BigFix

WebUI User's Guide

Special notice
Before using this information and the product it supports, read the information in Notices (on page
134).
Edition notice
This edition applies to version 10.0.1 of BigFix Insights and to all subsequent releases and
modifications until otherwise indicated in new editions.
Contents

Chapter 1. Welcome.............................................................................................................................1
Chapter 2. Meet the WebUI............................................................................................................... 2
Overview Page............................................................................................................................... 2
Navigation Bar............................................................................................................................... 3
List Views...................................................................................................................................... 4
Document Views............................................................................................................................ 5
Filters and Search Tools................................................................................................................ 6
Text Search.....................................................................................................................................7
List Controls...................................................................................................................................8
Select All........................................................................................................................................ 9
Permissions and Their Effects..................................................................................................... 10
WebUI Workflow and Deploy Sequence.................................................................................... 10
Reports..........................................................................................................................................11
Chapter 3. Get Started with Devices............................................................................................... 14
The Device List............................................................................................................................14
Device Documents....................................................................................................................... 16
Send a File................................................................................................................................... 18
Send Messages to Devices...........................................................................................................21
Chapter 4. Get Started with Patches............................................................................................... 23
The Patch List.............................................................................................................................. 23
Patch Documents..........................................................................................................................25
Chapter 5. Get Started with Patch Policy.......................................................................................27
Patch Policy Overview.................................................................................................................27
The Patch Policy List...................................................................................................................28
Create a Patch Policy...................................................................................................................29
Patch Policy Documents.............................................................................................................. 36
Monitoring Deployed Policies..................................................................................................... 38
Patch Policy Operations: Task Reference................................................................................... 39
Chapter 6. Get Started with Software.............................................................................................44
The Software Package List.......................................................................................................... 44
 Contents | v

Software Documents.................................................................................................................... 45
Software Catalog Operations....................................................................................................... 46
Add a Software Package......................................................................................................47
Edit a Software Package...................................................................................................... 51
Delete a Software Package.................................................................................................. 51
Chapter 7. Get Started with Custom Content................................................................................ 52
The Custom Content List.............................................................................................................52
Custom Content Documents........................................................................................................ 52
Creating Custom Content.............................................................................................................53
Editing Custom Content...............................................................................................................56
Chapter 8. Get Started with BigFix Query.....................................................................................58
Running a sample query.............................................................................................................. 64
Building a query...........................................................................................................................67
Managing parameters in queries.................................................................................................. 68
Chapter 9. Take Action: The Deploy Sequence..............................................................................71
Deploy Sequence Summary......................................................................................................... 71
Deploy Procedure......................................................................................................................... 71
Configuration Options..........................................................................................................73
Chapter 10. Get Started with Deployments.................................................................................... 76
The Deployment List................................................................................................................... 76
Deployment Documents............................................................................................................... 78
Monitoring Deployments: State, Status, and Result....................................................................78
Device Results......................................................................................................................78
Deployment Status............................................................................................................... 80
Deployment State................................................................................................................. 80
Evaluating Deployments With Multiple Actions.................................................................81
Stop A Deployment......................................................................................................................81
Chapter 11. Get Started with the Content App..............................................................................83
Chapter 12. Getting Started with the Modern Client Management............................................. 90
Managing BigFix MDM.............................................................................................................. 91
Health Checks...................................................................................................................... 91
MDM Permissions................................................................................................................93
Device Inventory.................................................................................................................. 94
Contents | vi

Deploying MDM policies.................................................................................................... 96

Deploying MDM actions..................................................................................................... 98
Deploying BigFix Agents.................................................................................................. 101
Managing MDM policies................................................................................................... 103
MDM Use Cases........................................................................................................................ 110
Chapter 13. Extending BigFix management capabilities............................................................. 113
Managing cloud plugins.............................................................................................................114
Installing the plugin portal.................................................................................................114
Installing cloud plugins......................................................................................................115
Working with cloud plugins.............................................................................................. 115
Installing BigFix Agent on cloud discovered devices....................................................... 117
Chapter 14. Glossary....................................................................................................................... 121
Chapter 15. Support........................................................................................................................ 133
Notices................................................................................................................................................ 134
Index.............................................................................................................................................
Chapter 1. Welcome
Welcome to BigFix WebUI. The WebUI delivers a powerful set of functions for BigFix operators.
It simplifies BigFix workflow, speeds access to data, and improves flexibility, visibility, and
performance.
Only minimal BigFix experience is needed to learn and use the WebUI. A browser, the WebUI URL,
and a BigFix user name and password are all that is required. Supported browsers include the latest
versions of Edge, Safari, Firefox, and Chrome.
Administrators and operators familiar with the BigFix console will find a useful introduction to the
WebUI in this guide. For information about installing and administering the WebUI, see the BigFix
WebUI Administration Guide.
To open the WebUI use the URL provided by your administrator and enter your BigFix user name
and password. Single Sign On users will bypass the BigFix login screen and authenticate through
their service provider. Following a successful login the BigFix Overview displays.

Note: The look of the BigFix interface is changing. We are in the process of updating the
graphics in this guide to reflect the new colors and theme. Thank you for your patience as we
complete this work.
Chapter 2. Meet the WebUI
Take a quick tour of the WebUI screens, controls, and workflow.
A detailed description of each of the main WebUI screens, including the Deploy Sequence and its
options, begins in Get Started with Devices (on page 14). For an introduction to BigFix terms and
concepts, see the Glossary (on page 121).

Overview Page
The WebUI Overview provides a summary of your environment. Its interactive charts and rich set of
links make it easy to move quickly to areas that require immediate attention.
Refresh the screen to see the latest data. In WebUI, the Overview page is the default landing page.
Display it from any WebUI screen by clicking on the BigFix logo on the WebUI navigation bar.

Operator permissions and site and role assignments govern which page and data elements display
on WebUI pages. For example, an operator who does not have access to the Software Distribution
component will not see the Add Software button on the Overview. Only Master Operators can edit
the active dashboard to customize. For more information, see Permissions and Their Effects (on page
10).
 BigFix WebUI User's Guide | 2 - Meet the WebUI | 3

The Executive Dashboard provides information of particular interest to IT Officers, Security

Officers, and Analysts. To display it click the Overview button beneath the navigation bar and
select Executive Dashboard. Use the Overview button to move between dashboards. For more
information about the Executive Dashboard and its tiles, see the WebUI Administration Guide.
After installing the cloud plugins and discovering the cloud resources, you can see the summary of
your cloud devices in WebUI Overview under Cloud Dashboard. To display the dashboard, click the
Overview button beneath the navigation bar and select Cloud Dashboard. This dashboard contains
tiles for monitoring the amount of cloud resources in your environment, with or without an agent
installed, and their distribution by type and region. Click any bar chart to open the Devices (on page
14) page, which lists that subset of resources, where the filters BigFix Agent Status and Managed
by are pre-selected.
WebUI sessions close automatically after a period of inactivity. If your session expires, you will be
returned to the page that you were on the next time you log in.

Note: When a tile on a dashboard takes over 10 seconds to load, load time details appear on the
tile. Click Close to clear the message. Factors that can influence response times include changes to
hardware, to the number of endpoints, and the amount of data you have access to.

Navigation Bar
Use the navigation bar to access the Overview, Device, and Deployment screens as well as to access
different applications under Apps. Use the controls in the filter panel to refine list results.
Following is a list of patches – a flexible, searchable index of every patch document.
BigFix WebUI User's Guide | 2 - Meet the WebUI | 4

Links throughout the WebUI provide shortcuts between views.

List Views
List views show your BigFix environment in directory form: a flexible, searchable index of devices,
deployments, and content.
Click the title on a card to open the corresponding document. (To preview a title too long for its card,
hover over it with the mouse.) To take an action, for example, to deploy a patch or target a device,
highlight its card and click the Deploy button. For more information, see Take Action: The Deploy
Sequence (on page 71).
 BigFix WebUI User's Guide | 2 - Meet the WebUI | 5

Document Views
The WebUI’s document views present detailed information about a particular device, deployment, or
piece of content. Use document navigation links to drill down into the data on associated views. The
diagram shows a patch document.

Key details are summarized in the right side panel; the Deploy button appears on all device and
content documents.
The following is an image of a device document Properties view. Use the tabs to display additional
views.

• Deploy: Click this button to deploy content to the device

• More: Click this button to issue a query, send a file, or send a message to this device
BigFix WebUI User's Guide | 2 - Meet the WebUI | 6

Filters and Search Tools

Use the WebUI filters to reduce a long list to a short list of specific items.
For example, filter the Software list by Operating System to see software for OS X computers.
Combine filters, for example, to find expired deployments issued by a specific operator at particular
time.

• Click Collapse All to collapse the filters or Expand All to expand the filters and view all the sub
filters
• Click Reset Filters to clear all selected filters
• Combine filters to speed up a search
• Click in a text field to select from a list of options or type the first few letters of your search
string
 BigFix WebUI User's Guide | 2 - Meet the WebUI | 7

The list of active filter groups are displayed across the top of the list.

Text Search
Use a text search to find items based on words or characters they contain. For example, search the
Device list for “2” to find every device with the character “2” in its name.
BigFix WebUI User's Guide | 2 - Meet the WebUI | 8

Use a multiple word search to find any items that contain those terms. For example, results for a
search for “MS13-035 Vista” would include the patch “MS13-035 MSHTML Security Vulnerability
Vista”. Searches are not case-sensitive. For example, a patch list search for the word “advisory”
returns patches with either “advisory” or “Advisory” in their name.
Wildcard searches, and searches for text within the body of a document, are not currently supported.

List Controls
Sort a list, adjust the number and appearance of list items, and move between pages with the list view
controls.

• Sort by – Place items you want to see first at the top of the list
• View – Adjust the number of records shown
• Show/Hide Details – Fit more items on a page
• Pagination controls – see the current page number, number of pages, and move between pages
 BigFix WebUI User's Guide | 2 - Meet the WebUI | 9

Select All
The Select All check box selects or clears every item on a page.

• Select or clear all items on a single page

• Select or clear every item on a page
• Deploy button shows your cross-page total
• Selections remain in effect when move between pages
BigFix WebUI User's Guide | 2 - Meet the WebUI | 10

Permissions and Their Effects

The elements that are shown on a WebUI screen reflect the permission levels of the user, and the
device, site, and group assignments set for them by the BigFix administrator.
For example, an operator responsible for patching Windows machines might not see Linux patches
in their patch list or Linux machines in their device list. An operator who deploys software but does
no patching might not see the Patch content or Custom content options in the Content submenu. For
more information about permissions and their influence on WebUI screens and data elements, see the
BigFix WebUI Administrators Guide.

WebUI Workflow and Deploy Sequence

To deploy means to dispatch content to one or more endpoints for execution. You can start a
deployment two ways: by selecting content and targeting one or more devices, or by selecting
devices and targeting the content that you want to deploy.
Start a deployment from any device or content screen, or from the Overview page.
Here is an overview of the process. For details, see Take Action: The Deploy Sequence (on page
71).

1. Select devices or content for deployment.

2. Select content or device targets.
3. Configure any deployment options.
4. Review selections and deploy.
 BigFix WebUI User's Guide | 2 - Meet the WebUI | 11

• Track your progress through the different tabs of the Deploy sequence
• Target specific devices by name, DNS, or IP addresses by clicking the link Manually Target
Devices
• Review your selected patches and make changes by clicking the link Selected Patches
• Review your selections and make changes by clicking the link Targeted Devices
• Use the search, sort, and filtering tools to locate devices and content.

Reports
With WebUI Reports, you can create custom reports to obtain more specific information about
devices, patches, and deployments of the endpoints.

Important:

• Master Operators and Non-Master Operators can create and save reports.
• Master Operators can view/edit/delete all reports, including the private reports created by other
users.
• Non-Master Operators can:
◦ view all the public reports and their own private reports
◦ edit/delete their own reports

Creating a report
To create a new report

1. Open Devices, Deployments or Patches page.

2. Select the desired filters; a list of relevant items matching your filter criteria is
displayed.
BigFix WebUI User's Guide | 2 - Meet the WebUI | 12

3. Click Save Report.

4. In the Save Report window:
a. Enter the Report Name.
b. Enter Description of the report (optional).
c. Set the Visibility as Private or All Users to restrict who can view your
reports.
d. A link for the report is auto-generated. Click Copy Link to copy the link
and directly access the report through a browser.
5. Click Save.

Working with saved reports

 BigFix WebUI User's Guide | 2 - Meet the WebUI | 13

• View: You can view the list of saved public and private reports depending on the
user role. To view, from the WebUI main page, click Reports.
• Favorites: Mark a report as your favorite report and quickly access it from the

Devices, Deployments or Patch page as applicable. To do that, click next to

the desired report.
• Sort: You can sort the reports by Name, Content, Last Accessed, Last Modified,
or Owner.
• Edit: You can edit report name, description, and/or visibility. To edit, select the

desired report and click . To edit the visibility of multiple reports, select the
desired reports and click the Edit button.

• Delete: To delete a single report, just click . To delete multiple reports,

select the reports that you want to delete and click the Delete button.

• Undo delete: You can retrieve the last deleted report by clicking that appears
immediately after deleting the report.

Note: This option appears only for a short time, and you can retrieve only
during this time.
• Update:
1. Click on a report to view it.
2. Modify the filters, sort by, or view properties; the Update button appears.
3. Click Update. The report is updated and saved.
Chapter 3. Get Started with Devices
Use the Device screens to view and manage all the devices in your environment as determined by
your permission levels. You can find specific devices, access device documents, select devices for
deployment, generate and export device reports and do much more.
Cloud devices
BigFix 10 brings you the capability to manage your physical and virtual endpoints on
cloud (public, private, and hybrid) securely and cost-effectively. If you have the cloud
plugins enabled, you can view cloud resources with or without the native BigFix
Agent installed.
Modern Client Management (MCM) devices
BigFix 10 enables you to control modern clients in your environment with enhanced
security through MCM policies and actions. If you have the MCM plugin enabled,
you can enroll the devices for MCM and manage through BigFix WebUI. For more
information, refer to Getting Started with the Modern Client Management (on page
90).
To avoid duplication and to streamline management of devices, when BigFix discovers a device,
it determines if it is unique and adds an icon representing the type of the device (native, cloud, or
MCM). If a device has more than one representation/icon, it is called a correlated device.

Related concepts

• The Device List (on page 14)

• Device Documents (on page 16)

The Device List

View a list of BigFix managed devices, create customized device reports, and review the detailed
information about each device to effectively and proactively monitor the health and activity of
endpoints.
To access the Devices page, from the WebUI main page, click Devices.
Operator permission settings, connected devices, and site assignments govern the list contents.
 BigFix WebUI User's Guide | 3 - Get Started with Devices | 15

• Search: Use the Search feature to search devices by name.

• Sort: You can sort the list by:
◦ Relevant Count
◦ Last Seen
◦ Device Name
• Refine results:
◦ Relevant Devices: See a list of relevant devices with or without critical patches.
◦ Status: A machine with a BigFix lock on it does not run BigFix actions until it is
unlocked.
◦ Most Recent User: See a list of devices used by a specific person with the Most Recent
User filter. If a device has one user account, the device holder is listed. If a device has
multiple user accounts the last person to log on is listed.
• Save Report
◦ Save the report for future reference and edit, update, or delete as required. For more
information, see Reports (on page 11).
• Show Summary
1. In the Devices page, select the required filters.
2. Click Show Summary. You can view the summary of all the filtered devices as charts and
tables. Mouse over the interested areas on the chart to get more details about the respective
data point and the percentage data. Mouse over on any truncated labels to see the full
text in the tooltip. You can change filters or enter search text and the report dynamically
displays the relevant information.
◦ Device Type By Report Time: Displays the total number of unique devices reported
over a period of time against every device type.
◦ By Operating System: Displays total number of devices from each operating system.
The table is sorted alphabetically by OS names.
◦ By Largest Group: Displays up to the 10 largest computer groups along with the
device counts that are relevant as per filter and search criteria.
• Export
1. In the Devices page, select the required filters.
2. Click Export To.
3. Select CSV to save the report as a CSV file or XLSX to save as an Excel spreadsheet.
BigFix WebUI User's Guide | 3 - Get Started with Devices | 16

◦ By default, the report gets downloaded into your Downloads folder with the default
file name (Device_Report_mm_dd_yyyy_username). You can change the download
settings in your browser to change the file name and download it into a preferred
location. You can save the report to review it later and/or share it with interested
stakeholders.
◦ The exported device report contains key details about your managed devices that you
have selected through the filters and search criteria. The details include the operating
system, device type, IP address along with all the other details that you can see on the
screen when you expand every device. A sample report is shown below:

Device Documents
Click a device name to see its properties, status, relevant content, deployment status, and history.
Drill further into device details by using the associated views.
As a BigFix Operator, you can view the Device document. Device document provides information
gathered from various devices. If it is a cloud instance, you see data related to cloud as well on this
page. To narrow down the search to cloud devices, you can use filters such as BigFix Agent Status
(Installed or Not installed) or Managed by (Cloud and which Cloud provider).

