Administrators Guide Modern Client Management for BigFix 10MCM v1.0.1 supports the BigFix Work from...
Transcript of Administrators Guide Modern Client Management for BigFix 10MCM v1.0.1 supports the BigFix Work from...
Modern Client Management for BigFix 10Administrators Guide
Special notice
Before using this information and the product it supports, read the information in Notices (on page43).
Edition notice
This edition applies to version 10.0.1 of BigFix Insights and to all subsequent releases andmodifications until otherwise indicated in new editions.
Contents
Chapter 1. Overview............................................................................................................................1
What’s new in this release.............................................................................................................1
Chapter 2. Prerequisites and requirements...................................................................................... 3
Supported system environments.................................................................................................... 3
Minimum hardware requirements..................................................................................................4
Port requirements........................................................................................................................... 4
Chapter 3. Installing BigFix............................................................................................................... 6
Chapter 4. Setting up LDAPS authentication...................................................................................7
Chapter 5. Configuring certificates....................................................................................................8
MDM SSL certificates................................................................................................................... 9
Chapter 6. Setting up the MDM Server..........................................................................................11
Installing BigFix MDM Server for Windows endpoints.............................................................11
Installing BigFix MDM Server for macOS endpoints................................................................ 12
Chapter 7. The Plugin Portal........................................................................................................... 14
Chapter 8. Installing the MDM Plugins.......................................................................................... 15
Understanding the MDM Plugin interface.................................................................................. 15
Installing MDM plugins on Windows.........................................................................................16
Installing MDM plugins on macOS............................................................................................ 16
Chapter 9. Staging BigFix Agents for delivery...............................................................................18
Chapter 10. Registering for Apple Developer Accounts................................................................19
Chapter 11. Device Enrollment........................................................................................................ 20
Enrolling Windows 10 Devices................................................................................................... 20
Enrolling macOS Devices............................................................................................................23
Chapter 12. Troubleshooting............................................................................................................ 25
Logging.........................................................................................................................................25
Error codes................................................................................................................................... 27
Installing Docker CE+ Docker compose on RHEL8.................................................................. 28
Chapter 13. Support.......................................................................................................................... 30
Chapter 14. Glossary......................................................................................................................... 31
Notices.................................................................................................................................................. 43
Contents | v
Index.............................................................................................................................................
Chapter 1. Overview
This guide is intended for HCL BigFix Master Operators (MO) and those who administer BigFixdeployments. If you are looking for information about using Modern Client Management (MCM),see the User's Guide.
With the MCM offering, you can manage endpoints that run operating systems through a vendor’sMobile Device Manager (MDM) API. With this feature, BigFix can interact with your devicesand endpoints through MDM. BigFix can deploy profiles, custom content, patches, software, anda BigFix Agent through the Console or WebUI. BigFix can also wipe or lock devices remotely ifdevices get lost or stolen. The MDM server through MDM APIs manages all the actions that youinvoke from the BigFix Console or WebUI.
What’s new in this releaseBecome familiar with the enhancements made in MCM for BigFix 10
MCM v1.0.1 updates
• Support for the BigFix Work from Home Solution
MCM v1.0.1 supports the BigFix Work from Home Solution. For complete information aboutthe BigFix Work from Home Solution, read The BigFix Work from Home Solution Guide.
• Performance enhancements
This release includes a number of stability and performance enhancements and fixes. Forcapacity planning and configuration recommendations, see BigFix Capacity Planningdocumentation at BigFix Performance & Capacity Planning Resources.
• Extended operating system support◦ The MCM solution supports RHEL 8 on MDM Server and Plugin Portal servers with
a workaround to install Docker CE+. For more information, see Installing Docker CE+Docker compose on RHEL8 (on page 28)
◦ The MCM solution supports Windows 10 (Pro, Enterprise, and Home) running on MCMendpoints.
Note: Only certain Windows editions support all available operating systemfeatures that are configured through MDM. For complete information, see the WindowsConfiguration service provider (CSP) reference document. Each CSP highlights whichWindows editions are supported.
• Fixlets to upgrade MCM components
With MCM v1.0.1 release, you can upgrade the MCM components by using Fixlets that areavailable through the BigFix Console. Take a look at the BESUEM site for the relevant Fixlets.
• WebUI Health Checks dashboard for MCM serviceability
Modern Client Management for BigFix 10 Administrators Guide | 1 - Overview | 2
The WebUI Health Checks dashboard is available to monitor the health of your BigFix MCMdeployments. For more information, see Health Checks.
• Addressed security vulnerabilities
Product security vulnerability issues from MCM v1.0.0 are addressed in this release.
Chapter 2. Prerequisites and requirements
The following packages must be pre-installed on your Red Hat® Enterprise Linux® systems beforeyou installModern Client Management (MCM):
MDM Server
The target computers must have the following elements installed:
• The computer must be running on RHEL 7+ or RHEL 8+• Docker (CE v19.x or RHEL version 1.13 or later) and Docker Compose 1.25.x• BigFix Client version 10.0 or later• OpenSSL• Unzip
Note: RHEL8 does not support Docker CE+ by default. For a workaround to install a compatibleDocker CE+ version on RHEL8, see Installing Docker CE+ Docker compose on RHEL8 (on page28)
Plugin Portal
The target computers must have the following elements installed:
1. BigFix Client version 10.0 or later2. Plugin Portal version 10.0 or later3. Mongo DB 4.2.3 or later
Requirements
• Supported system environments (on page 3)• Minimum hardware requirements (on page 4)• Port requirements (on page 4)
Supported system environmentsThis section provides the information about the supported system environments for MCM for BigFix10.
Component Supported environmentPlugin Portal and PluginRHEL7.4+, RHEL8+, OR Windows 2012 R2+
Modern Client Management for BigFix 10 Administrators Guide | 2 - Prerequisites and requirements | 4
Component Supported environmentMDM Server Host andDocker
RHEL 7 to RHEL 8
Device OperatingSystem
Windows 10 (Pro, Enterprise, and Home1), macOS 10.14 and later
Docker Engine CE v19.x or RHEL version 1.13 or laterDocker-compose 1.25.xMongoDB RHEL7.4+, RHEL8+, and Windows 10/Server 2016+
Minimum hardware requirementsFor minimum hardware requirements, see BigFix Capacity Planning documentation.
For further details and latest information about deployment and management of BigFix, see BigFixPerformance & Capacity Planning Resources
Port requirementsFor BigFix to communicate properly with the devices that you manage through the MDM Plugin,ensure that the following ports are open in your firewall.
PortNumber
Type Purpose Direction
443 HTTPS All device enrollment and management requestsare sent to this port. This must be an internet-facing port for the endpoints to reach theenrollment server.
Inbound to the MDM Serverfrom the network where MDMmanaged endpoints are located
5671 AMQP MDM Plugin receives the asynchronousnotifications from the devices through this port.This must be internally open just for the PluginPortal server.
Outbound from Plugin Portalserver to the MDM Server
8443 HTTPS MDM Plugin sends the device REST API requeststhrough this port. This must be internally open onthe MDM Server just for the Plugin Portal server.
