Tag Archives: BigFix

Standard

Posted by

Posted on

May 14, 2012

Posted under

Add-ons, BigFix, Installation, Software

Comments

1 Comment

TEM Software Usage Analysis v1.3.0.592

A very nice tool for capturing the software inventory of your enterprise is our Software Usage Analysis (SUA) add-on product. 

Here is a simplified overview of how to install this add-on into an already existing infrastructure.

For the various official guides visit: (http://publib.boulder.ibm.com/infocenter/tivihelp/v26r1/index.jsp?topic=/com.ibm.tem.doc/welcome.htm)

Considerations:

I’ve chosen to setup SUA on a physical computer with modest capabilities due to the tiny deployment I’m using.  See the Install guide for details on system requirements.  My server has an Intel E7200 Core 2 Duo processor with 4Gb of RAM.  It is running Microsoft Windows 2008r2 with SP1.  This should work perfectly for my deployment of <50 endpoints.

I will also be using a centralized SQL server that all of my applications are using including the TEM server itself.  It is a Virtual running under Hyper-V but should service my needs.  It too is a Microsoft Windows 2008r2 with SP1 installed and has MS SQL 2008r2 SP1 as well.

Everything is attached to my Microsoft Active Directory domain to make authentication easy.  The SUA services will be running under a special svBigFix account I have setup with appropriate permissions within my domain.

Very simply the installation procedure is as follows:

  1. Subscribe/Activate to DSS SAM Content Site
  2. Install SUA
  3. Configure the services that run SUA and connect to the databases
  4. Create the SUA BFEnterprise Database Connections

Let’s begin!

1. Subscribe/Activate to DSS SAM Content Site

Look under the BigFix Management->License Overview for the “DSS SAM” available site.

SUA Install Step 1a

SUA Install Step 1b

Activate and subscribe the appropriate computers.  For my tiny deployment, I’m going to subscribe all computers.

SUA Install Step 1c

Next, we’ll need to activate the three required analyses.

SUA Install Step 1d

Activate our Installation task for the SUA Scanner that runs on our endpoints.

SUA Install Step 1e

SUA Install Step 1f

Then schedule that scanner to run…

SUA Install Step 1g

SUA Install Step 1h

And schedule the uploads to occur immediately upon scan completion.

SUA Install Step 1i

SUA Install Step 1j

2. Install SUA

Now we’ll install the initial components of SUA… this is pretty straight forward.  Just remember if you are configuring the service as I am with a domain service account.. log into the desktop of this server using that account.

SUA Install Step 2a

SUA Install Step 2b

SUA Install Step 2c

SUA Install Step 2d

SUA Install Step 2e

SUA Install Step 2f

SUA Install Step 2g

SUA Install Step 2h

 

3. Configure the services that run SUA and connect to the Databases

The configuration wizard will automatically open upon completion of step 2. 

SUA Install Step 3a

Specify the domain level service account that SUA will be configured to “Run As”.

SUA Install Step 3b

Indicate if you have WebReports installed so SUA can have access to it.

SUA Install Step 3c

Specify the details surrounding connection to that WebReports server.

SUA Install Step 3d

Now specify the details of where you want your SUA database.

SUA Install Step 3e

If this is not a dedicated server, you may want to change the default port.  And even install an SSL certificate if you have one.

SUA Install Step 3f

SUA Install Step 3g

The installer will automatically launch the catalogue updater which populates the database with the latest catalogue entries which is published monthly by IBM TEM Headquarters.

SUA Install Step 3h

The various services are configured and started.

SUA Install Step 3i

SUA Install Step 3j

SUA Install Step 3k

 

4. Create the SUA BFEnterprise Database Connections

The last stage of installation is to pull up the user GUI and make the connection to BFEnterprise and run a full ETL.

SUA Install Step 4a

SUA Install Step 4b

SUA Install Step 4c

SUA Install Step 4d

SUA Install Step 4e

SUA Install Step 4f

SUA Install Step 4g

SUA Install Step 4h

SUA Install Step 4i

SUA Install Step 4j

SUA Install Step 4k

SUA Install Step 4l

SUA Install Step 4m

SUA Install Step 4n

 

If you have any questions regarding the installation of SUA, leave them below and I’ll respond.