The Device document views:

 BigFix WebUI User's Guide | 3 - Get Started with Devices | 17

• Properties – Detailed description of the device.

• Custom – Custom content relevant to this device.
• Patches – Patches relevant to this device.
• Software – Software relevant to this device.
• Deployments – Deployment history for this device.

An operator’s permission settings govern the views that are displayed. For example, an operator
without access to custom content cannot see the Custom view. An operator without access to the
Query application cannot access the Query option on clicking More.

• Critical Vulnerabilities – High severity patches available for this device.

• Last Seen – The amount of elapsed time (minutes, hours, days) since a device last reported to
BigFix.
• Add/Remove Properties – Display the list of available properties and select the ones that you
want to appear in the device properties view.

• Add Property Group – Customize the Device Properties view by adding or removing sets of
property data from the page.

• Filter Deployment by Status – On the Deployments view, filter the list using Status.
BigFix WebUI User's Guide | 3 - Get Started with Devices | 18

Send a File
You can upload, list, delete your files and send a file to multiple devices from your file system.

• The operator must have the following permissions:

◦ Can Create Actions
◦ Custom Content
• SWD must be running and the operator must have access to it.

This section explains you on how to upload a file, send a file to target devices, and delete a file from
the list.
Upload files
To upload a new file into the server:

1. From the Devices page, click More and select Send file.
 BigFix WebUI User's Guide | 3 - Get Started with Devices | 19

The Files page is displayed that lists all the files that are already uploaded by the
user.
2. Click Upload, navigate to and select the file you want to upload, and click Open.
• The file upload starts and you can see the status of the upload in the
progress bar.
• If you want to cancel the upload, click the red x icon next to the progress
bar.
Once the file is uploaded, the file list is updated and the uploaded file becomes
available to be sent on target devices.

Note: If you are using Microsoft Edge browser to upload a file, ensure
you are using the MS Edge version 18.18218 or later. With earlier versions of
Microsoft Edge, the progress bar does not show the file upload status; however,
the file list gets updated with the uploaded file.

When the file is uploaded, it is saved in the default path. To change the default
path:
a. Click the link DEFAULT_PATH against the file for which you want to
change the default path.
b. In the Destination file path window:

i. Enter the desired path

ii. Select the option Overwrite if the file already exists on target if
necessary.
c. Click Ok.
The specified path is set as the destination path.
BigFix WebUI User's Guide | 3 - Get Started with Devices | 20

Send a file
You can select a file and send it to one or more selected devices.
Prerequisites: The user permission required to send a file are Create Action and
Custom Create
To send a file to one or more destination devices:

1. In the Devices (on page 14) page, from the list of devices, select one or more
destination devices to which you want to send a file.

Important:
• Select at least one destination device.
• If you want to select more than one device, then select devices that belong
to the same operating system.
2. Click More and select Send file.
3. From the list of files, select a file to transfer.

Important: You can send only one file at a time.

Note: You can search and find a file; sort by upload date, file name, or file
size.

a. Devices Targeted – This displays the number of devices selected. Click this
button if you want to modify your device selection.
b. Settings – Click this button to define file transfer settings:

• Request expires in – Select a time period from the drop-down list

within which the file can be transferred to the destination devices.
After this time period, the file transfer request expires and the file
cannot be transferred.
• Stagger deployment start times to reduce network load – Select this
option if you want to reduce network load.
• Default destination path – Specify the default destination path where
you want to transfer the file in all selected devices.
4. Click Send.

After successful transfer, the file becomes available in the destination devices at the
default path set.
 BigFix WebUI User's Guide | 3 - Get Started with Devices | 21

Delete
To delete files from the server, from the list of files, select one or more files and click
Delete.

Note: When a file is removed, only the reference of the file is removed.

Send Messages to Devices

Using Send Messages feature, you can send a short message notification to multiple selected devices.
You can determine if the message is read by the end user and also configure to automatically delete
messages from the target devices after a specified number of days.

• The operator must have the following permissions:

◦ Can Create Actions
◦ Custom Content
• SWD must be running and the operator must have access to it.
• Target devices must have SSA 3.1.0 or later installed with Messages tab setting enabled.

To send message notifications to selected target devices, perform the following steps.

1. Open the Devices tab.

2. In the Devices page, from the list of devices, select one or more devices to which you want to
send the message.

3. Click More and select Send message from the drop-down.

4. In the Send message window, enter your subject and message in the relevant sections.
BigFix WebUI User's Guide | 3 - Get Started with Devices | 22

Note:
• You can enter up to 240 characters including the subject line.
• You can format your content using the formatting options in the toolbar.
• You can copy/paste HTML code into the editor and/or save your message as HTML code.

5. Click Send.
• When the message is sent, a success message is displayed and the relevant action is created
for the message sent. If the target device is not installed with SSA 3.1.0 or later, then the
message cannot be delivered and the status of this action becomes not relevant.
• When the user reads the message, the status of the action becomes completed. With this,
the operator can determine if the message is read by the end user.
• To automatically delete messages from the target device user's SSA Message tab after a
specified number of days, message expiration days can be set through the WebUI Server
setting _WebUIAppEnv_NOTIFICATION_EXPIRATION_DAYS.
Chapter 4. Get Started with Patches
Use the Patch screens to list patches, find specific patches, and view detailed patch information
including known issues, vulnerable devices, and deployments.

The Patch List

View a list of all patches, create customized patch reports to obtain patching intelligence, make smart
patch decisions, report patch compliance, and communicate risks. You can also download and install
missing patches using the links in the report.
To access the Patches page, from the WebUI main page, click Apps > Patch.
Operator permission settings, connected devices, and site assignments govern the list contents.

• Search: Use the Search feature to search patches by name and CVE IDs.
• Sort: You can sort the list by:
◦ Vulnerability Count
◦ Release Date
◦ Open Deployments
◦ Patch Name
• Refine results:
◦ See patches for the most critical threats or a specific threat level using the Severity filters.
Patch Severity is assigned by the patch vendor (for example, Microsoft), not the BigFix.
■ Critical
■ Important
■ Moderate
■ Low
BigFix WebUI User's Guide | 4 - Get Started with Patches | 24

■ Unknown - patch has no vendor-assigned rating.

◦ See patches required by many devices by entering a value in the Vulnerable Devices field.
◦ Show Hidden Patches – Control the display of audit, corrupt, and superseded patches in the
patch list.
◦ See the latest patches using the Release Date field. Specify a date range to see patches that
were issued during a specific time period.
◦ See patches associated with a specific task using the Category filters:
■ Security – Apply a software change to address a vulnerability.
■ Service Pack – Apply patches to installed software. A collection of updates, fixes,
or enhancements delivered in a single installable package. Typically used to update
existing files, but can also be used to fix bugs, close security holes, or add new
features.
■ Audit – Type of BigFix patch that is used to detect conditions that cannot be
remediated and require the attention of an administrator.
■ Enhancement – Apply a change that provides new features.
■ Bug Fix – Apply a change that fixes one or more bugs.
■ Configuration – Apply a change that addresses a configuration issue.
◦ Supported Patch Sites - Only patches from these sites appear in the WebUI; future releases
will include more patch sites.
■ Windows
■ Red Hat Linux
■ Mac OS X
■ CentOS
■ Windows Applications (Adobe Acrobat, Adobe Flash Player, Adobe Reader, Adobe
Shockwave, Google Chrome, ImgBurn, Mozilla Firefox, Notepad++, Nullsoft, Oracle,
Real Networks, Skype, Winamp, Winzip)
■ Debian
■ Oracle Linux
■ SUSE
■ Ubuntu
• Save Report
◦ Save the report for future reference and edit, update, or delete as required. For more
information, see Reports (on page 11).
• Show Summary:
1. In the Patches page, select the required filters.
2. Click Show Summary. You can view the summary of all the filtered patches as charts and
tables. Mouse over the interested areas on the chart to get more details about the respective
data point and the percentage data. Mouse over on any truncated labels to see the full
text in the tooltip. You can change filters or enter search text and the report dynamically
displays the relevant information.
◦ Severity By Release Date: Displays the total number of patches by severity level
from the patch release date for a period of time.
◦ By OS Family: Displays applicable patches for every operating system. The table is
sorted alphabetically by OS names.
◦ By Categories: Displays category wise patch count.
• Export:
 BigFix WebUI User's Guide | 4 - Get Started with Patches | 25

1. In the Devices page, select the required filters.

2. Click Export To.
3. Select CSV to save the report as a CSV file or XLSX to save as an Excel spreadsheet.
◦ By default, the report gets downloaded into your Downloads folder with the default
file name (Patch_Report_mm_dd_yyyy_username). You can change the download
settings in your browser to download the report into your preferred location. You can
save the report to review it later and/or share it with interested stakeholders.
◦ The exported patch report contains key details about your patches that are displayed
after applying the filters and search criteria. The details include the patch name,
number of vulnerable devices, severity, CVE IDs along with all the other details that
you can see on the screen when you expand every patch. A sample report is shown
below:

Patch Documents
Click a patch name to see its description, vulnerable devices, and deployment history. Drill further
into patch details using the links to associated views.
Pay particular attention to the Notes and Important Notes in a content document: they contain
valuable information, including known issues associated with the content.
BigFix WebUI User's Guide | 4 - Get Started with Patches | 26

The Patch Document views:

• Overview – Detailed description of the patch.

• Vulnerable Devices – Machines eligible for this patch.
• Deployments – Patch deployment history.

The information in the Available Actions section is pulled directly from the BigFix database, so
options and formatting can vary. A link to the vendor’s release notes is often included. For example,
"Click here to see the release notes for Windows XP SP3."
Chapter 5. Get Started with Patch Policy
A patch policy is a set of criteria that defines a patch list; that is, a collection of Fixlets that meet the
patching criteria of a specific set of endpoints.
Use the Patch Policy application to establish continuous patching across your enterprise. Create
patching schedules for different groups of machines and assign different deployment behaviors to
each. Set patch timing, frequency and duration, pre-caching and retry behavior. Stagger start times,
bypass errors, and notify device owners when a restart is pending.
Implement a patching strategy that meets your organization’s patching cycles and security guidelines.
Use patch policies to establish and maintain a process of continuous security and compliance for your
organization. Patch Policies currently supports the sites listed under Supported Patch Sites (on page
24).

Requirements

• BigFix Platform version 9.5.5 or above.

• BigFix WebUI installed and running.
• Subscriptions to all applicable BigFix patch sites.

From the BigFix Console, enable any patch sites that are relevant to your deployment and subscribe
all computers to those sites.

Patch Policy Overview

To open the Patch Policy application, from the WebUI Apps menu, select Patch Policy.
Creating a patch policy is straight forward.

1. Enter a name for the policy and select the types of patches it should include. For example, create
a policy that includes important service packs for operating system updates.
2. Create a roll out schedule for the policy, including deployment timing, frequency, and behavior.
3. Select policy targets: the devices to be patched.
4. Activate the policy.
The process is described in detail in Create a Patch Policy (on page 29).

Keeping Policies Current

The Patch Policy app notifies you when new patches that meet policy criteria become available.
The delta icon next to a policy name on the Policy List tells you patch content has been added or
changed. Refresh a policy to include the new material. Refresh policies manually or use the Auto-
refresh option to keep policies up-to-date.
BigFix WebUI User's Guide | 5 - Get Started with Patch Policy | 28

Exclusions
You can exclude patches from a policy that otherwise meet its inclusion criteria. For example,
manually exclude a patch you know causes problems in a custom application. Or set a dynamic
exclusion to automatically exclude Microsoft Office updates from a policy that updates Windows.
Once set exclusions remain in effect until you remove them. Patch policies never include patches
used for auditing, corrupt patches, or patches without a default action.
Use the WebUI Deployment views to monitor policy-based patching results. See [link]: Get Started
with Deployments, for more information.

Permissions and Patch Policy

BigFix Master Operators (MOs) have full access to all Patch Policy functions. MOs can create, edit,
delete, activate, and suspend polices, manage patch rollouts and schedules, and refresh policies when
new patches are released. Non Master Operators (NMOs) can add, edit or delete a policy and they
can add targets to an existing schedule, and remove targets from a schedule if they have relevant
permissions.

The Patch Policy List

Policies are listed alphabetically. Use the Sort, Search, View, and filter controls to find policies
quickly. Click a policy name to open its document. Click the Add Policy button to create a new
policy.

Important: Non-Master operators need relevant permissions to perform different actions in the
Patch Policies app. For more information on permissions, see The WebUI Permissions Service (on
page ).
 BigFix WebUI User's Guide | 5 - Get Started with Patch Policy | 29

Out of Date Policies

A Delta icon appears against every new patch that meets the patch inclusion criteria and that
becomes available since the policy was created or updated. Policies can also fall out of date when
their patches have been modified or replaced.
Refresh a policy to include the new content. Active out of date policies continue to run, though they
are not particularly effective. For example, say you create a new policy that runs daily at 3 pm. On
the first day it runs, patches are deployed to its designated targets. On the second day new patches
become available and the policy falls out of date. On the third and subsequent days the policy runs
but does nothing, since the patches it knows about have already been deployed. As soon as you
refresh the policy it will deploy the new patches.
Patches that have been superseded by the new content are no longer be deployed.

Use the Show/Hide Details control to toggle between the Detail and List views.

• Patches: number of patches in the policy.

• Devices: number of targeted computers and computer groups.
• OS: Operating system of patches in the policy.
• Patch Type: OS update, Application update, or 3rd Party application update.
• Policy Status: Active or Suspended.
• Patch Updates: number of Fixlets changed since date and time of creation, or last refresh.
• Next Refresh: date of next scheduled Auto-refresh, if enabled.
• Site: associated site with a patch policy.

Policy Status: Active or Suspended

Patch policies have two states: Active or Suspended. Suspend an Active policy to refresh it, add a
new schedule, or make other changes. You do not have to suspend a policy to add or remove targets.
New policies remain suspended until you active them.

Create a Patch Policy

In this page, steps for creating a patch policy, selecting patches to include, setting deployment
options, and designating targets are provided in detail.
BigFix WebUI User's Guide | 5 - Get Started with Patch Policy | 30

To open the application, select Patch Policy from the WebUI App menu. For a summary of Patch
Policy tasks, see Patch Policy Operations (on page 39).

1. On the Policies page, click Add Policy.

Note: A non-master operator needs Create/Edit Policy and Delete Policy permissions to
add, edit or delete policy. For more information on permissions, see The WebUI Permissions
Service (on page ). Non-Master operators cannot edit definition of the policy stored in the
Master Action Site despite having the permission to Create/Edit Policy. Currently, non-master
operators are not allowed to access the Master Action Site and they can access only their custom
site.
2. On the Add Policy page, enter a name and description for the new policy.

3. Select the Master Action Site or a custom site from the drop-down to store the policy and its
schedules.
4. Select patch inclusion criteria, one or more items from each column.
• Severity: Critical, Important, Moderate, Low, Unspecified.
• Category: Bug Fix, Enhancement, Security, Service Pack.
• Operating System (choose one): CentOS, Oracle Linux, Red Hat Enterprise Linux (RHEL),
SUSE, or Windows.
• Update Type: OS Updates, OS Application Updates, 3rd Party Updates.
Refine your operating system selections as required.
• RHEL versions:
 BigFix WebUI User's Guide | 5 - Get Started with Patch Policy | 31

• CentOS versions:

• Oracle Linux versions:

• SUSE versions:

• Windows versions:
BigFix WebUI User's Guide | 5 - Get Started with Patch Policy | 32

5. Specify any patch exclusions. Type a keyword or phrase from the patch title in the Exclude
field, and press Enter to add more. The Exclusion field is not case-sensitive so capitalization
can be ignored.
Use an exclusion to prevent patches that would otherwise meet policy criteria from being
included. For example, exclude all Microsoft Office patches from a policy that updates
Windows with a dynamic exclusion. Or exclude a patch that causes problems in a custom
application with a manual inclusion. Dynamic exclusions are set here or on the Edit Policy
page. Set manual exclusions on the Patches list, once the policy has been created.
Exclusions remain in place until canceled. To remove an exclusion clear its keywords from the
Edit Policy screen or the Exclude box from the Patches list. Non-Master Operators can view
exclusions, but cannot add to or modify them.
6. Specify Auto-refresh behavior. Use the optional Auto-refresh feature to automatically include
new patch content in your policy. To control update timing and frequency, set a refresh interval.
Auto-refresh is disabled by default.