Outbound from Plugin Portalserver to MDM Server
636 LDAPS For the Active Directory to securely authenticateend users during enrollment.
Outbound from MDM Server tothe Customer LDAP
389 LDAP For the Active Directory insecure authenticationof end users during enrollment.
Outbound from the MDMServer to Customer LDAP
1. Only certain Windows editions support all available operating system features that are configuredthrough MDM. For complete information, see the Windows Configuration service providerreference document. Each CSP highlights which Windows Editions are supported.
Modern Client Management for BigFix 10 Administrators Guide | 2 - Prerequisites and requirements | 5
PortNumber
Type Purpose Direction
Note: In case the Active Directory secureport is not enabled, the default insecure port is389. For best results, use the LDAPS (securecommunication) with Active Directory.
2195* TCP For sending messages from the MDM Server toAPNs.
Outbound from the MDMServer to the APNs Server(Internet).
2196* TCP Used by the MDM Server to connect to APNs forfeedback.
Outbound from the MDMServer to the APNs Server(Internet).
5223 TCP For sending messages from APNs to thecomputers in your network.
Outbound from Mac devices(whichever network they are on)to the APNs Server (Internet).
*To ensure reliable server communication, allow outbound connections from the MDM Server to theApple 17.0.0.0/8 block over TCP ports 2195 and 2196.
Chapter 3. Installing BigFix
To install BigFix Platform, obtain a license, run the installation wizard that guides you through theinstallation of the BigFix root server, console, client, and WebUI.
Purchase a license and obtain a BigFix license authorization file(*.BESLicenseAuthorization) by using your License Key Center account. In the case of aProof-of-concept evaluation, contact your HCL Technical Sales Representative.
For details on installing BigFix and its components, see BigFix Installation.
Chapter 4. Setting up LDAPS authentication
With MCM for BigFix 10, Administrators can manage Windows™ and Apple® devices byauthenticating the device users with LDAPS authentication.
Secure Lightweight Directory Access Protocol (LDAPS) authentication
BigFix Administrators verify the user credentials by using the LDAPS authenticationbefore the devices can enroll with the BigFix MDM Server.The following prerequisites must be met for the devices to connect to the MicrosoftActive Directory Server (MSAD) or LDAP server:
• An LDAPS URL• The Base Distinguished Name (base DN)• The Bind Distinguished Name (bind DN)• The bind password
These parameters are defined in Fixlets. For details about how to set up and configure an MDMserver with Fixlets, see Setting up the MDM Server (on page 11). For more details about LDAPSsettings, see LDAPS parameters.
Chapter 5. Configuring certificates
Learn how to configure certificates and establish an authorized connection between the MDM serverand Apple devices.
Apple® Push Notification
Apple Push Notification (APN) is used to notify Apple devices to check in with theMDM Server. To push notifications to Apple devices, you need an APN certificate,which is a prerequisite to manage mobile devices. You must have an Apple Developeraccount (on page 19) to create an APNs certificate.
To establish an authorized connection between the MDM server and Apple PushNotification server, you must create a Certificate Signing Request (CSR) and sendthe CSR file to HCL for signing. After signing, you must upload the CSR file to yourApple Developer account to obtain a provider certificate from Apple.
To Obtain a Provider Certificate from Apple, complete these steps:
1. Enroll for Apple Developer Program.2. In the command-line interface, run the following command to create CSR:
openssl req -newkey rsa:2048 -nodes -keyout PUSHCERTNAME_temp.key -out PUSHCERTNAME.csr -subj "/C=US/CN=HOSTNAME/emailAddress=EMAILADDRESS"
Note:• You can replace PUSHCERTNAME with a name of your choice.• EMAILADDRESS must be unique to your organization, it is not stored or used
directly by HCL or BigFix.• HOSTNAME must be the FQDN of the server on which the MDM server runs.
3. Run the following command:
openssl rsa -des3 -in PUSHCERTNAME_temp.key -out PUSHCERTNAME.key
Enter the Pem Pass Phrase of your choice when prompted. You will then beasked to verify it.
Important: Save the generated PUSHCERTNAME.csr andPUSHCERTNAME.key at a safe location. You can use these files at the time ofcertificate renewals with Apple after one year. Also, store the Pem Pass Phrase ina safe location for certificate renewals.
4. Send the CSR file to [email protected].
Important: Include your HCL Customer ID or BigFix server serial numberin the body of the email.
Modern Client Management for BigFix 10 Administrators Guide | 5 - Configuring certificates | 9
5. An HCL-signed version of the CSR file, plus additional instructions [email protected] will be returned to the sender’s email address withinone business day. Follow the instructions in that email to obtain the required filethrough your Apple Developer account.
MDM SSL certificates
MDM Client Auth certificate
SSL Certificates are required to authenticate the Plugin to the MDM Server. Forsecure communication, you must generate the certificates through new optionswhen you run BESAdmin command on the BigFix root server. Before you run thecommand to generate the SSL certificates, create a directory. All the generated SSLcertificates after you run the command are stored in the directory that you create.
Note:
• You must have a reachable DNS host name to run the commands in the BESAdmin tool to generate certificates.
To generate SSL certificates on a Windows BigFix root server, run this command:
BESAdmin.exe /generateplugincertificates /certificatespath:<path-to-store-certs> [/commonname:<CN-for-server-and-client-cert>]
To generate SSL certificates on a Linux BigFix root server, run this command:
BESAdmin -generateplugincertificates -certificatespath=<path-to-store-certs> [-commonname:<CN-for-server-and-client-cert>
Note:
• For commonname, use the FQDN name of the MDM Server.• These commands work only if path-to-store-certsdirectory exists.
The following SSL certificates are generated in the folder that you created:
• ca.cert.pem• client.cert.pem• client.key• server.cert• server.key
Modern Client Management for BigFix 10 Administrators Guide | 5 - Configuring certificates | 10
Note: You will be using the preceding SSL certificates and keys when you installthe MDM Plugin and MDM Server.
MDM Server certificate
Customers must obtain a CA-signed domain SSL certificate for the MDM Serverin production. The endpoints need a trusted CA SSL certificate to enroll andcommunicate with the MDM Server. The SSL certificate must be available in the/var/opt/BESUEM/certs directory before you start the services. All thecertificates are deployed through the MDM Server installation Fixlets.
If you are using the staging and lab environment, self-signed certificates must begenerated as follows:
• Run the following command on a RHEL MDM Server in the OpenSSLcommand-line interface to generate mdmserver.key and mdmserver.crtfiles in the directory specified. You will need this SSL certificate and key whenyou are ready to deploy the MDM Server.
DNSNAME=<MDM_FQDN_HOSTNAME>; (cat /etc/pki/tls/openssl.cnf; printf "\n[SAN]\nsubjectAltName=DNS:$DNSNAME\n") | openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -sha256 -keyout mdmserver.key -out mdmserver.crt -subj "/CN=$DNSNAME" -config /dev/stdin
Chapter 6. Setting up the MDM Server
You can set up MDM server by running the appropriate tasks from the BESUEM content site.