 

I’ve put together a video guide of this process over on YouTube…

Standard

Posted by

Posted on

May 4, 2012

Posted under

BigFix, Technology

Comments

Leave a comment

NEW Tivoli Endpoint Manager OS Deployment 2.2

IBM just announced the release of our new Tivoli Endpoint Manager for OS Deployment version 2.2!

This release has two new features:

  • Driver Management – A new dashboard was added that will allow you to upload and manage drivers that would be used during an OS reimaging.
  • Bootable Media Creation Tool – will allow you to create self contained bootable media for imaging offline for bare metal needs.
  1. A New Driver Library Dashboard:image
  2. New Analyses:
    image
  3. New Fixlets… Deploy MDT Media Creator and Update Server Whitelist for Driver Management:
    image

Look for version 13… to get these latest updates:
image

 

If you’re looking for more information… visit us over on the IBM forums:

https://www.ibm.com/developerworks/forums/thread.jspa?threadID=427062

 

Standard

Posted by

Posted on

January 20, 2012

Posted under

BigFix, Configuration, Technology

Comments

1 Comment

Adding LDAP Authentication to the TEM (BigFix) Console

The latest version (8.2.x) of Tivoli Endpoint Manager comes with it the ability to authenticate console users with your LDAP directory.  Here is a simplified step-by-step guide for setting that up.

Open your console and use one of your Master Operator accounts.  Find the LDAP Directories branch in the left side tree and right click it.  Choose to Add LDAP Directory from that list…

image

Enter any “Name” you’d like and specify your LDAP authentication server as well as if it is a global catalog server.  In my tiny network, I only have the one DC.

image

Click the Test button to validate the connectivity…

image

My network is very tiny, however I would encourage you if alternate DC servers are available to specify them in the Backup Server X spaces provided.

image

 

Adding the link to the DC is one step… next you’ll probably want to create a special AD group which Console users will belong.  Remember that within TEM, we have Console Operators and Master Operators.  Each user/group has a specified set of computers they are responsible for and this can be extended into AD.  Simply create a AD user group for how your organization is divided and based on their required level of console access.

In my case I created two AD groups:  BigFix_Admin and BigFix_Console.  Then added my user account to the Admin group.

image

 

Our next/last step is to specify the level of access each of these new AD groups have within the TEM infrastructure.

image

You can name this new Role anything you’d like, however I like to match the AD group name up with this Role name to make it easy to understand.

image

My Admin group has near unlimited privileges… thus I’ll chose yes to the following options:  Master Operator, Custom Content, and Show Other Operators’ Actions.

image

Next we’ll need to assign the computers that this group will have control over… in my case I’ll be specifying “all computers”

image

Using this dialog I can specify individual computers as well as systems based on Retrieved Properties or Group Membership.

image

I will not be adding TEM users to this group as it was setup specifically for my LDAP Admin group… so I’ll skip the “Operators” tab.

image

Instead I’ll be focusing on the LDAP Groups tab… and Assigning LDAP Group to this TEM Group I’m currently defining…

image

Search for the group to be added to this TEM group, and Assign it.

image

image

Lastly I’ll glaze over the Sites tab since I currently only have 1 site in this new infrastructure, however I can specify specific site permissions just like I can for TEM users.

image

Don’t forget when you are done to Save Changes…

image

Since this is a fresh installation, the setting which requires entering your authentication password to authorize this new action has been disabled by default.  In a different article I will explain this very cool security feature, how it works and how to force the password requirement just like in previous versions.   For now, let’s log in with my Domain credentials to test things out!

image

image

Let’s re-launch the console but this time using my Domain credentials…

Be sure to include your Domain within the User name field…  In my case it’s “MoranIT\Daniel”

image

Success!!  The authentication was accepted and I’m logging into the console!

image

Something very important to notice here is that my operator site and account was automatically generated upon login.  This means that if too many new users login it could cause network traffic on your network since a subscription action is deployed to the authorized computers list.

image

 

Enjoy your new LDAP authenticated user access… let me know if you have any questions or comments in the section below.  I respond to all my comments, so please engage…

Standard

Posted by

Posted on

January 20, 2012

Posted under

BigFix, Installation, Technology

Comments

Leave a comment

Installing Tivoli Endpoint Manager (BigFix) Console 8.2.1093

My latest installation of the TEM v8.2.1093 server comes with it the installation of the Console.  This new console is extremely cool and has features like LDAP authentication, HTTP communications channel, and more.  Here is the basic step-by-step installation procedure to get the client installed on your workstation.

image_thumb[44]_thumb

image_thumb[45]_thumb

image_thumb[46]_thumb

image_thumb[47]_thumb

image_thumb[48]_thumb

 

If you have any questions, let me know!