• Frequency (daily, weekly, monthly), on a specific day (of week/month) at (hour).

• Day After: use the optional Day After controls to schedule Auto-refresh updates relative
to a monthly event, such as patch Tuesday. The second Tuesday of the month often falls
in the second week—but not always. (For example, in August of 2018, Patch Tuesday fell
on the 14th.) Use the Day After options to coordinate refreshes with events whose dates
change month to month.
• Time Zone: defaults to time zone of logged in user. The default time zone is the one the
operator is in.
7. Click Add to save policy settings and display the policy document.
 BigFix WebUI User's Guide | 5 - Get Started with Patch Policy | 33

The Schedules and Patches tabs appear at the upper left, beneath the policy name. A policy
summary appears on the right. Once established, policy schedules will display on the left. The
Edit Policy and Delete Policy controls appear at the lower right.
8. Click the Add Schedule button to set policy deployment timing, behavior, and targets. A
policy can have multiple schedules, each with its own deployment options and targets. A policy
without a schedule does not deploy.
Scheduling adds predictability to patching and can help minimize errors. It also ensures that
your environment meets company security policies in time for compliance audits. Some vendors
follow a regular patch release schedule, which can tailor your policy schedule to meet. You
may want to roll out a policy in a test environment prior to deploying to production. Consider
defining separate patch rollouts for Test, QA, and production stages, each with their own timing
and duration.

Note: Non-Master operators need Create/Edit Schedule and Delete Schedule permissions
to add or edit or delete a schedule. For more information on permissions, see The WebUI
Permissions Service (on page ). Non-Master operators also need write access to the site
where the policy is stored to add or edit or delete a schedule.
9. Enter a name for the schedule and set the deployment interval.
BigFix WebUI User's Guide | 5 - Get Started with Patch Policy | 34

a. This event repeats (daily, weekly, monthly), on (day of week/month).

b. Day after - Use the optional Day after controls to schedule patching relative to a monthly
event, such as Patch Tuesday. The second Tuesday of the month often falls in the second
week—but not always. (For example, in August of 2018, Patch Tuesday fell on the 14th.)
Use the Day after options to coordinate patching with events whose dates change month to
month.
c. At (Start time).
d. Time Zone. Use Client time to initiate a process relative to its time zone, for example, to
initiate patching in the overnight maintenance window where each endpoint resides. Use
UTC time when you want all endpoints to act simultaneously across all time zones.
• Client Time - the local time on each endpoint; the time on the device where the
BigFix Agent is installed.
• Universal Time - Coordinated Universal Time (UTC) is the global standard used to
regulate clocks and time worldwide.
e. Patching Duration (minutes, hours, or days, up to 30 days). The amount of time the policy
will attempt to install patches on a target device that is not responding.
f. Maintenance Window - Maintenance Window allows you to run patch policies during
maintenance activities. You can use this dashboard to schedule maintenance activities run
by BigFix. For detailed information, click the Maintenance Window icon and view the
Maintenance Window dashboard.
10. Set deployment and post-deployment behavior.
• Pre-caching: To download required files before patching starts, set the in minutes, hours, or
days up to 5 days.
• Stagger patching start time, for example, to reduce network load. Set an unlimited number
of minutes or hours.
• Bypass patch errors and continue patching. Patch policies are Multiple Action Groups
(MAGs). MAGs run sequentially and stop on the first action that fails. Use the Bypass
patch errors option to ignore failures and proceed to the next action. Use this option
when the actions in a MAG do not depend on the actions that precede them. For more
 BigFix WebUI User's Guide | 5 - Get Started with Patch Policy | 35

information about policies and Multiple Action Group (MAG) processing, see Monitoring
Deployed Policies (on page 38).
• Retry up to n times (unlimited). If a patch fails to install on a device, for example, due to
lack of space on the hard drive, set a retry value and the wait period between attempts.
◦ Wait n (minutes, hours, up to 30 days) between attempts to install.
◦ Wait until device has rebooted to install.
• Force a Restart - Force a restart on completion. Notify device owners when a restart is
required and provide options for restarting at a convenient time. (1, 7, 15 days). Use the
default message or type in your own.
11. Click OK to save the schedule and return to the policy document.
12. The new schedule appears at the top of the list. Click Add Targets.

Note: Non-master operators need Add/Remove Your Own Targets permission to add or
remove the self created targets. Non-master operators need Remove Other Operator's Targets
permission to delete the targets that are created by other operators. Non-Master operators can
target only the permitted number of devices and cannot exceed the limit. In case of violation,
WebUI app will display an error message and the non-master operators cannot proceed further.
For more information on permissions, see The WebUI Permissions Service (on page ).
Non-master operators need read access to the site where the policy is stored to add/remove the
targets.
13. Select devices or computer groups from the Target By Device or Target By Group tabs. Note
that you cannot target both devices and groups in a single schedule. A schedule without targets
does not deploy. Use the Sort, Search, View, and filter controls to find targets quickly. Click
anywhere in a card to select or deselect it. Click a device or group name to open its document.
Use your browser’s Back button to return to the Patch Policy app.
14. Click OK to save targets and return to the Policy document.
15. To set a manual exclusion, click the Patches tab.
BigFix WebUI User's Guide | 5 - Get Started with Patch Policy | 36

a. Check the Exclude box next to patches you want to exclude. The Exclude button tallies
your selections.
b. Click the Exclude button.
16. When you are ready, click Activate to activate the policy and commence patching. Activating
a policy activates each of its schedules. Suspend an active policy at any time to halt patch
deployment.

To monitor policy-based patching activity, use the WebUI’s Deployment views (on page 76)

Patch Policy Documents

Use the Patch Policy Document to view and manage policy settings. Policy information appears on
the right.

• Status – Active or Suspended.

• Updates – Number of patch updates available.
• Policy ID – unique identifier for this policy.
• Severity, Category, OS, Type – inclusion criteria.
• Site - name of the site where the policy is stored.
• Next Refresh (Active policies) – Time of next Auto-refresh, if enabled.
• Modified – time policy was last changed.
• Created by: operator name.

Schedules Tab
The Schedules tab displays a list of policy schedules in order of creation. Click a schedule name to
display it's Summary page.
 BigFix WebUI User's Guide | 5 - Get Started with Patch Policy | 37

• Name – Schedule name.

• Repeat – Deployment interval.
• Targets – Number of targeted devices or computer groups. Click the link to display the target
list. The Add Targets control appears when a schedule has no targets; click the link to add
them.
• Next Deployment: The time the schedule's Multiple Action Groups will be issued to the BigFix
root server. It is subsequently adjusted to accommodate endpoints in all time zones, ensuring the
policy executes at the correct time in each location.

Click the Suspend button to refresh or edit an Active policy. Some Schedules tab controls are
inactive until the policy is Suspended.
Schedules Tab controls:

• Add Schedule
• Activate/Suspend
• Refresh Now
• Edit Policy
• Delete Policy

Note: Non-master operators need Activate/Suspend Policy permission to activate or suspend

the policy and they need Refresh Policy permission to refresh the policy. For more information on
permissions, see The WebUI Permissions Service (on page ). Non-master operators also need
write access to the site where the policy is stored to activate/suspend or refresh the policy.

Schedule Summary Page

Click a schedule to display the Schedule summary and its controls. To make changes to a schedule
you must suspend its policy. This is not required when adding or removing targets.

• Pre-cache Downloads – The time when policy patches are pre-cached.

• Stagger Start Time – Amount of time to stagger patching time to reduce network load.
• Bypass errors – Ignore Multiple Action Group (MAG) failures and proceed to the next action.
For more information about patch policies and MAG processing, see Monitoring Deployed
Policies (on page 38).
• Retry on Failure – number of times to retry if a patch fails to install, and the retry interval.
• Force Restart – Force a restart on completion, and the interval to wait before restarting.

Schedule Summary controls:

• Edit Targets
• Edit Schedule
• Remove Schedule
BigFix WebUI User's Guide | 5 - Get Started with Patch Policy | 38

Patches Tab
Displays patches for the selected policy. Patches used for auditing, corrupt patches, and patches with
no default action are not included in patch policies. Superseded patches are flagged but not deployed;
they will be removed from the patches list once the policy has been refreshed.
To exclude individual patches from the policy, check the Exclude box to the left of the title. A
device that has been targeted using a computer group (either a manual or dynamic group), cannot be
individually excluded.
Filters:

• Included – displays included patches.

• Excluded – displays excluded patches, including both dynamic and manual exclusions.
• New – displays patches that will be added to the policy once it is refreshed.
• Applicable Patches – lists patches associated with the devices the logged in user has permission
to operate on. For example, suppose a Non-Master Operator (NMO) is authorized to patch
Windows machines, but not Linux machines. When viewing a policy that includes both
Windows and Linux patches:
◦ When the Applicable patches box is checked the NMO will see only Windows patches.
◦ When the Applicable box is clear the NMO will see both Windows and Linux patches.
◦ Master Operators, with unlimited permissions, will see the same patches whether the
Applicable Patches filter is selected or not.

Patches Tab controls:

• Activate/Suspend
• Refresh Policy
• Edit Policy
• Delete Policy

Note: Buttons in the policy document appears only when the respective permissions are granted
to the non-master operators.

Monitoring Deployed Policies

Use the WebUI’s Deployment (on page 76) views to monitor policy-based patching activity.

Working with Multiple Action Groups

A policy is a package of Fixlets and schedules. At the time indicated by the schedule, all patches
meeting policy criteria are collected to create a BigFix Multiple Action Group (MAG). If a patch is
not relevant on a particular device, no individual action will be taken.
 BigFix WebUI User's Guide | 5 - Get Started with Patch Policy | 39

A single policy may contain hundreds of patches, and its MAG may contain hundreds of
components. To improve performance, when the number of patches in a policy exceeds 200 it is
divided into Multiple Action Groups.
Default behavior of a Multiple Action Group (MAG)

• Staggers deployment start time over the course of an hour to reduce network load.
• Retries three times with a one hour interval on each try.
• Uses default action.
• Expires in 2 days (48 hours).
• The targeting method depends on the target type, whether it is: a) a static endpoint, b) a manual
computer group, or c) an automatic computer group.

Patch Policy Operations: Task Reference

The Patch Policy operations are summarized in this page. If you suspend an Active policy to make
changes, re-activate it when you are done to resume patching.
Add a Policy (on page 39)
Activate a Policy (on page 40)
Suspend a Policy (on page 40)
Refresh a Policy (on page 40)
Edit a Policy (on page 40)
Add a Schedule to a Policy (on page 41)
Edit a Policy Schedule (on page 41)
Add Targets to a Schedule (on page 41)
Remove Targets from a Schedule (on page 41)
Delete a Policy Schedule (on page 41)
Exclude Individual Patches from a Policy (Manual Exclusions) (on page 42)
Exclude Patch Types from a Policy (Dynamic Exclusions) (on page 42)
Enable Auto-refresh (on page 42)
Adjust Auto-refresh Schedule (on page 42)
Disable Auto-refresh (on page 42)

Add a Policy

1. On the Policy List, click Add Policy.

2. Enter a policy name and description.
BigFix WebUI User's Guide | 5 - Get Started with Patch Policy | 40

3. Select policy inclusion criteria: Severity, Category, OS, and Type.

4. Add dynamic exclusions and set Auto-refresh options, as required. Click Add.
5. On the policy document, click Add Schedule.
6. Enter a schedule name. Select options for deployment frequency, and behavior. Click OK.
7. On the policy document, click the Add Targets link for the new schedule.
8. Select patching targets from the Target By Device or Target By Group tab. Click OK.
9. On the policy document, click Activate.

Activate a Policy

1. From the Policy List, open the policy document.

2. Click the Activate button

Suspend a Policy

1. From the Policy List, open the policy document.

2. Click the Suspend button.

Refresh a Policy

1. From the Policy List, open the policy document.

2. If the policy is active, click the Suspend button.
3. Click the Refresh Now button.

Edit a Policy

1. From the Policy List, open the policy document.

2. If the policy is active, click the Suspend button.
3. Click the Edit Policy link.
4. Make required changes, and Save.

Delete a Policy

1. From the Policy List, open the policy document.

2. If the policy is active, click the Suspend button.
3. Click the Delete Policy link.
 BigFix WebUI User's Guide | 5 - Get Started with Patch Policy | 41

Add a Schedule to a Policy

1. From the Policy List, open the policy document.

2. If the policy is active, click the Suspend button.
3. Click Add Schedule.
4. Enter a schedule name, and set scheduling and execution options. Click OK.
5. Click the schedule's Add Targets link.
6. On the Target By Device or Target By Group tab, select devices or groups to add. Click OK.

Edit a Policy Schedule

1. From the Policy List, open the policy document.

2. If the policy is active, click the Suspend button.
3. Click the schedule name.
4. Click Edit Schedule.
5. Make changes and click OK

Add Targets to a Schedule

1. From the Policy List, open the policy document.

2. Click the schedule's Targets link.
3. On the Target By Device or Target By Group tab, select devices or groups to add. Click OK.

Remove Targets from a Schedule

1. From the Policy List, open the policy document.

2. Click the schedule's Targets link.
3. On the Target By Device or Target By Group tab, select devices or groups to remove. Click
OK.

Delete a Policy Schedule

1. From the Policy List, open the policy document.

2. If the policy is active, click the Suspend button.
3. Remove all target devices or groups.
a. Click the schedule's Targets link.
b. On the Target By Device or Target By Group tab, click Deselect All. Click OK.
4. On the Schedules tab, click the schedule name.
5. Click Remove Schedule. Click OK.
BigFix WebUI User's Guide | 5 - Get Started with Patch Policy | 42

Exclude Individual Patches from a Policy (Manual Exclusions)

1. From the Policy List, open the policy document.

2. If the policy is active, click the Suspend button.
3. Click the Patches tab.
4. Check the Exclude box next to the patches you want to exclude.
5. Click the Exclude button.

Exclude Patch Types from a Policy (Dynamic Exclusions)

1. From the Policy List, open the policy document.

2. If the policy is active, click the Suspend button.
3. Click Edit Policy.
4. Type a keyword or phrase in the Exclude field and press Enter; repeat as required. Exclusions
keywords are not case-sensitive.
5. Click Save.

Enable Auto-refresh

1. From the Policy List, open the policy document.

2. If the policy is active, click the Suspend button.
3. Click Edit Policy.
4. Click Auto-refresh Enable, and set refresh timing and frequency.
5. Click Save.

Adjust Auto-refresh Schedule

1. From the Policy List, open the policy document.

2. If the policy is active, click the Suspend button.
3. Click Edit Policy.
4. Adjust Auto-refresh timing and frequency.
5. Click Save.

Disable Auto-refresh

1. From the Policy List, open the policy document.

2. If the policy is active, click the Suspend button.
3. Click Edit Policy.
4. Click Auto-refresh Disable.
 BigFix WebUI User's Guide | 5 - Get Started with Patch Policy | 43

5. Click Save.
Chapter 6. Get Started with Software
A BigFix software package is the collection of Fixlets used to install software on a device. The
package includes the installation files, the Fixlets that install them, and information about the
package itself.
Use the Software-related screens to list software packages, find specific software, and view detailed
package information.
Use the Software app screens to add, edit, and remove packages from your organization’s software
catalog. Use the multiple task feature to create packages with more than one action. For example,
create a single package that can both install and uninstall a piece of software, or install it multiple
ways, using different options.

The Software Package List

• List contents reflect the operator’s device and site assignments, and whether a particular
package was shared, or marked private by the owner.
• Add Software to your catalog with the Add Software link. The link does not display if the
operator does not have permission to add software.