• Install Docker Engine, Docker Compose, and OpenSSL.• Ensure that you have one of these user roles:
◦ A Master Operator (MO) with visibility over the MDM Server target machine and visibilityof the BESUEM site
◦ An Administrator with the privilege to run the installation.• Install BESClient on the target computer in which you want to install MDM server. This is
because you need to install MDM Server through Fixlets.
On the BESUEM content site, with some tasks, you can install standalone versions of either themacOS® MDM Server or the Windows™ MDM Server. After the installation, you can use othertasks to add more MDM Server capabilities. You can also use these Tasks to configure an MDMServer for both macOS and Windows.The Install BigFix Windows MDM Server Task or the Install BigFix macOS MDM Server Taskcompletes these activities:
1. Creates a directory.2. Downloads a set of docker images from software.bigfix.com which is needed for the MDM
installation.3. Installs the services and certificates including the Plugin certificates (on page 9) and the TLS
certificate on which the server will run, and the Apple Push certificate if you are installing amacOS MDM Server.
4. Applies all required configurations.
Installing BigFix MDM Server for Windows endpointsYou can install BigFix MDM server for Windows endpoints using the task Install BigFixWindows MDM Server.
These prerequisites must be met to install the BigFix MDM Server for Windows endpoints:
• You must have the required certificates and keys. See, MDM SSL Certificates (on page 9).• You must have a BigFix Agent running on the MDM Server target.
In the Install BigFix Windows MDM Server task, provide this information:
1. Enter the organization name.
Modern Client Management for BigFix 10 Administrators Guide | 6 - Setting up the MDM Server | 12
2. Enter user facing hostname. For example, enter mdmserver.deploy.bigfix.com.3. Enter LDAP parameters.
Note: LDAP Authentication is turned on by default.4. Enter the details of the MDM Server TLS certificate and key contents.
a. Enter a string to set TLS key password.b. In the MDM Server TLS Certificate content section, enter the entire text contents of the
generated TLS .crt file.c. In the MDM Server TLS Key content section, enter the entire text contents of the generated
TLS .key file.
Tip: If you want to use self-signed certificates, to know how to generate .crt and.key files, see MDM SSL Certificates (on page 9).
5. Enter the details of the MDM Server authentication certificate and key contents.a. In the MDM Server Certificate Authority content section, enter the entire text contents of
the generated ca.cert.pem file.b. In the MDM Server Certificate content section, enter the entire text contents of the
generated server.cert.pem file.c. In the MDM Server Key content section, enter the contents of server.key file.
Tip: For more information on how to generate .pem and .key files, see MDM SSLCertificates (on page 9).
6. Deploy the task to targeted systems.
Installing BigFix MDM Server for macOS endpointsYou can install the BigFix MDM server for macOS endpoints using the task Install BigFixMacOS MDM Server.
These prerequisites must be met to install the BigFix MDM Server for macOS endpoints:
• You must have the required certificates and keys. See, MDM SSL Certificates (on page 9).• You must have a BigFix Agent running on the MDM Server target.
Note: An Apple Push Certificate PEM file that is obtained through the HCL vendor signingprocess and processed by Apple is needed for this MDM Server deployment.
In the Install BigFix MacOS MDM Server task, provide this information:
1. Enter the organization name.2. Enter the user-facing hostname. For example, mdmserver.deploy.bigfix.com.3. Enter the MDM API password that you want to use (it can be anything, and this is not visible
externally anywhere after it is configured).4. Enter LDAP parameters.
Modern Client Management for BigFix 10 Administrators Guide | 6 - Setting up the MDM Server | 13
Note: LDAP Authentication is turned on by default.5. Enter the Apple Push certificate and key contents.
a. Enter the Apple Push key password.b. In the Apple Push Certificate PEM content section, enter the entire text contents of PushPEM file.
c. In the Apple Push Key content section, enter the entire text contents of Push key file.6. Enter the details of the MDM Server TLS certificate and key contents.
a. Enter a string to set TLS key password.b. In the MDM Server TLS Certificate content section, enter the entire text contents of the
generated TLS .crt file.c. In the MDM Server TLS Key content section, enter the entire text contents of the generated
TLS .key file.
Tip: If you want to use self-signed certificates, to know how to generate .crt and.key files, see MDM SSL Certificates (on page 9).
7. Enter the details of the MDM Server authentication certificate and key contents.a. In the MDM Server Certificate Authority content section, enter the entire text contents of
the generated ca.cert.pem file.b. In the MDM Server Certificate content section, enter the entire text contents of the
generated server.cert.pem file.c. In the MDM Server Key content section, enter the contents of server.key file.
Tip: For more information on how to generate .pem and .key files, see MDM SSLCertificates (on page 9).
8. Enter message text for an end user agreement - Optional. This message is displayed to the endusers to accept to proceed with enrollment of macOS devices through the enrollment process.This message can include, for example, a warning about allowing remote management of thedevice or helpdesk contact information.
9. Deploy the task to targeted systems.
Chapter 7. The Plugin Portal
The Plugin Portal provides the server infrastructure for the MCM technology delivered in BigFix 10.
Modern Client Management requires the Plugin Portal and one or more MDM plugins to be installedin the Plugin Portal.
Prerequisites for installing the Plugin Portal
On the computers that you intend to install the Plugin Portal on, install theseapplications:
• BigFix client, Version 10.0 or later• MongoDB Version 4.2.3 or later
Installing the Plugin Portal
To install the Plugin Portal as a service on a BigFix client, run the latest InstallBigFix Plugin Portal fixlet version available in the BES Support site. This taskinstalls the BigFix Plugin Portal Version 10.0 on the selected targets.
The Plugin Portal is typically installed in the following directories:
• Windows:◦ C:\Program Files (x86)\BigFix Enterprise\BES Plugin Portal
• Linux:◦ /var/opt/BESPluginPortal◦ /opt/BESPluginPortal
Note: You might have several Plugin Portals in your environment; but on aspecific target computer, you must have only one.
The Plugin Portal needs an MDM Plugin to work for MCM. The MDM Plugininstallation Tasks do not become relevant until there is a valid Plugin Portal presenton the system and the local BES Client evaluates the Tasks again.
For more information about Plugin Portal installation and base configuration, seePlatform documentation.
Chapter 8. Installing the MDM Plugins
Installing MDM Plugins are required to set up a connection between the MDM Servers and theBigFix Plugin Portal. MDM Plugins communicate with the MDM Server through REST APIs andthe AMQP protocol using client certificates.
Ensure that the server host is running the Plugin Portal and BigFix Agent is running locally. Fordetails about installing the BigFix Client, see Installing the BigFix components.
Note:
• Two versions of the MDM Plugins are available: macOS and Windows.• The tasks require credentials, specifically from cacert, the client cert, and the client key that is
generated from BESAdmin. For details, see MDM SSL certificates (on page 9)
The next step is to run the Install BigFix Plugin for MDM on macOS task or Install BigFix Plugin forMDM on Windows task to install the appropriate plugins on target computers.
