Modern Client Management for BigFix 10Administrators Guide

Special notice

Before using this information and the product it supports, read the information in Notices (on page43).

Edition notice

This edition applies to version 10.0.1 of BigFix Insights and to all subsequent releases andmodifications until otherwise indicated in new editions.

Contents

Chapter 1. Overview............................................................................................................................1

What’s new in this release.............................................................................................................1

Chapter 2. Prerequisites and requirements...................................................................................... 3

Supported system environments.................................................................................................... 3

Minimum hardware requirements..................................................................................................4

Port requirements........................................................................................................................... 4

Chapter 3. Installing BigFix............................................................................................................... 6

Chapter 4. Setting up LDAPS authentication...................................................................................7

Chapter 5. Configuring certificates....................................................................................................8

MDM SSL certificates................................................................................................................... 9

Chapter 6. Setting up the MDM Server..........................................................................................11

Installing BigFix MDM Server for Windows endpoints.............................................................11

Installing BigFix MDM Server for macOS endpoints................................................................ 12

Chapter 7. The Plugin Portal........................................................................................................... 14

Chapter 8. Installing the MDM Plugins.......................................................................................... 15

Understanding the MDM Plugin interface.................................................................................. 15

Installing MDM plugins on Windows.........................................................................................16

Installing MDM plugins on macOS............................................................................................ 16

Chapter 9. Staging BigFix Agents for delivery...............................................................................18

Chapter 10. Registering for Apple Developer Accounts................................................................19

Chapter 11. Device Enrollment........................................................................................................ 20

Enrolling Windows 10 Devices................................................................................................... 20

Enrolling macOS Devices............................................................................................................23

Chapter 12. Troubleshooting............................................................................................................ 25

Logging.........................................................................................................................................25

Error codes................................................................................................................................... 27

Installing Docker CE+ Docker compose on RHEL8.................................................................. 28

Chapter 13. Support.......................................................................................................................... 30

Chapter 14. Glossary......................................................................................................................... 31

Notices.................................................................................................................................................. 43

Contents | v

Index.............................................................................................................................................

Chapter 1. Overview

This guide is intended for HCL BigFix Master Operators (MO) and those who administer BigFixdeployments. If you are looking for information about using Modern Client Management (MCM),see the User's Guide.

With the MCM offering, you can manage endpoints that run operating systems through a vendor’sMobile Device Manager (MDM) API. With this feature, BigFix can interact with your devicesand endpoints through MDM. BigFix can deploy profiles, custom content, patches, software, anda BigFix Agent through the Console or WebUI. BigFix can also wipe or lock devices remotely ifdevices get lost or stolen. The MDM server through MDM APIs manages all the actions that youinvoke from the BigFix Console or WebUI.

What’s new in this releaseBecome familiar with the enhancements made in MCM for BigFix 10

MCM v1.0.1 updates

• Support for the BigFix Work from Home Solution

MCM v1.0.1 supports the BigFix Work from Home Solution. For complete information aboutthe BigFix Work from Home Solution, read The BigFix Work from Home Solution Guide.

• Performance enhancements

This release includes a number of stability and performance enhancements and fixes. Forcapacity planning and configuration recommendations, see BigFix Capacity Planningdocumentation at BigFix Performance & Capacity Planning Resources.

• Extended operating system support◦ The MCM solution supports RHEL 8 on MDM Server and Plugin Portal servers with

a workaround to install Docker CE+. For more information, see Installing Docker CE+Docker compose on RHEL8 (on page 28)

◦ The MCM solution supports Windows 10 (Pro, Enterprise, and Home) running on MCMendpoints.

Note: Only certain Windows editions support all available operating systemfeatures that are configured through MDM. For complete information, see the WindowsConfiguration service provider (CSP) reference document. Each CSP highlights whichWindows editions are supported.

• Fixlets to upgrade MCM components

With MCM v1.0.1 release, you can upgrade the MCM components by using Fixlets that areavailable through the BigFix Console. Take a look at the BESUEM site for the relevant Fixlets.

• WebUI Health Checks dashboard for MCM serviceability

Modern Client Management for BigFix 10 Administrators Guide | 1 - Overview | 2

The WebUI Health Checks dashboard is available to monitor the health of your BigFix MCMdeployments. For more information, see Health Checks.

• Addressed security vulnerabilities

Product security vulnerability issues from MCM v1.0.0 are addressed in this release.

Chapter 2. Prerequisites and requirements

The following packages must be pre-installed on your Red Hat® Enterprise Linux® systems beforeyou installModern Client Management (MCM):

MDM Server

The target computers must have the following elements installed:

• The computer must be running on RHEL 7+ or RHEL 8+• Docker (CE v19.x or RHEL version 1.13 or later) and Docker Compose 1.25.x• BigFix Client version 10.0 or later• OpenSSL• Unzip

Note: RHEL8 does not support Docker CE+ by default. For a workaround to install a compatibleDocker CE+ version on RHEL8, see Installing Docker CE+ Docker compose on RHEL8 (on page28)

Plugin Portal

The target computers must have the following elements installed:

1. BigFix Client version 10.0 or later2. Plugin Portal version 10.0 or later3. Mongo DB 4.2.3 or later

Requirements

• Supported system environments (on page 3)• Minimum hardware requirements (on page 4)• Port requirements (on page 4)

Supported system environmentsThis section provides the information about the supported system environments for MCM for BigFix10.

Component Supported environmentPlugin Portal and PluginRHEL7.4+, RHEL8+, OR Windows 2012 R2+

Modern Client Management for BigFix 10 Administrators Guide | 2 - Prerequisites and requirements | 4

Component Supported environmentMDM Server Host andDocker

RHEL 7 to RHEL 8

Device OperatingSystem

Windows 10 (Pro, Enterprise, and Home1), macOS 10.14 and later

Docker Engine CE v19.x or RHEL version 1.13 or laterDocker-compose 1.25.xMongoDB RHEL7.4+, RHEL8+, and Windows 10/Server 2016+

Minimum hardware requirementsFor minimum hardware requirements, see BigFix Capacity Planning documentation.

For further details and latest information about deployment and management of BigFix, see BigFixPerformance & Capacity Planning Resources

Port requirementsFor BigFix to communicate properly with the devices that you manage through the MDM Plugin,ensure that the following ports are open in your firewall.

PortNumber

Type Purpose Direction

443 HTTPS All device enrollment and management requestsare sent to this port. This must be an internet-facing port for the endpoints to reach theenrollment server.

Inbound to the MDM Serverfrom the network where MDMmanaged endpoints are located

5671 AMQP MDM Plugin receives the asynchronousnotifications from the devices through this port.This must be internally open just for the PluginPortal server.

Outbound from Plugin Portalserver to the MDM Server

8443 HTTPS MDM Plugin sends the device REST API requeststhrough this port. This must be internally open onthe MDM Server just for the Plugin Portal server.

