List of advanced options

The following lists show the advanced options that you can specify in the Advanced Options tab of the BigFix Administrative tool on Windows systems, or in the BESAdmin.sh command on Linux systems using the following syntax:

./BESAdmin.sh -setadvancedoptions -sitePvkLocation=<path+license.pvk>
[-sitePvkPassword=<password>]  
{ -list | -display 
| [ -f ] -delete option_name 
| [ -f ] -update option_name=option_value }
Note: The notation <path+license.pvk> used in the command syntax stands for path_to_license_file/license.pvk.

These options are typically supplied by your HCL Software Support.

Advanced options for disabling functions

Use these options if you want to disable specific capabilities on the console.
disableNmoSiteManagementDialog
If set to "1", the site management dialog is unavailable to non-master operators (NMOs).
disableNmoComments
If set to "1", NMOs cannot add comments. NMOs will still be able to view comments.
disableNmoManualGroups
If set to "1", NMOs cannot add or remove computers from manual groups, and cannot see manual groups that none of their computers are members of.
disableGlobalRelayVisibility
If set to "1", NMOs cannot see relays in the relay-selection drop-downs in the console that don't belong to them. The exception is if they view a machine that is currently configured to report to a relay not administered by them, in this case that relay appears in the list as well.
disableNmoRelaySelModeChanges
If set to "1", NMOs cannot toggle automatic relay selection on and off.
disableDebugDialog
If set to "1", the keyboard sequence CTRL-ALT-SHIFT-D cannot be used to open up the console's debug dialog.
disableComputerNameTargeting
If set to "1", the third radio option "target by list of computer names" is removed on the targeting tab of the take action dialog.
allowOfferCreation
If set to "0", the 'Offer' tab in the Take Action Dialog is disabled. Offer presets in Fixlets are ignored by the console.
disableNmoCustomSiteSubscribe
If set to "1", the "Modify Custom Site Subscriptions" menu item is disabled for all NMOs.

Advanced options for password policies

Use these settings to enforce password policies in your BigFix environment.
passwordComplexityRegex
Specifies a Perl-style regular expression to use as a password complexity requirement when choosing or changing operator passwords. These are some examples:
  • Require a 6-letter or longer password that does not equal the string 'bigfix'.
    (?![bB][iI][gG][fF][iI][xX]).{6,}
  • Require a 6-letter or longer password containing lowercase, upper case, and punctuation.
    (?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:punct:]]).{6,}
  • Require an eight-character or longer password that contains 3 of the following 4 character classes: lowercase, uppercase, punctuation, and numeric.
    ((?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:punct:]])|
    (?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:digit:]])|
    (?=.*[[:lower:]])(?=.*[[:digit:]])(?=.*[[:punct:]])|
    (?=.*[[:digit:]])(?=.*[[:upper:]])(?=.*[[:punct:]])).{8,}
Note: The Site Administrator passwords are not affected by this complexity requirement.
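The following Ruby script is an added example, not part of the product documentation: it runs the three sample patterns above against constructed passwords so that a pattern can be checked before it is set. How BigFix applies the expression (to the whole password or to any substring) is not stated here, so both behaviours are modeled as assumptions; Ruby is used because its regex engine accepts the same lookahead and POSIX bracket syntax.

```ruby
# Added example: exercise the documented passwordComplexityRegex samples
# against constructed passwords before deploying one of them.

# Patterns copied from the examples above; the third is joined into one line.
PATTERNS = {
  not_bigfix: '(?![bB][iI][gG][fF][iI][xX]).{6,}',
  lower_upper_punct:
    '(?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:punct:]]).{6,}',
  three_of_four:
    '((?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:punct:]])|' \
    '(?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:digit:]])|' \
    '(?=.*[[:lower:]])(?=.*[[:digit:]])(?=.*[[:punct:]])|' \
    '(?=.*[[:digit:]])(?=.*[[:upper:]])(?=.*[[:punct:]])).{8,}'
}.freeze

# Constructed sample passwords (not taken from any real system).
SAMPLES = %w[
  bigfix BigFix bigfix1 xbigfix abcdef Abc!ef
  abcdefgh Abcdef12 abcd!123 ABCDEFG1
].freeze

# Assumption 1: the pattern has to match the whole password.
def accepts_whole?(pattern, password)
  Regexp.new("\\A(?:#{pattern})\\z").match?(password)
end

# Assumption 2: the pattern only has to match somewhere in the password.
def accepts_anywhere?(pattern, password)
  Regexp.new(pattern).match?(password)
end

# Samples accepted by each pattern under the whole-password assumption.
def report
  PATTERNS.map do |name, pattern|
    [name, SAMPLES.select { |pw| accepts_whole?(pattern, pw) }]
  end.to_h
end

# Samples whose verdict changes with the matching assumption; these are the
# cases to test by hand on a non-production console.
def anchoring_sensitive(pattern)
  SAMPLES.select do |pw|
    accepts_whole?(pattern, pw) != accepts_anywhere?(pattern, pw)
  end
end

if __FILE__ == $PROGRAM_NAME
  report.each { |name, ok| puts "#{name}: #{ok.join(' ')}" }
  PATTERNS.each do |name, pattern|
    puts "#{name} depends on anchoring for: " \
         "#{anchoring_sensitive(pattern).join(' ')}"
  end
end
```

Under the whole-password assumption the first pattern rejects every password that begins with 'bigfix', not only the exact string; under the substring assumption 'bigfix1' is accepted.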
passwordComplexityDescription
Specifies a description of the password complexity requirement. This string is displayed to the user when a password choice fails the complexity requirements set using the passwordComplexityRegex option. An example of a password complexity description is "Passwords must have at least 6 characters." If you do not set this value but you set the passwordComplexityRegex setting, the description set in passwordComplexityRegex is displayed to the user.
passwordsRemembered
Specifies the number of unique new passwords that can be set for a user account before an old password can be reused. The default value is "0".

This option was introduced with BigFix V8.2.

maximumPasswordAgeDays
Specifies the number of days that a password can be used before the system requires the user to change it. The default value is "0" (no maximum).

This option was introduced with BigFix V8.2.

minimumPasswordLength
Specifies the least number of characters that a password for a user account can contain. The default value is "6". This is a usage example of this option:
./BESAdmin.sh -setadvancedoptions -sitePvkLocation=LOCATION \
-sitePvkPassword=PASSWORD -update minimumPasswordLength=9

This option was introduced with BigFix V8.2.

enforcePasswordComplexity
If set to '1' or 'true', the passwords must meet the following minimum requirements:
  • They must not contain the user's account name or parts of the user's full name that exceed two consecutive characters.
  • They must be at least six characters long.
  • They must contain characters from three of the following four categories:
        English uppercase characters (A through Z) 
        English lowercase characters (a through z) 
        Base 10 digits (0 through 9) 
        Non-alphabetic characters (for example, !, $, #, %)
If you also specify the minimumPasswordLength setting, then the effective minimum password length is the higher value between six and the value of minimumPasswordLength.

Complexity requirements are enforced when passwords are changed or created. The default value is "0".

This option was introduced with BigFix V8.2.
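The following Ruby script is an added example, not BigFix code: it pre-checks a candidate password against the enforcePasswordComplexity rules listed above, including the effective minimum length when minimumPasswordLength is also set. Two points are interpretations made for this example: "parts of the user's full name" is read as the name split on non-alphanumeric characters, keeping parts longer than two characters, and the fourth category is read as any character that is neither an English letter nor a digit.

```ruby
# Added example: pre-check a password against the documented
# enforcePasswordComplexity rules. Function and symbol names are hypothetical.

BUILT_IN_MINIMUM = 6 # "They must be at least six characters long."

# The four documented character categories.
CATEGORIES = {
  uppercase: /[A-Z]/,
  lowercase: /[a-z]/,
  digit:     /[0-9]/,
  # Assumption: "non-alphabetic" means neither an English letter nor a digit.
  other:     /[^A-Za-z0-9]/
}.freeze

def categories_present(password)
  CATEGORIES.select { |_name, re| password.match?(re) }.keys
end

# Assumption: the full name is split on non-alphanumeric characters and only
# parts longer than two characters are checked; the account name is checked
# as a whole. Comparison is case-insensitive.
def name_fragments(account_name, full_name)
  parts = full_name.split(/[^[:alnum:]]+/).select { |t| t.length > 2 }
  ([account_name] + parts).reject(&:empty?).map(&:downcase).uniq
end

# Returns the list of violated rules; an empty list means the password passes.
def violations(password, account_name:, full_name:, minimum_password_length: 0)
  # Effective minimum is the higher of six and minimumPasswordLength.
  effective_min = [BUILT_IN_MINIMUM, minimum_password_length].max
  lowered = password.downcase
  fragments = name_fragments(account_name, full_name)

  found = []
  found << :too_short if password.length < effective_min
  found << :too_few_categories if categories_present(password).size < 3
  found << :contains_name if fragments.any? { |f| lowered.include?(f) }
  found
end

if __FILE__ == $PROGRAM_NAME
  # Constructed operator and candidate passwords.
  user = { account_name: 'jdoe', full_name: 'Jane Doe' }
  ['Winter#2024', 'JaneRocks1', 'abcdefgh', 'Ab1!xy'].each do |pw|
    puts "#{pw}: #{violations(pw, **user, minimum_password_length: 9).inspect}"
  end
end
```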

accountLockoutThreshold
Specifies the number of incorrect logon attempts for a user name before the account is locked for accountLockoutDurationSeconds seconds. The default value is "5".

This option was introduced with BigFix V8.2.

accountLockoutDurationSeconds
Specifies the number of seconds that an account is locked after accountLockoutThreshold failed logon attempts. The default value is "1800".

This option was introduced with BigFix V8.2.

Note: Web Reports has similar password controls, but they have to be set separately ('Users'->'User Options').

Advanced options for targeting restrictions

Use these advanced options to specify the targeting restrictions globally. If you want to set them for a specific user, add those settings in the registry key of the BigFix Console computer under the hive HKEY_CURRENT_USER\Software\BigFix\Enterprise Console\Targeting as a DWORD.

The options listed in the following table take effect only if the corresponding registry keys are not set on the consoles or if the keys are set to the default values.
targetBySpecificListLimit
Specifies the maximum number of computers that can be targeted by individual selection. The default value is 10000.
targetBySpecificListWarning
Specifies the threshold for the number of computers that can be targeted by individual selection before the console displays a warning message. The default value is 1000.
targetByListSizeLimit
Specifies the maximum number of bytes that can be supplied when targeting by textual list of computer names. The default value is 100000.
Here is the correspondence between the name of the advanced option and the name of the related registry setting:
targetBySpecificListLimit => SpecificListLimit
targetBySpecificListWarning => SpecificListWarning
targetByListSizeLimit => ByListSizeLimit
The following example restricts the SpecificListLimit setting (corresponding to the targetBySpecificListLimit advanced option) to 9000 = 0x2328:
[HKEY_CURRENT_USER\Software\BigFix\Enterprise Console\Targeting]
"SpecificListLimit"=dword:00002328
Note: Do not increase the default values.

Advanced options for authentication

Use these settings to manage user authentications to the console.
loginTimeoutSeconds
Specifies the amount of idle time in seconds before the console requires the user to authenticate again to take certain actions. The timer is reset every time the user authenticates or does an action that would have required authentication within the idle time threshold. The default value is zero on upgrade from a deployment earlier than V8.2; the default value is infinity on a clean install of V8.2 or later.
loginWarningBanner
Specifies the text to show to any user after he/she logs into the Console or Web Reports. The user must click OK to continue. This is a usage example of this option:
./BESAdmin.sh -setadvancedoptions -sitePvkLocation=/root/backup/license.pvk \
-sitePvkPassword=pippo000 -update loginWarningBanner='new message'

This option was introduced with BigFix V9.1.

timeoutLockMinutes
Specifies how many minutes of idle time must elapse before the console requires the user to authenticate again. This setting is different from loginTimeoutSeconds because timeoutLockMinutes hides the entire console to prevent any other user from seeing or using it. The idle time refers to the lack of any type of input to the session, including key presses, mouse clicks, and mouse movements.

This option does not take any effect on the console if an operator accesses it using the Windows session credentials (Windows authentication).

This option was introduced with BigFix V9.1.

timeoutLogoutMinutes
Specifies how many minutes of idle time must elapse before the console is closed. This setting is different from loginTimeoutSeconds and timeoutLockMinutes, because timeoutLogoutMinutes closes the console completely. The idle time refers to the lack of any type of input to the session, including key presses, mouse clicks, and mouse movements.

This option was introduced with BigFix V9.5.11.

Note: The non-efficient MIME advanced option is no longer supported by the BigFix V9.5 server. Existing actions continue to run on clients but the server is no longer able to generate non-efficient MIME actions.

Advanced options for customizing computer removal

By default, inactive computers are not automatically managed by BigFix. They continue to be displayed in the console views unless you mark them as deleted by deleting their entries from the Computers list view, and their data is always kept in the database, filling tables with unused data.

You can modify this behavior by specifying advanced options that mark inactive computers as deleted, hiding them in the console views, and remove their data from the BigFix database.

In this way the console views show only the computers that reported back to the BigFix server within a specified number of days and the database runs faster because you free more disk space.

Use the following options to automatically remove computers from the console and delete their data from the database:
inactiveComputerDeletionDays
Specifies the number of consecutive days that a computer does not report back to the BigFix server before it is marked as deleted. When the computer reports back again, the computer is no longer marked as deleted and an entry for it is shown again in the console views. The default value for this option is 0, which means that inactive computers are never automatically marked as deleted.
inactiveComputerPurgeDays
Specifies the number of consecutive days that a computer does not report back to the BigFix server before its data is deleted from the BigFix database. When the computer reports back again, it is requested to send back a full refresh to restore its data in the database and it is no longer marked as deleted. The default value for this option is 0, which means that computer data is never automatically removed from the database.
inactiveComputerPurgeBatchSize
On a daily basis, BigFix runs an internal task that removes from the database the data of the computers for which inactiveComputerPurgeDays elapsed. The task deletes the computer data, including the computer's hostname, in buffers to avoid potential load to the database. The inactiveComputerPurgeBatchSize value specifies how many computers are cleaned up in the database in each buffer. The default value for this option is 1000. If the computer reports back again, the matching with its entry in the database is done using the computer ID.
Note: Specify the option inactiveComputerPurgeBatchSize if you assigned a value different from 0 to inactiveComputerPurgeDays.

Advanced options for customizing BigFix Query

You can optionally set some parameters to customize the BigFix Query feature.

To avoid using too much space available in the database to store the BigFix Query requests and their results, you can customize the following advanced option in the administration tool on the BigFix server:
queryHoursToLive
Determines how many hours the BigFix Query requests are kept in the database. The default value for this option is 1440, which corresponds to 60 days. Valid values are from 0 to 8760 (1 year).
queryResultsHoursToLive
Determines how many hours the BigFix Query results are kept in the database. The default value is 4 hours, and the valid values are from 1 to 336 (two weeks). If you enter a value that lies outside this range, the default value is used.
queryPurgeBatchSize
The entries in the database that represent requests and results for which queryHoursToLive or queryResultsHoursToLive elapsed, are deleted from the database in buffers. This advanced option determines the number of database entries contained in each of these buffers. The default value for this option is 100000 bytes, which means 100 KB.
These are other configuration settings available to customize the BigFix Query feature:
queryPerformanceDataPath
Defines the path of the log file that stores the performance information about FillDB - server interaction when running BigFix Queries. The default value for this option is none.
_Enterprise Server_ BigFix Query_MaxTargetsForGroups
Determines the highest number of targets that a BigFix Query request, targeted by group, can be addressed to. If the number of targets exceeds the specified value, the BigFix Query request is sent to all clients and each client determines whether or not it is a member of the targeted group. If the number of targets does not exceed the specified value, the BigFix Query request is sent only to clients that are members of the group. You can configure this setting on the BigFix console by selecting the server in the Computers list and clicking Edit settings. The default value for this option is 100.

Other advanced options

Use these options to customize other aspects of your BigFix environment.
automaticBackupLocation
If set to an existing path, accessible both by root and by the database instance owner, by default db2inst1, this option enables the BigFix Server to run automatically the backup of the BFENT and BESREPOR databases before and after running the upgrade process.

This option is available only for Linux BigFix Servers V9.5.3 and later.

For more information, see Automatic databases backup upon upgrade.

clientIdentityMatch
This advanced option can help you to avoid having duplicate computer entries when the endpoints are detected as possible clones by the BigFix Server. Starting from BigFix Version 9.5.7, the BigFix Server can use the existing computer information to try to match the identity of a Client and reassign the same ComputerID to computers that might have been rolled back or restored. To guarantee the correct applicability of this option, it is necessary that the following components are at least at 9.5.7 level:
  • The BigFix Server.
  • All Clients that will apply the option.
  • All Relays that are in the configuration tree between the Clients and the Server.

If clientIdentityMatch=0, the BigFix Server performs strict clone detection. This means that, if the BigFix Server receives a registration request from a Client that was rolled back or restored, the Server invalidates the old ComputerID, resets the old Client definition, and assigns a new ComputerID to the registering Client. This is the default behavior and is the same way the BigFix Servers earlier than V9.5.7 operate.

If clientIdentityMatch=100, the BigFix Server performs an additional check before assigning a new ComputerID to a registering Client to avoid creating cloned computer entries. This means that the BigFix Server tries to determine if the information about the rolled-back Client sufficiently matches the data held for that ComputerID. If the identity of the Client is matched, the Client keeps using the old ComputerID and its identity is not reset.

For more information, see Avoiding duplicates when a Client is restored.

includeSFIDsInBaselineActions
If set to "1", it requires the console to include source Fixlet IDs when emitting baseline actions. Emitting these IDs is not compatible with 5.1 clients.
defaultHiddenFixletSiteIDs
This option allows you to selectively change the default Fixlet visibility on a per-site basis. It only takes effect when global default Fixlet hiding is not in use. You specify a comma-separated list of all the site IDs to be hidden by default. The list of site IDs is in the SITENAMEMAP table in the database.
defaultOperatorRolePermissions
This option allows you to change the default permissions that apply when you create operators and roles. It can take the following values:
  • 0: Operators and roles are created with the default permissions that applied until BigFix V9.5.10.
  • 1: Operators and roles are created with minimum default permissions. The same default settings apply even when you do not set any value.
  • 2: Operators and roles are created with minimum default permissions as in the previous case, except that Show Other Operators' Actions is set to Yes and Unmanaged Assets is set to By Scan Point (for operators). In the case of roles, however, Unmanaged Assets is always set to Show None. The Access Restriction for the operators is set to Always allow this user to log in. The login privilege Can use Console is set to Yes both for operators and roles.
This option was introduced with BigFix V9.5.11.
enableRESTAPIOperatorID
This option allows you to display operator resource URLs with the operator ID instead of the operator name. For example, https://BigFix_Server_URL:52311/api/operator/<Operator_ID>. To enable the option, set it to true or 1.

This option was introduced with BigFix V9.5.10.

showSingleActionPrePostTabs
If set to "1", the 'Pre-Action Script' and 'Post-Action Script' tabs of the Take Action Dialog show up even on single actions.
propertyNamespaceDelimiter
Specifies the separator for retrieved properties. By default, retrieved properties are separated into namespaces by the character sequence '::'. The character sequence used to indicate a separator can be changed using this deployment option.
DefaultFixletVisibility
If set, this option allows you to specify either to make Fixlets, tasks and analysis gathered from external sites globally visible or to make them globally hidden. By default, they are globally visible to all Console operators.
Note: On Windows platforms only, this option is also available in the "System option" tab of the BigFix Administrative tool.
MinimumRefreshSeconds
If set, this option allows you to specify the minimum amount of time after which console operators are allowed to set their automatic refresh interval. This amount of time is specified in seconds. By default, it is set to 5 seconds.
Note: On Windows platforms only, this option is also available in the "System option" tab of the BigFix Administrative tool.
minimumConsoleRequirements
Specifies the minimum requirements that must be satisfied by the machines running the database that the console connects to. Its value consists of a comma-separated list of one or more of the following requirement strings:
"RAM:<min MB MO ram>/<min MB NMO ram>"
Requires that the console runs on a machine with at least the specified amount of physical RAM. Two different values must be supplied; one for master operators and another for non-master operators. Both values must be less than 2^32. For example, "RAM:2048/1024" .
"ClientApproval"
States that the BES Client must determine if a machine is suitable for login. A machine is considered suitable for login if one of the following settings is specified locally:
  • "moConsoleLoginAllowed"
  • "nmoConsoleLoginAllowed"
The console must run as an account with permissions to read the client registry keys stored under HKEY_LOCAL_MACHINE to log in when using the "ClientApproval" option.
actionSiteDBQueryTimeoutSecs
Specifies how long action site database queries can run before the console stops the query (to release its read lock and let any database writers through), and then restarts the query where it left off. If not set, the default value is 60 seconds. If set to "0", the action site database queries never time out.
usePre70ClientCompatibleMIME
If set to "true", the console can create action MIME documents that pre-7.0 clients can understand. By default, it is set to "true" on upgrade and "false" for fresh installs.
disableRunningMessageTextLimit
If set to a value other than "0", the console users can enter more than 255 characters in the running message text in the Take Action Dialog.
useFourEyesAuthentication
If set to "true", you can set the approvers for user actions in the console user document. The approver must confirm the action on the same console where the user is logged on.
masterDatabaseServerID
By default, the database with server ID 0 is the master database. This is the database that BESAdmin needs to connect to. Use this option to change the master database to a different machine.
enableWakeOnLAN
If set to "1", the console shows the "right click WakeOnLAN" functionality in the computer list. By default the functionality is not shown.
enableWakeDeepSleep
If set to "1", the console shows the "right click Send BESClient Alert Request" functionality in the computer list. By default the functionality is not shown. During Deep sleep, all UDP messages except this specific wake up message are ignored.
requireConfirmAction
If set to "1", every time an action is taken a confirmation pop-up window with a summary of the action details is displayed. The information listed in the pop-up window is:
Action Title
Estimated endpoints targeted
Start time
End time
The summary also lists the need for a restart or a shutdown, if the action requires it. By default the confirmation window is not displayed.
Note: When you enable this option, the displayed value for the Estimated targeted computers might not be correct, if you performed the action from a wizard of a BigFix Application such as, for example, Server Automation or OSD.

You must restart the BigFix Console after configuring this option.