List of advanced options
The following lists show the advanced options. You can set them with the BESAdmin.sh script on Linux using the following syntax:
./BESAdmin.sh -setadvancedoptions -sitePvkLocation=<path+license.pvk>
[-sitePvkPassword=<password>]
{ -list | -display
| [ -f ] -delete option_name
| [ -f ] -update option_name=option_value }
<path+license.pvk> used in the command syntax stands for path_to_license_file/license.pvk.
These options are typically supplied by your HCL Software Support.
Advanced options for disabling functions
- disableNmoSiteManagementDialog
- If set to "1", the site management dialog is unavailable to non-master operators (NMOs).
- disableNmoComments
- If set to "1", NMOs cannot add comments. NMOs will still be able to view comments.
- disableNmoManualGroups
- If set to "1", NMOs cannot add or remove computers from manual groups, and see manual groups that none of their computers are members of.
- disableGlobalRelayVisibility
- If set to "1", NMOs cannot see relays in the relay-selection drop-downs in the console that don't belong to them. The exception is if they view a machine that is currently configured to report to a relay not administered by them; in this case, that relay appears in the list as well.
- disableNmoRelaySelModeChanges
- If set to "1", NMOs cannot toggle automatic relay selection on and off.
- disableDebugDialog
- If set to "1", the keyboard sequence CTRL-ALT-SHIFT-D cannot be used to open up the console's debug dialog.
- disableComputerNameTargeting
- If set to "1", the third radio option "target by list of computer names" is removed on the targeting tab of the take action dialog.
- allowOfferCreation
- If set to "0", the 'Offer' tab in the Take Action Dialog is disabled. Offer presets in Fixlets are ignored by the console.
- disableNmoCustomSiteSubscribe
- If set to "1", the "Modify Custom Site Subscriptions" menu item is disabled for all NMOs.
Advanced options for password policies
- passwordComplexityRegex
- Specifies a perl-style regular expression to use as a password complexity requirement when choosing or changing operator passwords. These are some examples:
- Require a 6-letter or longer password that does not equal the string 'bigfix'.
(?![bB][iI][gG][fF][iI][xX]).{6,}
- Require a 6-letter or longer password containing lowercase, uppercase, and punctuation.
(?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:punct:]]).{6,}
- Require an eight-character or longer password that contains 3 of the following 4 character classes: lowercase, uppercase, punctuation, and numeric.
((?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:punct:]])|(?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:digit:]])|(?=.*[[:lower:]])(?=.*[[:digit:]])(?=.*[[:punct:]])|(?=.*[[:digit:]])(?=.*[[:upper:]])(?=.*[[:punct:]])).{8,}
Note: The Site Administrator passwords are not affected by this complexity requirement.
- passwordComplexityDescription
- Specifies a description of the password complexity requirement. This string is displayed to the user when a password choice fails the complexity requirements set using the passwordComplexity option. An example of a password complexity description is "Passwords must have at least 6 characters." If you do not set this value but you set the passwordComplexityRegex setting, the description set in passwordComplexityRegex is displayed to the user.
- passwordsRemembered
- Specifies the number of unique new passwords that can be set for a user account before an old password can be reused. The default value is "0".
- maximumPasswordAgeDays
- Specifies the number of days that a password can be used before the system requires the user to change it. The default value is "0" (no maximum).
- minimumPasswordLength
- Specifies the least number of characters that a password for a user account can contain. The default value is "6". This is a usage example of this option:
./BESAdmin.sh -setadvancedoptions -sitePvkLocation=LOCATION -sitePvkPassword=PASSWORD -update minimumPasswordLength=9
- enforcePasswordComplexity
- If set to '1' or 'true', the passwords must meet the following minimum requirements:
- They must not contain the user's account name or parts of the user's full name that exceed two consecutive characters.
- They must be at least six characters long.
- They must contain characters from three of the following four categories:
- English uppercase characters (A through Z)
- English lowercase characters (a through z)
- Base 10 digits (0 through 9)
- Non-alphabetic characters (for example, !, $, #, %)
Complexity requirements are enforced when passwords are changed or created. The default value is "0".