Outbound from Plugin Portalserver to MDM Server

636 LDAPS For the Active Directory to securely authenticateend users during enrollment.

Outbound from MDM Server tothe Customer LDAP

389 LDAP For the Active Directory insecure authenticationof end users during enrollment.

Outbound from the MDMServer to Customer LDAP

1. Only certain Windows editions support all available operating system features that are configuredthrough MDM. For complete information, see the Windows Configuration service providerreference document. Each CSP highlights which Windows Editions are supported.

Modern Client Management for BigFix 10 Administrators Guide | 2 - Prerequisites and requirements | 5

PortNumber

Type Purpose Direction

Note: In case the Active Directory secureport is not enabled, the default insecure port is389. For best results, use the LDAPS (securecommunication) with Active Directory.

2195* TCP For sending messages from the MDM Server toAPNs.

Outbound from the MDMServer to the APNs Server(Internet).

2196* TCP Used by the MDM Server to connect to APNs forfeedback.

Outbound from the MDMServer to the APNs Server(Internet).

5223 TCP For sending messages from APNs to thecomputers in your network.

Outbound from Mac devices(whichever network they are on)to the APNs Server (Internet).

*To ensure reliable server communication, allow outbound connections from the MDM Server to theApple 17.0.0.0/8 block over TCP ports 2195 and 2196.

Chapter 3. Installing BigFix

To install BigFix Platform, obtain a license, run the installation wizard that guides you through theinstallation of the BigFix root server, console, client, and WebUI.

Purchase a license and obtain a BigFix license authorization file(*.BESLicenseAuthorization) by using your License Key Center account. In the case of aProof-of-concept evaluation, contact your HCL Technical Sales Representative.

For details on installing BigFix and its components, see BigFix Installation.

Chapter 4. Setting up LDAPS authentication

With MCM for BigFix 10, Administrators can manage Windows™ and Apple® devices byauthenticating the device users with LDAPS authentication.

Secure Lightweight Directory Access Protocol (LDAPS) authentication

BigFix Administrators verify the user credentials by using the LDAPS authenticationbefore the devices can enroll with the BigFix MDM Server.The following prerequisites must be met for the devices to connect to the MicrosoftActive Directory Server (MSAD) or LDAP server:

• An LDAPS URL• The Base Distinguished Name (base DN)• The Bind Distinguished Name (bind DN)• The bind password

These parameters are defined in Fixlets. For details about how to set up and configure an MDMserver with Fixlets, see Setting up the MDM Server (on page 11). For more details about LDAPSsettings, see LDAPS parameters.

Chapter 5. Configuring certificates

Learn how to configure certificates and establish an authorized connection between the MDM serverand Apple devices.

Apple® Push Notification

Apple Push Notification (APN) is used to notify Apple devices to check in with theMDM Server. To push notifications to Apple devices, you need an APN certificate,which is a prerequisite to manage mobile devices. You must have an Apple Developeraccount (on page 19) to create an APNs certificate.

To establish an authorized connection between the MDM server and Apple PushNotification server, you must create a Certificate Signing Request (CSR) and sendthe CSR file to HCL for signing. After signing, you must upload the CSR file to yourApple Developer account to obtain a provider certificate from Apple.

To Obtain a Provider Certificate from Apple, complete these steps:

1. Enroll for Apple Developer Program.2. In the command-line interface, run the following command to create CSR:

openssl req -newkey rsa:2048 -nodes -keyout PUSHCERTNAME_temp.key -out PUSHCERTNAME.csr -subj "/C=US/CN=HOSTNAME/emailAddress=EMAILADDRESS"

Note:• You can replace PUSHCERTNAME with a name of your choice.• EMAILADDRESS must be unique to your organization, it is not stored or used

directly by HCL or BigFix.• HOSTNAME must be the FQDN of the server on which the MDM server runs.

3. Run the following command:

openssl rsa -des3 -in PUSHCERTNAME_temp.key -out PUSHCERTNAME.key

Enter the Pem Pass Phrase of your choice when prompted. You will then beasked to verify it.

Important: Save the generated PUSHCERTNAME.csr andPUSHCERTNAME.key at a safe location. You can use these files at the time ofcertificate renewals with Apple after one year. Also, store the Pem Pass Phrase ina safe location for certificate renewals.

4. Send the CSR file to BFAppleCSR@hcl.com.

Important: Include your HCL Customer ID or BigFix server serial numberin the body of the email.

Modern Client Management for BigFix 10 Administrators Guide | 5 - Configuring certificates | 9

5. An HCL-signed version of the CSR file, plus additional instructions fromBFAppleCSR@hcl.com will be returned to the sender’s email address withinone business day. Follow the instructions in that email to obtain the required filethrough your Apple Developer account.

MDM SSL certificates

MDM Client Auth certificate

SSL Certificates are required to authenticate the Plugin to the MDM Server. Forsecure communication, you must generate the certificates through new optionswhen you run BESAdmin command on the BigFix root server. Before you run thecommand to generate the SSL certificates, create a directory. All the generated SSLcertificates after you run the command are stored in the directory that you create.

Note:

• You must have a reachable DNS host name to run the commands in the BESAdmin tool to generate certificates.

To generate SSL certificates on a Windows BigFix root server, run this command:

BESAdmin.exe /generateplugincertificates /certificatespath:<path-to-store-certs> [/commonname:<CN-for-server-and-client-cert>]

To generate SSL certificates on a Linux BigFix root server, run this command:

BESAdmin -generateplugincertificates -certificatespath=<path-to-store-certs> [-commonname:<CN-for-server-and-client-cert>

Note:

• For commonname, use the FQDN name of the MDM Server.• These commands work only if path-to-store-certsdirectory exists.

The following SSL certificates are generated in the folder that you created:

• ca.cert.pem• client.cert.pem• client.key• server.cert• server.key

Modern Client Management for BigFix 10 Administrators Guide | 5 - Configuring certificates | 10

Note: You will be using the preceding SSL certificates and keys when you installthe MDM Plugin and MDM Server.

MDM Server certificate

Customers must obtain a CA-signed domain SSL certificate for the MDM Serverin production. The endpoints need a trusted CA SSL certificate to enroll andcommunicate with the MDM Server. The SSL certificate must be available in the/var/opt/BESUEM/certs directory before you start the services. All thecertificates are deployed through the MDM Server installation Fixlets.

If you are using the staging and lab environment, self-signed certificates must begenerated as follows:

• Run the following command on a RHEL MDM Server in the OpenSSLcommand-line interface to generate mdmserver.key and mdmserver.crtfiles in the directory specified. You will need this SSL certificate and key whenyou are ready to deploy the MDM Server.

DNSNAME=<MDM_FQDN_HOSTNAME>; (cat /etc/pki/tls/openssl.cnf; printf "\n[SAN]\nsubjectAltName=DNS:$DNSNAME\n") | openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -sha256 -keyout mdmserver.key -out mdmserver.crt -subj "/CN=$DNSNAME" -config /dev/stdin

Chapter 6. Setting up the MDM Server

You can set up MDM server by running the appropriate tasks from the BESUEM content site.