Use the Export and Import functions to transfer software packages from one BES server to another.
These tools are useful if you are running multiple BigFix deployments or want to make a backup.
 BigFix WebUI User's Guide | 6 - Get Started with Software | 45

• Export - Click to export software packages on the BES server as a zip file. The browser will
prompt you to specify a directory. Multiple packages selected for export are placed in a single
zip file.
• Import - Click to import packages created with the Export function. Operators who do not
have permission to import packages do not see this button.

Note: Importing software packages that include text-based files may sometimes fail. The import
process can change the file’s SHA value and when the SHA validation check fails, the import fails.
This is a known BigFix Platform bug.

Software Documents
Click a software package name to see its description, applicable devices, and deployment history.
Drill further into package details using the links provided in the sidebar, and associated views.
The Software Document views:

• Overview – Detailed description of software package.

• Applicable Devices – Machines eligible for this software.
• Deployments – Software deployment history.
BigFix WebUI User's Guide | 6 - Get Started with Software | 46

• Click Deploy Software to deploy the package.

• Edit or remove a software package from your catalog using the Edit Software link.
• Export the package using the Export Software link.
• Click a deployment task link to edit it. To learn more about task editing see, Editing Custom
Content (on page 56).

Software Catalog Operations

This section shows how to add software to your catalog, edit software packages, and delete packages
from the catalog.
Note that the permissions used for adding software to the catalog and the permissions used for
editing and deleting software are calculated differently.
A single BigFix console setting determines whether or not an operator has permission to add
software. Permission to edit and remove software from the catalog is also affected by who owns the
 BigFix WebUI User's Guide | 6 - Get Started with Software | 47

software package, whether it was created using the BigFix console or the WebUI, and whether a
package created in the WebUI was later modified using the console. If you run into permission issues
attempting to edit a software package, talk with your BigFix administrator.

Add a Software Package

To simplify package creation and editing, installation and uninstallation commands are generated
automatically for supported file types. Feel free to edit these defaults, or type your own. For
unsupported file types, enter the commands you want to use.

• Supported installation file types: .appv, .appx, .bat, dmg, .exe, .msi, .msp, .msu, .pkg (Mac and
Solaris), .rpm.

• Supported uninstallation file types: .appv, .msi, .rpm.

Add a Software Package

1. On the Software Package List click Add Software to open the Upload Software Package
dialog.

2. Choose a local file or enter a URL to download a package. Upload the file to place it on the
BigFix server, where it will remain until the package is deleted. Check the Download file at
Task runtime box to have the file cached when the package is deployed, a useful alternative if
you do not want to permanently store the file.
3. Click Upload.
4. Complete the catalog record. Verify, enter, or select:
• Software Name
• Version number
• Publisher
• Package Icon - To replace the default icon for the package click Change icon, and upload
a .ico or .png file.
• Operating System - Linux, OS X, Solaris, Windows, or Other.
• Category - Type of software. Select one or more existing categories or type a new category
name to create one.
• Description - Describe the package and any instructions that will aid others responsible for
deploying it.
BigFix WebUI User's Guide | 6 - Get Started with Software | 48

• Configuration - Configuration in this context includes two operations: Install and Uninstall
(optional).
◦ To add a configuration:
a. Click + Add the configuration.
b. Enter the Name of the configuration.
c. From the Site list, select the BigFix site where the Fixlet is stored.
◦ To remove the configuration, select the configuration tab you want to remove and
click Delete. The Delete button will be hidden if there is only one configuration tab.
• On Windows systems, you can run the commands as a System User, Current User, or as a
Local User. Commands that are run by BigFix Clients default to System User (On OS X,
UNIX, and Linux computers, the software is installed as root). In some cases, you might
want to install by using the credentials and local context of the Current User or a Local
User. For details on how to set various parameters associated with Local User, see Running
deployment commands as a Local User (on page 48).
• Select from the list of installation parameters provided, or click Use Command Line to
edit the installation command. Use the Command Line Preview to verify that it is correct
and complete.
5. Click Save to add the package.

Running deployment commands as a Local User

This section explains the various parameters you can configure when you run a command as a local
user that is different than the logged-in user.
 BigFix WebUI User's Guide | 6 - Get Started with Software | 49

• Username: Name of a user who is different than the user that is currently logged in, in either of
the following formats:
1. user@domain. Example: "[email protected]"
2. domain\user. Example: "TEM\myname"
• Password mode: Defines the mode of authentication. The following options are available:
1. Required: The application prompts you to enter a password, and the value you enter is
passed on to the agent as a Secure Parameter.
2. Impersonate: The agent searches for a session running for the user specified in Username
and runs the command in the session of that user.
3. System: The command is run as the local system account. For this option to work, the user
specified in Username must be logged in to the system when the command is run.
• Interactive: Select the checkbox. The command opens the user interface of the user specified in
Username and runs in that user’s session.
BigFix WebUI User's Guide | 6 - Get Started with Software | 50

• Target user: Optional. This option becomes active when you select Interactive. The command
opens the user interface in the session of the user you specify in this field and runs in that
session. The command runs with the primary user privileges, but the target user must be logged
in to the system for the command to work.
• Completion: specifies whether the command must wait for the process to end.
1. None: The command does not wait for the process to end. The user must be logged in to
the system before the command starts running. The SWD_Download folder is retained if
this option is selected. Deploy the SWD_Download folder cleanup fixlet to clean up the
client computer, after the process ends.
2. Process: The command waits for the process to end. This option does not require the
specified user to be logged in to the system.
3. Job: The command waits for the process to end. This option expects the process to do its
own job control management and does not require the specified user to be logged in to the
system.

Enable Uninstallation
Learn how to enable uninstallation option in the software package that you have added.

To enable the option to uninstall:

1. Complete the steps 1 through 4 under Add a Software Package (on page 47)

2. In your configuration tab, under Action, click Uninstall and select On.

3. Run command as: Select an available option.

• System User
• Current User
• Local User

4. Click Use Command Line.

Automatic: If the server and the client have the same operating systems, the string in the
command line is automatically generated. Hence, after you save this configuration and deploy
uninstall action in the client machine, uninstallation takes place automatically.
Manual: If the client has a different operating system than the server (for example, Windows
client and Linux server) and that supports two different extension files (for example: *.rpm and
*.msi), then enter the string manually. If not entered manually, after you save this configuration
and deploy uninstall action in a client machine, uninstallation does not take place automatically
even if the status of this action on the console shows 'Completed.'

5. Click Save.
The uninstallation configuration is saved to uninstall the software.
 BigFix WebUI User's Guide | 6 - Get Started with Software | 51

Edit a Software Package

To simplify package creation and editing, installation and uninstallation commands are generated
automatically for supported file types. Feel free to edit these defaults, or type your own. For
unsupported file types, enter the commands you want to use.

• Supported installation file types: .appv, .appx, .bat, dmg, .exe, .msi, .msp, .msu, .pkg (Mac and
Solaris), .rpm.

• Supported uninstallation file types: .appv, .msi, .rpm.

Edit a Software Package

1. Open the software package document that you want to update.

2. Click the Edit Software link in the right side panel.
3. Make any wanted changes to the package data or deployment options. For more information
about each field and its options, see Add Software Package (on page 47).
4. Click Save.

Note: Packages edited in the SWD Dashboard such that the package no longer contains a file or
Fixlet, cannot be edited in the WebUI.

Delete a Software Package

1. Open the Software Package document you want to delete.

2. Click the Edit Software link, located in the right side panel.
3. Click Delete in the lower left corner of the dialog, and confirm at the prompt.
Chapter 7. Get Started with Custom Content
Use the Custom Content pages to view custom content, edit tasks, and view related information,
including applicable devices and deployments.

The Custom Content List

Use the filters to see specific types of content. Click a title to open a content document.

Common categories often include installation, configuration, software distribution, security updates,
and uninstallation. The site filters display content stored in a particular site.

Custom Content Documents

Click a custom content name to see its description, list of applicable devices, and deployment history.
Use the links to see details provided in the associated views.
 BigFix WebUI User's Guide | 7 - Get Started with Custom Content | 53

The Custom Content views:

• Overview - detailed description of custom content.

• Applicable Devices - machines eligible for this content.
• Deployments - list of deployments for this piece of content.

If a piece of custom content involves multiple actions, as for a baseline, for example, the names of its
components are listed in the Overview. For information about the differences between Single tasks
and Baselines, see the Glossary (on page 121).

Creating Custom Content

Use the Custom Content Wizard screen to create custom content.
The WebUI application allows operators with the appropriate permissions to create new Fixlet
content within the WebUI. The operator can create custom content by filling the required fields in
the custom content creation wizard. The below listed fields in the custom content creation wizard are
mandatory to create custom content:

• Name: Enter a desired name for the custom content.

• Relevance: Enter the required relevance.
• Action: Enter the action script.

Note: Though all the fields are not mandatory, it is recommended to enter the details in non-
mandatory fields.
BigFix WebUI User's Guide | 7 - Get Started with Custom Content | 54

Creating Custom Content

• To get to the custom content creation page in the global navigation, click Apps > select Custom
from the drop-down, and then click Create Custom Content button.
• On the Create Custom Content Wizard screen, enter the name, add the task description,
relevance, and actionscript accordingly.
Add Task Descriptions
Add task descriptions using the Rich Text Format (RTF) or HTML editors; the
Use HTML Editor/Use Rich Text Editor link toggles between them. The two
editors are not kept in sync. In other words, changes made in one will not be
replicated when you switch to the other. Click Save to save the contents of the
active editor; any changes made in the other editor will be lost.

To protect against cross-site scripting attacks, text entered in the Rich Text editor
is checked before it is saved. For example, style and script tags will be removed,
and URLs and class/ID values might be modified or removed. Content that is
created in the console is rendered accurately in the HTML editor, but might not
be rendered accurately by the Rich Text editor.

Add Task Relevance

Click the boxed + and – controls to insert or remove a clause. An asterisk next to
a tab name indicates that a change was made on that tab. Changes made on this
page to Relevance created in the BigFix console using the Conditional Relevance
option will subsequently appear in the console as Relevance clauses.

For more information about adding Relevance, see the BigFix Console Operators
Guide.
Add Task Actions
Use the editor on the Custom Content Wizard page to modify an action. A
bolded tab name marks the default action. Actions cannot be added or removed
using this editor.
 BigFix WebUI User's Guide | 7 - Get Started with Custom Content | 55

Add Task Properties

Use the property fields on the Custom Content Wizard page to add or change
property information. Add information appropriate to the task, for example,
Common Vulnerabilities and Exposures (CVE) ID for patch-related tasks.

◦ Category - Type of task, for example, patch or software distribution.

◦ Download size - Used when a file is distributed with the task (as for
software, or a patch).
◦ Source - Source of associated file, for example, a patch from Microsoft.
◦ Source Release Date - Date a piece of software or patch was released.
◦ Source Severity - Describes the level of risk associated with the problem
fixed by a patch.
◦ CVE IDs - The CVE ID system number of a patch.
◦ Site – Custom content is saved to the selected site.
BigFix WebUI User's Guide | 7 - Get Started with Custom Content | 56

Important: Non-Master Operators can only save to their operator site

and to the custom content sites that they have write permission.

Important: Master Operators can only save to custom site and the
master action site.

Editing Custom Content

Use the Edit Task screen to edit custom content.
You can also,

• Add or change an icon.

• Edit Relevance - add and remove Relevance clauses.
• Edit Action Script - add or change an action and success criteria.
• Delete a task.

The link to the Edit Task page appears on custom content and software package documents when an
operator has permission to edit tasks. The Edit Task page does not currently provide the full editing
capabilities of the BigFix console. For example, it cannot be used to add actions, change script type,
or include action setting locks. Use the BigFix console to edit baselines. Tasks that are created in the
Profile Management application must be edited by using the Profile Management application.

Edit Task Descriptions

Edit task descriptions using the Rich Text Format (RTF) or HTML editors; the Use HTML Editor/
Use Rich Text Editor link toggles between them. The two editors are not kept in sync. In other
words, changes made in one will not be replicated when you switch to the other. Click Save to save
the contents of the active editor; any changes made in the other editor will be lost.
To protect against cross-site scripting attacks, text entered in the Rich Text editor is checked before
it is saved. For example, style and script tags will be removed, and URLs and class/ID values might
be modified or removed. Content that is created in the console is rendered accurately in the HTML
editor, but might not be rendered accurately by the Rich Text editor.

Edit Task Relevance

Use the editor on the Edit Task page to edit Relevance. Click the boxed + and – controls to insert
or remove a clause. An asterisk next to a tab name indicates that a change was made on that tab.
Changes made on this page to Relevance created in the BigFix console using the Conditional
Relevance option will subsequently appear in the console as Relevance clauses.
For more information about editing Relevance, see the BigFix Console Operators Guide.
 BigFix WebUI User's Guide | 7 - Get Started with Custom Content | 57

Edit Task Actions

Use the editor on the Edit Task page to modify an action. A bolded tab name marks the default
action. Actions cannot be added or removed using this editor.

Edit Task Properties

Use the property fields on the Edit Task page to add or change property information. Add
information appropriate to the task, for example, Common Vulnerabilities and Exposures (CVE) ID
for patch-related tasks.

• Category - Type of task, for example, patch or software distribution.

• Download size - Used when a file is distributed with the task (as for software, or a patch).
• Source - Source of associated file, for example, a patch from Microsoft.
• Source Release Date - Date a piece of software or patch was released.
• Source Severity - Describes the level of risk associated with the problem fixed by a patch.
• CVE IDs - The CVE ID system number of a patch.
Chapter 8. Get Started with BigFix Query
Use the BigFix Query feature to retrieve data from endpoints through a dedicated query channel,
where the memory available on each Relay minimizes the impact to normal BigFix processing.
You can use BigFix Query to:

• Query individual computers, manual computer groups and dynamic computer groups
• Test Relevance expressions as you develop the content
• Export query results to a comma-separated value (.csv) file
• Create a library of custom queries and keep the collections private or share them with others

Users and roles

The Master Operator creates custom sites to host queries, and assigns access to BigFix Query
Operators and Content Creators. This allows Content Creators to save queries on the custom site,
group queries in to categories, and make them available to operators.
Content Creator
As a Content Creator, you can use BigFix Query to do the following tasks:

• Filter queries by selecting or unselecting system and local queries

• Load, hide, delete, or reload sample queries into your operator site
• Customize queries and build your own queries
• Save queries on a new site or with a new name and make them available to the
operators to access it
• Select and filter target devices to run the query
• Switch to Operator View to enter values for the parameters used in the Relevance
expression of a query
• View the results of the query and save them to a .csv file
• Open a device document from query results to investigate or apply a fix

The following graphic shows the main Query editor page for a Content Creator or
Master Operator:
 BigFix WebUI User's Guide | 8 - Get Started with BigFix Query | 59

Operator
As an Operator, you can use BigFix Query to do the following tasks:

• View the queries that a Content Creator shared with you

• Filter, search, or select a query
• View query descriptions
• Filter and select target devices
• Run a query
• Enter values for the parameters used in the Relevance expression of a query
• View query results and save them to a .csv file, if you have the required
permission
• Open a device document from query results to investigate or apply a fix

Operators cannot create or delete queries and cannot view Relevance expressions.
The following graphic shows the main Query editor page for a Non-Master Operator:
BigFix WebUI User's Guide | 8 - Get Started with BigFix Query | 60

For details on the editor and how to use custom queries, see Building a query (on page
67).
For information about the different types of users that can use BigFix Query, see
Permissions for BigFix Query (on page ).

About Accordions
The sections in BigFix Query page is organized with accordions to provide a better visibility of the
tasks to retrieve data from endpoints.

• Query edit - create/edit query: This section allows you to view, edit, and create a query; search
and filter queries
• Select device: This section allows you to select your target/endpoints
• Run: This section allows you to run the selected query on the selected target and fetch results

About Search
You can search for queries by using basic Search and Advanced Search features.
To perform a basic search, enter a search string and click Search. This lists the queries that contain
the specified string in the query title.

Note: The application displays entries from your previous searches if they match the current
search string. If the number of entries in the search history is more than four, click More to view
additional search results.
 BigFix WebUI User's Guide | 8 - Get Started with BigFix Query | 61

To perform an advanced search and find a string in Relevance expressions along with the query
titles:

1. Enter the search string, and click Advanced Search.

2. Select the categories from the list to refine the search.

Note: All categories are selected by default. To refine your search, clear check boxes
against unwanted categories.
3. Click Save to save your selection for future searches.