Understanding the MDM Plugin interfaceThe MDM Plugin interface communicates with the MDM Server. It forwards requests to the MDMServer and fetches results from the MDM infrastructure. MDM Plugins act as an interface betweenthe Plugin Portal and the MDM Servers.
The MDM Plugin interface contains these components:
Requests to the MDM Server
These requests are the outbound interface to the MDM Server. If the plugin requiresinformation from an enrolled device or must request an action from a device or fromthe MDM Server, the plugin uses this interface. Most requests become asynchronousresponses that are received from the inbound interface. The connections between theMDM Plugin and the MDM Server is secure and is protected by client-and-servercertificates.
Responses from the MDM Server
The MDM Plugin registers as a subscriber for messages from the MDM Server. TheMDM Plugin can receive information from this interface at any time from an enrolleddevice. The connections between the MDM Plugin and the MDM Server is secure andis protected by client-and-server certificates.
Modern Client Management for BigFix 10 Administrators Guide | 8 - Installing the MDM Plugins | 16
Installing MDM plugins on WindowsTo deploy MDM plugins on Windows, complete the following steps.
Prerequisites
The targeted server host must have a BigFix Client running and Plugin Portal installed.
Procedure
1. In the MDM Server Address field, enter the MDM Server hostname or IP address.2. Enter these parameters:
a. Copy and paste the entire text contents of the ca.cert.pem file i to the CertificateAuthority content field.
b. Copy and paste the entire text contents of the client.cert.pem file into the ClientCertificate content field.
c. Copy and paste the entire text contents of the client.key file into the Client Keycontent field.
Tip: For details about how to generate the .pem and .key files, see MDM SSLCertificates (on page 9).
3. Deploy the task to the targeted systems.
• You can find the MDM plugins at this location:◦ Windows - C:\Program File (x86)\BigFix Enterprise\BES PluginPortal\Plugins
◦ Linux■ Binaries - /opt/BESPluginPortal/Plugins■ Data files - /var/opt/BESPluginPortal
• You can complete MDM actions such as deploying a BigFix Agent, or wiping or lockingdevices through the BigFix WebUI on enrolled MDM devices.
Installing MDM plugins on macOSTo deploy MDM plugins on macOS, complete these steps:
Modern Client Management for BigFix 10 Administrators Guide | 8 - Installing the MDM Plugins | 17
Prerequisites
The targeted server host must have a BigFix Client running and Plugin Portal installed.
Procedure
1. In the MDM Server Address field, enter the MDM Server hostname or IP address.2. Enter these parameters:
a. Copy and paste the entire text contents of the ca.cert.pem file i to the CertificateAuthority content field.
b. Copy and paste the entire text contents of the client.cert.pem file into the ClientCertificate content field.
c. Copy and paste the entire text contents of the client.key file into the Client Keycontent field.
Tip: For details about how to generate the .pem and .key files, see MDM SSLCertificates (on page 9).
3. Deploy the task to the targeted systems.
• You can find the MDM plugins in the path:◦ Windows - C:\Program Files (x86)\BigFix Enterprise\BES PluginPortal\Plugins
◦ Linux■ Binaries - /opt/BESPluginPortal/Plugins■ Data files - /var/opt/BESPluginPortal
• You can perform MDM actions such as deploying a BigFix Agent or wiping or locking devicesthrough the BigFix WebUI on the enrolled MDM devices.
Chapter 9. Staging BigFix Agents for delivery
Learn how to pre-stage and deploy the latest version of the BigFix Agent on the MDM Server.
MCM can be used to deploy BigFix Agents on the enrolled macOS® or Windows™ 10 devices.
For macOS, a Fixlet is available for each released version of the BigFix Platform. Stage the packageagainst the MDM Server before any Mac devices are enrolled. The BigFix WebUI deploys thelatest timestamped BigFix Agent on the MDM Server in this directory: /var/opt/BESUEM/packages. The deployment happens on the MDM Server that was staged through the BESUEMFixlet - Stage BigFix Client packages for Mac on MDM Server.
For Windows, a custom MSI package must be prepared that includes the site masthead, and ifrequired, set the Authenticating Relay information with the client settings to deploy the BigFix Agentaction through WebUI correctly. Each package is unique and different for each user. For this versionof MCM, the package that is to be deployed on Windows 10 devices must be manually copied to the/var/opt/BESUEM/packages folder on the MDM server.
After the installation, you can find the base MSI on the BigFix server. You can repeat the procedurefor both macOS and Windows packages every time an updated version of BigFix Agent becomesavailable.
For installing the BES server installation on Windows, the installer copies a BigFix Agent in tothe BigFix Enterprise\BES Installers\ClientMSI folder, but without a masthead(configuration profile for the BigFix Agent). To install a BigFix Agent with a preconfiguredmasthead, complete these steps:
1. Locate the MSI that is installed with the server component.2. Copy the masthead.afxm file and the MSI file into a new folder on a Windows machine to
add the masthead to the MSI.3. Run the BESClientSetupMSI.exe command and follow the instructions from the installer
to add the masthead.4. Optionally add authenticating relay command details if you have an authenticating relayBESClientSetupMSI.exe /secureregistration <RELAY_PASSWORD> /relayserver1 http://<RELAY_HOST>:52311/bfmirror/downloads/<TARGET_MSI> to the MSI file.
5. Upload the BigFixAgent.msi file to the /var/opt/BESUEM/packages folder on theMDM Server.
Chapter 10. Registering for Apple DeveloperAccounts
To obtain a push certificate, you as a BigFix Administrator, require Apple Developer accounts. Fordetails on how to register for Developer accounts, see Mac developer account registration.
Chapter 11. Device Enrollment
Device enrollment is the first step for managing devices using MDM. Mac and Windows deviceshave different enrollment procedures. Only after successful enrollment will Mac and Windowsdevices report in to BigFix as MDM devices and start appearing on the BigFix Console and WebUI.The devices will interact with the MDM servers through APIs and based on the MDM policies.
Enrolling Windows 10 DevicesRead this section to understand how to enroll Windows 10 devices to MDM.
• You must know the MDM Server enrollment URL, which the BigFix administrator sharesthrough email or chat. The MDM Server enrollment URL must be the fully qualified domainname of the MDM server (For example, https://enroll-mdm.bigfix.com).
• To log in to the enrollment URL, you need an email ID and password associated with a validActive Directory (AD) credentials. These credentials are associated with the AD credentialssupplied on MDM Server setup.
• To enroll a device successfully, the user doing the enrollment on the Windows 10 device mustbe an administrator of the Windows 10 device.
To enroll a Windows 10 device in MDM, complete the following steps:
1. On an unenrolled Windows / macOS device, launch a web browser and go to the MDM serverURL.
Modern Client Management for BigFix 10 Administrators Guide | 11 - Device Enrollment | 21
2. Enter an email address that is associated with a valid AD set of credentials and click Enroll.
3. A pop-up window appears requesting you to open the Microsoft account, click Open Microsoftaccount.
4. On the next screen, enter an email address that is associated with a valid AD set of credentials.The MDM enrollment server URL should already be preconfigured and doesn’t need to bealtered.