• Install Docker Engine, Docker Compose, and OpenSSL.• Ensure that you have one of these user roles:

◦ A Master Operator (MO) with visibility over the MDM Server target machine and visibilityof the BESUEM site

◦ An Administrator with the privilege to run the installation.• Install BESClient on the target computer in which you want to install MDM server. This is

because you need to install MDM Server through Fixlets.

On the BESUEM content site, with some tasks, you can install standalone versions of either themacOS® MDM Server or the Windows™ MDM Server. After the installation, you can use othertasks to add more MDM Server capabilities. You can also use these Tasks to configure an MDMServer for both macOS and Windows.The Install BigFix Windows MDM Server Task or the Install BigFix macOS MDM Server Taskcompletes these activities:

1. Creates a directory.2. Downloads a set of docker images from software.bigfix.com which is needed for the MDM

installation.3. Installs the services and certificates including the Plugin certificates (on page 9) and the TLS

certificate on which the server will run, and the Apple Push certificate if you are installing amacOS MDM Server.

4. Applies all required configurations.

Installing BigFix MDM Server for Windows endpointsYou can install BigFix MDM server for Windows endpoints using the task Install BigFixWindows MDM Server.

These prerequisites must be met to install the BigFix MDM Server for Windows endpoints:

• You must have the required certificates and keys. See, MDM SSL Certificates (on page 9).• You must have a BigFix Agent running on the MDM Server target.

In the Install BigFix Windows MDM Server task, provide this information:

1. Enter the organization name.

Modern Client Management for BigFix 10 Administrators Guide | 6 - Setting up the MDM Server | 12

2. Enter user facing hostname. For example, enter mdmserver.deploy.bigfix.com.3. Enter LDAP parameters.

Note: LDAP Authentication is turned on by default.4. Enter the details of the MDM Server TLS certificate and key contents.

a. Enter a string to set TLS key password.b. In the MDM Server TLS Certificate content section, enter the entire text contents of the

generated TLS .crt file.c. In the MDM Server TLS Key content section, enter the entire text contents of the generated

TLS .key file.

Tip: If you want to use self-signed certificates, to know how to generate .crt and.key files, see MDM SSL Certificates (on page 9).

5. Enter the details of the MDM Server authentication certificate and key contents.a. In the MDM Server Certificate Authority content section, enter the entire text contents of

the generated ca.cert.pem file.b. In the MDM Server Certificate content section, enter the entire text contents of the

generated server.cert.pem file.c. In the MDM Server Key content section, enter the contents of server.key file.

Tip: For more information on how to generate .pem and .key files, see MDM SSLCertificates (on page 9).

6. Deploy the task to targeted systems.

Installing BigFix MDM Server for macOS endpointsYou can install the BigFix MDM server for macOS endpoints using the task Install BigFixMacOS MDM Server.

These prerequisites must be met to install the BigFix MDM Server for macOS endpoints:

• You must have the required certificates and keys. See, MDM SSL Certificates (on page 9).• You must have a BigFix Agent running on the MDM Server target.

Note: An Apple Push Certificate PEM file that is obtained through the HCL vendor signingprocess and processed by Apple is needed for this MDM Server deployment.

In the Install BigFix MacOS MDM Server task, provide this information:

1. Enter the organization name.2. Enter the user-facing hostname. For example, mdmserver.deploy.bigfix.com.3. Enter the MDM API password that you want to use (it can be anything, and this is not visible

externally anywhere after it is configured).4. Enter LDAP parameters.

Modern Client Management for BigFix 10 Administrators Guide | 6 - Setting up the MDM Server | 13

Note: LDAP Authentication is turned on by default.5. Enter the Apple Push certificate and key contents.

a. Enter the Apple Push key password.b. In the Apple Push Certificate PEM content section, enter the entire text contents of PushPEM file.

c. In the Apple Push Key content section, enter the entire text contents of Push key file.6. Enter the details of the MDM Server TLS certificate and key contents.

a. Enter a string to set TLS key password.b. In the MDM Server TLS Certificate content section, enter the entire text contents of the

generated TLS .crt file.c. In the MDM Server TLS Key content section, enter the entire text contents of the generated

TLS .key file.

Tip: If you want to use self-signed certificates, to know how to generate .crt and.key files, see MDM SSL Certificates (on page 9).

7. Enter the details of the MDM Server authentication certificate and key contents.a. In the MDM Server Certificate Authority content section, enter the entire text contents of

the generated ca.cert.pem file.b. In the MDM Server Certificate content section, enter the entire text contents of the

generated server.cert.pem file.c. In the MDM Server Key content section, enter the contents of server.key file.

Tip: For more information on how to generate .pem and .key files, see MDM SSLCertificates (on page 9).

8. Enter message text for an end user agreement - Optional. This message is displayed to the endusers to accept to proceed with enrollment of macOS devices through the enrollment process.This message can include, for example, a warning about allowing remote management of thedevice or helpdesk contact information.

9. Deploy the task to targeted systems.

Chapter 7. The Plugin Portal

The Plugin Portal provides the server infrastructure for the MCM technology delivered in BigFix 10.

Modern Client Management requires the Plugin Portal and one or more MDM plugins to be installedin the Plugin Portal.

Prerequisites for installing the Plugin Portal

On the computers that you intend to install the Plugin Portal on, install theseapplications:

• BigFix client, Version 10.0 or later• MongoDB Version 4.2.3 or later

Installing the Plugin Portal

To install the Plugin Portal as a service on a BigFix client, run the latest InstallBigFix Plugin Portal fixlet version available in the BES Support site. This taskinstalls the BigFix Plugin Portal Version 10.0 on the selected targets.

The Plugin Portal is typically installed in the following directories:

• Windows:◦ C:\Program Files (x86)\BigFix Enterprise\BES Plugin Portal

• Linux:◦ /var/opt/BESPluginPortal◦ /opt/BESPluginPortal

Note: You might have several Plugin Portals in your environment; but on aspecific target computer, you must have only one.

The Plugin Portal needs an MDM Plugin to work for MCM. The MDM Plugininstallation Tasks do not become relevant until there is a valid Plugin Portal presenton the system and the local BES Client evaluates the Tasks again.

For more information about Plugin Portal installation and base configuration, seePlatform documentation.

Chapter 8. Installing the MDM Plugins

Installing MDM Plugins are required to set up a connection between the MDM Servers and theBigFix Plugin Portal. MDM Plugins communicate with the MDM Server through REST APIs andthe AMQP protocol using client certificates.

Ensure that the server host is running the Plugin Portal and BigFix Agent is running locally. Fordetails about installing the BigFix Client, see Installing the BigFix components.

Note:

• Two versions of the MDM Plugins are available: macOS and Windows.• The tasks require credentials, specifically from cacert, the client cert, and the client key that is

generated from BESAdmin. For details, see MDM SSL certificates (on page 9)

The next step is to run the Install BigFix Plugin for MDM on macOS task or Install BigFix Plugin forMDM on Windows task to install the appropriate plugins on target computers.

Understanding the MDM Plugin interfaceThe MDM Plugin interface communicates with the MDM Server. It forwards requests to the MDMServer and fetches results from the MDM infrastructure. MDM Plugins act as an interface betweenthe Plugin Portal and the MDM Servers.