This lists the queries that contain the specified string in the query titles and/or in the Relevance
expressions.

About Filters
Filter the queries based on creation type.
Select the System check box to view only the sample queries loaded from the database.
Select the Local check box to view only the custom queries.

Note:

• To view both sample and custom queries, select both System and Local check boxes.
• If you clear both System and Local check boxes, the query app displays both sample and
custom queries.

About Categories
With Categories, Content Creators can group queries according to their needs. Content Creators can
create, populate, and delete categories, while Operators can only show or hide categories. To add the
sample queries to individual categories, click Load Sample Queries.
BigFix WebUI User's Guide | 8 - Get Started with BigFix Query | 62

• The category tabs display alphabetically from left-to-right, row by row. Query titles are listed
alphabetically in each category.
• Each query must be saved in at least one category and each category can contain queries hosted
by different sites.
• To delete a category, a Content Creator must delete all queries in the category.
• To create a category, a Content Creator must specify a name for the category name when saving
a query.
 BigFix WebUI User's Guide | 8 - Get Started with BigFix Query | 63

• To filter queries by category, click Filter categories, select the desired categories, and
click Save. Only queries that are relevant to the selected categories are displayed.

About queries and sites

Each query is uniquely identified by the combination of its title and the name of the site that is
hosting the query. If you change either of these two values, a copy of the query is automatically
created. If you create a copy of a query in a different site, you must apply subsequent updates to each
copy individually.
You can save queries only to sites to which you have access as assigned by a Master Operator. These
sites can be either of the following:

• Custom sites created by a Master Operator to share it with Operators.

• Operator sites, if the Content Creator is a Non-Master Operator.

Note: Preexisting queries are not automatically imported into the current BigFix Query release.
However, they are still available as dashboard variables. You can access them using the REST API
dashboard variable resource, as documented on the following page https://developer.bigfix.com/rest-
api/api/dashboardvariable.html.

To learn more about BigFix Query, visit the following links:

• Getting client information by using BigFix Query

• BigFix Query requirements
• BigFix Query restrictions
• Who can use BigFix Query
• How to run BigFix Query from the WebUI
• How BigFix manages BigFix Query requests
BigFix WebUI User's Guide | 8 - Get Started with BigFix Query | 64

Running a sample query

System queries are sample queries that are marked with the BigFix icon. As Content Creators, you
can load, hide, delete, and reload sample queries in operator sites.
BigFix provides sample queries under the categories Applications, Files, Devices, Networks,
Processes, Registry, Policies, and Users.

Note: If multiple content creators save a copy of query with the same name and category in
different sites, the application creates multiple instances of the query.

To run a sample query, do the following steps:

1. Click on a category (on page 61)tab.

2. From the listed queries, select a query to display it in the editor.
3. If the query has parameters, enter the parameter values or accept the default values, if provided.
You must use the Operator View to specify parameter values at run time. For more information,
see Managing parameters in queries (on page 68).
4. In the Select Device pane, click Devices Targeted to open the target list. To select the list of
targets to display, click either Target By Device or Target By Group.

5. Specify the target in which you want to run the query.

 BigFix WebUI User's Guide | 8 - Get Started with BigFix Query | 65

• You can select individual devices, manual computer groups or dynamic computer groups.
The targets are listed as per the permissions of the user. Master Operators see all devices
and groups. Non-Master Operators might see a subset of the complete list. Use the sort,
search, and filtering functions to quickly locate targets. For a detailed description, see Meet
the WebUI (on page 2).
◦ Manually Target Devices: If you know the device name, DNS, or IP address, click
this button, enter the detail, and click Add.
◦ To find a specific device or group, enter its name in the Search field.
◦ Sort a list of devices by device name or the time last seen. Sort a list of groups by
group name, or member count.
◦ Use filters to locate devices with specific properties. Click Expand All to open and
Collapse All to close the filter panel.
When the device or group selection is complete click OK to return to the editor. The Devices
Targeted button displays the total number of devices selected.

Note: When pairing queries and targets, keep in mind that queries that are concise and
limited in scope run most efficiently. Broad queries return larger data sets and use more
resources.
6. To limit the polling time taken by the server to fetch the results, you can set Query timeout. The
default time is 300 sec and the maximum limit is 900 sec. To change the default time, click the
link on the default time, and in the Change Query TimeOut popup, enter the required number
of seconds. For broader queries, server stops polling the results when it reaches the specified
polling time.

7. To run the query, click Run. If you want to cancel the query, you can do it while the results are
loading.
8. Review your results. Devices report in real time, and new arrivals are appended to the list as
clients report in.
BigFix WebUI User's Guide | 8 - Get Started with BigFix Query | 66

• To switch to full screen mode and see more results, click the Expand icon. Click the icon
again, or press the Escape key, to exit from full screen mode.
• The icons in the lower right corner of the list show the row totals, and the number of
devices that reported so far.

• To save the results to a file in comma-separated values (.csv) format, click the Download
button. For easy identification of the file, consider including the date and some descriptive
information in the file name.
• To open a device's document, click the device name.

• From the device document, click More and select Query to return to the query editor with that
device targeted for a query.
• From the query editor, in the Select Device pane, click Device Targeted to view the device list.
 BigFix WebUI User's Guide | 8 - Get Started with BigFix Query | 67

Building a query
Working with local/custom queries. The queries created by Content Creators are local/custom queries
and are marked with the operator icon. Content Creators can create, load, run, hide, delete, and reload
local queries in their operator sites.

Creating or editing a query

A Content Creator can create a new query in the following ways:

• Enter the Relevance expression in the Query editor and save it

• Create a copy of an existing query and edit as needed

To create or edit a query:

1. In the query editor, ensure you are in Admin View (on page 58).
2. Enter the Relevance expression in the editor.
a. To edit an existing query, select the desired query under a category. This displays the
Relevance expression in the editor which you can edit. You can also click Clear Query to
enter your Relevance expression.
3. Add parameters to the Relevance expression, if required. For details about parameters, see
Managing parameters in queries (on page 68)
4. Click Save.

a. Enter a descriptive title for the query

b. Select a site that you are allowed to access and host the query on.
c. Specify at least one category for the query. If you enter a new name in the Categories field,
a new category is created.
d. Click Save.

Note:

• It is recommended to be familiar with the Relevance language to build queries. To learn more
about the Relevance language, see BigFix Developer.
BigFix WebUI User's Guide | 8 - Get Started with BigFix Query | 68

• Writing Relevance expression in the query editor is similar to writing Fixlets in the BigFix
Console using the Relevance language. Concise queries that are limited in scope run most
efficiently. Broad, general queries that return large data sets consume more resources. Problems
associated with poorly performing Relevance in the Console can also occur in the Query editor.

Create copy of an existing query

A query is uniquely identified by its title and the site on which it is saved. To create a copy of a
query, change either the title or the site of the query.

Note: If multiple content creators save a copy of a query with the same name and category in
different sites, Master Operators might see multiple instances of the same query under a category.

To see who last edited a query, hover the cursor over the operator icon of the query.

Deleting a query
To delete a query, select the query and click the Delete Query icon against it.

Note:

• Operators cannot delete queries.

• Master operators/Content Creators can delete the custom queries only and not the system
queries.

Using Client Context

As a content creator, you can enable the Evaluation by Agent flag to save a specific query and use
the client context. Enabling the Evaluation by Agent flag and running a query helps you to retrieve
accurate data from the client.
By default, the Queries are evaluated by Client Debugger. You can change it by using the
_WebUIAppEnv_USE_CLIENT_CONTEXT client setting . If this setting is set to 1, the Evaluation by
Agent flag is enabled. The value for each query can be overwritten only by the content creator. You
can save the individual query by enabling the Evaluation by Agent flag, which allows an operator to
use the client context.

Note: Evaluation by Agent flag is available only in BigFix Platform version 9.5.13 and later.

Managing parameters in queries

As a Content Creator, you can add parameters to a query to customize it at run time. Operators
are prompted to assign values to the parameters when they run the query, but they cannot see the
Relevance expression.

• To add a parameter, do the following steps:

 BigFix WebUI User's Guide | 8 - Get Started with BigFix Query | 69

1. In the query editor, ensure you are in Admin view for the + Parameter button to be
enabled.
2. In the Relevance expression, place the cursor at the point where you want to add the
parameter and click + Parameter.

3. Enter Parameter ID, Parameter Label, and Default Value and click Save.
The parameter is added to the Relevance expression.
• To reuse a parameter, do the following steps:
1. Click + Parameter and enter the Parameter ID that you want to reuse; the Parameter Label
and Default Value fields are populated automatically.
2. To insert that parameter into the Relevance expression, click Save .
• To see the definition of a parameter, click on the parameter in the query editor.
• To delete a parameter from a query, select the parameter in the query editor, and press the
Backspace or Delete key.
• To assign a value to a parameter (that does not have a default value) at run time as a Content
Creator, click Operator View.

The following graphic shows how a Content Creator sees a query with parameters in the Admin
view:
BigFix WebUI User's Guide | 8 - Get Started with BigFix Query | 70

To review what Operators see when they select the query, click .

To return to the query editor, click .

Chapter 9. Take Action: The Deploy Sequence
To deploy means to dispatch content to one or more endpoints for execution, for example, to update a
patch, install software, or restart a machine.
Collectively, the screens that are used to create deployments are collectively called the Deploy
Sequence. The workflow is straightforward; you might find it similar to making a purchase online.

Deploy Sequence Summary

In summary:

1. Select devices or content for deployment.

2. Select content or device targets.
3. Configure deployment options.
4. Review and deploy.

Prompts, status information, and selection tallies are shown in the side panel. At the top of the page
the status bar reflects your location in the deploy sequence. Embedded help (question mark icon) is
available for some options.

• Target Limits. An administrator can limit the amount of content that can be deployed at one
time, and the number of devices you can deploy to or query at the same time. If you exceed
it, a message displays until you reduce your selections to within the acceptable range. The
message includes the target limit, for example, “You have exceeded the maximum of 3 devices
per deployment.”
• Not all content can be deployed. If non-deployable content (such as an audit action) is
selected, you will be prompted to remove it from the deployment.
• No Default Action – If content without a default action is selected, you will be prompted to
choose one.
• Action Parameters Required – If content that requires a parameter is selected, you will be
prompted to supply one.

Deploy Procedure

1. Select devices or content for deployment; click Deploy.

• Use the List views, filter, and search tools to find the records you want.
• Review the content documents to ensure that you understand their effects.
BigFix WebUI User's Guide | 9 - Take Action: The Deploy Sequence | 72

2. Select content or device targets, respectively; click Next.

• Use the lists, filters, and search tools, and review device and content documents as needed.
• Alternatively, you can deploy an action directly from the Software Document as described
in Software Documents (on page 45).
3. If the "Require decision" or "Non-deployable" prompts display, one or more actions require
input.
• One or more actions require attention
• The Selected actions link indicates Tasks, Patches or Software depending on the App you
are working with

a. Click the Selected actions link (Tasks, Patches, or Software) to open the Decision dialog.

Note: Multiple Action Groups can be reordered by clicking and dragging individual
actions. This is a feature of the BigFix® WebUI that cannot be performed in the traditional
BigFix console.

i. Specify any missing default actions.

• Fixlets with no default and multiple actions:
 BigFix WebUI User's Guide | 9 - Take Action: The Deploy Sequence | 73

1. Select an action from the drop-down list. For example, a single software
package might be used to both install and uninstall an application.
• Fixlets with no default and a single action:
1. Review the content document. The Fixlet® author is saying, "Proceed with
caution." Pay close attention to any Notes®, Warnings, or Known Issues in
the document and make an informed decision.
2. To remove the action, click the x next to its name. To deploy the action,
select "Click here to initiate the deployment process" from the drop-down
list.
ii. Enter action parameters as required.
1. Select the action that is presented in the drop-down list to display the Enter
Parameters link.
2. Click Enter Parameters and type in the required information, such as a path
name or service name.
iii. Remove any non-deployable actions, such as audits or superseded patches.
b. Click Apply to return to the deploy sequence.
c. Click Next to open the Configuration page.
4. Select configuration options for the deployment; click Next. See Configuration Options (on
page 73) for descriptions of each option.

5. Review your selections. Use the Edit icon to make any adjustments.
6. Click Deploy.
7. Monitor deployment results with the Deployment views.

Configuration Options
The deployment options are listed below. Some options may not be available on your system,
depending on how your BigFix administrator has configured it.
Set Start and End Time
Schedule a deployment to start at a specific time, for example, to reduce network
load and device-holder inconvenience. When scheduling across time zones you can
schedule actions to start in the past, relative to your own time zone.
BigFix WebUI User's Guide | 9 - Take Action: The Deploy Sequence | 74

Open-ended deployment
An open-ended deployment has no end date. It runs continuously and checks whether
endpoints comply. For more information, see the Glossary (on page 121).
Client time or UTC time
Further refine when a deployment runs. Client Time is the local time on a BigFix
client's device. Coordinated Universal Time is the primary standard for regulating
clocks and time worldwide.
Stagger deployment times to reduce network load
Enter an interval in hours and minutes.
Send this as an offer
Allow device owners to accept or decline an action, and to control when it runs. For
example, whether or not to install an application, or to run an installation at night
rather than during the day.

Note: Do not send an offer as an open-ended deployment. Open-ended offers can

cause problems for device owners, such as an optional piece of software they cannot
permanently remove.

Offer options:

• ONLY to the Software Distribution Client dashboard - Display software

offers on the Client UI’s Software Distribution Client Dashboard when it is
enabled on the device, and the Self-Service Application is not enabled. When the
Self-Service Application is enabled, all offers display there.
• Notify users of offer availability - Include a notification on the endpoint that a
new offer is available.
• Offer Description - Defaults to the Fixlet description, which can be amended
or changed. If the offer contains multiple actions the name of each component is
included.

Download required files now

Pre-cache deployment-related files, transferring them from a vendor's server to a
BigFix server before deployment. Save time when working with large files or a tight
maintenance window by completing this part of the job first.
Send a Notification
Trigger an email alert when a deployment fails or completes. Enter one or more
recipients in the To: field, separating multiple addresses with a comma.

• Send on Failure - enter a threshold value (1 - 250,000) to receive an email if the

deployment fails on the specified number of devices.
 BigFix WebUI User's Guide | 9 - Take Action: The Deploy Sequence | 75

• Send on Completion - check the box to receive an email when the deployment
completes on all targets. Note: this notification option is not available when
targeting computer groups.

Force restart
Force a restart on an endpoint following a deployment, and offer the device holder a
chance to restart the device themselves at convenient time. Set the restart to occur:

• Immediately (following completion of the deployment)

• 1 day later
• 7 days later
• 15 days later

Send a default message or enter your own. For example, “Your system administrator
requests that you restart your computer, please save your work and restart. Your
device will restart automatically in 7 days.”
Run all member actions of action group regardless of errors
Multiple Action Groups only. Actions in a multiple action group run sequentially
and stop on the first action that fails. Check this box to instruct the MAG to ignore a
failure and proceed to the next action. Use this option when the actions in a MAG do
not depend on the actions that precede them.
Chapter 10. Get Started with Deployments
Use the Deployment views to monitor and verify completion of BigFix deployments.

The Deployment List

View a list of all deployments, create customized deployment summary reports to review the detailed
information about each deployment.
To access the Deployments page, from the WebUI main page, select Deployments.
WebUI deployment screens list every deployment irrespective of the permission settings. While
operators can see all deployments, permissions continue to govern the actions they can take. For
example, an operator who cannot access the WebUI patch screens would see all patch deployments,
but cannot stop the one that was running.
The WebUI displays all actions initiated from the WebUI, the BigFix console, and external sites,
including BES Support.

The colored bars on the Deployment list summarize the status of each deployment.

• Search: Use the Search feature to search deployments by name.