5. Click Next.
6. On the next screen, enter the following information:• User name or email ID – This field is optional and can be empty.• Password – This field is mandatory.
Modern Client Management for BigFix 10 Administrators Guide | 11 - Device Enrollment | 22
7. Click Next.
After successful authentication, the device gets enrolled. To verify MDM enrollment status, go toSettings > Access work or school. You can view that the device is connected to MDM.
Modern Client Management for BigFix 10 Administrators Guide | 11 - Device Enrollment | 23
Enrolling macOS DevicesThe users must enroll macOS devices in MDM to manage and secure it through BigFix WebUI.
Initially, users must visit an enrollment URL provided to them through their BigFix administrator(via email or chat). This enrollment URL is the FQDN of the MDM Server (For example, https://enroll-mdm.bigfix.com). After authenticating in this enrollment portal, users must install theenrollment profile on their devices as an administrator.
To enroll the macOS device in MDM, follow these steps:
1. On the macOS device, launch a web browser and navigate to the MDM Server URL.
2. Enter a valid email address and password associated with the Active Directory deploymentconfigured when the MDM Server was set up.
3. Click Enroll to download the Mac enrollment profile.4. OSX opens this Enrollment Profile and shows users the information about the MDM
deployment they are about to enroll in. If things look okay, click Install to enroll the device inMDM.
Modern Client Management for BigFix 10 Administrators Guide | 11 - Device Enrollment | 24
Chapter 12. Troubleshooting
This section is intended to help you solve problems that might occur when using BigFix MCM.
LoggingThe MCM component generates log files which can provide extra information when youtroubleshoot an issue.
Log file locationsThe following table shows the location of various MCM logs that are stored in your Windows andLinux systems.
Component Windows LinuxPlugin Portal log(Configurable through_BESPluginPortal_HTTPServer_LogFilePath)
C:\Program Files(x86)\BigFixEnterprise\BESPlugin Portal\BESPluginPortal.log
/var/log/BESPluginPortal.log
Windows MDM Plugin C:\Program Files(x86)\BigFixEnterprise\BESPlugin Portal\Plugins\WindowsMDMPlugin\Logs
/var/opt/BESPluginPortal/Plugins/WindowsMDMPlugin/Logs
macOS MDM Plugin C:\Program Files(x86)\BigFixEnterprise\BESPlugin Portal\Plugins\MacMDMPlugin\Logs
/var/opt/BESPluginPortal/Plugins/MacMDMPlugin/Logs
Windows MDM Server N/A /var/opt/BESUEM/windows/logs/windowsmdm.log
macOS MDM Server N/A /var/opt/BESUEM/mac/logs/micromdm.log
macOS MDM Gateway N/A /var/opt/BESUEM/mac/logs/mdmgateway.log
macOS MDM Webhook N/A /var/opt/BESUEM/mac/logs/mdmwebhook.log
WebUI log (Configurablethrough the server setting_WebUI_Logging_LogPath)
c:\Program Files(x86)\BigFix
/var/opt/BESWebUI/WebUI/logs/
Modern Client Management for BigFix 10 Administrators Guide | 12 - Troubleshooting | 26
Component Windows LinuxEnterprise\BESWebUI\WebUI\logs\
Client settings - Verbose Logs for Plugin or Plugin Portal
Parameter Description_BESPluginPortal_Log_Verbose Sets the Plugin Portal Verbose to Off if the value
is 0 (only critical messages are logged); sets it toOn (to enable more logging) if the value is 1. Thedefault value is 0.
_BESPluginPortal_Log_EnabledLogs When Plugin Portal Verbose is enabled, setsthe Plugin Portal message type configuration.Possible values include: all, critical, debug,timing, events. You can add values delimited bysemicolons.Example:
_BESPluginPortal_Log_Verbose = 1_BESPluginPortal_Log_EnabledLogs = events;timing
The default message type is '“all”.
Note: This can have a detrimental impact onPlugin Portal performance.
_WindowsMDMPlugin_LogVerbose Sets the Windows MDM Plugin Verbose On ifthe value is 1 and sets Off if the value is 0. Thedefault value is 0.
_MacMDMPlugin_LogVerbose Sets the macOS Plugin Verbose On if the value is1 and sets Off if the value is 0. The default valueis 0.
Logrotate
Logrotate handles the automatic rotation and compression of log files to manage available diskspace. On 0th minute of every hour, log files are rotated, and old log files are compressed and kept asbackup by running cron jobs in the following containers:
• windowsmdm• macmdm• rabbitmq• openresty
Modern Client Management for BigFix 10 Administrators Guide | 12 - Troubleshooting | 27
The backup file name format is <Filename.log>_<YYYY-MM-DD>_<HH-mm-ss>.gz. For example,mdmgateway.log_2020-06-03_07-13-00.gz
Logs are rotated under the following conditions and backed up to the following log locations.
Container Log location Max File size Rotate CountScheduled cron JOBrunning
For all containers Container’s internalpath
10 MB 10 every hour 0th minute
For macmdm log /var/opt/BESUEM/mac/logs
50 MB 10 every hour 0th minute
For windowsmdmlog
/var/opt/BESUEM/windows/logs
50 MB 10 every hour 0th minute
For openresty log /var/opt/BESUEM/openresty/logs
50 MB 10 every hour 0th minute
Note: If log file size is less than 50 MB, running the logrotate cron job does not create a new logfile.
MCM Debug Logging
Debug logs can help you troubleshoot issues because these logs have an extended logging level. Inthe BESUEM site, look for Fixlets that are marked as TROUBLESHOOTING to enable logging ondifferent MCM components; they are relevant if you have the components available.
Error codesThe following includes commonly encountered error messages and related information.
Windows Endpoint enrollment error codes
Error code Description Cause0x80190191 Unauthorized user User is not authorized.0x80190190 The server could not process the
transfer request.The syntax of the remote file name isinvalid.
0x801901F4 It prevents the apps from openingor forces them to close soon afteropening.
Incorrectly configured system settings orirregular entries in the Windows registry.
0x8600023 Already Imported this Package Importing this PPKG has been attemptedbefore, and the action failed
0x80180026 Device is ExternallyManaged This occurs when a device is locked inProvisioningMode.
0x80192ee7 Network Name Not resolved Either DNS is not available or yourcomputer does not have internet access.
Modern Client Management for BigFix 10 Administrators Guide | 12 - Troubleshooting | 28
Error code Description Cause0x8004002 File Not Found The Provisioning Package file cannot be
read.0x8004005 Access Denied This occurs when UAC is disabled, or when
someone clicks ‘No’ at the MDM enrollmentprompt.
For a comprehensive list of error codes, see https://docs.microsoft.com/en-us/windows/win32/mdmreg/mdm-registration-constants.
Installing Docker CE+ Docker compose on RHEL8RHEL8 does not support Docker CE+ by default. The following information provides a workaroundto install compatible Docker CE+ on RHEL8.
