List of advanced options
The following lists show the advanced options that you can specify in the Advanced Options tab of the BigFix Administrative tool on Windows systems, or in the BESAdmin.sh command on Linux systems using the following syntax:
./BESAdmin.sh -setadvancedoptions -sitePvkLocation=<path+license.pvk>
[-sitePvkPassword=<password>]
{ -list | -display
| [ -f ] -delete option_name
| [ -f ] -update option_name=option_value }
<path+license.pvk> used in the command syntax stands for path_to_license_file/license.pvk.
These options are typically supplied by your HCL Software Support.
Advanced options for disabling functions
- disableNmoSiteManagementDialog
- If set to "1", the site management dialog is unavailable to non-master operators (NMOs).
- disableNmoComments
- If set to "1", NMOs cannot add comments. NMOs will still be able to view comments.
- disableNmoManualGroups
- If set to "1", NMOs cannot add or remove computers from manual groups, and see manual groups that none of their computers are members of.
- disableGlobalRelayVisibility
- If set to "1", NMOs cannot see relays in the relay-selection drop-downs in the console that don't belong to them. The exception is if they view a machine that is currently configured to report to a relay not administered by them; in this case that relay appears in the list as well.
- disableNmoRelaySelModeChanges
- If set to "1", NMOs cannot toggle automatic relay selection on and off.
- disableDebugDialog
- If set to "1", the keyboard sequence CTRL-ALT-SHIFT-D cannot be used to open up the console's debug dialog.
- disableComputerNameTargeting
- If set to "1", the third radio option "target by list of computer names" is removed on the targeting tab of the take action dialog.
- allowOfferCreation
- If set to "0", the 'Offer' tab in the Take Action Dialog is disabled. Offer presets in Fixlets are ignored by the console.
- disableNmoCustomSiteSubscribe
- If set to "1", the "Modify Custom Site Subscriptions" menu item is disabled for all NMOs.
Advanced options for password policies
- passwordComplexityRegex
- Specifies a Perl-style regular expression to use as a password complexity requirement when choosing or changing operator passwords. These are some examples:
- Require a 6-letter or longer password that does not equal the string 'bigfix'.
(?![bB][iI][gG][fF][iI][xX]).{6,}
- Require a 6-letter or longer password containing lowercase, uppercase, and punctuation.
(?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:punct:]]).{6,}
- Require an eight-character or longer password that contains 3 of the following 4 character classes: lowercase, uppercase, punctuation, and numeric.
((?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:punct:]])|(?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:digit:]])|(?=.*[[:lower:]])(?=.*[[:digit:]])(?=.*[[:punct:]])|(?=.*[[:digit:]])(?=.*[[:upper:]])(?=.*[[:punct:]])).{8,}
Note: The Site Administrator passwords are not affected by this complexity requirement.
- passwordComplexityDescription
- Specifies a description of the password complexity requirement. This string is displayed to the user when a password choice fails the complexity requirements set using the passwordComplexity option. An example of a password complexity description is "Passwords must have at least 6 characters." If you do not set this value but you set the passwordComplexityRegex setting, the description set in passwordComplexityRegex is displayed to the user.
- passwordsRemembered
- Specifies the number of unique new passwords that can be set for a user account before an old password can be reused. The default value is "0".
This option was introduced with BigFix V8.2.
- maximumPasswordAgeDays
- Specifies the number of days that a password can be used before
the system requires the user to change it. The default value is "0"
(no maximum).
This option was introduced with BigFix V8.2.
- minimumPasswordLength
- Specifies the least number of characters that a password for a user account can contain. The default value is "6". This is a usage example of this option:
./BESAdmin.sh -setadvancedoptions -sitePvkLocation=LOCATION -sitePvkPassword=PASSWORD -update minimumPasswordLength=9
This option was introduced with BigFix V8.2.
- enforcePasswordComplexity
- If set to '1' or 'true', the passwords must meet the following
minimum requirements:
- They must not contain the user's account name or parts of the user's full name that exceed two consecutive characters.
- They must be at least six characters long.
- They must contain characters from three of the following four categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base 10 digits (0 through 9)
  - Non-alphabetic characters (for example, !, $, #, %)
Complexity requirements are enforced when passwords are changed or created. The default value is "0".
This option was introduced with BigFix V8.2.
- accountLockoutThreshold
- Specifies the number of incorrect logon attempts for a user name
before the account is locked for accountLockoutDurationSeconds seconds.
The default value is "5".
This option was introduced with BigFix V8.2.
- accountLockoutDurationSeconds
- Specifies the number of seconds that an account gets locked after accountLockoutThreshold failed logon attempts. The default value is "1800".
This option was introduced with BigFix V8.2.
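The three passwordComplexityRegex examples above can be checked offline against sample passwords before they are applied. This is an added example, not HCL code; it assumes the pattern must match the whole password (emulated with grep -x), which the page does not state, and the function names and sample passwords are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-check candidate passwordComplexityRegex values.
# Assumption: the regex must match the entire password (grep -x).
# Requires GNU grep built with PCRE support (-P).

# The three example patterns from the page, single-quoted so the shell
# passes them through unchanged.
RE_NOT_BIGFIX='(?![bB][iI][gG][fF][iI][xX]).{6,}'
RE_LOWER_UPPER_PUNCT='(?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:punct:]]).{6,}'
RE_THREE_OF_FOUR='((?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:punct:]])|(?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:digit:]])|(?=.*[[:lower:]])(?=.*[[:digit:]])(?=.*[[:punct:]])|(?=.*[[:digit:]])(?=.*[[:upper:]])(?=.*[[:punct:]])).{8,}'

# verdict REGEX PASSWORD -> prints "accept" or "reject"
verdict() {
    if printf '%s\n' "$2" | LC_ALL=C grep -Pqx -e "$1"; then
        echo accept
    else
        echo reject
    fi
}

# report REGEX -> one "verdict<TAB>password" line per password on stdin
report() {
    while IFS= read -r pw; do
        printf '%s\t%s\n' "$(verdict "$1" "$pw")" "$pw"
    done
}

# count_accepted REGEX -> number of stdin passwords the regex accepts
count_accepted() {
    report "$1" | grep -c '^accept' || true
}

# Constructed sample passwords (not real credentials).
samples() {
    cat <<'EOF'
bigfix
BigFix2024
mybigfix
Passw0rd
Pass-word
password1
pass-word1
EOF
}

# Show how each policy treats the same candidate passwords.
for re in "$RE_NOT_BIGFIX" "$RE_LOWER_UPPER_PUNCT" "$RE_THREE_OF_FOUR"; do
    printf '== %s\n' "$re"
    samples | report "$re"
done
```

Under the whole-string assumption the first pattern rejects any password that starts with 'bigfix' in any letter case and accepts one that contains it later. Single-quote the pattern when passing it to -update so the shell leaves the ( | ! characters untouched.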
Advanced options for targeting restrictions
Use these advanced options to specify the targeting restrictions globally. If you want to set them for a specific user, add those settings in the registry key of the BigFix Console computer under the hive HKEY_CURRENT_USER\Software\BigFix\Enterprise Console\Targeting as a DWORD.
- targetBySpecificListLimit
- Specifies the maximum number of computers that can be targeted by individual selection. The default value is 10000.
- targetBySpecificListWarning
- Specifies the threshold for the number of computers that can be targeted by individual selection before the console displays a warning message. The default value is 1000.
- targetByListSizeLimit
- Specifies the maximum number of bytes that can be supplied when targeting by textual list of computer names. The default value is 100000.
The advanced options map to the registry value names as follows:
targetBySpecificListLimit => SpecificListLimit
targetBySpecificListWarning => SpecificListWarning
targetByListSizeLimit => ByListSizeLimit
For example:
[HKEY_CURRENT_USER\Software\BigFix\Enterprise Console\Targeting]
"SpecificListLimit"=dword:00002328
Advanced options for authentication
- loginTimeoutSeconds
- Specifies the amount of idle time in seconds before the console requires the user to authenticate again to take certain actions. The timer is reset every time the user authenticates or does an action that would have required authentication within the idle time threshold. The default value is zero on upgrade from a deployment earlier than V8.2; the default value is infinity on a clean install of V8.2 or later.
- loginWarningBanner
- Specifies the text to show to any user after he/she logs into
the Console or Web Reports. The user must click OK to continue.
This is a usage example of this option:
./BESAdmin.sh -setadvancedoptions -sitePvkLocation=/root/backup/license.pvk -sitePvkPassword=pippo000 -update loginWarningBanner='new message'
This option was introduced with BigFix V9.1.
- timeoutLockMinutes
- Specifies how many idle time minutes must elapse before the console requires the user to authenticate again. This setting is different from loginTimeoutSeconds because timeoutLockMinutes hides the entire console to prevent any other user from seeing or using it. The idle time refers to the lack of any type of input to the session, including key presses, mouse clicks, and mouse movements.
This option does not take any effect on the console if an operator accesses it using the Windows session credentials (Windows authentication).
This option was introduced with BigFix V9.1.
- timeoutLogoutMinutes
- Specifies how many idle time minutes must elapse before the console is closed. This setting is different from loginTimeoutSeconds and timeoutLockMinutes, because timeoutLogoutMinutes closes the console completely. The idle time refers to the lack of any type of input to the session, including key presses, mouse clicks, and mouse movements.
This option was introduced with BigFix V9.5.11.
Advanced options for customizing computer removal
By default, inactive computers are not automatically managed by BigFix: they continue to be displayed in the console views unless you mark them as deleted by deleting their entries from the Computers list view, and their data is always kept in the database, filling tables with unused data.
You can modify this behavior by specifying advanced options that mark inactive computers as deleted, hiding them in the console views, and remove their data from the BigFix database.
In this way the console views show only the computers that reported back to the BigFix server within a specified number of days and the database runs faster because you free more disk space.
- inactiveComputerDeletionDays
- Specifies the number of consecutive days that a computer does not report back to the BigFix server before it is marked as deleted. When the computer reports back again, the computer is no longer marked as deleted and an entry for it is shown again in the console views. The default value for this option is 0, which means that inactive computers are never automatically marked as deleted.
- inactiveComputerPurgeDays
- Specifies the number of consecutive days that a computer does not report back to the BigFix server before its data is deleted from the BigFix database. When the computer reports back again, it is requested to send back a full refresh to restore its data in the database and it is no longer marked as deleted. The default value for this option is 0, which means that computer data is never automatically removed from the database.
- inactiveComputerPurgeBatchSize
- On a daily basis, BigFix runs an internal task that removes from the database the data of the computers for which inactiveComputerPurgeDays elapsed. The task deletes the computer data, including the computer's hostname, in buffers to avoid potential load to the database. The inactiveComputerPurgeBatchSize value specifies how many computers are cleaned up in the database in each buffer. The default value for this option is 1000. If the computer reports back again, the matching with its entry in the database is done using the computer ID.
Note: Specify the option inactiveComputerPurgeBatchSize if you assigned a value different from 0 to inactiveComputerPurgeDays.
Advanced options for customizing BigFix Query
You can optionally set some parameters to customize the BigFix Query feature.
- queryHoursToLive
- Determines how many hours the BigFix Query requests are kept in the database. The default value for this option is 1440, which corresponds to 60 days. Valid values are from 0 to 8760 (1 year).
- queryResultsHoursToLive
- Determines how many hours the BigFix Query results are kept in the database. The default value is 4 hours, and the valid values are from 1 to 336 (two weeks). If you enter a value that lies outside this range, the default value is used.
- queryPurgeBatchSize
- The entries in the database that represent requests and results for which queryHoursToLive or queryResultsHoursToLive elapsed, are deleted from the database in buffers. This advanced option determines the number of database entries contained in each of these buffers. The default value for this option is 100000 bytes, which means 100 KB.
- queryPerformanceDataPath
- Defines the path of the log file that stores the performance information about FillDB - server interaction when running BigFix Queries. The default value for this option is none.
- _Enterprise Server_ BigFix Query_MaxTargetsForGroups
- Determines the highest number of targets that a BigFix Query request, targeted by group, can be addressed to. If the number of targets exceeds the specified value, the BigFix Query request is sent to all clients and each client determines whether or not it is a member of the targeted group. If the number of targets does not exceed the specified value, the BigFix Query request is sent only to clients that are members of the group. You can configure this setting on the BigFix console by selecting the server in the Computers list and clicking Edit settings. The default value for this option is 100.
Other advanced options
- automaticBackupLocation
- If set to an existing path, accessible both by root and by the database instance owner, by default db2inst1, this option enables the BigFix Server to automatically run the backup of the BFENT and BESREPOR databases before and after running the upgrade process.
This option is available only for Linux BigFix Servers V9.5.3 and later.
For more information, see Automatic databases backup upon upgrade.
- clientIdentityMatch
- This advanced option can help you to avoid having duplicate computer entries when the endpoints are detected as possible clones by the BigFix Server.
Starting from BigFix Version 9.5.7, the BigFix Server can use the existing computer information to try to match the identity of a Client and reassign the same ComputerID to computers that might have been rolled back or restored. To guarantee the correct applicability of this option, it is necessary that the following components are at least at 9.5.7 level:
- The BigFix Server.
- All Clients that will apply the option.
- All Relays that are in the configuration tree between the Clients and the Server.
If clientIdentityMatch=0, the BigFix Server performs strict clone detection. This means that, if the BigFix Server receives a registration request from a Client that was rolled back or restored, the Server invalidates the old ComputerID, resets the old Client definition, and assigns a new ComputerID to the registering Client. This is the default behavior and is the same way the BigFix Servers earlier than V9.5.7 operate.
If clientIdentityMatch=100, the BigFix Server performs an additional check before assigning a new ComputerID to a registering Client to avoid creating cloned computer entries. This means that the BigFix Server tries to determine if the information about the rolled-back Client sufficiently matches the data held for that ComputerID. If the identity of the Client is matched, the Client keeps using the old ComputerID and its identity is not reset.
For more information, see Avoiding duplicates when a Client is restored.
- includeSFIDsInBaselineActions
- If set to "1", it requires the console to include source Fixlet IDs when emitting baseline actions. Emitting these IDs is not compatible with 5.1 clients.
- defaultHiddenFixletSiteIDs
- This option allows you to selectively change the default Fixlet visibility on a per-site basis. It only takes effect when global default Fixlet hiding is not in use. You specify a comma-separated list of all the site IDs to be hidden by default. The list of site IDs is in the SITENAMEMAP table in the database.
- defaultOperatorRolePermissions
- This option allows you to change the default permissions that apply when you create operators
and roles. It can take the following values:
- 0: Operators and roles are created with the default permissions that applied until BigFix V9.5.10.
- 1: Operators and roles are created with minimum default permissions. The same default settings apply even when you do not set any value.
- 2: Operators and roles are created with minimum default permissions as in the previous case, except that Show Other Operators' Actions is set to Yes and Unmanaged Assets is set to By Scan Point (for operators). In the case of roles, however, Unmanaged Assets is always set to Show None. The Access Restriction for the operators is set to Always allow this user to log in. The login privilege Can use Console is set to Yes both for operators and roles.
- enableRESTAPIOperatorID
- This option allows you to display operator resource URLs with the operator ID instead of the operator name. For example, https://BigFix_Server_URL:52311/api/operator/<Operator_ID>. To enable the option, set it to true or 1.
This option was introduced with BigFix V9.5.10.
- showSingleActionPrePostTabs
- If set to "1", the 'Pre-Action Script' and 'Post-Action Script' tabs of the Take Action Dialog show up even on single actions.
- propertyNamespaceDelimiter
- Specifies the separator for retrieved properties. By default, retrieved properties are separated into namespaces by the character sequence '::'. The character sequence used to indicate a separator can be changed using this deployment option.
- DefaultFixletVisibility
- If set, this option allows you to specify either to make Fixlets, tasks and analyses gathered from external sites globally visible or to make them globally hidden. By default, they are globally visible to all Console operators.
Note: On Windows platforms only, this option is also available in the "System option" tab of the BigFix Administrative tool.
- MinimumRefreshSeconds
- If set, this option allows you to specify the minimum amount of time after which console operators are allowed to set their automatic refresh interval. This amount of time is specified in seconds. By default, it is set to 5 seconds.
Note: On Windows platforms only, this option is also available in the "System option" tab of the BigFix Administrative tool.
- minimumConsoleRequirements
- Specifies the minimum requirements that must be satisfied by the machines running the database that the console connects to. Its value consists of a comma-separated list of one or more of the following requirement strings:
- "RAM:<min MB MO ram>/<min MB NMO ram>"
- Requires that the console runs on a machine with at least the specified amount of physical RAM. Two different values must be supplied; one for master operators and another for non-master operators. Both values must be less than 2^32. For example, "RAM:2048/1024".
- "ClientApproval"
- States that the BES Client must determine if a machine is
suitable for login. A machine is considered suitable for
login if one of the following settings is specified locally:
- "moConsoleLoginAllowed"
- "nmoConsoleLoginAllowed"
- actionSiteDBQueryTimeoutSecs
- Specifies how long action site database queries can run before the console stops the query (to release its read lock and let any database writers through), and then restarts the query where it left off. If not set, the default value is 60 seconds. If set to "0" the action site database queries never time out.
- usePre70ClientCompatibleMIME
- If set to "true", the console can create action MIME documents that pre-7.0 clients can understand. By default, it is set to "true" on upgrade and "false" for fresh installs.
- disableRunningMessageTextLimit
- If set to a value other than "0", the console users can enter more than 255 characters in the running message text in the Take Action Dialog.
- useFourEyesAuthentication
- If set to "true", you can set the approvers for user actions in console user document. The approver must confirm the action on the same console where the user is logged on.
- masterDatabaseServerID
- By default, the database with server ID 0 is the master database. This is the database that BESAdmin needs to connect to. Use this option to change the master database to a different machine.
- enableWakeOnLAN
- If set to "1", the console shows the "right click WakeOnLAN" functionality in the computer list. By default the functionality is not shown.
- enableWakeDeepSleep
- If set to "1", the console shows the "right click Send BESClient Alert Request" functionality in the computer list. By default the functionality is not shown. During Deep sleep, all UDP messages except this specific wake up message are ignored.
- requireConfirmAction
- If set to "1", every time an action is taken a confirmation pop-up window with a summary of the action details is displayed. The information listed in the pop-up window is:
- Action Title
- Estimated endpoints targeted
- Start time
- End time
The summary lists the need of doing a restart or a shutdown as well, if the action requires it. By default the confirmation window is not displayed.
Note: When you enable this option, the displayed value for the Estimated targeted computers might not be correct if you performed the action from a wizard of a BigFix Application such as, for example, Server Automation or OSD.
You must restart the BigFix Console after configuring this option.