The MDM Plugin interface contains these components:

Requests to the MDM Server

These requests are the outbound interface to the MDM Server. If the plugin requiresinformation from an enrolled device or must request an action from a device or fromthe MDM Server, the plugin uses this interface. Most requests become asynchronousresponses that are received from the inbound interface. The connections between theMDM Plugin and the MDM Server is secure and is protected by client-and-servercertificates.

Responses from the MDM Server

The MDM Plugin registers as a subscriber for messages from the MDM Server. TheMDM Plugin can receive information from this interface at any time from an enrolleddevice. The connections between the MDM Plugin and the MDM Server is secure andis protected by client-and-server certificates.

Modern Client Management for BigFix 10 Administrators Guide | 8 - Installing the MDM Plugins | 16

Installing MDM plugins on WindowsTo deploy MDM plugins on Windows, complete the following steps.

Prerequisites

The targeted server host must have a BigFix Client running and Plugin Portal installed.

Procedure

1. In the MDM Server Address field, enter the MDM Server hostname or IP address.2. Enter these parameters:

a. Copy and paste the entire text contents of the ca.cert.pem file i to the CertificateAuthority content field.

b. Copy and paste the entire text contents of the client.cert.pem file into the ClientCertificate content field.

c. Copy and paste the entire text contents of the client.key file into the Client Keycontent field.

Tip: For details about how to generate the .pem and .key files, see MDM SSLCertificates (on page 9).

3. Deploy the task to the targeted systems.

• You can find the MDM plugins at this location:◦ Windows - C:\Program File (x86)\BigFix Enterprise\BES PluginPortal\Plugins

◦ Linux■ Binaries - /opt/BESPluginPortal/Plugins■ Data files - /var/opt/BESPluginPortal

• You can complete MDM actions such as deploying a BigFix Agent, or wiping or lockingdevices through the BigFix WebUI on enrolled MDM devices.

Installing MDM plugins on macOSTo deploy MDM plugins on macOS, complete these steps:

Modern Client Management for BigFix 10 Administrators Guide | 8 - Installing the MDM Plugins | 17

Prerequisites

The targeted server host must have a BigFix Client running and Plugin Portal installed.

Procedure

1. In the MDM Server Address field, enter the MDM Server hostname or IP address.2. Enter these parameters:

a. Copy and paste the entire text contents of the ca.cert.pem file i to the CertificateAuthority content field.

b. Copy and paste the entire text contents of the client.cert.pem file into the ClientCertificate content field.

c. Copy and paste the entire text contents of the client.key file into the Client Keycontent field.

Tip: For details about how to generate the .pem and .key files, see MDM SSLCertificates (on page 9).

3. Deploy the task to the targeted systems.

• You can find the MDM plugins in the path:◦ Windows - C:\Program Files (x86)\BigFix Enterprise\BES PluginPortal\Plugins

◦ Linux■ Binaries - /opt/BESPluginPortal/Plugins■ Data files - /var/opt/BESPluginPortal

• You can perform MDM actions such as deploying a BigFix Agent or wiping or locking devicesthrough the BigFix WebUI on the enrolled MDM devices.

Chapter 9. Staging BigFix Agents for delivery

Learn how to pre-stage and deploy the latest version of the BigFix Agent on the MDM Server.

MCM can be used to deploy BigFix Agents on the enrolled macOS® or Windows™ 10 devices.

For macOS, a Fixlet is available for each released version of the BigFix Platform. Stage the packageagainst the MDM Server before any Mac devices are enrolled. The BigFix WebUI deploys thelatest timestamped BigFix Agent on the MDM Server in this directory: /var/opt/BESUEM/packages. The deployment happens on the MDM Server that was staged through the BESUEMFixlet - Stage BigFix Client packages for Mac on MDM Server.

For Windows, a custom MSI package must be prepared that includes the site masthead, and ifrequired, set the Authenticating Relay information with the client settings to deploy the BigFix Agentaction through WebUI correctly. Each package is unique and different for each user. For this versionof MCM, the package that is to be deployed on Windows 10 devices must be manually copied to the/var/opt/BESUEM/packages folder on the MDM server.

After the installation, you can find the base MSI on the BigFix server. You can repeat the procedurefor both macOS and Windows packages every time an updated version of BigFix Agent becomesavailable.

For installing the BES server installation on Windows, the installer copies a BigFix Agent in tothe BigFix Enterprise\BES Installers\ClientMSI folder, but without a masthead(configuration profile for the BigFix Agent). To install a BigFix Agent with a preconfiguredmasthead, complete these steps:

1. Locate the MSI that is installed with the server component.2. Copy the masthead.afxm file and the MSI file into a new folder on a Windows machine to

add the masthead to the MSI.3. Run the BESClientSetupMSI.exe command and follow the instructions from the installer

to add the masthead.4. Optionally add authenticating relay command details if you have an authenticating relayBESClientSetupMSI.exe /secureregistration <RELAY_PASSWORD> /relayserver1 http://<RELAY_HOST>:52311/bfmirror/downloads/<TARGET_MSI> to the MSI file.

5. Upload the BigFixAgent.msi file to the /var/opt/BESUEM/packages folder on theMDM Server.

Chapter 10. Registering for Apple DeveloperAccounts

To obtain a push certificate, you as a BigFix Administrator, require Apple Developer accounts. Fordetails on how to register for Developer accounts, see Mac developer account registration.

Chapter 11. Device Enrollment

Device enrollment is the first step for managing devices using MDM. Mac and Windows deviceshave different enrollment procedures. Only after successful enrollment will Mac and Windowsdevices report in to BigFix as MDM devices and start appearing on the BigFix Console and WebUI.The devices will interact with the MDM servers through APIs and based on the MDM policies.

Enrolling Windows 10 DevicesRead this section to understand how to enroll Windows 10 devices to MDM.

• You must know the MDM Server enrollment URL, which the BigFix administrator sharesthrough email or chat. The MDM Server enrollment URL must be the fully qualified domainname of the MDM server (For example, https://enroll-mdm.bigfix.com).

• To log in to the enrollment URL, you need an email ID and password associated with a validActive Directory (AD) credentials. These credentials are associated with the AD credentialssupplied on MDM Server setup.

• To enroll a device successfully, the user doing the enrollment on the Windows 10 device mustbe an administrator of the Windows 10 device.

To enroll a Windows 10 device in MDM, complete the following steps:

1. On an unenrolled Windows / macOS device, launch a web browser and go to the MDM serverURL.

Modern Client Management for BigFix 10 Administrators Guide | 11 - Device Enrollment | 21

2. Enter an email address that is associated with a valid AD set of credentials and click Enroll.

3. A pop-up window appears requesting you to open the Microsoft account, click Open Microsoftaccount.

4. On the next screen, enter an email address that is associated with a valid AD set of credentials.The MDM enrollment server URL should already be preconfigured and doesn’t need to bealtered.