Install Docker CE+Docker compose on RHEL 8
To install Docker CE+Docker compose on RHEL 8:
1. Add the external repository by running the following command.
sudo dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo
a. Verify whether the repository has been enabled. To do that, run the following commandthat returns detailed information about all the enabled repositories.
sudo dnf repolist -v
2. Install docker-ce with the --nobest option. With this option, the first version of docker-ce withsatisfiable dependencies is selected as the "fallback" version.
sudo dnf install --nobest docker-ce
3. Install the latest available containerd.io package manually
sudo dnf install https://download.docker.com/linux/centos/7/x86_64/stable/Packages/containerd.io-1.2.6-3.3.el7.x86_64.rpm
4. Install the latest docker-ce version:
sudo dnf install docker-ce
5. Start and enable the docker daemon
sudo systemctl enable --now docker
a. Confirm whether the daemon is active by running this command:
Modern Client Management for BigFix 10 Administrators Guide | 12 - Troubleshooting | 29
systemctl is-active docker
6. Install docker-compose globally.a. Download the binary file from the project’s GitHub page:
curl -L "https://github.com/docker/compose/releases/download/1.23.2/docker-compose-$(uname -s)-$(uname -m)" -o docker-compose
b. After the binary file is downloaded, move it to the /usr/local/bin folder, and thenmake it executable:
sudo mv docker-compose /usr/local/bin && sudo chmod +x /usr/local/bin/docker-composesudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
For detailed information, see https://linuxconfig.org/how-to-install-docker-in-rhel-8
After this installation, you might encounter a Docker CE container connectivity issue. Completethese steps to resolve this issue.
Resolve Docker CE container connectivity issueTo resolve Docker CE container connectivity issue:
1. Check which interface Docker is using. For example, 'docker0'.
ip link show
2. Check available firewalld zones. For example, 'public'
sudo firewall-cmd --get-active-zones
3. Check which zone the Docker interface is bound to. Typically, the Docker interface is not boundto a zone yet.
sudo firewall-cmd --get-zone-of-interface=docker0
4. Add the 'docker0' interface to the 'public' zone. Changes are visible only after the firewalld isreloaded
sudo nmcli connection modify docker0 connection.zone public
5. Masquerading enables Docker ingress and egress.
sudo firewall-cmd --zone=public --add-masquerade --permanent
6. Reload the firewalld
sudo firewall-cmd --reload
7. Restart dockerd
sudo systemctl restart docker
Chapter 13. Support
For more information about this product, see the following resources:
• BigFix Support Portal• BigFix Developer• BigFix playlist on YouTube• BigFix Tech Advisors channel on YouTube• BigFix Forum
Chapter 14. Glossary
This glossary provides terms and definitions for the Modern Client Management for BigFix softwareand products.
The following cross-references are used in this glossary:
• See refers you from a nonpreferred term to the preferred term or from an abbreviation to thespelled-out form.
• See also refers you to a related or contrasting term.
A (on page 31) B (on page 32) C (on page 32) D (on page 34) E (on page 35) F(on page 35) G (on page 36) L (on page 36) M (on page 36) N (on page 37) O (onpage 37) P (on page 38) R (on page 38) S (on page 39) T (on page 40) U (on page41) V (on page 41) W (on page 41)
A
action
1. See Fixlet (on page 35).2. A set of Action Script commands that perform an operation or administrative
task, such as installing a patch or rebooting a device.
Action Script
Language used to perform an action on an endpoint.
agent
See BigFix agent (on page 32).
ambiguous software
Software that has an executable file that looks like another executable file, or thatexists in more than one place in a catalog (Microsoft Word as a standalone product orbundled with Microsoft Office).
audit patch
A patch used to detect conditions that cannot be remediated and require the attentionof an administrator. Audit patches contain no actions and cannot be deployed.
automatic computer group
A computer group for which membership is determined at run time by comparing theproperties of a given device against the criteria set for group membership. The set
Modern Client Management for BigFix 10 Administrators Guide | 14 - Glossary | 32
of devices in an automatic group is dynamic, meaning that the group can and doeschange. See also computer group (on page 33).
B
baseline
A collection of actions that are deployed together. A baseline is typically used tosimplify a deployment or to control the order in which a set of actions are applied. Seealso deployment group (on page 34).
BigFix agent
The BigFix code on an endpoint that enables management and monitoring by BigFix.
BigFix client
See BigFix agent (on page 32).
BigFix console
The primary BigFix administrative interface. The console provides a full set ofcapabilities to BigFix administrators.
C
client
A software program or computer that requests services from a server. See also server(on page 39).
client time
The local time on a BigFix client's device.
Cloud
A set of compute and storage instances or services that are running in containers or onvirtual machines.
Common Vulnerabilities and Exposures Identification Number (CVE ID)
A number that identifies a specific entry in the National Vulnerability Database. Avendor's patch document often includes the CVE ID, when it is available. See alsoNational Vulnerability Database (on page 37).
Common Vulnerabilities and Exposures system (CVE)
Modern Client Management for BigFix 10 Administrators Guide | 14 - Glossary | 33
A reference of officially known network vulnerabilities, which is part of the NationalVulnerabilities Database (NVD), maintained by the US National Institute of Standardsand Technology (NIST).
component
An individual action within a deployment that has more than one action. See alsodeployment group (on page 34).
computer group
A group of related computers. An administrator can create computer groups toorganize systems into meaningful categories, and to facilitate deployment of contentto multiple computers. See also automatic computer group (on page 31) andmanual computer group (on page 36).
console
See BigFix console (on page 32).
content
Digitally-signed files that contain data, rules, queries, criteria, and other instructions,packaged for deployment across a network. BigFix agents use the detection criteria(Relevance statements) and action instructions (Action Script statements) in content todetect vulnerabilities and enforce network policies.
content relevance
A determination of whether a patch or piece of software is eligible for deployment toone or more devices. See also device relevance (on page 35).
Coordinated Universal Time (UTC)
The international standard of time that is kept by atomic clocks around the world.
corrupt patch
A patch that flags an operator when corrections made by an earlier patch have beenchanged or compromised. This situation can occur when an earlier service pack orapplication overwrites later files, which results in patched files that are not current.The corrupt patch flags the situation and can be used to re-apply the later patch.
custom content
BigFix code that is created by a customer for use on their own network, for example, acustom patch or baseline.
CVE
See Common Vulnerabilities and Exposures system (on page 32).
CVE ID
See Common Vulnerabilities and Exposures Identification Number (on page 32).
