What is new in V9.5
BigFix Platform Version 9.5 provides new features and enhancements.
- Patch 25:
- Security vulnerabilities and library upgrades
- The libcURL library was upgraded to Version 8.6.0.
- Patch 24:
- Security vulnerabilities and library upgrades
- The libcURL library was upgraded to Version 8.5.0.
- Patch 23:
- Use “Microsoft Print to PDF” printer driver for exporting PDF reports in Web Reports
- Starting from BigFix Platform 9.5.23, Web Reports can generate PDF reports using the “Microsoft Print to PDF” printer driver. BigFix recommends that you take advantage of this driver by running Task ID 5436. Refer to On Windows Systems for more information.
- Security vulnerabilities and library upgrades
- The libcURL library was upgraded to Version 8.1.2.
- The OpenSSL library was upgraded to Version 1.0.2zh.
- The Xerces library was upgraded to Version 3.2.4.
- Patch 22:
- Security vulnerabilities and library upgrades
- The libcURL library was upgraded to Version 7.88.1.
- The OpenSSL library was upgraded to Version 1.0.2zg.
- Patch 21:
- Security vulnerabilities and library upgrades
- The libcURL library was upgraded to Version 7.86.0.
- The jQuery UI library was upgraded to Version 1.13.2.
- The ICU library was upgraded to Version 54.2.
- Patch 20:
- Added support for BigFix Agent
- Added support for BigFix Agent running on Red Hat Enterprise Linux 9 x86 64-bit.
- Library upgrades
- The libcURL library was upgraded to Version 7.83.1.
- Patch 19:
- Added support for BigFix Agent
- Added support for BigFix Agent running on:
- Windows Server 2022.
- Windows 11 21H2.
- Windows 11 22H2.
- Added support for Active Directory 2016
- Added support for Active Directory 2016 with Forest functional level Windows Server 2016 and Enterprise Certification Authority for BigFix Server running on Windows only.
- Library upgrades
- The libcURL library was upgraded to Version 7.79.1.
- The OpenSSL library was upgraded to Version 1.0.2zd.
- The jQuery UI library was upgraded to Version 1.13.1.
- The zlib library was upgraded to Version 1.2.12.
- Patch 18:
- Security vulnerabilities and library upgrades
- The SQLite library was upgraded to Version 3.34.1.
- The OpenLDAP library was upgraded to Version 2.4.56.
- The OpenSSL library was upgraded to Version 1.0.2y.
- Added support for BigFix Relay, Console and Agent
- Added support for BigFix Relay, Console and Agent running on Windows 10 Version 22H2.
- Added support for BigFix Relay, Console and Agent
- Added support for BigFix Relay, Console and Agent running on Windows 10 Version 21H2.
- Added support for BigFix Relay, Console and Agent
- Added support for BigFix Relay, Console and Agent running on Windows 10 Version 21H1.
- Added property to the operating system inspector
- A new property named "display version" was added to the "operating system" inspector. This property returns the Windows operating system version and returns valid information only for Windows 10 20H2 and later Windows 10 versions.
- Patch 17:
- Library upgrades
- The Curl library was upgraded to Version 7.73.0.
- Added support for BigFix Server and Console
- Added support for BigFix Server and Console running on Windows Server 2019.
- Added support for BigFix Agent
- Added support for BigFix Agent running on:
- MacOS 11 x86 64-bit.
- Windows 10 Enterprise for Virtual Desktops. Note: For Windows 10 Enterprise for Virtual Desktops, the relevance expression "product info string of operating system" returns “Server RDSH”.
- Added support for new database levels
- DB2 Version 11.5.4 / 11.5.5 / 11.5.6 / 11.5.7 / 11.5.8 / 11.5.9 Standard Edition support. Note: Ensure that you upgrade BigFix to Version 9.5 Patch 17 or higher before upgrading DB2 11.5.0 to 11.5.4 / 11.5.5 / 11.5.6 / 11.5.7 / 11.5.8 / 11.5.9.
- Microsoft SQL Server 2019 support.
- New RPM package required
- Note: Starting from Version 9.5 Patch 17, the unixODBC RPM package must be installed for the Server component on Linux systems.
- Patch 16:
- Security vulnerabilities and library upgrades
- The Codejock library was upgraded to Version 19.2.0.
- The YUI library was upgraded to Version 2.9.0.
- The Curl library was upgraded to Version 7.69.1.
- Added support for BigFix Relay running on:
- Red Hat Enterprise Linux Version 8 x86 64-bit on Intel.
- CentOS 8 x86 64-bit.
- Enhanced security of TLS connections with support of Diffie-Hellman (DHE) and ephemeral Elliptic Curve Diffie-Hellman (ECDHE)
- BigFix Platform Version 9.5 Patch 16 HTTPS servers now allow ephemeral Diffie-Hellman (DHE) and ephemeral elliptic curve Diffie-Hellman (ECDHE) for key exchange while continuing to use RSA for authentication. With this feature, new, random asymmetric keys are chosen for each TLS connection and are never written to persistent storage. When the TLS connection terminates, the keys are securely erased. This ensures that, if an RSA private key is ever divulged, that key cannot be used to decrypt any secret exchanged during the TLS sessions.
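The forward-secrecy property described for Patch 16 can be checked on any list of cipher suites a server accepts. The following is an added example, not BigFix code: it classifies OpenSSL-style TLS 1.2 suite names by key exchange and authentication and reports which suites would still let a disclosed RSA private key decrypt recorded sessions. The sample list is constructed and is not BigFix's cipher list.

```python
# Added example, not BigFix code. Names follow OpenSSL's TLS 1.2 suite spelling.

# (name prefix, key exchange, authentication, ephemeral key exchange?)
PREFIXES = [
    ("ECDHE-RSA-", "ECDHE", "RSA", True),
    ("ECDHE-ECDSA-", "ECDHE", "ECDSA", True),
    ("DHE-RSA-", "DHE", "RSA", True),
    ("DHE-DSS-", "DHE", "DSS", True),
    ("EDH-RSA-", "DHE", "RSA", True),      # older OpenSSL spelling of DHE-RSA
    ("EDH-DSS-", "DHE", "DSS", True),      # older OpenSSL spelling of DHE-DSS
    ("AECDH-", "ECDHE", "none", True),     # anonymous: ephemeral, unauthenticated
    ("ADH-", "DHE", "none", True),
    ("ECDH-RSA-", "ECDH", "ECDH", False),  # fixed ECDH key from the certificate
    ("ECDH-ECDSA-", "ECDH", "ECDH", False),
]

# Families this example does not try to classify.
NOT_COVERED_TOKENS = {"PSK", "SRP", "KRB5"}
NOT_COVERED_PREFIXES = ("TLS_", "EXP-", "GOST")


def classify(name):
    """Return (key_exchange, authentication, category) for one suite name."""
    name = name.strip().upper()
    if (not name or name.startswith(NOT_COVERED_PREFIXES)
            or NOT_COVERED_TOKENS & set(name.split("-"))):
        return ("?", "?", "unclassified")
    for prefix, kx, auth, ephemeral in PREFIXES:
        if name.startswith(prefix):
            if not ephemeral:
                category = "static-ecdh"
            elif auth == "none":
                category = "anonymous"
            elif auth == "RSA":
                # The combination the release note describes:
                # ephemeral key exchange, RSA used only to authenticate.
                category = "forward-secret-rsa-auth"
            else:
                category = "forward-secret-other-auth"
            return (kx, auth, category)
    # A valid OpenSSL name with no key-exchange prefix (for example AES256-SHA)
    # uses RSA key exchange: the premaster secret is encrypted to the server's
    # RSA key, so recorded traffic is decryptable if that key is disclosed.
    return ("RSA", "RSA", "static-rsa")


def audit(names):
    """Group suite names by category, preserving input order."""
    report = {}
    for name in names:
        report.setdefault(classify(name)[2], []).append(name)
    return report


def decryptable_with_rsa_key(names):
    """Suites whose sessions a disclosed RSA private key could decrypt."""
    return audit(names).get("static-rsa", [])


# Constructed sample input.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
    "AES256-GCM-SHA384",
    "DES-CBC3-SHA",
    "EDH-RSA-DES-CBC3-SHA",
    "ECDHE-ECDSA-AES128-SHA256",
    "ADH-AES128-SHA",
    "ECDH-RSA-AES128-SHA",
]

if __name__ == "__main__":
    for category, suites in sorted(audit(SAMPLE_SUITES).items()):
        print(f"{category:27} {', '.join(suites)}")
```
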
- Patch 15:
- Security vulnerabilities and library upgrades
- The OpenSSL toolkit level was upgraded to Version 1.0.2u.
- Added support for BigFix Agent
- Added support for BigFix Agent running on Oracle Enterprise Linux 8 on Intel.
- Patch 14:
- Security vulnerabilities and library upgrades
- The libssh2 external library level was upgraded to Version 1.9.0.
- The OpenLDAP external library level was upgraded to Version 2.4.48.
- Added support for new database levels
- IBM DB2 Standard Edition Version 11.5 GA.
- Added support for BigFix Relay
- Added support for BigFix Relay running on Windows 10 Version 20H2.
- Added support for BigFix Console
- Added support for BigFix Console running on Windows 10 Version 2004 and Windows 10 Version 20H2.
- Added support for BigFix Agent
- Added support for BigFix Agent running on:
- SUSE Linux Enterprise 15 PPC 64-bit.
- Red Hat Enterprise Linux 8 x86 64-bit.
- Red Hat Enterprise Linux 8 PPC 64-bit LE on Power 8 and 9.
- Red Hat Enterprise Linux 8 on s390x.
- Ubuntu 18.04 LTS PPC 64-bit LE on Power 8.
- MacOS 10.15.
- Windows 10 Version 1909.
- Windows 10 Version 2004.
- Windows 10 Version 20H2.
- CentOS 8. Note: On CentOS 8, the Client UI might fail to launch.
- Patch 13:
- Relays in DMZ
- You can configure parent relays outside a demilitarized zone (DMZ) to initiate connections to child relays that are within the DMZ network. This means that relay-to-relay communication is always initiated from the parent relay. You can use this feature to avoid opening firewall ports from the DMZ to the internal secure network, which in turn helps harden the security of your environment.
For details, see Relays in DMZ.
- Troubleshoot issues more efficiently by persisting the relay chain on the BigFix Client
- The Relay chain is identified for each client and it consists of a set of Relays involved in the
registration between the client and the server to which the client is registered. With this
feature, you can allow the client to trace the relay chain for each registration and ensure
that the relay information is available on the client side. This helps you troubleshoot
issues related to client-to-server communications more efficiently, and improve the data
reported by the BES Client Diagnostics task.
For details, see Viewing the relay chain on the client.
- Install BigFix agent with IPS format (.p5p package) on Solaris 11
- On Solaris 11, the BigFix agent
installation package is now available as IPS (Image Packaging System), which is the latest
Solaris packaging technology. The old version of the installation package is also still
available. You can therefore choose an installation option that best suits your
requirements.
For details, see Installing the Client on Solaris 11.
- Delete registry keys by using actionscript
- You can now delete not just the values of the registry keys set on the clients, but the keys
themselves as a whole by using actionscripts. This operation also has a 64-bit equivalent. This
feature helps you maintain the Windows registry keys, for example by removing the keys that are no
longer used.
For details, see regkeydelete and regkeydelete64.
- Removal of Adobe Flash Player dependency in Web Reports component
- As a preparatory step to deal with end of support (EOS) of Adobe Flash Player in the year 2020, the Adobe Flash Player dependency was removed from the Web Reports functionality. However, your experience of viewing the graphs remains the same.
- Run queries in client context
- BigFix extends the ability of the
Agent to run queries when submitted through the Fixlet Debugger or REST API. This allows you to run
any relevance for tasks such as troubleshooting or investigations directly from these
interfaces.
For details, see BigFix Query.
- Added support for BigFix Agent on Raspberry Pi
- Added support for running the Agent on Raspbian 9 and 10 on Raspberry Pi 3 models B and B+.
For details, see Raspbian Installation Instructions.
- Added support for BigFix Agent SLES 15 on Intel
- Added support for BigFix Agent running on SUSE Linux Enterprise 15 x86_64 on Intel.
- Security vulnerabilities and library upgrades
- The OpenSSL toolkit level was upgraded to Version 1.0.2r.
- The libcURL file transfer library level was upgraded to Version 7.64.0.
- Patch 12:
- Security vulnerabilities and library upgrades
- In this version, security vulnerabilities were addressed and some libraries were upgraded.
- The OpenSSL toolkit level was upgraded to Version 1.0.2q.
- The jQuery library level was upgraded to Version 3.0.0.
- The jQuery UI library level was upgraded to Version 1.12.1.
- The jqPlot (jQuery plugin) level was upgraded to Version 1.0.9.
- Patch 11:
- Reduce network traffic and relay infrastructure costs by exchanging cached files with peers (PeerNest)
- This version introduces peer-to-peer configuration which will help you reduce the relay infrastructural costs. In a peer-to-peer setup, endpoints in a subnet coordinate their download activities in order to download binaries only once from the relay, thus reducing the network traffic outside of the subnet. With this setup, you can facilitate a faster and direct exchange of binaries between endpoints and remove the need for every client to download the same binary from a relay, allowing the removal of dedicated relays from branch offices.
- Improve real-time visibility by delivering notifications to clients across firewalls through client-established, persistent connections
- The BigFix Query function relies on a UDP based notification where the relay notifies the clients of a new query. Firewalls or NAT may block this notification mechanism. Through the new persistent connection feature, a persistent connection initiated by the client is used by the relay to manage the UDP based notification. This allows the delivery of any type of notification, thus offering a faster alternative to command polling. A persistent connected client also acts as a UDP notification forwarder (proxy) for the other clients in the same subnet which can reduce the number of connections and optimize relay performance. The relay can deliver notifications to clients through client-established, persistent connections.
- Prevent BES server overload and network congestion by defining a fallback relay
- You can now define a fallback relay for your clients when they fail to connect to any relay specified in their settings.
- Simplify the installation and upgrade of the WebUI component including it as part of the BigFix Platform installation
- The installation of the BigFix Platform (both evaluation and production versions) on both Windows and Linux now includes the option to install the WebUI component as well, offering a convenient alternative to the fixlet-based installation. The upgrade of the WebUI component will be executed as part of the platform components update process, and as noted in 9.5.10, the WebUI can now scale to manage 120,000 endpoints from either a Linux or Windows BES Server installation.
- Enhance corporate security by specifying the TLS ciphers that can be used in network communications between the BigFix components and the internet
- Starting in this version, master operators can control which TLS ciphers should be used for encryption. A master operator can set a deployment-wide TLS cipher list in the masthead by using BESAdmin.
- Enhance security and reduce load on the BES root server by automatically shutting down the BigFix Console after a period of inactivity
- Starting in this version, you can control the maximum amount of time to keep an inactive session of BigFix console alive. After the timeout, the BigFix console is closed.
- Enhance the security of your BigFix Server by optionally disabling access to the Internet
- Starting in this version, you can use a configuration setting to control whether your server accesses the Internet to update the license and gather sites.
- Gather WebUI content more securely through HTTPS and in an optimized manner
- WebUI: Gather BES sites with HTTPS by default
- You can gather license updates and external sites by using the HTTPS protocol on a BigFix server or in an airgapped environment. For details, see Customizing HTTPS for Gathering.
- Optimize Gathering from Synch Servers
- The Gathering process has been optimized with more effective handling of Gather errors.
- Establish an increased level of security when creating new users by assigning them minimal permissions
- When you create users, they are assigned minimum permissions (read-only) by default, which offers an additional level of security.
- Enhanced security and visibility with more detailed server audit logs
- The server audit logs now include the following items:
- Messages for deletion of computers from the console or through API
- Messages for deletion of actions
- Audit entries are presented in a single line and contain the same number of field delimiters. Field delimiters are present even if no value exists for a specific field. Since the format of the audit fields is subject to change over time, each line has a version number as the first entry. The current format includes texts from existing audit log messages (which are in old format) and presents them in the last field.
The server generates audit logs for two new events: the deletion of an action and the removal of a computer.
- Reduce the costs of managing relay infrastructure through a new Dashboard that summarizes relay health across the entire network
- You can now monitor the status of your relays across the entire network by using the Relay Health dashboard. The Relay Health Dashboard shows you specific details about the relays in your BigFix environment.
- Configure the default behavior of Timeout Override on clients
- Starting in this version, you can define the default behavior for timeout and disposition on a specific client for all the programs or processes triggered by any wait or waithidden commands, unless it is specified differently in an override section of that specific wait or waithidden command definition.
- Optimize and accelerate Platform REST API interactions
- You can now control and reduce the number of fields returned by a REST request by using the ?fields= parameter to limit the fields returned for a given resource when using the API resources /api/actions and /api/action/{action id}/status.
- Accelerate fixlet creation and testing by using the FastQuery interface in Fixlet Debugger
- Fixlet Debugger is extended to use FastQuery interface in addition to Local Fixlet Debugger Evaluator and Local Client Evaluator. You can choose a remote endpoint to evaluate relevance.
- Save time when working in tight maintenance windows by enabling group actions to start before sub action downloads are available
- Group actions with pre-cached downloads now start without requiring all sub-action downloads to be available on the client, provided the downloads for the first relevant sub-action are available. Additionally, the server and relay caches are primed by continuing with as many download requests as possible even under a 'disk limited' constraint.
- Other Enhancements
- Improved documentation on configuration settings. For details, see BigFix Configuration Settings.
- Added changes to the client component for enabling a new version of the self-service application (SSA).
- Added support for running Agent and Relay on Windows Server 2019.
- Patch 10:
- CDT Key file option and custom installation path
- When installing the BigFix clients
from the Client Deploy Tool (CDT) Wizard, you can access the target computers through the SSH key
authentication. You can also specify for the Windows target computers a custom installation path, if
you do not want to use the default installation path.
For more information, see Deploying clients from the console.
- TLS-encrypted SMTP connection for Web Reports
- When setting up an email address from Web Reports, you can upgrade the SMTP connection to
TLS.
For more information, see Setting Up Email.
- Windows authentication leveraged in command line utilities
- You can use your Windows credentials to authenticate to BigFix utilities such as the PropagateFiles.exe
tool and the IEM CLI.
For more information, see Creating special custom sites whose name begins with FileOnlyCustomSite.
- Windows performance, efficiency, and maintenance improvements
- The FillDB configuration was modified to permit more efficient database bulk insert and update operations. Given that FillDB is responsible for pushing client reports into the database, this results in a more responsive and more efficient BigFix.
- The Microsoft SQL Server configuration was updated to provide improved concurrency and scalability options for BigFix.
- The BigFix provided Microsoft SQL Server index management scripts were rewritten to ensure indexes are better managed, with improved fault tolerance while consuming fewer system resources and reducing application impact. This has a positive impact on the long term performance, scalability, and stability of BigFix.
- Added support for BigFix Agent SLES 11 and 12 on Power 9
- Added support for the following BigFix Agents:
- SUSE Linux Enterprise 11 PPC on Power 9 (P8 compatibility mode)
- SUSE Linux Enterprise 12 PPC on Power 9 (P9 mode)
- Added support for BigFix Agent on Mac OS 10.14
- Added support for BigFix Agent on MacOS 10.14. Note: On Mac OS Mojave Version 10.14 or later, some default security settings restrict access to certain folders in the user's library, which in turn might affect custom content. For more information, see Client requirements.
- 64-bit enablement for the Mac OS agent
- The Mac OS agent binaries are now 64-bit applications.
- Changes in the disaster recovery, hardware migration and roll back procedures
- The changes introduced by some of the security enhancements have an impact on the disaster recovery, hardware migration and roll back procedures. For more details about these procedures, see:
- Changed signing key for the Red Hat installation packages
- Starting from BigFix Version 9.5.10,
the Red Hat RPM packages for Server, Agent and Relay are signed with a new PGP key, different than
the one used in Version 9.5.9. Also the CentOS BigFix Agent and Relay use the same Red Hat
binaries. The same applies to Oracle Linux BigFix Agent.
For more information, see Red Hat Installation Instructions.
- Patch 9:
- Added signature to the Red Hat installation packages
- Starting from BigFix Version 9.5.9,
the Red Hat RPM packages for Server, Agent and Relay are signed with a PGP key. Also the CentOS
BigFix Agent and Relay use the same Red
Hat binaries. The same applies to the Oracle Linux BigFix Agent.
For more information, see Red Hat Installation Instructions.
- Ability for endpoints to constrain the download action if the Agent is not connected to the designated (preferred) Relay
- BigFix 9.5.9 introduces the capability to prevent actions that require downloads from starting when the BigFix Agent is not connected to a preferred Relay. In this scenario, you can prevent actions from running if the total size of the downloads associated with the action exceeds a configurable value.
For more information, see Download.
- Ability for Web Reports to restrict access to some properties
- BigFix 9.5.9 introduces a new client setting that allows you to configure a list of properties that are blacklisted for Web Reports. With this setting, you can prevent reporting on large or privacy-sensitive data and limit memory usage.
For more information, see the _WebReports_Properties_Blacklist setting in Web Reports.
- Improved Relay scalability by supporting 5000 endpoints per Relay
- BigFix leaf relays for the Windows
and Linux platforms can be configured now to manage up to 5000 endpoints.
For the implementation guidelines, see the BigFix capacity planning guide: BigFix Performance and Capacity Planning.
- Added support for AIX 7.2 on Power 9
- Added support for BigFix Agent and Relay on AIX 7.2 on Power 9.
- Patch 7:
- New database offered during the installation
- When performing a fresh installation of BigFix Server Version 9.5 Patch 7, if no database engine is detected, you can choose whether to install Microsoft SQL Server 2016 SP1 Evaluation or to manually install another SQL Server version. The provided evaluation version is valid for 180 days.
- Patch 6:
- Security enforcement enhancements
- Two new masthead parameters, minimumSupportedClient and minimumSupportedRelay, are added to enforce a higher level of security in the deployment. For more information, see BESAdmin Windows Command Line for Windows servers, or BESAdmin Linux Command Line for Linux servers.
- New security check on Fixlet/task content
- A new security check was added to parse the content of the imported or generated Fixlet and tasks, and identify the existence of possible script content. If such content is detected, a Warning Panel is displayed to the Console Operator.
- OpenSSL Initialization changes
- Starting from 9.5.6, each BigFix component initializes OpenSSL in FIPS Mode based on the existence of the client setting _BESClient_Cryptography_FipsMode, and the client masthead.
- Default status of Relay Diagnostic page changed
- On both the Server and the Relay components, the Relay Diagnostic page is now disabled by default. The Relay Diagnostic page can be enabled again by setting _BESRelay_Diagnostics_Enable = 1 on those components.
- Additional changes
- Resigning of Mac Clients with new certificates
- Console Qualification for Windows 10 Creators Update
- Patch 5:
- Enablement for the BigFix Detect application
- Client Deploy Tool enhancements
- Enabled the agents distribution on all supported platforms by using a new Fixlet
- Enabled the distribution of the old agent versions, including agent versions that are no longer supported in BigFix Version 9.5
- Added capability to run Fixlet actions as a specific user and to specify the context for the actions
- Specified under which specific user context a specific action must be run on the endpoint
- Airgap tool enhancements
- Added capability to gather information on external sites without accessing a BigFix server in a secure deployment
- Added file download capability
- Enhanced the FillDB component to process agent reports by using a multi-thread approach
- Improved BigFix Platform performance by leveraging multi-core server resources
- Added capability for a Non-Master Operator to stop other Non-Master Operator actions
- Enhanced the BigFix evaluation installation to avoid ripping and replacing the BigFix deployment if transition to production license is needed
- Improved the user experience for "Try and Buy" scenarios and promoted the evaluation environment to production environment without installing again
- Enhanced the REST API for Baseline support
- Enabled REST API to perform major baseline functionality available on the console
- Enhanced the BigFix agent application usage summary inspector
- Collected the process executable path
- Enhanced the Mac OS version of BigFix agent and inspectors
- Detected applications installed into the /Library path
- Improved Wi-Fi inspectors
- Leveraged spotlight search when using inspectors for searching Mac installed applications
- Enabled the process inspectors to report the process path name
- Improved the BigFix database layer to enable direct access from Web UI
- Enabled the Web UI not to depend on ETL and ensured backward compatibility with current Web UI versions still leveraging ETL
- Improved the Web UI scalability and performance
- Enhanced the Client UI end-user experience
- Made running message dialog optionally not dismissible
- Made running message dialog optionally topmost
- Enhanced the Self Service application enablement
- Allowed REST API blocking "action-ui-metadata" mime field included in the baseline and MAG definition
- Added timestamp information of when the offer was issued in the Offer Available message
- Security enhancements
- Changed non-FIPS OpenSSL Windows library to use ASLR
- Created native Red Hat Enterprise Linux (RHEL) Version 6 based agent and relay to allow the client installation when the operating system is in FIPS mode
- Patch 3:
- Enablement for Remote Web UI deployment
- You can deploy the Web UI on a remote endpoint rather than on the BigFix Server.
- Enablement for BigFix Query enhancements
- You can target BigFix Query requests to dynamic groups.
- Enablement for BigFix Software Distribution enhancements
- You can use the Self-Service catalog from the Client UI when using the SWD application.
- Enablement for DB2 HADR
- You can run the database backup without requiring the shutdown of the BigFix Server.
- Enablement for BigFix Patch enhancements
- A new inspector is added to the set of Client inspectors to allow the Patch application to discover broken filesets on AIX agents.
- Added support for new platforms and database levels
- Microsoft SQL 2016 support
- Tiny core Linux support for relay.
- BigFix agent now supported on:
- SUSE Linux Enterprise 12 on Power 8 Little Endian
- Ubuntu 16.04 on Power 8 Little Endian
- Windows Server 2016 and System Center 2016
- Windows 10 Anniversary Update
- Mac OS 10.12 (Sierra)
- Migrated BigFix Platform manuals to the new BigFix Developer site
- The content of the following manuals was reworked, improved, and migrated to the BigFix Developer
website, the new repository for the BigFix Platform development and
customization documentation:
- Relevance Guide
- Action Guide
- API Reference Guide
- Additional enhancements
- SHA-2 signing certificate for Windows binaries
- Capability to install and run the Web Reports as a non-administrative user.
- Patch 2:
- BigFix Query
- You can use this function to retrieve information and run relevance queries on client workstations from the WebUI BigFix Query Application or by using REST APIs. This function is available only for BigFix Lifecycle or BigFix Compliance Version 9.5 Patch 2 or later licenses. For more information, see Getting client information by using BigFix Query.
- Version 9.5
- Unicode support
- BigFix Platform V9.5 gathers data from BigFix clients deployed with different code pages and languages, encodes the data into UTF-8 format, and reports it back to the BigFix server.
- HTTPS gathering
- You can gather license updates and external sites via the HTTPS protocol on a BigFix server or in an airgapped environment.
- SAML V2.0 integration
- Single-sign-on and CAC/PIV authentication support for BigFix LDAP operators connecting to the console.
- Database cleanup tools
- You can use the BESAdmin interface or the BESAdmin command line to remove data about computers, custom Fixlets, properties, analyses, and actions and to update the PropertyIDMap table with changes.
- FillDB log rotation
- It is active by default with LogFileSizeLimit set to 100 MB.
For more information about the changes and the enhancements introduced with V9.5, see https://bigfix-wiki.hcltechsw.com/wikis/home?lang=en-us#!/wiki/BigFix%20Wiki/page/Change%20and%20Release%20Notes.