5. Click Next.

6. On the next screen, enter the following information:• User name or email ID – This field is optional and can be empty.• Password – This field is mandatory.

Modern Client Management for BigFix 10 Administrators Guide | 11 - Device Enrollment | 22

7. Click Next.

After successful authentication, the device gets enrolled. To verify MDM enrollment status, go toSettings > Access work or school. You can view that the device is connected to MDM.

Modern Client Management for BigFix 10 Administrators Guide | 11 - Device Enrollment | 23

Enrolling macOS DevicesThe users must enroll macOS devices in MDM to manage and secure it through BigFix WebUI.

Initially, users must visit an enrollment URL provided to them through their BigFix administrator(via email or chat). This enrollment URL is the FQDN of the MDM Server (For example, https://enroll-mdm.bigfix.com). After authenticating in this enrollment portal, users must install theenrollment profile on their devices as an administrator.

To enroll the macOS device in MDM, follow these steps:

1. On the macOS device, launch a web browser and navigate to the MDM Server URL.

2. Enter a valid email address and password associated with the Active Directory deploymentconfigured when the MDM Server was set up.

3. Click Enroll to download the Mac enrollment profile.4. OSX opens this Enrollment Profile and shows users the information about the MDM

deployment they are about to enroll in. If things look okay, click Install to enroll the device inMDM.

Modern Client Management for BigFix 10 Administrators Guide | 11 - Device Enrollment | 24

Chapter 12. Troubleshooting

This section is intended to help you solve problems that might occur when using BigFix MCM.

LoggingThe MCM component generates log files which can provide extra information when youtroubleshoot an issue.

Log file locationsThe following table shows the location of various MCM logs that are stored in your Windows andLinux systems.

Component Windows LinuxPlugin Portal log(Configurable through_BESPluginPortal_HTTPServer_LogFilePath)

C:\Program Files(x86)\BigFixEnterprise\BESPlugin Portal\BESPluginPortal.log

/var/log/BESPluginPortal.log

Windows MDM Plugin C:\Program Files(x86)\BigFixEnterprise\BESPlugin Portal\Plugins\WindowsMDMPlugin\Logs

/var/opt/BESPluginPortal/Plugins/WindowsMDMPlugin/Logs

macOS MDM Plugin C:\Program Files(x86)\BigFixEnterprise\BESPlugin Portal\Plugins\MacMDMPlugin\Logs

/var/opt/BESPluginPortal/Plugins/MacMDMPlugin/Logs

Windows MDM Server N/A /var/opt/BESUEM/windows/logs/windowsmdm.log

macOS MDM Server N/A /var/opt/BESUEM/mac/logs/micromdm.log

macOS MDM Gateway N/A /var/opt/BESUEM/mac/logs/mdmgateway.log

macOS MDM Webhook N/A /var/opt/BESUEM/mac/logs/mdmwebhook.log

WebUI log (Configurablethrough the server setting_WebUI_Logging_LogPath)

c:\Program Files(x86)\BigFix

/var/opt/BESWebUI/WebUI/logs/

Modern Client Management for BigFix 10 Administrators Guide | 12 - Troubleshooting | 26

Component Windows LinuxEnterprise\BESWebUI\WebUI\logs\

Client settings - Verbose Logs for Plugin or Plugin Portal

Parameter Description_BESPluginPortal_Log_Verbose Sets the Plugin Portal Verbose to Off if the value

is 0 (only critical messages are logged); sets it toOn (to enable more logging) if the value is 1. Thedefault value is 0.

_BESPluginPortal_Log_EnabledLogs When Plugin Portal Verbose is enabled, setsthe Plugin Portal message type configuration.Possible values include: all, critical, debug,timing, events. You can add values delimited bysemicolons.Example:

_BESPluginPortal_Log_Verbose = 1_BESPluginPortal_Log_EnabledLogs = events;timing

The default message type is '“all”.

Note: This can have a detrimental impact onPlugin Portal performance.

_WindowsMDMPlugin_LogVerbose Sets the Windows MDM Plugin Verbose On ifthe value is 1 and sets Off if the value is 0. Thedefault value is 0.

_MacMDMPlugin_LogVerbose Sets the macOS Plugin Verbose On if the value is1 and sets Off if the value is 0. The default valueis 0.

Logrotate

Logrotate handles the automatic rotation and compression of log files to manage available diskspace. On 0th minute of every hour, log files are rotated, and old log files are compressed and kept asbackup by running cron jobs in the following containers:

• windowsmdm• macmdm• rabbitmq• openresty

Modern Client Management for BigFix 10 Administrators Guide | 12 - Troubleshooting | 27

The backup file name format is <Filename.log>_<YYYY-MM-DD>_<HH-mm-ss>.gz. For example,mdmgateway.log_2020-06-03_07-13-00.gz

Logs are rotated under the following conditions and backed up to the following log locations.

Container Log location Max File size Rotate CountScheduled cron JOBrunning

For all containers Container’s internalpath

10 MB 10 every hour 0th minute

For macmdm log /var/opt/BESUEM/mac/logs

50 MB 10 every hour 0th minute

For windowsmdmlog

/var/opt/BESUEM/windows/logs

50 MB 10 every hour 0th minute

For openresty log /var/opt/BESUEM/openresty/logs

50 MB 10 every hour 0th minute

Note: If log file size is less than 50 MB, running the logrotate cron job does not create a new logfile.

MCM Debug Logging

Debug logs can help you troubleshoot issues because these logs have an extended logging level. Inthe BESUEM site, look for Fixlets that are marked as TROUBLESHOOTING to enable logging ondifferent MCM components; they are relevant if you have the components available.

Error codesThe following includes commonly encountered error messages and related information.

Windows Endpoint enrollment error codes

Error code Description Cause0x80190191 Unauthorized user User is not authorized.0x80190190 The server could not process the

transfer request.The syntax of the remote file name isinvalid.

0x801901F4 It prevents the apps from openingor forces them to close soon afteropening.

Incorrectly configured system settings orirregular entries in the Windows registry.

0x8600023 Already Imported this Package Importing this PPKG has been attemptedbefore, and the action failed

0x80180026 Device is ExternallyManaged This occurs when a device is locked inProvisioningMode.

0x80192ee7 Network Name Not resolved Either DNS is not available or yourcomputer does not have internet access.

Modern Client Management for BigFix 10 Administrators Guide | 12 - Troubleshooting | 28

Error code Description Cause0x8004002 File Not Found The Provisioning Package file cannot be

read.0x8004005 Access Denied This occurs when UAC is disabled, or when

someone clicks ‘No’ at the MDM enrollmentprompt.

For a comprehensive list of error codes, see https://docs.microsoft.com/en-us/windows/win32/mdmreg/mdm-registration-constants.

Installing Docker CE+ Docker compose on RHEL8RHEL8 does not support Docker CE+ by default. The following information provides a workaroundto install compatible Docker CE+ on RHEL8.