- accountLockoutThreshold
- Specifies the number of incorrect logon attempts for a user name before the account is locked for accountLockoutDurationSeconds seconds. The default value is "5".
- accountLockoutDurationSeconds
- Specifies the number of seconds that an account gets locked after accountLockoutThreshold failed logon attempts. The default value is "1800".
Advanced options for targeting restrictions
Use these advanced options to specify the targeting restrictions globally. If you want to set them for a specific user, add those settings in the registry key of the BigFix Console computer under the hive HKEY_CURRENT_USER\Software\BigFix\Enterprise Console\Targeting as a DWORD.
- targetBySpecificListLimit
- Specifies the maximum number of computers that can be targeted by individual selection. The default value is 10000.
Note: This option is also used to set the target limit for the REST API request. If the restriction is exceeded, the Server responds to the request with error code "413 - Content too large".
- targetBySpecificListWarning
- Specifies the threshold for the number of computers that can be targeted by individual selection before the console displays a warning message. The default value is 1000.
- targetByListSizeLimit
- Specifies the maximum number of bytes that can be supplied when targeting by textual list of computer names. The default value is 100000.
targetBySpecificListLimit => SpecificListLimit
targetBySpecificListWarning => SpecificListWarning
targetByListSizeLimit => ByListSizeLimit
[HKEY_CURRENT_USER\Software\BigFix\Enterprise Console\Targeting]
"SpecificListLimit"=dword:00002328
Advanced options for authentication
- loginTimeoutSeconds
- Specifies the amount of idle time in seconds before the console requires the user to authenticate again to take certain actions. The timer is reset every time the user authenticates or does an action that would have required authentication within the idle time threshold. The default value is infinity.
- loginWarningBanner
- Specifies the text to show to any user after he/she logs into the Console or Web Reports. The user must click OK to continue. This is a usage example of this option:
./BESAdmin.sh -setadvancedoptions -sitePvkLocation=/root/backup/license.pvk -sitePvkPassword=pippo000 -update loginWarningBanner='new message'
- timeoutLockMinutes
- Specifies how many idle time minutes must elapse before the console requires the user to authenticate again. This setting is different from loginTimeoutSeconds because timeoutLockMinutes hides the entire console to prevent any other user from seeing or using it. The idle time refers to the lack of any type of input to the session including key buttons, mouse clicks, and mouse movements.
This option does not take any effect on the console if an operator accesses it using the Windows session credentials (Windows authentication).
- timeoutLogoutMinutes
- Specifies how many idle time minutes must elapse before the console is closed. This setting is different from loginTimeoutSeconds and timeoutLockMinutes, because timeoutLogoutMinutes closes the console completely. The idle time refers to the lack of any type of input to the session including key buttons, mouse clicks, and mouse movements.
This option was introduced with BigFix V9.5.11.
Advanced options for customizing computer removal
By default, inactive computers are not automatically managed by BigFix: they continue to be displayed in the console views unless you mark them as deleted by deleting their entries from the Computers list view, and their data is always kept in the database, filling in tables with unused data.
You can modify this behavior by specifying advanced options that mark inactive computers as deleted, hiding them in the console views, and remove their data from the BigFix database.
In this way the console views show only the computers that reported back to the BigFix server within a specified number of days and the database runs faster because you free more disk space.
- inactiveComputerDeletionDays
- Specifies the number of consecutive days that a computer does not report back to the BigFix server before it is marked as deleted. When the computer reports back again, the computer is no longer marked as deleted and an entry for it is shown again in the console views. The default value for this option is 0, which means that inactive computers are never automatically marked as deleted.
- inactiveComputerPurgeDays
- Specifies the number of consecutive days that a computer does not report back to the BigFix server before its data is deleted from the BigFix database. When the computer reports back again, it is requested to send back a full refresh to restore its data in the database and it is no longer marked as deleted. The default value for this option is 0, which means that computer data is never automatically removed from the database.
