Welcome
Configuration Guide
Learn how to configure BigFix according to your needs.
Four Eyes Approval Capability
Enabling Four Eyes Approval Capability on the BigFix Server.

BigFix Documentation Homepage
BigFix 11 Platform Documentation
Welcome to the BigFix Platform documentation, where you can find information about how to install, maintain, and use BigFix.
Detailed system requirements
The content of this page has moved to the HCL Support site. You will be redirected shortly. If the auto-redirect fails for some reason, use this link: https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0104120.
Platform guides in PDF format
Following is a list of links to the BigFix Platform user guides in PDF format:
Common Criteria Certification
Getting Started
Use this section to become familiar with BigFix infrastructure and key concepts necessary to understand how it works.
HTTPS across BigFix applications
This topic describes how the SSL/HTTPS communication works in BigFix applications and links the tasks on how to configure it.
Installation Guide
Learn the system requirements, licensing and installation instructions, and how to configure and maintain BigFix.
Configuration Guide
Learn how to configure BigFix according to your needs.
- Introduction
  This guide explains additional configuration steps that you can run in your environment after installation.
- BigFix Site Administrator and Console Operators
  In BigFix there are two basic classes of users.
- Integrating with LDAP or Microsoft Entra ID
  You can add Identity Providers associations to BigFix.
- Enabling SAML V2.0 authentication for identity provider operators
  BigFix supports SAML V2.0 authentication via LDAP-backed SAML identity providers.
- Disabling local operators
  Starting from BigFix Version 10.0.8, this feature provides a mechanism where the creation and use of any local operator is prohibited in favor of LDAP-based operators.
- Disaster Server Architecture
  BigFix Distributed Server Architecture (DSA) has a highly sophisticated built-in ability to install multiple servers that will replicate information from each other for the purpose of disaster recovery. When configured and in the event of a failure of one server, other servers will automatically takeover as fully-functional servers (will receive data from the relays and clients and accept console connections). When the failed server is restored, it will automatically receive updated information.
- Using multiple servers (DSA)
  Some important elements of multiple server installations.
- Server object IDs
  The BigFix server generates unique ids for the objects that it creates: Fixlets, tasks, baselines, properties, analysis, actions, roles, custom sites, computer groups, management rights, subscriptions.
- Using the DHE/ECDHE key exchange method
  By default, BigFixVersion 11 components use the DHE/ECDHE key exchange method if the version of the BigFix component on the other side of the SSL communication allows it.
- Configuring secure communication
- Configuring bearer token authentication
  Starting with BigFix Platform v11.0.6, operators can authenticate to BigFix services (BigFix Server REST APIs, BigFix Explorer REST APIs and the IEM CLI) using personal bearer tokens.
- Real Time AV Exclusions
  BigFix Console, Server and Relay components of the architecture perform high volume file operations. This activity is a substantial part of the functionality that these BigFix architecture components provide.
- Downloading files in air-gapped environments
  In air-gapped environments, to download and transfer files to the main BigFix server, use the Airgap utility and the BES Download Cacher utility.
- Getting client information by using BigFix Query
  The BigFix Query feature allows you to retrieve information and run relevance queries on client workstations from the WebUI BigFix Query Application or by using REST APIs.
- BES Server Plugin Service
  For the BigFix Server Plugin Service installation and setup, see BigFix Server Plugin Service installation and configuration.
- The Plugin Portal
  The Plugin Portal is a new component introduced in BigFix 10 to help manage cloud devices as well as modern devices such as Windows 10 and MacOS endpoints enrolled to BigFix. For details on modern client management, see Modern Client Management and BigFix Mobile.
- Extending BigFix management capabilities
  BigFix 11 delivers a few significant new functions for enhancing the visibility and management of devices on your network regardless of whether the devices are physical or virtual.
- Persistent connections
  The capability to establish persistent connections was added to the product.
- Relays in DMZ
  The capability to establish a persistent TCP connection between the parent relay in the more secure zone and its child relay inside the DMZ network was added to the product. This allows you to manage systems in a demilitarized zone (DMZ network).
- Working with PeerNest
  The BigFix Client includes a new feature named PeerNest, that allows to share binary files among Clients located in the same subnet. The feature is available starting from BigFix Version 9.5 Patch 11.
- Archiving Client files on the BigFix Server
  You can collect multiple files from BigFix clients into an archive and move them through the relay system to the server.
- BigFix Configuration Settings
  A number of advanced BigFix configuration settings are available that can give you substantial control over the behavior of the BigFix suite. These options allow you to customize the behavior of the BigFix server, relays, and clients in your network.
- Additional configuration steps
  These topics explain additional configuration steps that you can run in your environment.
- Migrating the BigFix Server (Windows/MS-SQL)
  This section details the steps and operational procedures necessary for migrating the BigFix Server from existing hardware onto new computer systems.
- Migrating the BigFix Server (Linux)
  This section provides basic information on migrating your BigFix Server from existing Linux hardware onto new systems.
- Migrating the BigFix Server from Windows to Red Hat 9 with SQL Server
  Starting from BigFix Version 11.0.1, you can migrate BigFix Platform from a Windows operating system to a Red Hat 9 operating system with Microsoft SQL Server 2022 Database, both using a local or a remote database.
- Configuring logs
  This page describes how to enable, disable, and configure the logs of the various BigFix components and the audit log files.
- List of advanced options
  The following lists show the advanced options.
- Security Configuration Scenarios
  Starting from Version 11, BigFix provides the capability to configure several security options.
- Enabling Microsoft Control Flow Guard on BigFix Server
  Starting from BigFix version 11.0.3, the BigFix Server implements the Microsoft Control Flow Guard (CFG) security feature on Windows systems; the BigFix Server executables:
- Client certificate
  To comply with the modern industry standards, starting from product version 10.0.7, the client certificate of the BigFix Agent will have a validity period of 13 months.
- Client Authentication
  Client Authentication (introduced in version 9) extends the security model used by BigFix to encompass trusted client reports and private messages.
- Four Eyes Approval Capability
  Enabling Four Eyes Approval Capability on the BigFix Server.
- Representative Computers Selection Wizard
  Representative Computers Selection Wizard selects certain BigFix Clients in each subnet as representative computers based on custom criteria. Designated representative computers can be used for targeting tasks that require only a few reliable or high end machines within a subnet or group, such as for selecting BigFix Relays or NMAP scan points.
- Maintenance and Troubleshooting
  If you are subscribed to the Patches for Windows site, you can ensure that you have the latest upgrades and patches to your SQL server database servers.
Console Operator's Guide
Learn how to work with the BigFix Console.
Asset Discovery User's Guide
Learn how BigFix Asset Discovery works.
Web Reports Guide
Learn how the Web Reports feature extends the power of BigFix.
BigFix Explorer Guide
Learn how the BigFix Explorer feature extends the power of BigFix.
WebUI User's Guide
Read this guide for an introduction to the WebUI tools, concepts, and terminology.
WebUI Administration Guide
Read this guide for information about installing and administering the WebUI.
Glossary
This glossary provides terms and definitions for the BigFix software and products.