Install Docker CE+Docker compose on RHEL 8

To install Docker CE+Docker compose on RHEL 8:

1. Add the external repository by running the following command.

sudo dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo

a. Verify whether the repository has been enabled. To do that, run the following commandthat returns detailed information about all the enabled repositories.

sudo dnf repolist -v

2. Install docker-ce with the --nobest option. With this option, the first version of docker-ce withsatisfiable dependencies is selected as the "fallback" version.

sudo dnf install --nobest docker-ce

3. Install the latest available containerd.io package manually

sudo dnf install https://download.docker.com/linux/centos/7/x86_64/stable/Packages/containerd.io-1.2.6-3.3.el7.x86_64.rpm

4. Install the latest docker-ce version:

sudo dnf install docker-ce

5. Start and enable the docker daemon

sudo systemctl enable --now docker

a. Confirm whether the daemon is active by running this command:

Modern Client Management for BigFix 10 Administrators Guide | 12 - Troubleshooting | 29

systemctl is-active docker

6. Install docker-compose globally.a. Download the binary file from the project’s GitHub page:

curl -L "https://github.com/docker/compose/releases/download/1.23.2/docker-compose-$(uname -s)-$(uname -m)" -o docker-compose

b. After the binary file is downloaded, move it to the /usr/local/bin folder, and thenmake it executable:

sudo mv docker-compose /usr/local/bin && sudo chmod +x /usr/local/bin/docker-composesudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose

For detailed information, see https://linuxconfig.org/how-to-install-docker-in-rhel-8

After this installation, you might encounter a Docker CE container connectivity issue. Completethese steps to resolve this issue.

Resolve Docker CE container connectivity issueTo resolve Docker CE container connectivity issue:

1. Check which interface Docker is using. For example, 'docker0'.

ip link show

2. Check available firewalld zones. For example, 'public'

sudo firewall-cmd --get-active-zones

3. Check which zone the Docker interface is bound to. Typically, the Docker interface is not boundto a zone yet.

sudo firewall-cmd --get-zone-of-interface=docker0

4. Add the 'docker0' interface to the 'public' zone. Changes are visible only after the firewalld isreloaded

sudo nmcli connection modify docker0 connection.zone public

5. Masquerading enables Docker ingress and egress.

sudo firewall-cmd --zone=public --add-masquerade --permanent

6. Reload the firewalld

sudo firewall-cmd --reload

7. Restart dockerd

sudo systemctl restart docker

Chapter 13. Support

For more information about this product, see the following resources:

• BigFix Support Portal• BigFix Developer• BigFix playlist on YouTube• BigFix Tech Advisors channel on YouTube• BigFix Forum

Chapter 14. Glossary

This glossary provides terms and definitions for the Modern Client Management for BigFix softwareand products.

The following cross-references are used in this glossary:

• See refers you from a nonpreferred term to the preferred term or from an abbreviation to thespelled-out form.

• See also refers you to a related or contrasting term.

A (on page 31) B (on page 32) C (on page 32) D (on page 34) E (on page 35) F(on page 35) G (on page 36) L (on page 36) M (on page 36) N (on page 37) O (onpage 37) P (on page 38) R (on page 38) S (on page 39) T (on page 40) U (on page41) V (on page 41) W (on page 41)

A

action

1. See Fixlet (on page 35).2. A set of Action Script commands that perform an operation or administrative

task, such as installing a patch or rebooting a device.

Action Script

Language used to perform an action on an endpoint.

agent

See BigFix agent (on page 32).

ambiguous software

Software that has an executable file that looks like another executable file, or thatexists in more than one place in a catalog (Microsoft Word as a standalone product orbundled with Microsoft Office).

audit patch

A patch used to detect conditions that cannot be remediated and require the attentionof an administrator. Audit patches contain no actions and cannot be deployed.

automatic computer group

A computer group for which membership is determined at run time by comparing theproperties of a given device against the criteria set for group membership. The set

Modern Client Management for BigFix 10 Administrators Guide | 14 - Glossary | 32

of devices in an automatic group is dynamic, meaning that the group can and doeschange. See also computer group (on page 33).

B

baseline

A collection of actions that are deployed together. A baseline is typically used tosimplify a deployment or to control the order in which a set of actions are applied. Seealso deployment group (on page 34).

BigFix agent

The BigFix code on an endpoint that enables management and monitoring by BigFix.

BigFix client

See BigFix agent (on page 32).

BigFix console

The primary BigFix administrative interface. The console provides a full set ofcapabilities to BigFix administrators.

C

client

A software program or computer that requests services from a server. See also server(on page 39).

client time

The local time on a BigFix client's device.

Cloud

A set of compute and storage instances or services that are running in containers or onvirtual machines.

Common Vulnerabilities and Exposures Identification Number (CVE ID)

A number that identifies a specific entry in the National Vulnerability Database. Avendor's patch document often includes the CVE ID, when it is available. See alsoNational Vulnerability Database (on page 37).

Common Vulnerabilities and Exposures system (CVE)

Modern Client Management for BigFix 10 Administrators Guide | 14 - Glossary | 33

A reference of officially known network vulnerabilities, which is part of the NationalVulnerabilities Database (NVD), maintained by the US National Institute of Standardsand Technology (NIST).

component

An individual action within a deployment that has more than one action. See alsodeployment group (on page 34).

computer group

A group of related computers. An administrator can create computer groups toorganize systems into meaningful categories, and to facilitate deployment of contentto multiple computers. See also automatic computer group (on page 31) andmanual computer group (on page 36).

console

See BigFix console (on page 32).

content

Digitally-signed files that contain data, rules, queries, criteria, and other instructions,packaged for deployment across a network. BigFix agents use the detection criteria(Relevance statements) and action instructions (Action Script statements) in content todetect vulnerabilities and enforce network policies.

content relevance

A determination of whether a patch or piece of software is eligible for deployment toone or more devices. See also device relevance (on page 35).

Coordinated Universal Time (UTC)

The international standard of time that is kept by atomic clocks around the world.

corrupt patch

A patch that flags an operator when corrections made by an earlier patch have beenchanged or compromised. This situation can occur when an earlier service pack orapplication overwrites later files, which results in patched files that are not current.The corrupt patch flags the situation and can be used to re-apply the later patch.

custom content

BigFix code that is created by a customer for use on their own network, for example, acustom patch or baseline.

CVE

See Common Vulnerabilities and Exposures system (on page 32).

CVE ID

See Common Vulnerabilities and Exposures Identification Number (on page 32).

Modern Client Management for BigFix 10 Administrators Guide | 14 - Glossary | 34

D

data stream

A string of information that serves as a source of package data.

default action

The action designated to run when a Fixlet is deployed. When no default action isdefined, the operator is prompted to choose between several actions or to make aninformed decision about a single action.

definitive package

A string of data that serves as the primary method for identifying the presence ofsoftware on a computer.

deploy

To dispatch content to one or more endpoints for execution to accomplish anoperation or task, for example, to install software or update a patch.

deployment

Information about content that is dispatched to one or more endpoints, a specificinstance of dispatched content.

deployment group

The collection of actions created when an operator selects more than one action for adeployment, or a baseline is deployed. See also baseline (on page 32), component(on page 33), deployment window (on page 34), and multiple action group (onpage 37).

deployment state

The eligibility of a deployment to run on endpoints. The state includes parameters thatthe operator sets, such as 'Start at 1AM, end at 3AM.'

deployment status

Cumulative results of all targeted devices, expressed as a percentage of deploymentsuccess.

deployment type

An indication of whether a deployment involved one action or multiple actions.

deployment window

The period during which a deployment's actions are eligible to run. For example,if a Fixlet has a deployment window of 3 days and an eligible device that has beenoffline reports in to BigFix within the 3-day window, it gets the Fixlet. If the devicecomes back online after the 3-day window expires, it does not get the Fixlet. See alsodeployment group (on page 34).