• Sort: You can sort the list by:
◦ Issued Date
◦ Failure Rate
◦ Device Count
 BigFix WebUI User's Guide | 10 - Get Started with Deployments | 77

◦ Start Date
◦ End Date
◦ Deployment Name
• Refine results:
◦ Failure Rate: Filter deployments with more or fewer than a specified failure rate.
◦ Deployment State: Filter all open, expired or stopped deployments.
◦ Deployment Type: Filter all deployments targeted for a single device or a group of
devices.
◦ Application Type: Filter deployments that belong to a particular application type.
◦ Issued By: Filter the deployments issued by the logged in user or a specified user.
◦ Issued Date: Filter the deployments issued on a specific date or between a date range.
◦ Deployment Date Range: Filter all the deployments that start and end on the specified
date range.
◦ Additional Behaviors: Filter deployments with a specific behavior.
• Save Report
◦ Save the report for future reference and edit, update, or delete as required. For more
information, see Reports (on page 11).
• Show Summary:
1. In the Deployments page, select the required filters.
2. Click Show Summary. You can view the deployment data as charts and tables. Mouse
over the interested areas on the chart to get more details about the respective data point and
the percentage data. Mouse over on any truncated labels to see the full text in the tool tip.
You can change filters or enter search text and the report dynamically displays the relevant
information.
◦ Deployment State By Deployment Date: Displays total number of deployments
against their deployment state since the start date of deployment for a period of time.
◦ By Failure Rate (%): Displays total number of deployments against their failure rate
under different categories from 0 to 100.
◦ By Application Type: Displays total number of deployments against each application
type.
• Export:
1. In the Deployments page, select the required filters.
2. Click Export To.
3. Select CSV to save the report as a CSV file or XLSX to save as an Excel spreadsheet.
◦ By default, the report gets downloaded into your Downloads folder with the default
file name (Deployments_Report_mm_dd_yyyy_username). You can change the
download settings in your browser to change the file name and download it into
a preferred location. You can save the report to review later and/or share it with
interested stakeholders.
◦ The exported deployment report contains key details about your deployments that
you have selected through the filters and search criteria. The details include such as
deployment ID, deployment name, state of the deployment along with all the other
details that you can see on the screen when you expand every deployment. A sample
report is shown below:
BigFix WebUI User's Guide | 10 - Get Started with Deployments | 78

Deployment Documents
Click a deployment name to see its deployment status, behavior (set at configuration), and targeting
information. Drill further into deployment details using the links to associated views.

The Deployment Document views:

• Overview – detailed description of this deployment: status, behavior, targeting, and more.
• Device Results – target status – the state of the deployment on each endpoint.
• Component Results – for content with multiple actions: the deployment status of each
component on targeted devices, expressed as a percentage of success.

Monitoring Deployments: State, Status, and Result

Interpret deployment results correctly by understanding the difference between Device Results,
Deployment Status, and Deployment State.

Device Results
Device Results describe the state of a deployment on a particular endpoint. There are many different
BigFix Device Result codes. The most common ones seen in the WebUI include:

• Fixed, or Completed – The deployment succeeded (on this device).

• Failed – The deployment failed (on this device).
• Pending Restart – Eventual success is implied.
• Not Relevant – The action is not relevant to this device.
• Running
• Evaluating
• Pending Download
 BigFix WebUI User's Guide | 10 - Get Started with Deployments | 79

Software deployments might have an associated log file. This log can be viewed in the Device
Results screen. The presence of a viewable log file is denoted by an icon. Note that log files are only
available for software deployments.

Click the log icon to display the associated log data. The entire log can be downloaded by clicking
the log file name.
BigFix WebUI User's Guide | 10 - Get Started with Deployments | 80

Note: Log files can only be viewed for software deployments. In addition, to view log files
in the BigFix WebUI, the current user must be subscribed to the Software Distribution Site in the
traditional BigFix Console, and Analysis 11 of the Software Distribution Site must be activated.

Deployment Status
Deployment Status is formulated using Device Results.

• For deployments with single actions, Deployment Status is the cumulative deployment status of
each targeted device, expressed as a percentage of success.
• For deployments with multiple actions, Deployment Status is the cumulative deployment status
of each component on each targeted device, expressed as a percentage of success.

• Green – Fixed (patches), or Completed (software, custom content).

• Dark gray – Other. The category can include Pending Restart, Running, Evaluating,
• Pending Download, and more.
• Light gray – Not yet reported, or not relevant.
• Red – Failed.
• No Status Bar – No relevant devices.

Deployment State
Deployment State describes the eligibility of a deployment to run on endpoints. It is not involved in
calculating Deployment Status.
Deployment State has three values:
 BigFix WebUI User's Guide | 10 - Get Started with Deployments | 81

• Open – The deployment is eligible to be run by endpoints.

• Expired – The deployment is no longer eligible to run because the end time has passed for all
possible endpoints in all time zones. The default expiration time for an action is 2 days.
• Stopped – The deployment is no longer eligible to run because an operator or administrator
stopped it.

In summary: Device Result is the result of a particular deployment on a specific device. Deployment
State describes the eligibility of a deployment to run. Deployment Status provides the cumulative
results of a deployment on targeted endpoints.

Evaluating Deployments With Multiple Actions

To obtain an accurate picture of the state of a deployment with multiple actions, such as those
involving a group or baseline, check the status of its individual components. In other words, if a
deployment group’s status is less than 100%, check to see which of its components has not yet
completed.

1. Open the Deployments list.

2. Use the Deployment Type filter to display a list of Group deployments.
3. Select the Deployment that you want and open its document.
4. Click Component Results.

Stop A Deployment
Not every deployment completes successfully the first time. Use the Stop Deployment button on any
Deployment list or document view to terminate a deployment, if needed.
Reasons to stop a deployment include:

• Starting to see failures on many devices.

• Starting to get blue screens on the targeted devices.
• You have updated a baseline (or Fixlet) and need to stop the old one.

Use the Deployment views and the custom tools provided by your BigFix administrator to diagnose
and fix deployment problems. Work with them to learn more about why deployments fail and
effective methods for resolving issues when they arise. Reasons a deployment can fail include:

• A computer is offline.
• A computer is being rebuilt or reimaged.
• A computer has insufficient disk space.
• A computer is not communicating with the BigFix update server.
• The BigFix agent is not running on the computer.
BigFix WebUI User's Guide | 10 - Get Started with Deployments | 82

• The computer is missing some dependent software.

Chapter 11. Get Started with the Content App
Use the Content App to work with Fixlets, tasks, and baselines on the BigFix sites. Search, filter, and
deploy content using standard WebUI tools.

Note:

• The sites listed in the Content App depends on the sites subscribed and the permissions given to
the logged in user.
• It also lists the sites that are not yet associated with a WebUI application.

New sites, new applications, and apps with new features are highlighted in the Featured Content
section. Click the tiles in the WebUI Apps section to open WebUI applications. Operators see sites
on the Content application's white list of permissible sites. Master operators see all sites that are not
part of the WebUI App collection.

Note: Not all Fixlets are deployable. Do not use the Content App to deploy Fixlets that:

• Contain or employ JavaScript, for example, JavaScript that takes action or secure action.
• Use Session Relevance.
BigFix WebUI User's Guide | 11 - Get Started with the Content App | 84

• Use specialized Console APIs.

The Fixlets will not run, and you will receive no errors or any other indication that something is
wrong until devices start reporting back that there is a problem. If you are not sure whether a Fixlet is
deployable or not, run it from the BigFix Console to avoid unpredictable behavior.
Operator Access
The below list associates the activities that an operator can perform with the type of
operator.

• Non-master operators cannot access BES support in the WebUI application as it

is intended only for the Master Operators.
• Master operators can view all the external sites, except for the two below listed
sites in Table 1.
• Non-master operator can only access the external sites that they have visibility.
See the accessible Whitelist sites listed in Table 2.
Table 1. List of external sites that cannot be accessed by the Master operator
Site ID Site Name
8361 OS Deployment and Bare Metal
Imaging
8363 OS Deployment and Bare Metal
Imaging Beta
Table 2. List of whitelist sites that can be accessed by the Non-master
operator
Site ID Site Name
12249 Advanced Patching
3107 BES Asset Discovery
3073 BigFix Client Compliance (IPSec
Framework)
3043 BigFix Client Compliance
Configuration
9287 BigFix Labs
8253 BitLocker Management (Labs)
11316 CIS Checklist for AIX 5.3 and 6.1
11316 CIS Checklist for AIX 5.3 and 6.1
11522 CIS Checklist for AIX 7.1 - RG03
12070 CIS Checklist for Apache HTTP Server
2.2 on Linux
12391 CIS Checklist for CentOS Linux 6
12410 CIS Checklist for CentOS Linux 7
11535 CIS Checklist for DB2 on Linux
11536 CIS Checklist for DB2 on Windows
15106 CIS Checklist for Internet Explorer 10
12337 CIS Checklist for Internet Explorer 11
 BigFix WebUI User's Guide | 11 - Get Started with the Content App | 85

Site ID Site Name

12339 CIS Checklist for Mac OS X 10.10
12354 CIS Checklist for Mac OS X 10.11
12425 CIS Checklist for Mac OS X 10.12
11313 CIS Checklist for Mac OS X 10.6
12389 CIS Checklist for Mac OS X 10.8
11566 CIS Checklist for MS IIS 7
12509 CIS Checklist for MS IIS 8
11568 CIS Checklist for MS SQL Server 2005
11570 CIS Checklist for MS SQL Server 2008
R2
11574 CIS Checklist for MS SQL Server 2012
DB Engine
11539 CIS Checklist for Oracle Database
11-11g R2 on Linux
11540 CIS Checklist for Oracle Database
11-11g R2 on Windows
11537 CIS Checklist for Oracle Database
9i-10g on Linux
11538 CIS Checklist for Oracle Database
9i-10g on Windows
12373 CIS Checklist for Oracle Linux 6
12364 CIS Checklist for Oracle Linux 7
11318 CIS Checklist for RHEL 5
11366 CIS Checklist for RHEL 6
12181 CIS Checklist for RHEL 7
12187 CIS Checklist for SLES 10
12518 CIS Checklist for SLES 11
11317 CIS Checklist for Solaris 10
11526 CIS Checklist for Solaris 11 - RG03
12465 CIS Checklist for SUSE 12
12453 CIS Checklist for Ubuntu 12.04 LTS
Server
12439 CIS Checklist for Ubuntu 14.04 LTS
Server
12429 CIS Checklist for Ubuntu 16.04 LTS
Server
12288 CIS Checklist for Windows 10
11356 CIS Checklist for Windows 2003 DC
11358 CIS Checklist for Windows 2003 MS
13083 CIS Checklist for Windows 2008 DC -
RG03
13085 CIS Checklist for Windows 2008 MS -
RG03
BigFix WebUI User's Guide | 11 - Get Started with the Content App | 86

Site ID Site Name

13075 CIS Checklist for Windows 2008 R2
DC
13077 CIS Checklist for Windows 2008 R2
MS
12064 CIS Checklist for Windows 2012 DC
12066 CIS Checklist for Windows 2012 MS
12057 CIS Checklist for Windows 2012 R2
DC
12061 CIS Checklist for Windows 2012 R2
MS
12469 CIS Checklist for Windows 2016 DC
12471 CIS Checklist for Windows 2016 MS
11491 CIS Checklist for Windows 7
12093 CIS Checklist for Windows 8
15107 CIS Checklist for Windows 8.1
11360 CIS Checklist for Windows XP
9342 Client Manager Builder
8151 Client Manager for Application
Virtualization
75 Client Manager for Endpoint Protection
9318 Client Manager for TPMfOSD
11035 DISA STIG Checklist for AIX 5.1
11036 DISA STIG Checklist for AIX 5.2
11434 DISA STIG Checklist for AIX 53 -
RG03
11436 DISA STIG Checklist for AIX 61 -
RG03
11354 DISA STIG Checklist for AIX 7.1
11040 DISA STIG Checklist for HPUX 11.11
11460 DISA STIG Checklist for HPUX 11.23
- RG03
11462 DISA STIG Checklist for HPUX 11.31
- RG03
11458 DISA STIG Checklist for Internet
Explorer 10 - RG03
12068 DISA STIG Checklist for Internet
Explorer 11 - RG03
11454 DISA STIG Checklist for Internet
Explorer 8 - RG03
11456 DISA STIG Checklist for Internet
Explorer 9 - RG03
12309 DISA STIG Checklist for Mac OS X
10.10
 BigFix WebUI User's Guide | 11 - Get Started with the Content App | 87

Site ID Site Name

12427 DISA STIG Checklist for Mac OS X
10.11
12225 DISA STIG Checklist for Mac OSX
10.8
12346 DISA STIG Checklist for Mac OSX
10.9
12497 DISA STIG Checklist for Oracle Linux
6
11042 DISA STIG Checklist for RHEL 3
11043 DISA STIG Checklist for RHEL 4
11430 DISA STIG Checklist for RHEL 5 -
RG03
11440 DISA STIG Checklist for RHEL 6
RG03, CentOS Linux 6 RG03
12412 DISA STIG Checklist for RHEL 7,
CentOS Linux 7
11432 DISA STIG Checklist for Solaris 10 -
RG03
12281 DISA STIG Checklist for Solaris 11
11045 DISA STIG Checklist for Solaris 8
11046 DISA STIG Checklist for Solaris 9
11048 DISA STIG Checklist for SUSE 10
11059 DISA STIG Checklist for SUSE 11
11058 DISA STIG Checklist for SUSE 9
12289 DISA STIG Checklist for Windows 10
11141 DISA STIG Checklist for Windows
2003 DC
11142 DISA STIG Checklist for Windows
2003 MS
11143 DISA STIG Checklist for Windows
2008 DC
11144 DISA STIG Checklist for Windows
2008 MS
11145 DISA STIG Checklist for Windows
2008 R2 DC
11146 DISA STIG Checklist for Windows
2008 R2 MS
11575 DISA STIG Checklist for Windows
2012 DC
11577 DISA STIG Checklist for Windows
2012 MS
12467 DISA STIG Checklist for Windows
2016
11140 DISA STIG Checklist for Windows 7
BigFix WebUI User's Guide | 11 - Get Started with the Content App | 88

Site ID Site Name

11564 DISA STIG Checklist for Windows 8
11147 DISA STIG Checklist for Windows
Vista
11148 DISA STIG Checklist for Windows XP
11120 FDCC Checklist for Internet Explorer 7
11123 FDCC Checklist for Windows Vista
11124 FDCC Checklist for Windows Vista
Firewall
11121 FDCC Checklist for Windows XP
11122 FDCC Checklist for Windows XP
Firewall
13013 IBM License Reporting (ILMT) v9
8506 MaaS360 Mobile Device Management
12380 Managed Vulnerabilities
8150 Patching Support
8102 Power Management
15105 QRadar Vulnerabilties
8110 Remote Control
6113 SCM Reporting
9188 Software Distribution
8032 Tivoli Endpoint Manager for Software
Usage Analysis v1.3
9072 Trend Common Firewall
9095 Trend Core Protection Module for Mac
11119 USGCB Checklist for Internet Explorer
7
11113 USGCB Checklist for Internet Explorer
8
12106 USGCB Checklist for RHEL 5
11110 USGCB Checklist for Windows 7
11112 USGCB Checklist for Windows 7
Energy
11111 USGCB Checklist for Windows 7
Firewall
11116 USGCB Checklist for Windows Vista
11114 USGCB Checklist for Windows Vista
Energy
11115 USGCB Checklist for Windows Vista
Firewall
11118 USGCB Checklist for Windows XP
11117 USGCB Checklist for Windows XP
Firewall
8346 Virtual Endpoint Manager
 BigFix WebUI User's Guide | 11 - Get Started with the Content App | 89

Site ID Site Name

5040 Vulnerabilities to Windows Systems
9112 Windows 7 Migration
9173 Windows Point of Sale
8232* Updates for Mac Applications
5095* Updates for Windows Applications

Attention: * The content from these sites is available in the Patches app.
Chapter 12. Getting Started with the Modern
Client Management
This section introduces the Modern Client Management (MCM) concepts, terminology, and explains
how to get started with using the feature.
With MCM for BigFix 10, you can extend the management capabilities to modern devices by
leveraging MDM technology. BigFix 10 provides visibility into modern devices that do not have
a BigFix Agent installed along with traditional devices that have BigFix Agent installed by using
a single tool. You can control the security and configuration settings through MDM policies and
actions.
BigFix 10 facilitates the management of modern clients in your environment in the following ways:
Device inventory
With BigFix 10, you can view critical device information in the device list, regardless
of whether the information is pulled from the native BigFix Agent, MDM, or cloud
instances.
Simplified Device Representations
On the WebUI, an icon indicates the type of each device on your network (native

, cloud , or MDM ). When an

endpoint has more than one representation, it shows multiple icons. A device that has
multiple representations is called a correlated device.
Device Management
MDM provides additional capabilities and policies to help manage modern desktops
such as macOS® and Windows™ 10. You can apply these policies and capabilities
that are captured in new BigFix artifacts called Policies.
Policy Management
MDM allows you to set common passcode policies across your Windows 10 and
macOS devices. You can also manage full disk access and kernel extensions policies
in macOS devices.
Management of MDM devices
MDM supports actions such as lock, wipe, restart, shutdown, and remove policies.
For details on administering Modern Client Management (MCM), see the BigFix Modern Client
Management Admin Guide.
 BigFix WebUI User's Guide | 12 - Getting Started with the Modern Client Management | 91

Managing BigFix MDM

After Windows and macOS devices are enrolled, the devices report to BigFix as MDM devices, and
they are listed on the BigFix WebUI Devices page. Use the MDM application in the WebUI to view,
manage, and control these Windows and macOS devices and policies.
To access the MDM page, from the WebUI main page, select Apps > MDM.