- inactiveComputerPurgeBatchSize
- On a daily basis, BigFix runs an internal task that removes from the database the data of the computers for which inactiveComputerPurgeDays elapsed. The task deletes the computer data, including the computer's hostname, in buffers to avoid potential load to the database. The inactiveComputerPurgeBatchSize value specifies how many computers are cleaned up in the database in each buffer. The default value for this option is 1000. If the computer reports back again, the matching with its entry in the database is done using the computer ID.
Note: Specify the option inactiveComputerPurgeBatchSize if you assigned a value different from 0 to inactiveComputerPurgeDays.
Advanced options for customizing BigFix Query
You can optionally set some parameters to customize the BigFix Query feature.
- queryHoursToLive
- Determines how many hours the BigFix Query requests are kept in the database. The default value for this option is 1440, which corresponds to 60 days. Valid values are from 0 to 8760, that means 1 year.
- queryResultsHoursToLive
- Determines how many hours the BigFix Query results are kept in the database. The default value is 4 hours, and the valid values are from 1 to 336 (two weeks). If you enter a value that lies outside this range, the default value is used.
- queryPurgeBatchSize
- The entries in the database that represent requests and results for which queryHoursToLive or queryResultsHoursToLive elapsed, are deleted from the database in buffers. This advanced option determines the number of database entries contained in each of these buffers. The default value for this option is 100000 bytes, which means 100 KB.
- queryPerformanceDataPath
- Defines the path of the log file that stores the performance information about FillDB - server interaction when running BigFix Queries. The default value for this option is none.
- _Enterprise Server_ BigFix Query_MaxTargetsForGroups
- Determines the highest number of targets that a BigFix Query request, targeted by group, can be addressed to. If the number of targets exceeds the specified value, the BigFix Query request is sent to all clients and each client determines whether or not it is a member of the targeted group. If the number of targets does not exceed the specified value, the BigFix Query request is sent only to clients that are members of the group. You can configure this setting on the BigFix console by selecting the server in the Computers list and clicking Edit settings. The default value for this option is 100.
Other advanced options
- automaticBackupLocation
- If set to an existing path, accessible both by root and by the database instance owner, by default db2inst1, this option enables the BigFix Server to run automatically the backup of the BFENT and BESREPOR databases before and after running the upgrade process.
This option is available only for Linux BigFix Servers V9.5.3 and later.
For more information, see Automatic DB2 databases backup upon upgrade.
- clientIdentityMatch
- This advanced option can help you to avoid having duplicate computer entries when the endpoints are detected as possible clones by the BigFix Server. The BigFix Server can use the existing computer information to try to match the identity of a Client and reassign the same ComputerID to computers that might have been rolled back or restored.
If clientIdentityMatch=0, the BigFix Server performs strict clone detection. This means that, if the BigFix Server receives a registration request from a Client that was rolled back or restored, the Server invalidates the old ComputerID, resets the old Client definition, and assigns a new ComputerID to the registering Client. This is the default behavior and is the same way the BigFix Servers earlier than V9.5.7 operate.
If clientIdentityMatch=100, the BigFix Server performs an additional check before assigning a new ComputerID to a registering Client to avoid creating cloned computer entries. This means that the BigFix Server tries to determine if the information about the rolled-back Client sufficiently matches the data held for that ComputerID. If the identity of the Client is matched, the Client keeps using the old ComputerID and its identity is not reset.
For more information, see Avoiding duplicates when a Client is restored.
- includeSFIDsInBaselineActions
- If set to "1", it requires the console to include source Fixlet IDs when emitting baseline actions. Emitting these IDs is not compatible with 5.1 clients.
- defaultHiddenFixletSiteIDs
- This option allows you to selectively change the default Fixlet visibility on a per-site basis. It only takes effect when global default Fixlet hiding is not in use. You specify a comma-separated list of all the site IDs to be hidden by default. The list of site IDs is in the SITENAMEMAP table in the database.
- defaultOperatorRolePermissions
- This option allows you to change the default permissions that apply when you create operators and roles. It can take the following values:
- 0: Operators and roles are created with the default permissions that applied until BigFix V9.5.10.
- 1: Operators and roles are created with minimum default permissions. The same default settings apply even when you do not set any value.