Modern Client Management for BigFix 10 Administrators Guide | 14 - Glossary | 35

device

An endpoint, for example, a laptop, desktop, server, or virtual machine that BigFixmanages; an endpoint running the BigFix Agent.

device holder

The person using a BigFix-managed computer.

device property

Information about a device collected by BigFix, including details about its hardware,operating system, network status, settings, and BigFix client. Custom properties canalso be assigned to a device.

device relevance

A determination of whether a piece of BigFix content applies to applies to a device,for example, where a patch should be applied, software installed, or a baseline run.See also content relevance (on page 33).

device result

The state of a deployment, including the result, on a particular endpoint.

Disaster Server Architecture (DSA)

An architecture that links multiple servers to provide full redundancy in case offailure.

DSA

See Disaster Server Architecture (on page 35).

dynamically targeted

Pertaining to using a computer group to target a deployment.

E

endpoint

A networked device running the BigFix agent.

F

filter

To reduce a list of items to those that share specific attributes.

Fixlet

Modern Client Management for BigFix 10 Administrators Guide | 14 - Glossary | 36

A piece of BigFix content that contains Relevance and Action Script statementsbundled together to perform an operation or task. Fixlets are the basic building blocksof BigFix content. A Fixlet provides instructions to the BigFix agent to perform anetwork management or reporting action.

G

group deployment

A type of deployment in which multiple actions were deployed to one or moredevices.

H

Hybrid cloud

The utilization of distinct sets of cloud services (typically public and private) withintegration and/or orchestration across them.

L

locked

An endpoint state that prevents most of the BigFix actions from running until thedevice is unlocked.

M

MAG

See multiple action group (on page 37).

management rights

The limitation of console operators to a specified group of computers. Only a siteadministrator or a master operator can assign management rights.

manual computer group

Modern Client Management for BigFix 10 Administrators Guide | 14 - Glossary | 37

A computer group for which membership is determined through selection by anoperator. The set of devices in a manual group is static, meaning they do not change.See also computer group (on page 33).

master operator

A console operator with administrative rights. A master operator can do everythingthat a site administrator can do, except creating operators.

masthead

A collection of files that contain the parameters of the BigFix process, includingURLs to Fixlet content. The BigFix agent brings content into the enterprise based onsubscribed mastheads.

mirror server

A BigFix server required if the enterprise does not allow direct web access but insteaduses a proxy server that requires password-level authentication.

Multicloud

The utilization of distinct sets of cloud services, typically from multiple vendors,where specific applications are confined to a single cloud instance.

multiple action group (MAG)

A BigFix object that is created when multiple actions are deployed together, as in abaseline. A MAG contains multiple Fixlets or tasks. See also deployment group (onpage 34).

N

National Vulnerability Database (NVD)

A catalog of officially known information security vulnerabilities and exposures,which is maintained by the National Institute of Standards and Technology (NIST).See also Common Vulnerabilities and Exposures Identification Number (on page32).

NVD

See National Vulnerability Database (on page 37).

O

offer

Modern Client Management for BigFix 10 Administrators Guide | 14 - Glossary | 38

A deployment option that allows a device holder to accept or decline a BigFix actionand to exercise some control over when it runs. For example, a device holder candecide whether to install a software application, and whether to run the installation atnight or during the day.

open-ended deployment

A deployment with no end or expiration date; one that runs continuously, checkingwhether the computers on a network comply.

operator

A person who uses the BigFix WebUI, or portions of the BigFix console.

P

patch

A piece of code added to vendor software to fix a problem, as an immediate solutionthat is provided to users between two releases.

patch category

A description of a patch's type and general area of operation, for example, a bug fix ora service pack.

patch severity

The level of risk imposed by a network threat or vulnerability and, by extension, theimportance of applying its patch.

R

relay

A client that is running special server software. Relays spare the server and thenetwork by minimizing direct server-client downloads and by compressing upstreamdata.

Relevance

BigFix query language that is used to determine the applicability of a piece of contentto a specified endpoint. Relevance asks yes or no questions and evaluates the results.The result of a Relevance query determines whether an action can or should beapplied. Relevance is paired with Action Script in Fixlets.

Modern Client Management for BigFix 10 Administrators Guide | 14 - Glossary | 39

S

SCAP

See Security Content Automation Protocol (on page 39).

SCAP check

A specific configuration check within a Security Content Automation Protocol(SCAP) checklist. Checks are written in XCCDF and are required to include SCAPenumerations and mappings per the SCAP template.

SCAP checklist

A configuration checklist that is written in a machine-readable language (XCCDF).Security Content Automation Protocol (SCAP) checklists have been submitted to andaccepted by the NIST National Checklist Program. They also conform to a SCAPtemplate to ensure compatibility with SCAP products and services.

SCAP content

A repository that consists of security checklist data represented in automated XMLformats, vulnerability and product name related enumerations, and mappings betweenthe enumerations.

SCAP enumeration

A list of all known security related software flaws (CVEs), known softwareconfiguration issues (CCEs), and standard vendor and product names (CPEs).

SCAP mapping

The interrelationship of enumerations that provides standards-based impactmeasurements for software flaws and configuration issues.

Security Content Automation Protocol (SCAP)

A set of standards that is used to automate, measure, and manage vulnerability andcompliance by the National Institute of Standards and Technology (NIST).

server

A software program or a computer that provides services to other software programsor other computers. See also client (on page 32).

signing password

A password that is used by a console operator to sign an action for deployment.

single deployment

A type of deployment where a single action was deployed to one or more devices.

site

A collection of BigFix content. A site organizes similar content together.

Modern Client Management for BigFix 10 Administrators Guide | 14 - Glossary | 40

site administrator

The person who is in charge of installing BigFix and authorizing and creating newconsole operators.

software package

A collection of Fixlets that install a software product on a device. Software packagesare uploaded to BigFix by an operator for distribution. A BigFix software packageincludes the installation files, Fixlets to install the files, and information about thepackage (metadata).