Note: A Master Operator can configure access to the MDM application for a user by using the
WebUI PPS (on page 94) app. Only users who have access to the MDM application through
BigFix WebUI can deploy MDM policies.

Health Checks
As a Master Operator, use the Health Checks page in the MDM application to monitor the health
of your BigFix MCM deployments. This makes it easier for you to determine the status of your
deployments and to identify what is not set up properly.

Note: This functionality is not applicable for Non-Master Operators.

To access the Health Checks page:

1. From the WebUI main page, select Apps > MDM.

2. On the MDM main page, click on the Health Checks button. The Health Checks page is
displayed as follows.
BigFix WebUI User's Guide | 12 - Getting Started with the Modern Client Management | 92

This page is organized into macOS MDM Servers, Windows MDM Servers, and MDM Plugin
Status sections to track important health indicators.

• Activate or deactivate all the relevant BESUEM analyses by clicking the Activate All or
Deactivate All button depending on the activation status. When activated, a green tick mark is
displayed next to the relevant analysis.

macOS MDM Servers

• Server Name: Reports the list of macOS MDM servers that are detected. If there
are no macOS MDM servers, ‘No servers detected’ is displayed. For information
on setting up the MDM Server, see Install BigFix macOS MDM Server.
• Running: If the Mac MDM service (BESmacmdm) is running on the MDM server,
users can see a green tick mark. If MDM service is not running, to install the
MDM service, see Install BigFix macOS MDM Server.
• Package: Indicates whether a BigFix OSX installer pkg has been prestaged on
the MDM server. This is needed to successfully deploy a BigFix Agent on OSX
devices via MDM. If the package has been prestaged correctly, users can see a
green tick mark. If the package is missing and if you want to add the package,
see Staging BigFix Agents for Delivery.
• Version: Shows the current version of the macOS MDM server installed.
 BigFix WebUI User's Guide | 12 - Getting Started with the Modern Client Management | 93

• URL: Displays the MDM URL of the configured sever. If the server URL is not
detected, ensure the server is set up properly. To set up the server, see Install
BigFix MacOS MDM Server.

Windows MDM Servers

• Server Name: Reports the list of Windows servers that are detected. If there are
no Windows servers, displays ‘No servers detected’. For information on setting
up the Windows MDM Server, see Install BigFix Windows MDM Server.
• Running: If the Windows MDM service (BESwindowsmdm) is running on the
MDM server, users can see a green tick mark. If MDM service is not running, to
install the MDM service, see Install BigFix Windows MDM Server.
• Package: Indicates whether a BigFix Windows .msi installer package has been
prestaged on the MDM server. This is needed to successfully deploy a BigFix
Agent on Windows devices via MDM. If a package has been prestaged correctly,
the check shows a green tick mark against the relevant sever. If the package
is missing and if you want to add the package, see Staging BigFix Agents for
Delivery
• Version: Shows the current version of the Windows MDM server installed.
• URL: Displays the MDM URL of the configured sever. If the server URL is not
detected, ensure the server is set up properly. To set up the server, see Install
BigFix Windows MDM Server.

MDM Plugin Status

Reports the list of all the installed Plugin Portal names, versions along with the
versions of the installed macOS MDM Plugin and/or Windows MDM Plugin. If there
is none installed, it displays ‘None.’

MDM Permissions
Use the WebUI Permissions service to provide increasingly fine-grained control over permissions
and preferences in WebUI MDM.
To go to Permissions page, as a Master Operator click on the gear icon, and from the dropdown
menu, select Permissions.
BigFix WebUI User's Guide | 12 - Getting Started with the Modern Client Management | 94

Master Operator can configure two things with the Permissions and Preferences Services (PPS) with
MDM:

1. Configure visibility of the MDM app based on the role

• For example, users with mdm allow all role and mdm custom policy roles can see the MDM
application; but users not in those roles do not have access to MDM application.

2. Configure specific MDM permissions

• Create, Edit and Delete Non-Custom Policies permission allows users to manipulate
policies (passcode policies, kernel policies, and full disk access policies) that WebUI
natively supports.
• Create, Edit, and Delete MCM Custom Policies permission allows users to manipulate
custom policies that users come up on their own.

Permissions in WebUI work just like console permissions in that a user’s permissions is the union of
all of their role permissions and global permissions. For example: If a user is part of four different
roles and only one of them has access to MDM specific permission, that user has access to MDM. If
a user is not part of any role that has any MDM specific permissions, but the Global Permissions of
MDM has been set, that user also has access to MDM despite not having access through roles.

Device Inventory
You can use the Devices page in BigFix WebUI to view the list of all devices (as determined by
permission levels). The list will contain devices that are managed by MDM and devices that are not
managed by MDM.
Click Show Summary button in the upper right hand side of the device list page to view the
summary of devices, operating systems, and groups.
 BigFix WebUI User's Guide | 12 - Getting Started with the Modern Client Management | 95

Click Export To button in the upper right hand side of the device list page to export the devices list
report in either .csv or .xlsx format.

Note:

• The laptop and Mobile Phone icon next to the device name indicates that the
device is managed by the MDM, and you can deploy MDM actions and MDM Profiles and
Send Client Refresh and Deploy BigFix Agent actions only on these devices.

• BigFix icon next to the device name indicates that the device is managed by a
BigFix native agent. You can also send client refreshes to BigFix native agent devices.
• The Cloud icon next to the device name indicates that the device is
managed by the cloud.
• If you find more than one icon next to the device name, it indicates that the
device is correlated and can be managed in multiple ways.

With BigFix 10 MDM, additional deployment options appear on the Deploy dropdown menu. Non
master operators require the Can Create Actions permission to be able to see this dropdown menu.
For more information about User permissions, see the BigFix Platform Guide.
The users who have visibility to the WebUI MDM App (on page ) have the following deploy
options that are available with WebUI MDM:

• Deploy MDM Action: Allows users to deploy MDM specific actions like the lock, wipe, and
restart, etc.
• Deploy MDM Policy: Allows users to deploy MDM policies to lock down password settings or
add kernel / full disk access exceptions to macOS devices.
• Deploy BigFix Agent: Allows users to deploy the BigFix agent on MDM devices that don't have
the BigFix agent deployed on it.

Clicking a device in the device list will lead you to the device doc where you can view properties,
status, relevant content items, and deployment history. Additionally, if the device is an MDM device
BigFix WebUI User's Guide | 12 - Getting Started with the Modern Client Management | 96

or if the device is a correlated device that has an MDM representation, you can view additional
analysis information about MDM devices.

Note: If the device is correlated, the device doc will generate different device reports that
contain common properties like IP address, Name, and Operating System name, Analysis etc. BigFix
will generally display properties from the native agent over property information that originates from
MDM. For some fields like device type, BigFix WebUI will display the aggregation of different
device reports.

Deploying MDM policies

Deploying MDM policies in BigFix 10 MDM allows administrators to lock down and configure
MDM devices. MDM policies are deployed to manage the devices effectively through MDM.

Note:

• Master Operators can perform all actions. The following notes applies only to non master
operators:
◦ Only users that have access to the MDM application via BigFix WebUI can deploy MDM
policies. Access can be configured by going to the to WebUI PPS app (on page 93) as a
Master Operator.
◦ Only non master operators with permission Create,Edit, and Delete Non-Custom Policies
can create native MDM policies (Kernel Extensions, Passcode Policy, Full Disk Access).
◦ Only users with permission Can Create Actions in the BigFix Console can deploy MDM
policies. These users also need permissions in the BigFix custom sites associated with
view/edit/deploy the policies unless the policies were created in the master action site. For
more information about permissions, see MDM Permissions (on page 93).
◦ You can deploy an MDM policy only to MDM managed endpoints. Deploying MDM
policies to device groups with non-MDM devices will fail.
 BigFix WebUI User's Guide | 12 - Getting Started with the Modern Client Management | 97

◦ WebUI will prevent users generating actions that do not apply to the right device type.
For example, WebUI prevents deploying MDM policies to native BigFix agent devices or
cloud devices.
◦ If you attempt to deploy an MDM policy on a correlated device with both a native BigFix
representation and an MDM representation, it will result in deploying the MDM policy
only to the MDM device.

Follow these steps to deploy MDM policies:

1. Go to the Devices list.

2. Select the device(s) to which you want to deploy the MDM policies.
3. Click Deploy button.
4. Select Deploy MDM Policy from the dropdown list.

5. Click Edit Policies to select the pre-configured policies.

6. Click Deploy to deploy the MDM policy to the selected device(s).

Note: Non-master operators need visibility on the sites where policies were created. If non-
master operators don't see the right MDM policies in this deployment workflow, they should
check their BigFix site permissions.
BigFix WebUI User's Guide | 12 - Getting Started with the Modern Client Management | 98

Deploying MDM actions

With BigFix 10 MDM, you can perform various actions like Lock Device, Wipe, Restart, Shutdown,
Deploy BigFix Agent, and Remove Policy using MDM Actions.

Note:

• You can deploy MDM actions only to the MDM managed devices.
• You can also deploy MDM actions to correlated devices that have an MDM representation.
• Certain actions are operating system specific, and each action has an operating system logo on it
to notify the users. If you find both Windows™ and macOS logo, it represents that action can be
applied to both the operating systems.
• Deploying the Deploy BigFix Agent action requires installer packages to be prestaged to work
properly. For Mac, run Stage Mac OS X Client Fixlet in BESUEM. For Windows, make sure an
msi package that installs BigFix exists in /var/opt/BESUEM/packages directory of the
MDM Server.

To perform different MDM Actions, follow these steps:

1. Open the application.

2. Click Apps and select MDM from the list.

Lock Device
This action is used only to lock the remote devices that are stolen or lost. The Lock
action helps you to safeguard the lost or stolen devices, and in case the device is
found, the device can be unlocked using the recovery pin.

Note: Lock action is available only to the macOS devices. Lock action invoked
against Windows MDM device will not lock the device.
 BigFix WebUI User's Guide | 12 - Getting Started with the Modern Client Management | 99

1. Select the Lock Device action.

2. Click Edit Devices to add/remove the devices.
3. Set Recovery Pin and Enter Lock Message.
4. Click Deploy to deploy the action to the targeted devices.

Wipe
This action is used to erase the data on the remote device, even if the device is
locked. The Wipe action helps you to completely erase the device(s) from the BigFix
management without warning the end-user.

Note:

• The recovery code only applies to macOS devices. Windows devices will
execute the Wipe action while ignoring the recovery pin.
• Users are only able to wipe one device at a time and cannot execute wipe on
device groups.

1. Select the Wipe action.

2. Click Edit Devices to add/remove the devices.
3. Set Recovery Pin.
BigFix WebUI User's Guide | 12 - Getting Started with the Modern Client Management | 100

4. Click Deploy to deploy the action to the targeted devices.

Restart
This action is used to restart the targeted devices.

1. Select the Restart action.

2. Click Edit Devices to add/remove devices.
3. Click Deploy to deploy the action to the targeted device.

Shutdown
This action is used to shutdown the targeted devices.

1. Select the Shutdown action.

2. Click Edit Devices to add/remove the devices.
3. Click Deploy to deploy the action to the targeted devices.

Note: Shutdown action is available only for macOS and not for Windows.

Remove Policy
You can remove policies from selected devices using this action. You can only
remove policies on devices that are enrolled in MDM.

Note: Deploying remove policies on macOS devices that don't have the selected
policy installed will result in a failed action.
 BigFix WebUI User's Guide | 12 - Getting Started with the Modern Client Management | 101

1. Select the Remove Policy action.

2. Click Edit Devices to add/remove the devices.
3. Click Edit Policies to select the policy that needs to be removed.
4. Click Deploy to deploy the action to the targeted devices.

Deploying BigFix Agents

By deploying the BigFix Agent to devices, BigFix administrators can use all the capabilities of
BigFix on those devices.

• Master operators can deploy a BigFix Agent on an MDM device

• Non master operators who have the Can use WebUI, Can Create Actions, and Custom Content
permissions can deploy a BigFix Agent on MDM devices.

To deploy the BigFix Agent, follow these steps:

1. Select at least one device that is managed only by an MDM agent. (Users can also get a list of
devices that don’t have the BigFix Agent installed by using the BigFix Agent Status > Not
Installed filter.

Note: The devices that are managed by only MDM are indicated by the MDM symbol
next to it.
2. Click Deploy.
3. From the list, select Deploy BigFix Agent.
BigFix WebUI User's Guide | 12 - Getting Started with the Modern Client Management | 102

4. To add or remove devices, on the Deploy BigFix Agent page, click Edit Devices.

5. Configure Relay authentication options.

a. Mac Relay Authentication Options: This section is displayed if Mac endpoints are
selected.
• Configure Relay: Enter an IP address or a DNS name.
• Password: Enter the password.
• Include BigFix full disk policy: Select this check box to grant full-disk access
privileges to BigFix.
b. Windows Relay Authentication Options: This section is displayed if Windows endpoints
are selected.
• Select MSI to deploy: From this list, select the msi file that you have prestaged on the
MDM server.
6. To deploy the BigFix Agent, click Deploy.

Note:
• After the action is complete, both MDM and the BigFix Agent can manage the device.
• The IP address and password that are entered as part of configuring a relay are used only
by macOS MDM endpoints. Windows MDM devices must have a prestaged MSI with a
relay authorization that is already configured as part of the MSI.
 BigFix WebUI User's Guide | 12 - Getting Started with the Modern Client Management | 103

• Deploying the BigFix Agent works only if the installers for BigFix Agents are prestaged
on the MDM server. The BigFix WebUI requires at least one .pkg file for macOS and
one .msi file for Windows devices. If installation packages are not on the MDM server,
users receive a warning that says BigFix Agent actions will fail." The WebUI checks
for .msi and .pkg files in the /var/opt/BESUEM/packages folder by default to see
whether BigFix Agent packages are prestaged correctly.

Managing MDM policies

You can manage the MDM policy of both macOS and Windows devices using BigFix WebUI.

Note:

• Master operators and non-master operators that have the WebUI permission to view the MDM
application, and permissions to Create, Edit, and Delete Non-Custom Policies can create or
manage Passcode Policies, Kernel Policies, or Full Disk Access Policies. Users that have the
Create, Edit, and Delete MDM Custom Policies permission will see an additional option when
creating policies to help them create custom policies.
• Non-master operators must have the following permissions to manage MDM policies and
actions:
◦ Appropriate permissions to create, edit and delete MDM custom and non-custom policies
◦ The "custom content" permissions to deploy MDM actions and policies
◦ Write permissions to specific custom content sites to have them be an option in the site
dropdown when associating an MDM policy with a custom site.
◦ Read permissions or be part of a role that has read permissions to the BESUEM site to get
accurate device counts of the policies.
• You cannot deploy multiple non-custom polices of same type to the targeted devices. You can
deploy multiple custom policies to the targeted devices in one action.

To create an MDM policy to manage MDM settings, follow these steps:

1. Open the MDM app.

2. Click Create Policy.

BigFix WebUI User's Guide | 12 - Getting Started with the Modern Client Management | 104

The following are the policies that can be configured using BigFix WebUI:

1. Passcode
2. Kernel Extensions
3. Full Disk Access
4. Upload Custom Policy

Note: Certain MDM Policy types are operating system specific. Each policy type has the
applicable operating system logos underneath to notify the users. If you find both Windows and
macOS logos, it represents that the policy can be applied to both the operating systems.

