Client API

The Client API allows you to use the client (also called the BES client) to interrogate your networked endpoints. Through the API, you gain access to thousands of client properties that you can then reuse in your own agent programs or pass on to other third-party programs. The interface is mediated by a rules document (XML) that defines your queries. The results are calculated in the execution environment of the client, which typically has elevated privileges and access rights.

You define the values that are exposed by the Client API using relevance expressions and the complete set of inspectors available for clients. You can use expressions of arbitrary complexity to finely target your search. Note that inspectors are powerful and can also reveal sensitive data; take care to monitor the information that is exposed through this interface.

For the information to become available to the API, a console operator must propagate the program and the rules document to the client computers. Alternatively, another program that uses the Server API can propagate the required files.

The Client API is general-purpose: it is driven by a rules document and by an agent program that processes the output of the API. However, it is largely used to support compliance of networked endpoints with various policies. As such, the rules document is typically called the compliance document, and both terms are used in this guide.

From a compliance point of view, the API offers many pertinent features. It can target just the computers that are out of compliance and use that same analysis to drive the remediation. Because the Tivoli BigFix client is under the control of the console, its network role can be modified based on feedback from the API. Among other things, this means you can quarantine any endpoint that is out of compliance. There are two ways to enforce quarantine:

  • Self Quarantine: Enables network access control software (such as VPN clients and firewalls) to quarantine the computer based on the compliance evaluation results from the client.
  • Network Enforced Quarantine: Enables network admission control frameworks and technologies (such as Cisco Network Admission Control, InfoExpress CyberGatekeeper, Sygate Secure Enterprise or ZoneLabs Integrity) to quarantine the computer based on the compliance evaluation results from the client.

Using either of these methods, you can specify a compliance policy that checks the following:

  • Security Configuration: Check that all security policies are in place and there are no security vulnerabilities (weak passwords, open shares, unauthorized USB/wireless devices, insecure settings, and so on).
  • Patch Status: Check that the computer has all the latest patches that are required by company policy.
  • AntiVirus Status: Check that the AntiVirus agent is installed and enabled, the definitions are up-to-date, and no viruses are currently detected.
  • AntiSpyware Status: Check that the computer has AntiSpyware protection installed and working.
  • Configuration Standards: Custom compliance checks can easily be added to allow for additional policies.
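The following is an added, illustrative example of how the pieces described above fit together: a rules document defines the checks, the client's property values are evaluated against it, and the same per-check results both identify out-of-compliance endpoints and name what needs remediation. It is not code from the BigFix SDK, and the XML schema, operator names, property names and endpoint values are all constructed for this example; the real compliance document format and the relevance language are not reproduced here.

```python
"""Illustrative compliance evaluator (hypothetical schema, not the BigFix Client API format)."""
import xml.etree.ElementTree as ET
from typing import Any

# Constructed rules document in a hypothetical schema. Each <check> names an
# endpoint property, a comparison operator and the value required for compliance.
RULES_XML = """<compliance>
  <check id="patch-status"       property="missing_critical_patches" op="eq" value="0"/>
  <check id="antivirus-enabled"  property="av_enabled"               op="eq" value="true"/>
  <check id="av-definitions-age" property="av_definition_age_days"   op="le" value="7"/>
  <check id="no-open-shares"     property="open_shares"              op="eq" value="0"/>
</compliance>"""

# Constructed endpoint property values, standing in for what the client's
# inspectors would report for each computer. host-d lacks one property entirely.
ENDPOINTS = {
    "host-a": {"missing_critical_patches": 0, "av_enabled": True,  "av_definition_age_days": 2,  "open_shares": 0},
    "host-b": {"missing_critical_patches": 3, "av_enabled": True,  "av_definition_age_days": 12, "open_shares": 0},
    "host-c": {"missing_critical_patches": 0, "av_enabled": False, "av_definition_age_days": 1,  "open_shares": 2},
    "host-d": {"missing_critical_patches": 0, "av_enabled": True,  "av_definition_age_days": 3},
}

_OPS = {
    "eq": lambda actual, expected: actual == expected,
    "le": lambda actual, expected: actual <= expected,
    "ge": lambda actual, expected: actual >= expected,
}


def _coerce(raw: str) -> Any:
    """Turn the string attribute from the XML into a bool or int where possible."""
    low = raw.strip().lower()
    if low in ("true", "false"):
        return low == "true"
    try:
        return int(low)
    except ValueError:
        return raw


def parse_rules(xml_text: str) -> list[dict]:
    """Parse the rules document into a list of check definitions, in document order."""
    root = ET.fromstring(xml_text)
    rules = []
    for check in root.findall("check"):
        op = check.get("op", "eq")
        if op not in _OPS:
            raise ValueError(f"unsupported operator {op!r} in check {check.get('id')!r}")
        rules.append({
            "id": check.get("id"),
            "property": check.get("property"),
            "op": op,
            "value": _coerce(check.get("value", "")),
        })
    return rules


def evaluate(properties: dict, rules: list[dict]) -> dict[str, bool]:
    """Evaluate one endpoint's properties against every check; True means compliant.

    A property the endpoint did not report, or one of an incomparable type,
    fails the check (fail closed) rather than silently passing.
    """
    results = {}
    for rule in rules:
        if rule["property"] not in properties:
            results[rule["id"]] = False
            continue
        try:
            results[rule["id"]] = bool(_OPS[rule["op"]](properties[rule["property"]], rule["value"]))
        except TypeError:
            results[rule["id"]] = False
    return results


def classify(endpoints: dict, rules: list[dict]) -> dict:
    """Split endpoints into compliant hosts and hosts to quarantine, with the failed check ids
    per quarantined host so the same analysis can drive remediation."""
    compliant, quarantine = [], {}
    for name, props in sorted(endpoints.items()):
        failed = [cid for cid, ok in evaluate(props, rules).items() if not ok]
        if failed:
            quarantine[name] = failed
        else:
            compliant.append(name)
    return {"compliant": compliant, "quarantine": quarantine}


if __name__ == "__main__":
    verdict = classify(ENDPOINTS, parse_rules(RULES_XML))
    print("compliant:", verdict["compliant"])
    for host, failed in verdict["quarantine"].items():
        print(f"quarantine {host}: failed {', '.join(failed)}")
```

The fail-closed handling of a missing property is the deliberate choice here: an endpoint whose client did not report a value for a check should not be treated as compliant by default.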

There is a software developer kit to help you implement these capabilities. The SDK can be found at: http://software.bigfix.com/download/bes/misc/BESClientSDK-6.0.21.5.zip.