What is new in BigFix 11 Platform
BigFix Platform 11 delivers three major changes in the security area by adding support for OpenSSL 3, SHA-384 and TLS 1.3. This release also delivers new features, an updated list of supported platforms, and several upgraded libraries.
- Patch 3
- Added filtering capability to BigFix Explorer component
- In Patch 2 the new "BigFix Explorer" component was added to allow
easier REST API access to BigFix data (see Explorer). When evaluating
the Session Relevance using the BigFix Explorer, it is now possible
to filter the Session Relevance results.
For details, see Session Relevance.
- It is now possible to start/stop/restart VMs on AWS, Google and Azure via BigFix
- The BigFix cloud plugins now have the ability to manage the cloud
instances using power commands.
For details, see Cloud plugins Commands.
- AWS cloud plugin connection now available in FIPS mode
- The Amazon Web Services (AWS) cloud plugin can be configured to
leverage the FIPS mode connection, to comply with encryption
algorithms prescribed by the FIPS standard.
For details, see Configuring cloud plugins.
- You can now configure a persistent connection for a Relay to Relay communication
- BigFix Platform allows you to establish a persistent connection for
a Relay with its parent Relay; this will facilitate the BigFix
operations in complex network environments.
For details, see Relay-Relay persistent connection.
- Enabled Microsoft Control Flow Guard on BigFix Server
- The BigFix Server leverages the Microsoft Control Flow Guard (CFG)
security feature on Windows systems.
For details, see Enabling Microsoft Control Flow Guard on BigFix Server.
- Added Subject Alternative Name field to the Client Certificate
- The Subject Alternative Name X509v3 standard extension is added to the client certificate of the BigFix Agents. Its value corresponds to the hostname of the computer where the BigFix Agent runs. This allows the BigFix client certificates to adhere to industry standards as it relates to Subject Alternative Name.
- Added BESAdmin command to return the BigFix certificate bundle
- With the getcertificatebundle BESAdmin command, you can export the complete BigFix certificate bundle. The bundle contains all the certificates for all authorized chains in the masthead. This allows you to provide the full certificate chain to tools or entities that request it for validation.
For details, see BESAdmin Windows Command Line and BESAdmin Linux Command Line.
- CVEs details in the Server, Relay, Client and Console Upgrade Fixlets
- Starting from BigFix Version 11.0.3, the Fixlets in the BES Support site that upgrade the BigFix Console and BigFix Platform components (Server, Relay and Client) show a list of CVE IDs. These refer to the vulnerabilities that affect the previous level of the component and are resolved by the current one. This information is found on the Details tab, in the CVE ID field.
- Microsoft Entra ID configuration using certificates
- Starting from BigFix Version 11.0.3, BigFix Platform allows you to
configure Microsoft Entra ID as Identity Provider using a
certificate in addition to a client secret.
For details, see Integrating with Microsoft Entra ID.
- Enhanced Agent log file records with date/time stamps
- BigFix Platform allows you to specify the desired Agent log file
format by using a new setting named _BESClient_Log_TimestampsDetail. This will include timestamps in every line of the agent log file.
For details, see List of settings and detailed descriptions.
- Limit number of targets when submitting action via REST API
- When issuing an action via REST API, the maximum number of targets set in the “targetBySpecificListLimit” parameter (default value 10000) is considered; if exceeded, an “HTTP 413 Content Too Large” error response is returned. For details, see action.
- On new clients, avoid the creation of client settings referring to deleted NMOs
- New clients will no longer create settings that refer to Non-Master Operators that have already been deleted, reducing the workload on these clients and avoiding useless references in their log file.
- Audit Trail Cleaner update
- The Audit Trail Cleaner tool was updated to allow you to remove the
old files uploaded by the Archive Manager on the BigFix
Server.
For details, see Audit Trail Cleaner.
- Improved user experience in Web Reports as it relates to reauthentication
- The number of reauthentication operations needed in Web Reports is
now reduced. The behavior can be controlled via a new configuration
setting named ReAuthenticationEnabled.
For details, see Performing the reauthentication.
- Removal of obsolete Fixlets and Tasks from BES Support
- Obsolete Fixlets and Tasks were removed from the BES Support
content.
For details, see Removal of obsolete Fixlets and Tasks from BES Support content.
- Inspector Updates
- New client inspectors named "case insensitive posix regex", "case insensitive posix regular expression", "posix regex" and "posix regular expression" were added to fully support POSIX compliant Regular Expressions. They will use the Boost library version 1.78.0, both for Windows and UNIX operating systems, since Boost is declared to be POSIX-Extended compliant. For details, see regular expression.
- New client inspector properties:
- "rtt of": the round-trip time (RTT) of the TCP socket connections in the "ESTABLISHED" state. For details, see socket.
- Added Support for BigFix Agent
- Added support for BigFix Agent running on:
- macOS 15 ARM/x86 64-bit
- Ubuntu 24.04 LTS
- Raspberry Pi OS 12 32-bit
- Red Hat Enterprise Linux 9 on s390x
- Windows Server 2025 x86 64-bit
- Library and driver upgrades
- The libcURL library was upgraded to Version 8.9.1.
- The Microsoft ODBC Driver was upgraded to Version 17.10.6.
- The OpenSSL library was upgraded to Version 3.2.2.
- Patch 2
- New BigFix Explorer component to extend the power of BigFix
- With this release BigFix Platform introduces BigFix Explorer.
This new component provides REST API access to BigFix data in an easier, more scalable and more resilient way.
It is designed to detach the datastore engine from BigFix Console and Web Reports and use it as a standalone service to query the BigFix Server data using Session Relevance expressions.
For details, see Introduction and Explorer.
- Added Microsoft Entra ID as Identity provider
- BigFix Platform now allows you to use Microsoft Entra ID (formerly known
as Microsoft Azure AD) as Identity Provider, to support the
Single-Sign-On and Multi-Factor-Authentication use cases. This
allows the user directory on Entra ID to be used for accessing the
BigFix Console, Web Reports and WebUI.
For details, see Integrating with Microsoft Entra ID and Identity Provider Permissions.
- IPv6 validation completion
- Extensive validation scenarios were run, and problems addressed, to
ensure that BigFix Platform components run both in IPv6-only and
concurrent IPv6+IPv4 configuration.
For details, see IPv4 and IPv6 protocols concurrent support.
- Removed init.d dependencies for RHEL and SUSE platforms
- With this release BigFix services are no longer dependent on init.d
for RHEL, SUSE and derived platforms.
For details, see Managing the BigFix Services.
- Enhanced Archive Manager capabilities
- A new set of REST APIs named "Archive Manager" is available to list,
retrieve or remove the files uploaded by the Archive Manager on the
BigFix Server. Additional customization is also possible with
respect to Archive Manager file cleanup policy.
For details, see Archive Manager and Automatic Server Clean Up.
- VMware Plugin enhancements
- The VMware Plugin has been extended with inspectors and action
commands to improve the management capabilities for both host and
guest systems.
For details, see Introduction to Cloud Plugins, Configuring cloud plugins, VMware Asset Discovery Plugin Inspectors and VMware Plugin Commands.
- Inspector Updates
- Added client inspector type to support 128-bit signed integers
- A new client inspector type named "large integer" was created to support the 128-bit signed integers. For details, see large integer.
- Added client inspector constructor to support BigFix Explorer
- A new client inspector constructor named "explorer service" was created to provide access to the BESExplorer service, if available on the local system. For details, see service.
- Added client inspector properties
- New client inspector properties named "display name of" and "linux of" were added to return the OS name in a human readable format and to verify if the computer is running Linux. For details, see operating system.
- Added Support for BigFix Server on Windows and Linux with Google Cloud SQL for Microsoft SQL Server 2022 database
- Starting from Patch 2, BigFix Server on Windows Server (2019 or later) and on Linux Red Hat 9 supports Google Cloud SQL for Microsoft SQL Server 2022 database.
- Added Support for BigFix Relay
- Added support for BigFix Relay running on:
- Amazon Linux 2023 x86 64-bit.
- Rocky Linux 9 x86 64-bit.
- Added Support for BigFix Agent
- Added support for BigFix Agent running on OpenSUSE Leap 15.6 x86 64-bit.
- Library and driver upgrades
- The jQuery library was upgraded to Version 3.7.1.
- The libcURL library was upgraded to Version 8.6.0.
- The Microsoft ODBC Driver was upgraded to Version 17.10.5.1.
- The OpenSSL library was upgraded to Version 3.1.5.
- The sqlite library was upgraded to Version 3.45.1.
- The zlib library was upgraded to Version 1.3.1.
- Patch 1
- Added support for BigFix Server on Linux with Microsoft SQL Server database
- Starting from Patch 1, BigFix Server on Linux Red Hat 9 supports
Microsoft SQL Server 2019 and 2022 (Enterprise and Standard are
recommended). Only the SQL Authentication is supported. DSA
environments are not supported on the BigFix Linux Server with
Microsoft SQL database.
For details, see Installing the Server with MS SQL, Installing and configuring MS SQL, Installing Web Reports Standalone with MS SQL and Installing the WebUI Standalone with MS SQL.
- Added support for BigFix Server on Red Hat Linux 9 with DB2 database
- Red Hat Linux 9 is now supported with minimum BigFix Server version 11.0.1 and DB2 11.5.9.
- Added support for BigFix Plugin Portal on Linux RHEL 9
- Added support for BigFix Plugin Portal running on Red Hat Enterprise Linux (RHEL) 9 x86 64-bit.
- License Overview dashboard "Device subscription by product" section changes
- The "Device subscription by product" section of the dashboard now
shows, for each product, the labels "Allocated" and "Actual". An
Info Button is present next to each label.
For details, see License Overview dashboard.
- Manual synchronization of the license updates
- On Windows server, a new option named "syncmastheadandlicense" is
provided to synchronize the updated license with the masthead using
the BigFix Administration Tool.
For details, see BESAdmin Windows Command Line.
- Added client inspector type to support unsigned integers
- A new client inspector type named "uinteger" was created to support
the unsigned integers.
For details, see uinteger.
- Added support for the new "Device" and "User" metrics available for BigFix Workspace licenses
- When BigFix Workspace licenses are allocated on any serial number,
the "Device" and "User" tags are now reported in the license.crt
file and properly managed in the License Overview Dashboard.
For details, see bes product.
- Added support for BigFix Agent
- Added support for BigFix Agent running on:
- Windows 11 ARM64
- Windows 11 23H2 ARM64
- Windows 11 24H2 ARM64
- VIOS 3.1.3
- Library upgrades
- The ICU library was upgraded to Version 73.2 (54.2 on Tiny Core Linux).
- The libcURL library was upgraded to Version 8.4.0.
- The libssh2 library was upgraded to Version 1.11.0.
- The OpenSSL library was upgraded to Version 3.1.4.
- Version 11
- OpenSSL v3
- BigFix Platform 11 uses OpenSSL v3 in all its components to ensure
maximum protection of network traffic. Specifically, the library
version is 3.1.1. Aside from the general security benefits, the
move to OpenSSL v3 has the following two major consequences:
- Any HTTPS communication in which at least one of the two parties is a BigFix Platform 11 component must use TLS 1.2 as the minimum protocol version.
- SHA-1 is no longer used as the hash algorithm for the signatures that validate TLS communication and all BigFix content and actions (SHA-1 is still supported as a hash for file downloads).
For more details, see BigFix Platform V11 Overview Page.
- SHA-384 support
- BigFix 11 uses a stronger hash based on SHA-384 as cryptographic
digest algorithm for all digital signatures to validate TLS
communication and all BigFix content and actions at every step. This
change does not affect the hash used to verify downloaded files
which can still be SHA-1 or SHA-256.
SHA-256 hash signatures are still supported, but you also have the option of enforcing the use of SHA-384 only to comply with specific security requirements.
For more details, see BigFix Platform V11 Overview Page.
- TLS 1.3 support
- BigFix Platform now supports TLS 1.3 for HTTPS communications among
the BigFix components, maintains the support of TLS 1.2 and no
longer supports TLS versions lower than 1.2.
By default, BigFix Platform 11 supports both TLS 1.2 and TLS 1.3; because of the upgrade to OpenSSL v3, it no longer supports TLS 1.1 or below.
For more details, see BigFix Platform V11 Overview Page.
- Relay Drive Space Protection From Downloads
- BigFix Platform now adds the capability to prevent the BigFix Relay
ActiveDownloads folder from filling up, by using a new setting
named _BESRelay_Download_ActiveDownloadsMaxSizeMB, which represents the maximum size, specified in MB, that the folder can reach.
For details, see Managing Downloads.
- Perl Regular Expressions for non-Windows platforms support
- The Perl Compatible Regular Expressions (PCRE) syntaxes, introduced
with BigFix Platform 10.0.8 and available on the Windows client, are
now also supported on several non-Windows platforms such as Debian,
Mac, Raspbian, Red Hat, SUSE, Solaris Intel and Ubuntu.
For details, see regular expression.
- Plugin Portal - Optimized devices data serialization
- The Plugin Portal was optimized to reduce the memory usage of the Plugin Portal machine and the evaluation time of Fixlets and analyses. This increases responsiveness when returning data and executing actions on discovered devices.
- New set of REST APIs
- BigFix Platform 11.0 now supports a new set of REST APIs that enable
clients such as the BigFix WebUI to access the download status of
the actions. These REST APIs also allow you to resubmit failed
downloads.
For details, see Action.
- Added support for BigFix Console
- The BigFix Console Version 11.0 adds support for:
- Windows 11 23H2
- Windows 11 24H2
- Added support for BigFix Relay
- The BigFix Relay Version 11.0 adds support for:
- AIX 7.3
- Raspbian 11
- Tiny Core 13
- Tiny Core 14
- Windows 11 23H2
- Windows 11 24H2
- Added support for BigFix Agent
- The BigFix Agent Version 11.0 adds support for:
- Debian 12 x86-64
- MacOS 14 ARM/x86 64-bit
- OpenSUSE Leap 15.4 x86-64
- OpenSUSE Leap 15.5 x86-64
- Windows 11 23H2 x86-64
- Windows 11 24H2 x86-64
- Added support for new database level
- Microsoft SQL Server 2022 support
- Microsoft SQL Server 2022 deployed in a docker container
For details, see Installing a server with remote database deployed in a docker container and Database requirements.
- Note also that, on BigFix Platform 11.0:
- The minimum supported SQL Server version is 2014 as Microsoft SQL Server 2012 is no longer supported.
- DB2 is a prerequisite for the installation of the BigFix Server on Red Hat Linux. DB2 is not distributed with BigFix 11. For existing BigFix 9 and 10 customers with a DB2 entitlement, the entitlement remains. For new customers on BigFix 11, a DB2 license must be acquired. The BigFix team is considering adding, in the near term, the possibility to utilize Microsoft SQL Server for BigFix deployments on Linux.
For information about database requirements, see Installation requirements for DB2 database products and Database requirements for information about the DB2 versions supported by BigFix.
- Operating systems support matrix has been updated
- In particular, for some platforms the minimum operating system version supported has changed. To see which operating system versions are supported, refer to the V11 system requirements page available at: BigFix Support Matrix.
- Several libraries are upgraded to a newer version:
| Library | V11 Library Version |
| --- | --- |
| jQuery | Version 3.6.4 |
| libcURL | Version 8.1.2 |
| Microsoft Visual C++ Redistributable library | Version 2019 |
| OpenSSL | Version 3.1.1 |
| OpenLDAP | Version 2.6.4 |
| SQLite | Version 3.41.2 |
| zlib | Version 1.2.13 |
| AWS SDK | Version 1.44.165 |
| Azure SDK | Version 1.0.0 (with azidentity v1.2.0) |
| GCP SDK | Version 0.105.0 |
| VMWare SDK | Version 0.30.0 |
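
Added example, not part of the BigFix documentation: a Python probe for checking that an endpoint enforces the TLS 1.2 minimum described under "OpenSSL v3" and "TLS 1.3 support" above, by attempting one handshake pinned to each protocol version. The function names, the host name and the port are assumptions for illustration; certificate validation is skipped on purpose because only protocol negotiation is tested.

```python
import socket
import ssl

# Versions to probe, oldest first. Per the notes above, a BigFix 11
# component should accept only TLS 1.2 and TLS 1.3.
PROBED = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
          ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]
LEGACY = {"TLSv1", "TLSv1_1"}


def try_handshake(host, port, version, timeout=5.0):
    """True if the endpoint completes a handshake pinned to `version`.

    TCP connection errors propagate, so an unreachable host is never
    mistaken for a host that rejected the protocol version.
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            # Probe only: protocol negotiation is tested, not the chain.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            # OpenSSL 3 clients refuse TLS 1.0/1.1 at the default security
            # level; lower it so a refusal is the server's decision.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
            ctx.minimum_version = version
            ctx.maximum_version = version
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
        except (OSError, ValueError):  # handshake alert, reset, or version
            return False               # not available in the local build


def audit(host, port, handshake=try_handshake):
    """Probe every version; return accepted versions and policy gaps."""
    accepted = [v.name for v in PROBED if handshake(host, port, v)]
    return {
        "accepted": accepted,
        "legacy_accepted": [n for n in accepted if n in LEGACY],
        "modern_missing": [n for n in ("TLSv1_2", "TLSv1_3")
                           if n not in accepted],
    }


if __name__ == "__main__":
    # Constructed stand-in for a misconfigured endpoint (no network used);
    # host and port are placeholders, not values from this page.
    fake = lambda host, port, v: v >= ssl.TLSVersion.TLSv1_1
    print(audit("relay.example.com", 52311, handshake=fake))
```

A non-empty `legacy_accepted` list means the endpoint still negotiates a protocol below TLS 1.2; call `audit(host, port)` without the `handshake` argument to probe a real endpoint you administer.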