Modern Client Management for BigFix 10 Administrators Guide | 14 - Glossary | 34
D
data stream
A string of information that serves as a source of package data.
default action
The action designated to run when a Fixlet is deployed. When no default action isdefined, the operator is prompted to choose between several actions or to make aninformed decision about a single action.
definitive package
A string of data that serves as the primary method for identifying the presence ofsoftware on a computer.
deploy
To dispatch content to one or more endpoints for execution to accomplish anoperation or task, for example, to install software or update a patch.
deployment
Information about content that is dispatched to one or more endpoints, a specificinstance of dispatched content.
deployment group
The collection of actions created when an operator selects more than one action for adeployment, or a baseline is deployed. See also baseline (on page 32), component(on page 33), deployment window (on page 34), and multiple action group (onpage 37).
deployment state
The eligibility of a deployment to run on endpoints. The state includes parameters thatthe operator sets, such as 'Start at 1AM, end at 3AM.'
deployment status
Cumulative results of all targeted devices, expressed as a percentage of deploymentsuccess.
deployment type
An indication of whether a deployment involved one action or multiple actions.
deployment window
The period during which a deployment's actions are eligible to run. For example,if a Fixlet has a deployment window of 3 days and an eligible device that has beenoffline reports in to BigFix within the 3-day window, it gets the Fixlet. If the devicecomes back online after the 3-day window expires, it does not get the Fixlet. See alsodeployment group (on page 34).
Modern Client Management for BigFix 10 Administrators Guide | 14 - Glossary | 35
device
An endpoint, for example, a laptop, desktop, server, or virtual machine that BigFixmanages; an endpoint running the BigFix Agent.
device holder
The person using a BigFix-managed computer.
device property
Information about a device collected by BigFix, including details about its hardware,operating system, network status, settings, and BigFix client. Custom properties canalso be assigned to a device.
device relevance
A determination of whether a piece of BigFix content applies to applies to a device,for example, where a patch should be applied, software installed, or a baseline run.See also content relevance (on page 33).
device result
The state of a deployment, including the result, on a particular endpoint.
Disaster Server Architecture (DSA)
An architecture that links multiple servers to provide full redundancy in case offailure.
DSA
See Disaster Server Architecture (on page 35).
dynamically targeted
Pertaining to using a computer group to target a deployment.
E
endpoint
A networked device running the BigFix agent.
F
filter
To reduce a list of items to those that share specific attributes.
Fixlet
Modern Client Management for BigFix 10 Administrators Guide | 14 - Glossary | 36
A piece of BigFix content that contains Relevance and Action Script statementsbundled together to perform an operation or task. Fixlets are the basic building blocksof BigFix content. A Fixlet provides instructions to the BigFix agent to perform anetwork management or reporting action.
G
group deployment
A type of deployment in which multiple actions were deployed to one or moredevices.
H
Hybrid cloud
The utilization of distinct sets of cloud services (typically public and private) withintegration and/or orchestration across them.
L
locked
An endpoint state that prevents most of the BigFix actions from running until thedevice is unlocked.
M
MAG
See multiple action group (on page 37).
management rights
The limitation of console operators to a specified group of computers. Only a siteadministrator or a master operator can assign management rights.
manual computer group
Modern Client Management for BigFix 10 Administrators Guide | 14 - Glossary | 37
A computer group for which membership is determined through selection by anoperator. The set of devices in a manual group is static, meaning they do not change.See also computer group (on page 33).
master operator
A console operator with administrative rights. A master operator can do everythingthat a site administrator can do, except creating operators.
masthead
A collection of files that contain the parameters of the BigFix process, includingURLs to Fixlet content. The BigFix agent brings content into the enterprise based onsubscribed mastheads.
mirror server
A BigFix server required if the enterprise does not allow direct web access but insteaduses a proxy server that requires password-level authentication.
Multicloud
The utilization of distinct sets of cloud services, typically from multiple vendors,where specific applications are confined to a single cloud instance.
multiple action group (MAG)
A BigFix object that is created when multiple actions are deployed together, as in abaseline. A MAG contains multiple Fixlets or tasks. See also deployment group (onpage 34).
N
National Vulnerability Database (NVD)
A catalog of officially known information security vulnerabilities and exposures,which is maintained by the National Institute of Standards and Technology (NIST).See also Common Vulnerabilities and Exposures Identification Number (on page32).
NVD
See National Vulnerability Database (on page 37).
O
offer
Modern Client Management for BigFix 10 Administrators Guide | 14 - Glossary | 38
A deployment option that allows a device holder to accept or decline a BigFix actionand to exercise some control over when it runs. For example, a device holder candecide whether to install a software application, and whether to run the installation atnight or during the day.
open-ended deployment
A deployment with no end or expiration date; one that runs continuously, checkingwhether the computers on a network comply.
operator
A person who uses the BigFix WebUI, or portions of the BigFix console.
P
patch
A piece of code added to vendor software to fix a problem, as an immediate solutionthat is provided to users between two releases.
patch category
A description of a patch's type and general area of operation, for example, a bug fix ora service pack.
patch severity
The level of risk imposed by a network threat or vulnerability and, by extension, theimportance of applying its patch.
R
relay
A client that is running special server software. Relays spare the server and thenetwork by minimizing direct server-client downloads and by compressing upstreamdata.
Relevance
BigFix query language that is used to determine the applicability of a piece of contentto a specified endpoint. Relevance asks yes or no questions and evaluates the results.The result of a Relevance query determines whether an action can or should beapplied. Relevance is paired with Action Script in Fixlets.
Modern Client Management for BigFix 10 Administrators Guide | 14 - Glossary | 39
S
SCAP
See Security Content Automation Protocol (on page 39).
SCAP check
A specific configuration check within a Security Content Automation Protocol(SCAP) checklist. Checks are written in XCCDF and are required to include SCAPenumerations and mappings per the SCAP template.
SCAP checklist
A configuration checklist that is written in a machine-readable language (XCCDF).Security Content Automation Protocol (SCAP) checklists have been submitted to andaccepted by the NIST National Checklist Program. They also conform to a SCAPtemplate to ensure compatibility with SCAP products and services.
SCAP content
A repository that consists of security checklist data represented in automated XMLformats, vulnerability and product name related enumerations, and mappings betweenthe enumerations.
SCAP enumeration
A list of all known security related software flaws (CVEs), known softwareconfiguration issues (CCEs), and standard vendor and product names (CPEs).
SCAP mapping
The interrelationship of enumerations that provides standards-based impactmeasurements for software flaws and configuration issues.
Security Content Automation Protocol (SCAP)
A set of standards that is used to automate, measure, and manage vulnerability andcompliance by the National Institute of Standards and Technology (NIST).
server
A software program or a computer that provides services to other software programsor other computers. See also client (on page 32).
signing password
A password that is used by a console operator to sign an action for deployment.
single deployment
A type of deployment where a single action was deployed to one or more devices.
site
A collection of BigFix content. A site organizes similar content together.
Modern Client Management for BigFix 10 Administrators Guide | 14 - Glossary | 40
site administrator
The person who is in charge of installing BigFix and authorizing and creating newconsole operators.
software package
A collection of Fixlets that install a software product on a device. Software packagesare uploaded to BigFix by an operator for distribution. A BigFix software packageincludes the installation files, Fixlets to install the files, and information about thepackage (metadata).