Standard

Posted by

Posted on

January 19, 2012

Posted under

BigFix, Installation, Technology

Comments

1 Comment

Installing Tivoli Endpoint Manager (BigFix) v8.2.1093

imageInstalling this newest version of TEM is relative straight forward and easy to do.  Drawing from my previous articles, a SQL server Installation (and SP1), and the Installing of Pre-requisites, I give you the full installation of v8.2.1093.  I also have downloaded the latest v8.2.1093 version from the TEM website.

I have already attached my new virtual server to my internal Windows Domain so authentication is easily accomplished within my existing network.

image

image

image

I’m going to remove WebReports from this particular installation, favoring to install it onto a different server for simplicity.

image

image

I will be using a remote database to a different installed instance of SQL server as noted at the top of this article.

image

image

image

image

image

image

image

image

image

I plan on integrating this newest version of TEM with my Domain.  Thus a generic admin account is exactly what I need here.

image

image

image

Everything looking good according to the TEM Server Diagnostics tool.  The only error it showed was the resolution of the DNS name used for my new infrastructure.  Now I’ll add a quick little entry in my DNS server for this domain name.

image

There we go… that’s better…

image

 

If you have any questions, please them below…

Standard

Posted by

Posted on

December 12, 2011

Posted under

BigFix, Fixlets, Tasks, Technology

Comments

8 Comments

Activating a BigFix Task

The Tivoli Endpoint Manager is a fantastic way of controlling your infrastructure from one central location.  One of the most basic skills is activating a task and direct it to do something on an endpoint.  Here is a step-by-step for activating a task to perform an action on an endpoint.

First find the task you wish to activate, in my example I will be installing a service onto one of my root servers.  Select the task to be activated and click the Take Action button…

SNAGHTML1e2b905b

image

Here is our targeting screen… Since I’ll only be installing this service onto one endpoint, I’ll simply select it out of the right side computer list.  I could just as easily choose the second radio button called “All computers with the property…” which allows me to target based on endpoint properties, or even “The computers specified in the list…” which allows me to type endpoint hostnames in one line per endpoint.  Note that the third option should be limited to <100 endpoints.  If you need to target more than that you should utilize the computer groups feature.

SNAGHTML1e2e5281

I’m very happy with the defaults on this particular task, however the Execution tab will allow me to start a task at a particular time, have it run between certain hours and even control the failure/retry activities of this task.  Try not to restrict these options to much… for example, you wouldn’t want to limit the run between to 10min since the larger your infrastructure the more difficult or impossible that will be to happen.

SNAGHTML1e308c84

In some cases your action will interact with end users and you may need to prevent the action from running if no user is logged in.  The following Users tab allows you to constrain the task to only run with certain users…

SNAGHTML1e33c060

Other cases you’ll want to present messaging to the end user or even allow the user to control the processing of this particular action.  Maybe you’ll allow the user to determine when the most convenient time for them to have a particular action occur.  This screen is used for that purpose…

SNAGHTML1e34db5f

Here we have the screen to Offer the user this optional action…

SNAGHTML1e35d759

What if your action requires a restart, and you want to allow the end user delay the restart till it’s convenient for them.

SNAGHTML1e35fb3e

Rarely will you need to change the Applicability tab.   Occasionally I find it necessary to alter the default behavior of an action on a one time basis.  This tab allows me to force the installation of something ignoring the default applicability relevance of the original task.

SNAGHTML1e37de6b

If I’ve modified the applicability relevance, I’ll need to modify the success relevance as well…

SNAGHTML1e385a1f

Lastly we have the ability to modify the default Action Script of this task.
SNAGHTML1e38dc78

Once you’re all done modifying the action… click the OK button at the bottom and you’ll be asked for your credentials.  (FYI:  This is no longer the case in v8.2 unless you upgraded from a previous version or you enabled this validation step)

SNAGHTML1e39ef0e

Our task is now activated and the action status window appears.  Here we can monitor the progression of our action to each of the endpoints… on the Computers tab we can see status details on individual computers.

image

 

If you have any questions or comments, please leave them below!

