Content Database

I’ve just added a new feature to my BigFix.me website… the Content Database!!! Come check it out!

This side-project catalogues fixlets, tasks, and analyses into one big content database (CDB). The first available feature of the CDB is the ability to search relevance statements. Type in one or more keywords like "operating system" or "exists" and you’ll get back tons of examples of how to use those inspectors or key words within your own relevance statements. The database even knows what type of data will be returned and we sort all the results by re-use count, which can be helpful in finding the most popular statements.

If you want to contribute to the database, simply log on or register and visit our import BES content page.

You can learn more here: http://bigfix.me/cdb.

Installing BigFix.me MDM onto your iOS devices.

The following step-by-step process demonstrates how to install/configure MDM on your iOS devices… iPhones, iPods, and iPads.

1. Visit https://bigfix.me using your mobile device.
2. Click "Continue to this website (not recommended)" if prompted.
3. Click the "SSL certificate" link towards the bottom.
4. Click the "Install" button on the "Install Profile" screen.
5. Click the "Install" button on the "Warning" screen.
6. If you have a password set, you will need to enter it now and hit "Done".
7. Click the "Done" button on the "Profile Installed" screen; you will be returned to Safari.
8. Enter your email address, choose a Device Ownership value and click the "Enroll" button.
9. Click the "Install" button on the "Install Profile" screen.
10. Click the "Install Now" button within the popup box.
11. If you have a password set, you will need to enter it now.
12. Click the "Install" button one more time for the "Warning" screen and you're done.
13. Click "Done" and you're all finished.

BigFix Endpoint Command Polling

Command polling is a feature built into every Tivoli Endpoint Manager endpoint.  This feature instructs endpoints to query their relay for new instructions instead of waiting for the UDP ping that announces new actions.

This feature is invaluable for endpoints that are beyond your DMZ or on networks where UDP pings are not allowed.  By activating this task, you can speed up the responsiveness of your endpoints in these ping-restricted locations.

Look for the “BES Client Setting: Enable Command Polling” task within the BES Support external site.

My DMZ relay is identified when endpoints communicate with my public domain name: bigfix.me.  When the endpoint talks to this relay I would like them to poll for commands every 45 minutes.  When the endpoints switch to talking to a different relay, I would like them to turn off the polling settings.

To do this I will activate two different actions.  One that is targeted at computers talking to my bigfix.me relay.  A second task will have additional relevance to differentiate them and allow me to turn off polling.

Enable Polling

Activate this action choosing the second take action option which allows us to specify the number of seconds… at 2700 or 45 minutes.

Next we’ll need to copy the “Relay” global property relevance so we can add a bit of logic to our action.

Copy the relevance for “Relay” into the clipboard and hit Cancel to close the Manage Properties window.

Returning to the Take Action dialog, specify the Preset = Policy   and select “All Computers” as the target.

On the “Applicability” tab we’ll want to modify the relevance and add the following to the end of what is there (copied from the Relay global property):

 AND (if ((it does not contain "127.0.0.1" and it does not contain "::1") of name of registration server) then (name of registration server) else if (exists setting "_BESRelay_PostResults_ParentRelayURL" of client and exists value of setting "_BESRelay_PostResults_ParentRelayURL" of client as string) then (preceding text of first "/" of (following text of first "//" of (value of setting "_BESRelay_PostResults_ParentRelayURL" of client))) else "BES Root Server") as lowercase contains "bigfix.me" AND NOT exists setting "_BESClient_Comm_CommandPollEnable" of client

After updating the relevance, we’re ready to hit OK to activate this action.

It will run on all endpoints which have “bigfix.me” within the Relay global property.

Disable Polling

Now that we have this feature getting enabled, we’ll want to disable it where it is not needed.  In other words, when endpoints are talking to any other relay except my “bigfix.me” DMZ relay.

Under the Target tab, specify all computers, configure Preset = Policy and update the name so we know this will “Disable Command Polling”.

Next we’ll move over to the “Applicability” tab as we did before and add the following slightly modified relevance from before (notice the “does not” at the end):

AND (if ((it does not contain "127.0.0.1" and it does not contain "::1") of name of registration server) then (name of registration server) else if (exists setting "_BESRelay_PostResults_ParentRelayURL" of client and exists value of setting "_BESRelay_PostResults_ParentRelayURL" of client as string) then (preceding text of first "/" of (following text of first "//" of (value of setting "_BESRelay_PostResults_ParentRelayURL" of client))) else "BES Root Server") as lowercase does not contain "bigfix.me" AND exists setting "_BESClient_Comm_CommandPollEnable" of client

After updating the relevance, we’re ready to hit OK to activate this action.

Now I will start to receive better response from endpoints communicating through my DMZ relay server.
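
The decision the two policy actions make between them can be replayed offline. This is an added example, not part of the original post: the function names and every relay name in the sample table are constructed, and the PowerShell only mirrors the branches of the relevance above. It also shows that "contains" is a substring test, so any relay whose name includes "bigfix.me" is treated as the DMZ relay.

```powershell
# Added example, not from the original post. Mirrors the "Relay" property
# relevance and the two applicability clauses so they can be checked offline.

function Get-RelayName {
    param([string]$RegistrationServer, [string]$ParentRelayUrl)
    # Branch 1: the registration server name, unless it is a loopback address.
    if (-not $RegistrationServer.Contains('127.0.0.1') -and
        -not $RegistrationServer.Contains('::1')) {
        return $RegistrationServer.ToLowerInvariant()
    }
    # Branch 2: host part of _BESRelay_PostResults_ParentRelayURL, i.e. the
    # text between the first "//" and the next "/".
    if ($ParentRelayUrl) {
        if ($ParentRelayUrl -match '//([^/]*)/') {
            return $Matches[1].ToLowerInvariant()
        }
        return $null   # no host could be extracted, so neither action applies
    }
    # Branch 3: the literal fallback used by the property.
    return 'bes root server'
}

function Get-PollingAction {
    param($RelayName, [bool]$PollSettingExists, [string]$Marker = 'bigfix.me')
    if ($null -eq $RelayName) { return 'None' }
    $viaDmzRelay = $RelayName.Contains($Marker)   # substring test, like "contains"
    if ($viaDmzRelay -and -not $PollSettingExists) { return 'Enable' }
    if (-not $viaDmzRelay -and $PollSettingExists) { return 'Disable' }
    return 'None'                                  # already in the desired state
}

# Constructed sample endpoints (not taken from a real deployment).
$samples = @(
    @{ Reg = 'bigfix.me';           Url = '';                               Poll = $false }
    @{ Reg = 'bigfix.me';           Url = '';                               Poll = $true  }
    @{ Reg = 'relay1.corp.example'; Url = '';                               Poll = $true  }
    @{ Reg = '127.0.0.1';           Url = 'http://BigFix.me:52311/results'; Poll = $false }
    @{ Reg = 'relay2.bigfix.me';    Url = '';                               Poll = $false }
    @{ Reg = '127.0.0.1';           Url = '';                               Poll = $true  }
)

$samples | ForEach-Object {
    $name = Get-RelayName -RegistrationServer $_.Reg -ParentRelayUrl $_.Url
    [pscustomobject]@{
        RegistrationServer = $_.Reg
        RelayName          = $name
        PollSettingExists  = $_.Poll
        Action             = Get-PollingAction -RelayName $name -PollSettingExists $_.Poll
    }
} | Format-Table -AutoSize
```

The fifth row comes back as Enable even though it is a different host, which is worth knowing before a second relay is named under the same domain.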

If you have any questions or comments, please add them to the comments section below.

How to Tattoo your BigFix Endpoints

A large organization running Tivoli Endpoint Manager (BigFix) has a lot of work to do when it comes to organizing its endpoints.

Organization comes in many forms… grouping computers by: Operating System, Processor, Available Disk Space and Last Report Time are all out-of-the-box features of any BigFix infrastructure.  BUT that doesn’t make it very useful for the business side of your organization.

To help organize your endpoints into business-centric groups… we need to utilize a process I call automatic tattooing.  Tattooing endpoints can happen in many ways, but they are all triggered by properties on endpoints.  These properties can be values within INI files somewhere on the file system of your endpoints.  They can also take the form of: is a certain program installed?

For this article I will limit the scope to a few windows properties that are hidden deep within the registry.  In a later article I will help describe the process of a cross-platform tattooing method.

For my purpose I will focus on the RegisteredOrganization and RegisteredOwner string values within HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion of the Registry.

I will create a few things:

1. Two global properties which I can use within WebReports, and to help with targeting actions.

2. A task to make it very easy to configure this value using an action.

Global Properties

Crafting relevance for my two global properties is actually really easy.  In my case I’ll be reading into the registry for the values of my properties as such:

Registered Organization = value "RegisteredOrganization" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry

Registered Owner = value "RegisteredOwner" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry

Now let’s implement those within our console. 

Click on Tools->Manage Properties, Click “Add New” and specify the “Name:” and “Relevance:”.  If you have more than 100k endpoints, you may want to consider increasing the “Evaluate” property to something like “1 day” or longer.  For my tiny deployment, I will leave it at the default “Every Report”.

Once the properties have propagated, your endpoints will start to return data…

Configuration Task

Next up is something a tad more difficult, depending on your experience with creating custom content.  We will create a custom task which will allow us to configure these two registry values.  This task will utilize a few very special commands: action parameter query, regset and regset64.  Read more about those in this document.

Let’s start with a new task:

As anybody who has read my previous articles knows, I like to fill in every blank.  It makes for a better deliverable product to customers.

The action script for this task will need to do the following things, expressed in pseudo-code:

Query the user for the value they want to configure for both properties.
if 64bit OS
    configure 64bit registry values
else
    configure 32bit registry values
validate

After a bit of research, our action script ends up looking like this:

// Ask the console operator for the two values when the action is taken.
action parameter query "Organization" with description "Please enter the name of your Organization (Ex: Moran IT):" and with default value ""
action parameter query "Owner" with description "Please enter the Owner’s name (Ex: Daniel):" and with default value ""

// On 64-bit Windows, regset64 writes to the native 64-bit view of the registry.
if {exists x64 of operating system}
    regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]" "RegisteredOrganization"="{parameter "Organization"}"
    regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]" "RegisteredOwner"="{parameter "Owner"}"
endif

// regset runs on every machine and writes through the client's default registry view.
regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]" "RegisteredOrganization"="{parameter "Organization"}"
regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]" "RegisteredOwner"="{parameter "Owner"}"

// Validate: the action fails here unless the native registry now holds both values.
continue if {(value "RegisteredOrganization" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry) = (parameter "Organization")}
continue if {(value "RegisteredOwner" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry) = (parameter "Owner")}
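
Because the script writes with both regset64 and regset, a 64-bit endpoint ends up with the values in two registry views, while the global properties read only the native one. The PowerShell below is an added example (not part of the original article or its zip file) that reads both views on an endpoint and reports whether each value matches what the task was told to write; the function names are assumptions and the sample arguments reuse the examples from the parameter prompts.

```powershell
# Added example, not from the original article: check the tattoo values in
# every registry view after the task has run on a Windows endpoint.
$SubKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$Names  = 'RegisteredOrganization', 'RegisteredOwner'

function Get-TattooValues {
    param([Microsoft.Win32.RegistryView]$View)
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($SubKey)          # opened read-only
        $values = @{}
        foreach ($name in $Names) {
            # A missing key or value is reported as $null, not as an error.
            $values[$name] = if ($key) { $key.GetValue($name) } else { $null }
        }
        if ($key) { $key.Dispose() }
        return $values
    }
    finally { $base.Dispose() }
}

function Test-Tattoo {
    param([string]$Organization, [string]$Owner)
    $expected = @{ RegisteredOrganization = $Organization; RegisteredOwner = $Owner }

    # A 32-bit OS has a single view; a 64-bit OS has a native and a 32-bit view.
    $views = [ordered]@{}
    if ([Environment]::Is64BitOperatingSystem) {
        $views['64-bit (regset64)'] = [Microsoft.Win32.RegistryView]::Registry64
    }
    $views['32-bit (regset)'] = [Microsoft.Win32.RegistryView]::Registry32

    foreach ($view in $views.GetEnumerator()) {
        $actual = Get-TattooValues -View $view.Value
        foreach ($name in $Names) {
            [pscustomobject]@{
                View     = $view.Key
                Name     = $name
                Expected = $expected[$name]
                Actual   = $actual[$name]
                # Case-sensitive comparison; $null never matches.
                Match    = ($actual[$name] -ceq $expected[$name])
            }
        }
    }
}

# Sample call using the example values from the parameter descriptions.
Test-Tattoo -Organization 'Moran IT' -Owner 'Daniel' | Format-Table -AutoSize
```

A row with Match = False in only one view means the two views have drifted apart, which matters if anything other than the native-registry properties reads these values for targeting.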

Of course we can’t forget about a URL with additional detail on this task…

The relevance required to do this is actually very simple.  Since only Windows computers have a “registry”, we can eliminate all non-Windows endpoints from running this action with the following relevance:

name of operating system contains "Win"

It is highly unlikely that a windows registry will not have the following key, but so we all learn good habits I’ve added the following relevance as well:

exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry

Let us not forget my article on Properties.

It’s been a few minutes and it looks like my fastest computers have already responded with their applicability responses.

I won’t go into detail on how to launch this task, I’ve already covered that.  Targeting is way more important to think through and understand how you are going to organize your endpoints.  In later articles I will cover other tattooing methods and how they can benefit your organizations.

For your convenience, here is a zip file containing the content covered in this article:  http://dl.dropbox.com/u/41985632/Content/Configure%20Registered%20Organization%20and%20Owner.zip

If you have any questions or comments, please leave them below.  I’d love to hear about some other tattooing methods and how you implement them within your deployment.

Visual Studio: Add Uninstall to Your Application

First let me send a shout out to my reference for this little tidbit of information:  “How to add a Uninstall option in Visual Studio Setup project without writing code”.  GoGoToTo created a very nice article on this.  I simply expanded it further to include getting your application “registered” so within BigFix it will show up as one of the registered apps.

First View your File System so we can add the special folder “System”

If your application is x86, then we’ll want to add the msiexec.exe from the c:\windows\SysWow64 folder.

Left click to highlight the msiexec.exe file and in the properties window, adjust as indicated in the following image:

Uninstall and Register 4

Next we’ll need to add a shortcut to the “User’s Program Menu”.  In my example, I’ve created a sub-folder named after my application.  Click that folder and in the right window, right-click and create a shortcut.

Navigate to the System Folder and select the msiexec.exe file.

Before we modify the shortcut’s properties, we’ll need to copy the ProductCode from the Setup Application Properties.

Using that ProductCode, modify the shortcut’s properties as follows:

Uninstall 8a

Now we get to register our application… Open the Registry View.

Under HKEY_LOCAL_MACHINE add the following sub-keys:

Microsoft\Windows\CurrentVersion\App Paths\[name of your exe]

Remember to set “DeleteAtUninstall” = True on the last key.

Add the following 2 string values with the values as shown.

Uninstall and Register 10

 

That’s it.  You now have an uninstall link that will be created upon installation of your app.  You will also have your application properly “registered” so BigFix can properly detect it.

New BigFix Deployment

When you first setup your Tivoli Endpoint Manager (BigFix) deployment, you will want to enable a few analyses.  These analyses will collect data that can be very helpful when managing your infrastructure as well as troubleshooting and adding customizations.

First up is to activate the BES Component Versions analysis…  You can find a shortcut to this under BigFix Management->Deployment Overview

Simply Activate this analysis…

And the data will start pouring in.  This information will then be read by various dashboards within the product which help you manage your deployment.

Another analysis to be activated is the BES Health Checks Analysis.  This will help you analyze the health and configuration of your deployment.  It provides basic information on the components that make up your infrastructure.  You can find the shortcut to this under BigFix Management->Deployment Health Checks

Activate this as well…

and you’ll start to see data from this analysis as well.  Just like the first analysis, this one will pull in data and feed that to dashboards within the product.

Further down on the Deployment Health Checks dashboard in the Deployment Optimization section is a Warning about activating the BES Relay Status Analysis.  Click that shortcut to activate that as well…

Just as the others, the data will be pulled in for use by various dashboards.

If you have any questions or comments, please leave them below.

Endpoint Manager (BigFix) Licensing Updates

Occasionally your BigFix deployment will receive a notice that it has gathered an update to your license.  Then it will ask you to propagate that license to your endpoints.  It notifies you with the following screen:

Licensing Propagate 1 of 8

This private key will require your master password…

Once the tool opens, it will immediately notify you that a propagation is required.  Simply hit YES to this box.

Nothing to do once the tool itself opens, so simply hit OK to close it.

All done.  Return to the console, hit the refresh button in the upper right and the licensing message should be gone.

Tivoli Endpoint Manager (BigFix) Console Requirement

There are a few requirements for the BigFix console to run on your admin machine.  I’ll discuss only one of them here.

Office Web Controls is a Microsoft Office Components requirement which allows us to display charts and graphs within the console.  It can be found here.

The installation of this requirement is relatively easy… here are my screen shots of the process:

Console Req 1

Console Req 2

Console Req 3

Console Req 4

Console Req 5

Console Req 9

Console Req 10

Once the components are installed, you will need to restart your console.  But once you do, the console fills with beautiful shapes and bars.

If you have any questions about the process or would like to share your comments, please do so below.

If you’d like to see some of the screen shots I skipped in this article, visit http://www.flickr.com/photos/danielheth/sets/72157629877524866/

TEM SUA Upgrade 1.3.0.592 –> 1.3.1.597

Lately I released an article on installing Tivoli Endpoint Manager’s add-on product Software Usage Analysis (SUA) v1.3.0.592.  Well… we have released another upgrade and here’s how you can upgrade your installation:

Launching the installation is pretty easy… unlike the initial installation, there is basically one “step”.  Launch the installer:

Typical license agreement stuff.

Since this is an upgrade, we are good about warning you that no one will be able to access the GUI interface at this point.

We’ll need to confirm the user account that is being used for the services here.

I ran into one little problem, but it was due to service account permissions to the database.  After adjusting them for the duration of this install, the installation continued.

The installation went well with just the one permissions based hiccup.  To confirm installation was successful simply log into the GUI and look at the bottom right for version and catalogue numbers.

If you have any questions or comments, please leave them below.

To view all of the images from this upgrade visit:  http://www.flickr.com/photos/danielheth/sets/72157629743080378/

TEM Software Usage Analysis v1.3.0.592

A very nice tool for capturing the software inventory of your enterprise is our Software Usage Analysis (SUA) add-on product. 

Here is a simplified overview of how to install this add-on into an already existing infrastructure.

For the various official guides visit: (http://publib.boulder.ibm.com/infocenter/tivihelp/v26r1/index.jsp?topic=/com.ibm.tem.doc/welcome.htm)

Considerations:

I’ve chosen to set up SUA on a physical computer with modest capabilities due to the tiny deployment I’m using.  See the Install guide for details on system requirements.  My server has an Intel E7200 Core 2 Duo processor with 4Gb of RAM.  It is running Microsoft Windows 2008r2 with SP1.  This should work perfectly for my deployment of <50 endpoints.

I will also be using a centralized SQL server that all of my applications are using, including the TEM server itself.  It is a virtual machine running under Hyper-V but should service my needs.  It too is a Microsoft Windows 2008r2 with SP1 installed and has MS SQL 2008r2 SP1 as well.

Everything is attached to my Microsoft Active Directory domain to make authentication easy.  The SUA services will be running under a special svBigFix account I have set up with appropriate permissions within my domain.

Very simply the installation procedure is as follows:

  1. Subscribe/Activate to DSS SAM Content Site
  2. Install SUA
  3. Configure the services that run SUA and connect to the databases
  4. Create the SUA BFEnterprise Database Connections

Let’s begin!

1. Subscribe/Activate to DSS SAM Content Site

Look under the BigFix Management->License Overview for the “DSS SAM” available site.

Activate and subscribe the appropriate computers.  For my tiny deployment, I’m going to subscribe all computers.

Next, we’ll need to activate the three required analyses.

Activate our Installation task for the SUA Scanner that runs on our endpoints.

Then schedule that scanner to run…

And schedule the uploads to occur immediately upon scan completion.

2. Install SUA

Now we’ll install the initial components of SUA… this is pretty straightforward.  Just remember, if you are configuring the service as I am with a domain service account, log into the desktop of this server using that account.

3. Configure the services that run SUA and connect to the Databases

The configuration wizard will automatically open upon completion of step 2. 

Specify the domain level service account that SUA will be configured to “Run As”.

Indicate if you have WebReports installed so SUA can have access to it.

Specify the details surrounding connection to that WebReports server.

Now specify the details of where you want your SUA database.

If this is not a dedicated server, you may want to change the default port.  And even install an SSL certificate if you have one.

The installer will automatically launch the catalogue updater, which populates the database with the latest catalogue entries, which are published monthly by IBM TEM Headquarters.

The various services are configured and started.

4. Create the SUA BFEnterprise Database Connections

The last stage of installation is to pull up the user GUI and make the connection to BFEnterprise and run a full ETL.

If you have any questions regarding the installation of SUA, leave them below and I’ll respond.

 

I’ve put together a video guide of this process over on YouTube…