SQL Server
A full-scale database engine from Microsoft that can be acquired and installed into theBigFix system to satisfy more than the basic reporting and data storage needs.
standard deployment
A deployment of BigFix that applies to workgroups and to enterprises with a singleadministrative domain. It is intended for a setting in which all Client computers havedirect access to a single internal server.
statistically targeted
Pertaining to the method used to target a deployment to a device or piece of content.Statically targeted devices are selected manually by an operator.
superseded patch
A type of patch that notifies an operator when an earlier version of a patch has beenreplaced by a later version. This occurs when a later patch updates the same files as anearlier one. Superseded patches flag vulnerabilities that can be remediated by a laterpatch. A superseded patch cannot be deployed.
system power state
A definition of the overall power consumption of a system. BigFix PowerManagement tracks four main power states Active, Idle, Standby or Hibernation, andPower Off.
T
target
To match content with devices in a deployment, either by selecting the content fordeployment, or selecting the devices to receive content.
targeting
The method used to specify the endpoints in a deployment.
task
Modern Client Management for BigFix 10 Administrators Guide | 14 - Glossary | 41
A type of Fixlet designed for re-use, for example, to perform an ongoing maintenancetask.
U
UTC
See Coordinated Universal Time (on page 33).
V
virtual private network (VPN)
An extension of a company intranet over the existing framework of either a public orprivate network. A VPN ensures that the data that is sent between the two endpointsof its connection remains secure.
VPN
See virtual private network (on page 41).
vulnerability
A security exposure in an operating system, system software, or application softwarecomponent.
W
Wake-from-Standby
A mode that allows an application to turn a computer on from standby mode duringpredefined times, without the need for Wake on LAN.
Wake on LAN
A technology that enables a user to remotely turn on systems for off-hoursmaintenance. A result of the Intel-IBM Advanced Manageability Alliance and partof the Wired for Management Baseline Specification, users of this technology canremotely turn on a server and control it across the network, thus saving time onautomated software installations, upgrades, disk backups, and virus scans.
WAN
See wide area network (on page 41).
wide area network (WAN)
Modern Client Management for BigFix 10 Administrators Guide | 14 - Glossary | 42
A network that provides communication services among devices in a geographic arealarger than that served by a local area network (LAN) or a metropolitan area network(MAN).
Notices
This information was developed for products and services offered in the US.
HCL may not offer the products, services, or features discussed in this document in other countries.Consult your local HCL representative for information on the products and services currentlyavailable in your area. Any reference to an HCL product, program, or service is not intended to stateor imply that only that HCL product, program, or service may be used. Any functionally equivalentproduct, program, or service that does not infringe any HCL intellectual property right may be usedinstead. However, it is the user's responsibility to evaluate and verify the operation of any non-HCLproduct, program, or service.
HCL may have patents or pending patent applications covering subject matter described in thisdocument. The furnishing of this document does not grant you any license to these patents. You cansend license inquiries, in writing, to:
HCL330 Potrero Ave.Sunnyvale, CA 94085USAAttention: Office of the General Counsel
For license inquiries regarding double-byte character set (DBCS) information, contact the HCLIntellectual Property Department in your country or send inquiries, in writing, to:
HCL330 Potrero Ave.Sunnyvale, CA 94085USAAttention: Office of the General Counsel
HCL TECHNOLOGIES LTD. PROVIDES THIS PUBLICATION "AS IS" WITHOUTWARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUTNOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions donot allow disclaimer of express or implied warranties in certain transactions, therefore, this statementmay not apply to you.
This information could include technical inaccuracies or typographical errors. Changes areperiodically made to the information herein; these changes will be incorporated in new editions of thepublication. HCL may make improvements and/or changes in the product(s) and/or the program(s)described in this publication at any time without notice.
Any references in this information to non-HCL websites are provided for convenience only and donot in any manner serve as an endorsement of those websites. The materials at those websites are notpart of the materials for this HCL product and use of those websites is at your own risk.
HCL may use or distribute any of the information you provide in any way it believes appropriatewithout incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) theexchange of information between independently created programs and other programs (including thisone) and (ii) the mutual use of the information which has been exchanged, should contact:
HCL330 Potrero Ave.Sunnyvale, CA 94085USAAttention: Office of the General Counsel
Such information may be available, subject to appropriate terms and conditions, including in somecases, payment of a fee.
The licensed program described in this document and all licensed material available for it areprovided by HCL under terms of the HCL Customer Agreement, HCL International Program LicenseAgreement or any equivalent agreement between us.
The performance data discussed herein is presented as derived under specific operating conditions.Actual results may vary.
Information concerning non-HCL products was obtained from the suppliers of those products, theirpublished announcements or other publicly available sources. HCL has not tested those products andcannot confirm the accuracy of performance, compatibility or any other claims related to non-HCLproducts. Questions on the capabilities of non-HCL products should be addressed to the suppliers ofthose products.
Statements regarding HCL's future direction or intent are subject to change or withdrawal withoutnotice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business operations. Toillustrate them as completely as possible, the examples include the names of individuals, companies,brands, and products. All of these names are fictitious and any similarity to actual people or businessenterprises is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrateprogramming techniques on various operating platforms. You may copy, modify, and distributethese sample programs in any form without payment to HCL, for the purposes of developing, using,marketing or distributing application programs conforming to the application programming interfacefor the operating platform for which the sample programs are written. These examples have notbeen thoroughly tested under all conditions. HCL, therefore, cannot guarantee or imply reliability,serviceability, or function of these programs. The sample programs are provided "AS IS," withoutwarranty of any kind. HCL shall not be liable for any damages arising out of your use of the sampleprograms.
Each copy or any portion of these sample programs or any derivative work must include a copyrightnotice as follows:© (your company name) (year).Portions of this code are derived from HCL Ltd. Sample Programs.
TrademarksHCL Technologies Ltd. and HCL Technologies Ltd. logo, and hcl.com are trademarks or registeredtrademarks of HCL Technologies Ltd., registered in many jurisdictions worldwide.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks ortrademarks of Adobe Systems Incorporated in the United States, and/or other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporationin the United States, other countries, or both.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Other product and service names might be trademarks of HCL or other companies.
Terms and conditions for product documentationPermissions for the use of these publications are granted subject to the following terms andconditions.
Applicability
These terms and conditions are in addition to any terms of use for the HCL website.
Personal use
You may reproduce these publications for your personal, noncommercial use provided that allproprietary notices are preserved. You may not distribute, display or make derivative work of thesepublications, or any portion thereof, without the express consent of HCL.
Commercial use
You may reproduce, distribute and display these publications solely within your enterprise providedthat all proprietary notices are preserved. You may not make derivative works of these publications,or reproduce, distribute or display these publications or any portion thereof outside your enterprise,without the express consent of HCL.
Rights
Except as expressly granted in this permission, no other permissions, licenses or rights are granted,either express or implied, to the publications or any information, data, software or other intellectualproperty contained therein.
HCL reserves the right to withdraw the permissions granted herein whenever, in its discretion, theuse of the publications is detrimental to its interest or, as determined by HCL, the above instructionsare not being properly followed.
You may not download, export or re-export this information except in full compliance with allapplicable laws and regulations, including all United States export laws and regulations.
HCL MAKES NO GUARANTEE ABOUT THE CONTENT OF THESE PUBLICATIONS.THE PUBLICATIONS ARE PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANYKIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIEDWARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR APARTICULAR PURPOSE.