Four Eyes Approval Capability

Enabling Four Eyes Approval Capability on the BigFix Server.

Description

The Four Eyes Approval feature is used to prevent console operators from unilaterally taking actions on the endpoints within their control. After this feature is enabled, operators taking console actions will require the approval of a console operator who is also a member of a specified "approvers" Role.

Access

Only System Administrators and Master Operators with access to the Site Administrator Private Key Password can access and configure this feature.

How to use it

Follow the steps below to enable this feature in your deployment:

To open the BigFix Administration Tool, click the Start menu on your computer and select BigFix >BigFix Administration Tool.
When the tool dashboard opens, click the Advanced Options tab and Click Add.
In the Name field, type “useFourEyesAuthentication”; in the Value field, type “true”; and then click OK.
Click OK to exit the BigFix Administration Tool.
Restart the BES Root Server service on your BigFix server and restart the BigFix Console.
From the Console, click the Tools>Create Role.
Enter a name for the role (e.g., Approvers) and click OK. Note: The Role does not require any additional/special permissions.
Make one or more BigFix operators members of the role. Note: The BigFix Operators can be Local or AD/LDAP.
Click the Operators node in the Console navigation tree. This will open an Action window. In the Details tab, select the Actions Require Approval check box and select the role created in the previous step from the drop-down list.
Click Save Changesat the top of the window.

NOTE: Do not require approval from your own console actions. As a best practice, ensure that another Master Operator sets this option for you.

LIMITATION: WebUI does not support the Four Eyes Authentication Capability. Operators that want to deploy actions from the WebUI must have Approval disabled in their configuration.