SQL Server

A full-scale database engine from Microsoft that can be acquired and installed into theBigFix system to satisfy more than the basic reporting and data storage needs.

standard deployment

A deployment of BigFix that applies to workgroups and to enterprises with a singleadministrative domain. It is intended for a setting in which all Client computers havedirect access to a single internal server.

statistically targeted

Pertaining to the method used to target a deployment to a device or piece of content.Statically targeted devices are selected manually by an operator.

superseded patch

A type of patch that notifies an operator when an earlier version of a patch has beenreplaced by a later version. This occurs when a later patch updates the same files as anearlier one. Superseded patches flag vulnerabilities that can be remediated by a laterpatch. A superseded patch cannot be deployed.

system power state

A definition of the overall power consumption of a system. BigFix PowerManagement tracks four main power states Active, Idle, Standby or Hibernation, andPower Off.

T

target

To match content with devices in a deployment, either by selecting the content fordeployment, or selecting the devices to receive content.

targeting

The method used to specify the endpoints in a deployment.

task

Modern Client Management for BigFix 10 Administrators Guide | 14 - Glossary | 41

A type of Fixlet designed for re-use, for example, to perform an ongoing maintenancetask.

U

UTC

See Coordinated Universal Time (on page 33).

V

virtual private network (VPN)

An extension of a company intranet over the existing framework of either a public orprivate network. A VPN ensures that the data that is sent between the two endpointsof its connection remains secure.

VPN

See virtual private network (on page 41).

vulnerability

A security exposure in an operating system, system software, or application softwarecomponent.

W

Wake-from-Standby

A mode that allows an application to turn a computer on from standby mode duringpredefined times, without the need for Wake on LAN.

Wake on LAN

A technology that enables a user to remotely turn on systems for off-hoursmaintenance. A result of the Intel-IBM Advanced Manageability Alliance and partof the Wired for Management Baseline Specification, users of this technology canremotely turn on a server and control it across the network, thus saving time onautomated software installations, upgrades, disk backups, and virus scans.

WAN

See wide area network (on page 41).

wide area network (WAN)

Modern Client Management for BigFix 10 Administrators Guide | 14 - Glossary | 42

A network that provides communication services among devices in a geographic arealarger than that served by a local area network (LAN) or a metropolitan area network(MAN).

Notices

This information was developed for products and services offered in the US.

HCL may not offer the products, services, or features discussed in this document in other countries.Consult your local HCL representative for information on the products and services currentlyavailable in your area. Any reference to an HCL product, program, or service is not intended to stateor imply that only that HCL product, program, or service may be used. Any functionally equivalentproduct, program, or service that does not infringe any HCL intellectual property right may be usedinstead. However, it is the user's responsibility to evaluate and verify the operation of any non-HCLproduct, program, or service.

HCL may have patents or pending patent applications covering subject matter described in thisdocument. The furnishing of this document does not grant you any license to these patents. You cansend license inquiries, in writing, to:

HCL330 Potrero Ave.Sunnyvale, CA 94085USAAttention: Office of the General Counsel

For license inquiries regarding double-byte character set (DBCS) information, contact the HCLIntellectual Property Department in your country or send inquiries, in writing, to:

HCL330 Potrero Ave.Sunnyvale, CA 94085USAAttention: Office of the General Counsel

HCL TECHNOLOGIES LTD. PROVIDES THIS PUBLICATION "AS IS" WITHOUTWARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUTNOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions donot allow disclaimer of express or implied warranties in certain transactions, therefore, this statementmay not apply to you.

This information could include technical inaccuracies or typographical errors. Changes areperiodically made to the information herein; these changes will be incorporated in new editions of thepublication. HCL may make improvements and/or changes in the product(s) and/or the program(s)described in this publication at any time without notice.

Any references in this information to non-HCL websites are provided for convenience only and donot in any manner serve as an endorsement of those websites. The materials at those websites are notpart of the materials for this HCL product and use of those websites is at your own risk.

HCL may use or distribute any of the information you provide in any way it believes appropriatewithout incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) theexchange of information between independently created programs and other programs (including thisone) and (ii) the mutual use of the information which has been exchanged, should contact:

HCL330 Potrero Ave.Sunnyvale, CA 94085USAAttention: Office of the General Counsel

Such information may be available, subject to appropriate terms and conditions, including in somecases, payment of a fee.

The licensed program described in this document and all licensed material available for it areprovided by HCL under terms of the HCL Customer Agreement, HCL International Program LicenseAgreement or any equivalent agreement between us.

The performance data discussed herein is presented as derived under specific operating conditions.Actual results may vary.

Information concerning non-HCL products was obtained from the suppliers of those products, theirpublished announcements or other publicly available sources. HCL has not tested those products andcannot confirm the accuracy of performance, compatibility or any other claims related to non-HCLproducts. Questions on the capabilities of non-HCL products should be addressed to the suppliers ofthose products.

Statements regarding HCL's future direction or intent are subject to change or withdrawal withoutnotice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. Toillustrate them as completely as possible, the examples include the names of individuals, companies,brands, and products. All of these names are fictitious and any similarity to actual people or businessenterprises is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrateprogramming techniques on various operating platforms. You may copy, modify, and distributethese sample programs in any form without payment to HCL, for the purposes of developing, using,marketing or distributing application programs conforming to the application programming interfacefor the operating platform for which the sample programs are written. These examples have notbeen thoroughly tested under all conditions. HCL, therefore, cannot guarantee or imply reliability,serviceability, or function of these programs. The sample programs are provided "AS IS," withoutwarranty of any kind. HCL shall not be liable for any damages arising out of your use of the sampleprograms.

Each copy or any portion of these sample programs or any derivative work must include a copyrightnotice as follows:© (your company name) (year).Portions of this code are derived from HCL Ltd. Sample Programs.

TrademarksHCL Technologies Ltd. and HCL Technologies Ltd. logo, and hcl.com are trademarks or registeredtrademarks of HCL Technologies Ltd., registered in many jurisdictions worldwide.

Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks ortrademarks of Adobe Systems Incorporated in the United States, and/or other countries.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporationin the United States, other countries, or both.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other product and service names might be trademarks of HCL or other companies.

Terms and conditions for product documentationPermissions for the use of these publications are granted subject to the following terms andconditions.

Applicability

These terms and conditions are in addition to any terms of use for the HCL website.

Personal use

You may reproduce these publications for your personal, noncommercial use provided that allproprietary notices are preserved. You may not distribute, display or make derivative work of thesepublications, or any portion thereof, without the express consent of HCL.

Commercial use

You may reproduce, distribute and display these publications solely within your enterprise providedthat all proprietary notices are preserved. You may not make derivative works of these publications,or reproduce, distribute or display these publications or any portion thereof outside your enterprise,without the express consent of HCL.

Rights

Except as expressly granted in this permission, no other permissions, licenses or rights are granted,either express or implied, to the publications or any information, data, software or other intellectualproperty contained therein.

HCL reserves the right to withdraw the permissions granted herein whenever, in its discretion, theuse of the publications is detrimental to its interest or, as determined by HCL, the above instructionsare not being properly followed.

You may not download, export or re-export this information except in full compliance with allapplicable laws and regulations, including all United States export laws and regulations.

HCL MAKES NO GUARANTEE ABOUT THE CONTENT OF THESE PUBLICATIONS.THE PUBLICATIONS ARE PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANYKIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIEDWARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR APARTICULAR PURPOSE.