- 2: Operators and roles are created with minimum default permissions as in the previous case, except that Show Other Operators' Actions is set to Yes and Unmanaged Assets is set to By Scan Point (for operators). In the case of roles, however, Unmanaged Assets is always set to Show None. The Access Restriction for the operators is set to Always allow this user to log in. The login privilege Can use Console is set to Yes both for operators and roles.
- enableRESTAPIOperatorID
- This option allows you to display operator resource URLs with the operator ID instead of the operator name. For example, https://BigFix_Server_URL:52311/api/operator/<Operator_ID>. To enable the option, set it to true or 1.
This option was introduced with BigFix V9.5.10.
- showSingleActionPrePostTabs
- If set to "1", the 'Pre-Action Script' and 'Post-Action Script' tabs of the Take Action Dialog show up even on single actions.
- propertyNamespaceDelimiter
- Specifies the separator for retrieved properties. By default, retrieved properties are separated into namespaces by the character sequence '::'. The character sequence used to indicate a separator can be changed using this deployment option.
- DefaultFixletVisibility
- If set, this option allows you to specify either to make Fixlets, tasks and analysis gathered from external sites globally visible or to make them globally hidden. By default, they are globally visible to all Console operators.
Note: On Windows platforms only, this option is also available in the "System option" tab of the BigFix Administration Tool.
- MinimumRefreshSeconds
- If set, this option allows you to specify the minimum amount of time after which console operators are allowed to set their automatic refresh interval. This amount of time is specified in seconds. By default, it is set to 5 seconds.
Note: On Windows platforms only, this option is also available in the "System option" tab of the BigFix Administration Tool.
- minimumConsoleRequirements
- Specifies the minimum requirements that must be satisfied by the machines running the database that the console connects to. Its value consists of a comma-separated list of one or more of the following requirement strings:
- "RAM:<min MB MO ram>/<min MB NMO ram>"
- Requires that the console runs on a machine with at least the specified amount of physical RAM. Two different values must be supplied; one for master operators and another for non-master operators. Both values must be less than 2^32. For example, "RAM:2048/1024" .
- "ClientApproval"
- States that the BES Client must determine if a machine is suitable for login. A machine is considered suitable for login if one of the following settings is specified locally:
- "moConsoleLoginAllowed"
- "nmoConsoleLoginAllowed"
- actionSiteDBQueryTimeoutSecs
- Specifies how long action site database queries can run before the console stops the query (to release its read lock and let any database writers through), and then restarts the query where it left off. If not set, the default value is 60 seconds. If set to "0", the action site database queries never time out.
- usePre70ClientCompatibleMIME
- If set to "true", the console can create action MIME documents that pre-7.0 clients can understand. By default, it is set to "true" on upgrade and "false" for fresh installs.
- disableRunningMessageTextLimit
- If set to a value other than "0", the console users can enter more than 255 characters in the running message text in the Take Action Dialog.
- useFourEyesAuthentication
- If set to "true", you can set the approvers for user actions in console user document. The approver must confirm the action on the same console where the user is logged on.
- masterDatabaseServerID
- By default, the database with server ID 0 is the master database. This is the database that BESAdmin needs to connect to. Use this option to change the master database to a different machine.
- enableWakeOnLAN
- If set to "1", the console shows the "right click WakeOnLAN" functionality in the computer list. By default the functionality is not shown.
- enableWakeDeepSleep
- If set to "1", the console shows the "right click Send BESClient Alert Request" functionality in the computer list. By default the functionality is not shown. During Deep sleep, all UDP messages except this specific wake up message are ignored.
- requireConfirmAction
- If set to "1", every time an action is taken a confirmation pop-up window with a summary of the action details is displayed. The information listed in the pop-up window is:
- Action Title
- Estimated endpoints targeted
- Start time
- End time
- Originated by or Source
The summary lists the need of doing a restart or a shutdown as well, if the action requires it. By default the confirmation window is not displayed.
Note: When you enable this option, the displayed value for the Estimated targeted computers might not be correct, if you performed the action from a wizard of a BigFix Application such as, for example, Server Automation or OSD.
You must restart the BigFix Console after configuring this option.