Standard

Posted by

Posted on

December 9, 2011

Posted under

BigFix, Technology

Comments

1 Comment

Tivoli Endpoint Manager (BigFix) Creating Custom Sites

Custom sites are an extremely nice way to collect related content together into one easily manageable group.  I am an avid believer in Agile software development and believe that BigFix is perfectly setup to support this methodology.

The use of custom sites is great way to organize content (IE: Tasks, Fixlets and Analyses) together and also allow for sub-categorizing using Domains… don’t forget to learn how to fill in the extra properties related to custom content.  They also allow for multiple non-master operators to work with content generated by other users including editing and stopping actions.

Creating a custom site is easy… here’s a simple step-by-step to do so:

SNAGHTML1e09615e

SNAGHTML1e0a6352

You’ll need to enter a short-name for your project.  In many cases I’ll just name it the vendor of the software… for example, I have published multiple free software under the name Moran IT, therefore it’s logical that my custom site be called “Moran IT”.  This could also be the name of your project… in one project I developed content related to the management of BigFix.  I called my project and my custom site “Core Infrastructure” since it directly relates.

SNAGHTML1e0ae923

I now have my custom site.. but I’ll need to add further detail like the description and put it into the correct Domain.  (FYI: For simplification, try not to put anything into the “All Content” domain.  You will benefit long-term if you avoid this domain.)

image

You’ll need to specify which endpoints are part of this project.  In some cases this might be all Windows computers, in others it might be all Windows computers with a certain software already installed.  You have very granular control over which endpoints are subscribed.  You can even use a complex relevance statement to subscribe only the computers related to the project.  I would encourage you to get very specific here since it will make it easier to not affect systems not part of your project.

SNAGHTML1e112c4b   image

The next most important part is specifying the operators that are allowed to view and manipulate your content as well as actions.  If you have a 5-person team of developers, with only one on-call at any one time… you’ll want to give all 5 appropriate permissions to this custom site.  If you get that 2am page, they can stop actions or activate troubleshooting tasks without engaging team mates in the middle of the night.

image

 

I hope you’ve come to realize the true value of sites in the organization of projects and developers… if you have any questions or comments please leave them below!

Standard

Posted by

Posted on

December 8, 2011

Posted under

BigFix, Technology

Comments

3 Comments

Tivoli Endpoint Manager (BigFix) Understanding Domains

It is important to properly organize and categorize custom content within your BigFix infrastructure.  Below is a very simple outline of the Domain feature built into BigFix called Domains.  They are used as organizing buckets for custom content that goes beyond content collecting ability of Sites.

The first thing to ask yourself in any custom content creation project is under what “domain” this task, fixlet or analysis falls under?

imageAll Content, I would consider this domain a cop-out.  Basically it is the bucket you put things that do not properly fit into any of the other buckets.  Choose this bucket only after examining and considering any of the others with great detail.

image

BigFix Management is a vital domain since it relates to the health, maintenance, and management of the BigFix infrastructure itself.  If you are creating any content (tasks, fixlets, analyses) which relate to the health of the infrastructure… put it in this bucket.

image

Endpoint Protection relates to the Antivirus, malware, and adware protection of endpoints.  Put anything related to those products in here.  If your intention is to protect the system from outside threats by using integrated or 3rd party apps, put it in here.

image

Patch Management involves the updating of any software.  Typically it involves Operating System patches but doesn’t stop there.  If you have a software update that must be distributed and has a priority… call it a fixlet and put it under this Domain.

image

Security Configuration is the place where all system changes go if they affect the security of an endpoint or environment.  If there are settings that can be changed to make a system, software, or network more secure it falls under this Domain.

image

Systems Lifecycle is a Domain that holds a lot of content related to the use of an endpoint.  Software Distribution, configuration changes, Power Management, RDP configurations, etc… all fall under the Systems Lifecycle domain.

image

BigFix Labs is a new Domain that allows us to distribute the toys.  Here you’ll find simple add-ons, prototypes, and other pretty cool and useful extensions of the BigFix platform and applications.  This is of course a use at your own risk bucket which is provided “as is” with no corp support.

 

Hopefully with this article you’ll have learned another way to organize your custom content and make your BigFix infrastructure easier to manage.

If you have any questions or comments, please leave it below!