Profile Management tasks

You can enforce device compliance by creating and deploying profiles.

Operators can work with Windows 10 or MAC OS profiles by selecting Profile from the content list.

Profile List View

The list displays the profiles that the logged-in operator is authorized to manage. Depending on the specific user role and permissions, some profile actions might not be available. For more information, see Operator permissions and associated profile actions.
Profile List View

In the Profile list, the profiles are displayed in order of creation time. You can also sort profiles by name, or by Last modified. On the left, you can set more filters, such as selecting to display only those profiles that have applicable devices, displaying profiles that are created only for Windows 10 or MAC OS devices, filtering for profiles that are owned by you or another operator, or viewing profiles that were modified within a specified time interval.

For each profile, you can view how many devices are relevant (currently not compliant) for that profile. Directly below, you can view the number of open deployments for the profile. For information about profile deployments and how they work, see Profile compliance behavior.

Create a profile

To create a new profile, from the Profile list view click Add Profile, and select the the Operating System. You must specify a Profile Name, Description, and select the Site in which the profile is created. For details about the profile properties, seeProfile attributes for Windows 10 devices and Profile properties for MAC OS X devices. When you save the profile, a Fixlet is created. When you deploy the profile, the Fixlet is run on the computers that are subscribed to the specified site. The Fixlet checks if the current settings on the devices meet the security settings that are specified in the profile. If the settings on the devices are less restrictive, they are marked as relevant for the profile and are considered not compliant.

View or edit a profile

To view or edit profile properties, click the profile name. The Profile Overview page is displayed.


Profile Overview Page
In the Overview page you can drill down to view detailed information pages by using the summary links. You can view details about which devices are noncompliant, the list of open or failed deployments, and which deployments occurred in the last 24 hours. The percentage of noncompliant devices is calculated from the total number of subscribed computers to the site where the profile is stored.

On the right, you can view the login name of the operator that created the profile, the operator that last modified the profile, and the date and time of the last modification. From this page, you can also deploy the profile.

Several checks are completed to determine whether the profile can be edited or not. A lock icon indicates that the profile cannot be edited because there are open deployments for it, or because the currently logged in operator does not have permission to create (edit) custom content. The link text View Profile is displayed after the lock symbol. A warning message indicates the reason. When you open the profile, the Save option is disabled. If the profile is editable, when you click the link the profile page is opened in edit mode. Make the required changes and click Save.

Open deployments and profile updates

When there are open deployments for a profile, the profile is locked and cannot be edited. If you want to change policies in a profile, you must first stop any open deployments for that profile before you can edit and make the required changes. When the new profile attributes are saved, you must redeploy the profile to activate enforcement.

Copy a profile

You can make a new copy of a selected profile. From the Profile List view, click the profile that you want to copy. On the Overview page, click View Profile or Edit Profile depending on whether the profile can be edited or not. In the profile properties page, click Copy. A new profile page is displayed with the settings of the source profile. The new profile name contains the source profile name followed by - Copy. For example, If you are copying a profile that is named Winprf1, the new profile name is Winprf1 - Copy You can change the name, site, description, and any other category settings as required. Click Save to create the profile.

Delete a profile

You can delete a profile from the edit profile page, only if no open deployments exist for it. Select the corresponding action and confirm your choice.

Deploy a profile

  1. From the Profile List view select a profile and click Deploy. Alternatively, you can click the Profile name and deploy it from the Profile Overview page.
  2. The list of devices for which the profile is relevant are displayed. Select one or more devices, or device groups and click Next. You can use filters to select devices that satisfy specific criteria, such as by Operating system, or IP address.
  3. In the Configure section, by default, the deployment is open-ended. If you clear this option, you can specify an End Time. Click Next. Review your options and click Deploy, or Cancel to return to the profile list.
When you deploy a profile. In the DEPLOYMENTS view, the profile state is Open indicating that continuous compliance checking and automatic enforcement are active. By default, if a device becomes noncompliant, meaning that the device is relevant again for the selected profile, the profile is automatically reapplied, except if the current configuration on the target is more restrictive than the configuration enforced in the profile.
Important:
  • The profile is automatically reapplied indefinitely when it becomes relevant again. This behavior is always valid unless you stop the deployment, or clear the open-ended deployment option, in which case, the profile is reapplied only until the specified End Time.
  • If a deployment fails for any reason, the status of the associated task remains in Waiting in the WeBUI. This behavior is implemented by the "Retry on Failure" mechanism, explained in Retry on failure.
For information about troubleshooting deployments, see Troubleshooting profile deployments.

Retry on failure

BigFix Profile Management implements a "Retry on Failure" mechanism. If a deployment fails, the corresponding task remains in Waiting state in the WebUI, and every 15 minutes the feature attempts to reapply the profile for 999 times. The deployment state changes when profile is reapplied successfully or when the retry interval counter expires. In the first case, the deployment status changes to Fixed, while in the second case the deployment status changes to Failed.

To check what is happening when the deployment status is still in Waiting, you can log in to the BigFix Console. There are exit codes for the failed action that is associated to the deployment. For exit codes relative to Mac OS X profile deployments, see Troubleshooting profile deployments.

Stop a deployment

From the deployments view, select the open deployments that you want to stop and click the corresponding action. You can apply one or more filters to the deployments list, such as by Failure rate, issuer, deployment type, and others. You are asked to confirm the stop request.