone.

Licensing Propagate 8 of 8

Tivoli Endpoint Manager (BigFix) Console Requirement

There are a few requirements for the BigFix console to run on your admin machine.  I’ll discuss only one of them here.

Office Web Controls is a Microsoft Office Components requirement which allows us to display charts and graphs within the console.  It can be found here.

The installation of this requirement is relatively easy… here are my screen shots of the process:

Console Req 1

Console Req 2

Console Req 3

Console Req 4

Console Req 5

Console Req 9

Console Req 10

Once the components are installed, you will need to restart your console.  But once you do, the console fills with beautiful shapes and bars.

Console Req 11

If you have any questions about the process or would like to share your comments, please do so below.

If you’d like to see some of the screen shots I skipped in this article, visit http://www.flickr.com/photos/danielheth/sets/72157629877524866/

TEM SUA Upgrade –>

Lately I released an article on installing Tivoli Endpoint Manager’s add-on product Software Usage Analysis (SUA) v1.3.0.592.  Well… we have released another upgrade and here’s how you can upgrade your installation:

Launching the installation is pretty easy… unlike the initial installation, there is basically one “step”.  Launch the installer:



Typical license agreement stuff.




Since this is an upgrade, we are good about warning you that no one will be able to access the GUI interface at this point.


We’ll need to confirm the user account that is being used for the services here.



I ran into one little problem, but it was due to service account permissions to the database.  After adjusting them for the duration of this install, the installation continued.







The installation went well with just the one permissions-based hiccup.  To confirm the installation was successful, simply log into the GUI and look at the bottom right for version and catalogue numbers.



If you have any questions or comments, please leave them below.

To view all of the images from this upgrade visit:  http://www.flickr.com/photos/danielheth/sets/72157629743080378/

TEM Software Usage Analysis v1.3.0.592

A very nice tool for capturing the software inventory of your enterprise is our Software Usage Analysis (SUA) add-on product. 

Here is a simplified overview of how to install this add-on into an already existing infrastructure.

For the various official guides visit: (http://publib.boulder.ibm.com/infocenter/tivihelp/v26r1/index.jsp?topic=/com.ibm.tem.doc/welcome.htm)


I’ve chosen to set up SUA on a physical computer with modest capabilities due to the tiny deployment I’m using.  See the Install guide for details on system requirements.  My server has an Intel E7200 Core 2 Duo processor with 4Gb of RAM.  It is running Microsoft Windows 2008r2 with SP1.  This should work perfectly for my deployment of <50 endpoints.

I will also be using a centralized SQL server that all of my applications are using including the TEM server itself.  It is a Virtual running under Hyper-V but should service my needs.  It too is a Microsoft Windows 2008r2 with SP1 installed and has MS SQL 2008r2 SP1 as well.

Everything is attached to my Microsoft Active Directory domain to make authentication easy.  The SUA services will be running under a special svBigFix account I have set up with appropriate permissions within my domain.

Very simply the installation procedure is as follows:

  1. Subscribe/Activate to DSS SAM Content Site
  2. Install SUA
  3. Configure the services that run SUA and connect to the databases
  4. Create the SUA BFEnterprise Database Connections

Let’s begin!

1. Subscribe/Activate to DSS SAM Content Site

Look under the BigFix Management->License Overview for the “DSS SAM” available site.

SUA Install Step 1a

SUA Install Step 1b

Activate and subscribe the appropriate computers.  For my tiny deployment, I’m going to subscribe all computers.

SUA Install Step 1c

Next, we’ll need to activate the three required analyses.

SUA Install Step 1d

Activate our Installation task for the SUA Scanner that runs on our endpoints.

SUA Install Step 1e

SUA Install Step 1f

Then schedule that scanner to run…

SUA Install Step 1g

SUA Install Step 1h

And schedule the uploads to occur immediately upon scan completion.

SUA Install Step 1i

SUA Install Step 1j

2. Install SUA

Now we’ll install the initial components of SUA… this is pretty straightforward.  Just remember, if you are configuring the service as I am with a domain service account, log into the desktop of this server using that account.

SUA Install Step 2a

SUA Install Step 2b

SUA Install Step 2c

SUA Install Step 2d

SUA Install Step 2e

SUA Install Step 2f

SUA Install Step 2g

SUA Install Step 2h


3. Configure the services that run SUA and connect to the Databases

The configuration wizard will automatically open upon completion of step 2. 

SUA Install Step 3a

Specify the domain level service account that SUA will be configured to “Run As”.

SUA Install Step 3b

Indicate if you have WebReports installed so SUA can have access to it.

SUA Install Step 3c

Specify the details surrounding connection to that WebReports server.

SUA Install Step 3d

Now specify the details of where you want your SUA database.

SUA Install Step 3e

If this is not a dedicated server, you may want to change the default port.  You can also install an SSL certificate if you have one.

SUA Install Step 3f

SUA Install Step 3g

The installer will automatically launch the catalogue updater, which populates the database with the latest catalogue entries, which are published monthly by IBM TEM Headquarters.

SUA Install Step 3h

The various services are configured and started.

SUA Install Step 3i

SUA Install Step 3j

SUA Install Step 3k


4. Create the SUA BFEnterprise Database Connections

The last stage of installation is to pull up the user GUI and make the connection to BFEnterprise and run a full ETL.

SUA Install Step 4a

SUA Install Step 4b

SUA Install Step 4c

SUA Install Step 4d

SUA Install Step 4e

SUA Install Step 4f

SUA Install Step 4g

SUA Install Step 4h

SUA Install Step 4i

SUA Install Step 4j

SUA Install Step 4k

SUA Install Step 4l

SUA Install Step 4m

SUA Install Step 4n


If you have any questions regarding the installation of SUA, leave them below and I’ll respond.


I’ve put together a video guide of this process over on YouTube…

NEW Tivoli Endpoint Manager OS Deployment 2.2

IBM just announced the release of our new Tivoli Endpoint Manager for OS Deployment version 2.2!

This release has two new features:

  • Driver Management – A new dashboard was added that will allow you to upload and manage drivers that would be used during an OS reimaging.
  • Bootable Media Creation Tool – will allow you to create self contained bootable media for imaging offline for bare metal needs.
  1. A New Driver Library Dashboard:
  2. New Analyses:
  3. New Fixlets… Deploy MDT Media Creator and Update Server Whitelist for Driver Management:

Look for version 13… to get these latest updates:


If you’re looking for more information… visit us over on the IBM forums:



Adding LDAP Authentication to the TEM (BigFix) Console

The latest version (8.2.x) of Tivoli Endpoint Manager comes with the ability to authenticate console users with your LDAP directory.  Here is a simplified step-by-step guide for setting that up.

Open your console and use one of your Master Operator accounts.  Find the LDAP Directories branch in the left side tree and right click it.  Choose to Add LDAP Directory from that list…


Enter any “Name” you’d like and specify your LDAP authentication server as well as if it is a global catalog server.  In my tiny network, I only have the one DC.


Click the Test button to validate the connectivity…


My network is very tiny; however, if alternate DC servers are available, I would encourage you to specify them in the Backup Server X spaces provided.



Adding the link to the DC is one step… next you’ll probably want to create a special AD group to which Console users will belong.  Remember that within TEM, we have Console Operators and Master Operators.  Each user/group has a specified set of computers they are responsible for and this can be extended into AD.  Simply create AD user groups that reflect how your organization is divided and the level of console access each group requires.

In my case I created two AD groups:  BigFix_Admin and BigFix_Console.  Then added my user account to the Admin group.



Our next/last step is to specify the level of access each of these new AD groups have within the TEM infrastructure.


You can name this new Role anything you’d like, however I like to match the AD group name up with this Role name to make it easy to understand.


My Admin group has near unlimited privileges… thus I’ll choose yes to the following options:  Master Operator, Custom Content, and Show Other Operators’ Actions.


Next we’ll need to assign the computers that this group will have control over… in my case I’ll be specifying “all computers”


Using this dialog I can specify individual computers as well as systems based on Retrieved Properties or Group Membership.


I will not be adding TEM users to this group as it was set up specifically for my LDAP Admin group… so I’ll skip the “Operators” tab.


Instead I’ll be focusing on the LDAP Groups tab… and Assigning LDAP Group to this TEM Group I’m currently defining…


Search for the group to be added to this TEM group, and Assign it.



Lastly I’ll gloss over the Sites tab since I currently only have 1 site in this new infrastructure; however, I can specify specific site permissions just like I can for TEM users.


Don’t forget when you are done to Save Changes…


Since this is a fresh installation, the setting which requires entering your authentication password to authorize this new action has been disabled by default.  In a different article I will explain this very cool security feature, how it works and how to force the password requirement just like in previous versions.   For now, let’s log in with my Domain credentials to test things out!



Let’s re-launch the console but this time using my Domain credentials…

Be sure to include your Domain within the User name field…  In my case it’s “MoranIT\Daniel”


Success!!  The authentication was accepted and I’m logging into the console!


Something very important to notice here is that my operator site and account were automatically generated upon login.  This means that if too many new users log in, it could cause traffic on your network, since a subscription action is deployed to the authorized computers list.
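
Because each role is bound to an AD group and the operator account is generated at first login, membership of BigFix_Admin and BigFix_Console in AD decides who gets console access.  The PowerShell below is an added example, not part of the original walkthrough or of the product: it lists members (including nested ones) of those two groups that are not on an approved list.  It assumes the ActiveDirectory module is installed; the approved list and the function name Get-UnapprovedMember are illustrative.

```powershell
# Added example: audit the AD groups that are mapped to TEM console roles.
# Requires the ActiveDirectory module (RSAT / AD DS role tools).
Import-Module ActiveDirectory

# Group names are the ones used in this article. The approved
# sAMAccountNames are a constructed sample; replace with your own list.
$roleGroups = @{
    'BigFix_Admin'   = @('Daniel')   # maps to the Master Operator role
    'BigFix_Console' = @()           # no approved members yet in this sample
}

function Get-UnapprovedMember {
    param(
        [Parameter(Mandatory = $true)] [string] $GroupName,
        [string[]] $Approved = @()
    )
    # -Recursive expands nested groups, so users who reach the role
    # indirectly through another group are reported as well.
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object {
            $_.objectClass -eq 'user' -and
            $Approved -notcontains $_.SamAccountName
        } |
        ForEach-Object {
            # Pull account state so stale or disabled accounts stand out.
            Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate |
                Select-Object @{ Name = 'Group'; Expression = { $GroupName } },
                              SamAccountName, Enabled, LastLogonDate
        }
}

$findings = foreach ($entry in $roleGroups.GetEnumerator()) {
    Get-UnapprovedMember -GroupName $entry.Key -Approved $entry.Value
}

if ($findings) {
    $findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize
} else {
    'No unapproved members found in the console role groups.'
}
```

Running this on a schedule and reviewing any output gives an early signal when someone is added to a group that carries Master Operator rights.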



Enjoy your new LDAP authenticated user access… let me know if you have any questions or comments in the section below.  I respond to all my comments, so please engage…