Passcode
Passcode policies allow BigFix administrators to lock down various password/
inactivity settings on both Windows and macOS MDM devices.
 BigFix WebUI User's Guide | 12 - Getting Started with the Modern Client Management | 105

1. Open the MDM app.

2. Click Create Policy.
3. Select Passcode to create a passcode policy.
4. Click Settings.
5. Enter the details in General Settings

Note: Select a site from the dropdown to Assign Policy to Site. Non master
operator can see only those sites in the dropdown to which they have access.
6. Set the Policy Removal Settings.

Note: This is an optional setting.

7. Set the Passcode Complexity.
8. Set the Passcode Security.
9. Click Save.

Note: You have optional settings specific to macOS settings and Windows 10
settings.

• macOS settings (optional):

BigFix WebUI User's Guide | 12 - Getting Started with the Modern Client Management | 106

• Windows 10 Settings (optional):

Kernel Extensions
Kernel Extensions provide developers the ability to load code dynamically into the
macOS Kernel. This allows access to internal kernel interfaces allowing complex
apps to function properly. For more information on Kernel Extensions, see Kernel
Extension Overview.
If the Kernel Extensions associated with specific applications are whitelisted
via macOS MDM, those applications can be installed seamlessly without user
intervention or approval.
You can create macOS MDM policies for Kernel Extension Whitelisting of specific
applications. You must apply the created Kernel Extension Whitelisting policies
before attempting to install those specific applications with kernel extensions.
To create a Kernel Extension Whitelisting policy:

1. Open the MDM app.

2. Click Create Policy.
3. Select Kernel Extensions.
4. Click Settings.
 BigFix WebUI User's Guide | 12 - Getting Started with the Modern Client Management | 107

5. Under Generic Settings, enter the details.

• Name: Enter a name for the kernel extension whitelisting policy.
• Description: Enter description for your policy.
• Operating System: Cannot be changed as this is applicable only to macOS.
• Assign Policy to Site: Select a site from the dropdown menu to assign the
policy to the selected site. Non-master operators can see only those sites in
the dropdown menu to which they have access.
6. Policy Removal Settings is an optional setting. To automatically remove the
policy on a specific date and time, select Allow Removal checkbox and in the
Auto Removal Date (UTC) text box, enter a date and time.
7. Under Kernel Extension, enter the Team ID and the Bundle ID.
• Team ID: Team ID is unique to a specific development team. It is an
alphanumeric string, which is the developer’s or vendor’s Developer ID for
signing KEXTs certificate identifier.
• Bundle IDs: Bundle ID is an alphanumeric string that uniquely identifies an
application from a specific vendor. You can specify more than one Bundle
ID separated by a comma for any given Team ID.
To identify Team ID and Bundle IDs using sqlite3:
a. Install the target product on a machine running a supported macOS version.
b. Let the user manually approve installation of any extensions that are
flagged.
c. Check the SQLite database with the following commands to get Team ID
and Bundle ID:
sqlite3 /var/db/SystemPolicyConfiguration/KextPolicy
SELECT * FROM kext_policy;

This command will show all the kernel extensions in effect on the machine
across all products. You need to locate the ones of interest for whitelisting
and create a policy or policies that cover everything you wish to whitelist.
The output might look similar to: EQHXZ8M8AV|
com.google.dfsfuse.filesystems.dfsfuse|1|Google, Inc.|8"
BigFix WebUI User's Guide | 12 - Getting Started with the Modern Client Management | 108

Where EQHXZ8M8AV is the Team ID and

com.google.dfsfuse.filesystems.dfsfuse is the bundle ID.

Note:
• To whitelist the kernel extension of an application from a specific vendor,
you must specify both the Team ID and the Bundle ID.
• Do not add multiple entries with the same Team ID, as only the last one in
the list will actually be used. If you have multiple apps to whitelist with the
same Team ID, add all the Bundle IDs in one entry separated by commas.
For example:
Bundle IDs: BundleID1,BundleID2,BundleID3
8. Add Extension: If you want to whitelist more than one product from different
vendors within a single policy, click Add Extension to add additional Team ID
and Bundle IDs to the same policy.
9. Click Save.

Full Disk Access

You can create a Full Disk Access policy using this section. Creating a Full Disk
policy allows the BigFix Agent (and other applications) to function smoothly on OSX
devices. Applications configured with a full disk policy will be granted complete disk
access on OSX.

1. Click Full Disk Access link.

2. Enter the details in Generic Settings

Note: Select a site from the dropdown to Assign Policy to Site. Non master
operator can see only those sites in the dropdown to which they have access.
3. Set the Policy Removal Settings.

Note: This is an optional setting.

 BigFix WebUI User's Guide | 12 - Getting Started with the Modern Client Management | 109

4. Enter the details of Full Disk Access.

5. Click Save.

Upload Custom Policy

You can create a custom policies using this wizard.

Note:

• For macOS, you can use profile creator to create custom policy and upload the
.mobileConfig file to Custom Policy Wizard.
• For Windows, see Policy CSP for more information on creating custom policy.
• Once an appropriate .syncml or .xml file has been created using the Microsoft
docs as a reference, users can upload the file in the Custom Policy Wizard.

1. Click Upload Custom Policy link.

2. Enter the details in Generic Settings.

Note:
• You can select only one operating system checkbox at a time.
• You can only create policies and assign them to sites where you have the
write permission.
• Select a site from the dropdown to Assign Policy to Site. Non master
operator can see only those sites in the dropdown to which they have access.
• Policies can be assigned to specific sites using Assign Policy to MDM
devices.
3. Click Choose File to upload a .xml or .mobileconfig or .syncml policy
file.
4. Click Upload.
5. Click Deploy Policy to deploy the custom policies to site.
BigFix WebUI User's Guide | 12 - Getting Started with the Modern Client Management | 110

MDM Use Cases

Checking the number of MDM devices registered
You can check the number of MDM registered devices in the Devices page using
device filters.

1. Open the Devices page.

2. Navigate to the Refine My Results section.
3. Click Managed By filter.
4. Select MDM checkbox to filter only MDM registered devices.

Determining Windows MDM only devices

You can determine Windows MDM only devices using filters.

1. Open the Devices page.

2. Navigate to the Refine My Results section.
3. Click Managed By filter.
4. Select Windows checkbox under MDM section to filter only Windows MDM
devices.
 BigFix WebUI User's Guide | 12 - Getting Started with the Modern Client Management | 111

Identifying Correlated Devices and MDM Devices

You can identify MDM and correlated devices using the icons next to the device name
on the Devices page.

Open the Devices page. If devices only have the Laptop and Mobile Phone icon, it
is a device managed only by MDM. If a device has more than one icon, it means the
device is managed by multiple sources.

Manage MDM Devices with MDM specific actions

Non master operators with the can create actions permission can do multiple
deployment options on the Devices page and the Device Document page. They can
deploy specific MDM actions like Deploy MDM Policy, Deploy MDM Action, and
Deploy BigFix Agent.

1. Open the Devices page.

2. Select Device checkbox.
3. Click Deploy.
4. Select the deploy option from the dropdown.

Note: You are allowed to select only one deployment option at a time.
BigFix WebUI User's Guide | 12 - Getting Started with the Modern Client Management | 112

Manage MDM Devices with MDM specific actions in the Device Document
Non master operators with the can create actions permission can do multiple
deployment options on the Devices page and the Device Document page. They can
deploy specific MDM actions like Deploy MDM Policy, Deploy MDM Action, and
Deploy BigFix Agent.
Send Client Refresh
You can use this action to send client refresh to devices. By deploying the Send
Client Refresh action, you will send a full client refresh request to devices, and it is
equivalent to performing Send Refresh on the BigFix Console.

In BigFix 9.5, send client refresh creates an action against targeted devices with the
ActionScript notify client ForceRefresh.

In BigFix 10 the BigFix 10 WebUI sends a direct API call to force clients to perform
full refresh.

All devices, regardless of whether the device is managed by MDM, by a BigFix

Native agent, or through cloud plugins, respond appropriately to a Send Client Refresh
action.
Chapter 13. Extending BigFix management
capabilities
BigFix 10 delivers a few significant new functions for enhancing the visibility and management of
devices on your network regardless of whether the devices are physical or virtual.

Challenges faced in managing modern IT infrastructures

Managing their infrastructures is growing more and more challenging and complex for IT
organizations. With the advent of multiple types of servers, different operating systems, software,
cloud computing and services, and technology that is changing almost every minute, it becomes
difficult to track, control, and manage the IT environments.

• Technologies such as cloud computing and mobility change the IT landscapes fast and it
becomes difficult to stay current.
• Catering to new compliance and regulatory requirements while still complying with the old ones
has mandated the need for a cost-effective solution.
• As IT organizations continue to increase operations around latest technologies, security
becomes a major concern.
• Sophisticated IT infrastructures that support high computing and data analysis need efficient and
cost-effective data extraction and data storage techniques.

BigFix 10 features
To achieve transparency across your heterogeneous IT environments, you need a more automated,
comprehensive, and robust solution like BigFix 10. This all-new version of BigFix provides you with
an accurate view of the resources in your network, key analytics, and detailed insights that can enable
your decision makers to make faster and informed decisions about IT management.

Related concepts

• Managing cloud resources (on page )

• Managing cloud plugins in WebUI (on page 115)

Related information

• Modern Client Management

• Insights
BigFix WebUI User's Guide | 13 - Extending BigFix management capabilities | 114

Managing cloud plugins

BigFix 10 Platform includes a plugin for every cloud provider supported, namely Amazon Web
Services (AWS), Microsoft Azure, VMware and Google Cloud Platform (GCP). Each of these cloud
providers has its own uniqueness, capabilities, and ways to interface with an external program and
they handle access to data and capabilities differently.
To be able to install the plugin portal and the cloud plugins, Master Operator (MO) privilege is
required.
The multicloud management features are available for use in both BigFix Console and WebUI.

Related tasks

• Installing the plugin portal (on page 114)

• Installing cloud plugins (on page 115)

Installing the plugin portal

The Plugin Portal is a new component introduced in BigFix 10 to help manage cloud devices as well
as modern devices such as Windows 10 and MacOS endpoints enrolled to BigFix. For details on
modern client management, see the Modern Client Management documentation.

Plugin portal is a scalable component introduced in BigFix 10 for supporting the management of
cloud instances and modern clients.

1. Click the gear icon at the top right corner.

2. Click Plugin Management.

The Plugin management portal opens.

3. Install a plugin portal if you have not done so yet.

a. Click Install in the Plugin portals section. The Install BigFix Plugin Portal opens.
b. Click Deploy Content.
 BigFix WebUI User's Guide | 13 - Extending BigFix management capabilities | 115

Installing cloud plugins

Install and manage cloud plugins.

To install cloud plugins, complete the following steps.

1. Click Install in the Plugins section.

The Install cloud plugin page opens.

2. Specify the Cloud Provider. For example, Azure.

3. Specify the Hosting Portal.

4. Specify a value, in minutes, for the Discovery frequency.

5. Enter the Account alias information.

Depending on which cloud provider you are using (AWS, Azure, VMware or GCP), the list
of the following required parameters changes. For example, if you specified Azure as Cloud
Provider in step 2, you must enter the following information: Tenant ID, Subscription ID, Client
ID (Application ID) and Password (Client Secret).

6. Click Install.

Working with cloud plugins

If you have the cloud plugins enabled and they have discovered cloud instances in your environment,
you can access those cloud devices from the Devices (on page 14) page and work with them.
The Devices page enumerates all the devices in your environment, indicates whether they are
physical or virtual, how many in either category, and whether they have BigFix agent installed or not.
To display the device card that provides more details, expand the Device entry.
The objective of device correlation is to avoid duplication of resources and streamline the device
management. When BigFix discovers devices on the cloud (either private or public), it determines
whether these are already known or tracked in the system. The advantage of asset correlation is
that if there are multiple representations of a single endpoint, they are all aggregated and presented
on the Devices page as a single endpoint. You as an operator can then select any group (of such
representations) to target actions, and then any representation within the group as target for each
specific action. You can also limit the operators' access to only manage specific representations of a
device.
After installing the cloud plugins and discovering the cloud resources, you can see the summary of
your cloud devices in WebUI Overview under Cloud Dashboard. To display the dashboard, click the
Overview button beneath the navigation bar and select Cloud Dashboard. This dashboard contains
tiles for monitoring the amount of cloud resources in your environment, with or without an agent
BigFix WebUI User's Guide | 13 - Extending BigFix management capabilities | 116

installed, and their distribution by type and region. Click any bar chart to open the Devices (on page
14) page, which lists that subset of resources, where the filters BigFix Agent Status and Managed by
are pre-selected.
As a BigFix Operator, you can view the Device document. Device document provides information
gathered from various devices. If it is a cloud instance, you see data related to cloud as well on this
page. To narrow down the search to cloud devices, you can use filters such as BigFix Agent Status
(Installed or Not installed) or Managed by (Cloud and which Cloud provider).

Viewing and editing the cloud plugin properties

1. Log in to the WebUI.

2. Expand the cloud plugin entry in the Plugins section. The following properties are displayed:
• The name of the host.
• When the last discovery was performed.
• The plugin version.
• The status of the plugin.
3. Under Actions, click Edit plugin.
4. You can modify, for example, the credential sets or the discovery frequency.
5. Click Save.

Plugin settings
The following configurations are set using the SetPluginSettingsIntoStore function exported
by the Plugin Portal common header. These settings retrieve all the plugin store settings that are used
to populate the console dashboards and the dashboard in WebUI.

Table 3. SetPluginSettingsIntoStore Settings

Plugin Name Description
Credentials_LoginSuccess<useralias> Avoids credential locking if lockout policies are
in place.
Values: Set to “1” when the login succeeds. Set to
“0” if the cloud provider refuses the credentials.
For example, HTTP error 401 sets this setting to
“0” that indicates that a password is no longer
valid. If the login fails for something different
form HTTP 401 (for example, network error or
any other HTTP error code) nothing is set.
Discovery_LastScan Contains the timestamp (unix time) of the last
discovery attempt.
Discovery_LastScanNoErrors Contains the timestamp (unix time) of the last
discovery attempt completed with no errors.
This is to support multicredentials. For example,
if you have 10 credential sets, the discovery
is attempted for each one. If one credential set
 BigFix WebUI User's Guide | 13 - Extending BigFix management capabilities | 117

Plugin Name Description

fails due to password expiration, the LastScan
is set because one discovery is already done,
but LastScanNoErrors is not set. If no error
occurred, LastScanNoErrors and LastScan are
set to the same value.
Discovery_LastError Contains the last error message (whatever it is)
that a full discovery finds during its execution.
It is reset when the full discovery terminates
with no errors. In other words, this is set if
LastScanNoErrors != LastScan; this is set to
“” when LastScanNoErrors == LastScan.

Installing BigFix Agent on cloud discovered devices

From BigFix WebUI, you can install the BigFix Agent code on the devices that have been discovered
by cloud plugins.

• You can install BigFix Agent on the cloud discovered devices if only they have Windows or
Linux x86 64bit Operating System.
• You need to have a CDT infrastructure set up. CDT documentation and log files can also be
used for troubleshooting. For more information, see https://help.hcltechsw.com/bigfix/10.0/
platform/Platform/Installation/c_using_the_cdt.html

WebUI leverages the Client Deployment Tool (CDT) technology that is already available in BigFix.
Compared to the CDT wizard, WebUI offers a simplified and streamlined process. To deploy BigFix
Agent through WebUI perform the following steps:

1. From the landing page of the WebUI, click Overview and from the dropdown menu select
Cloud Dashboard.
2. The Cloud resources by provider dashboards summarizes all the devices discovered with and
without the BigFix Agent. Click on the bar that represents the devices without BigFix Agent
that belong to a desired cloud provider.
BigFix WebUI User's Guide | 13 - Extending BigFix management capabilities | 118

Now, the Device (on page 14) page is displayed filtered by the following properties:
• Managed by: <the selected cloud provider>
• BigFix Agent Status: Not installed
3. Select one or more devices from the filtered list in which you want to install the BigFix Agent.
4. Click the Deploy dropdown button and select Deploy BigFix Agent. Now, you can customize
the parameters required to install the BigFix Agent through the existing CDT infrastructure.
Before specifying the settings, you can still revise and modify the list of target devices by
clicking the Edit Devices button on top right of the page.
Deployment settings
BigFix Agent Settings: This setting is optional, and it is related to the relay
connection. If not specified, once the BigFix Agent starts, it connects to the root
server or top level Relay, according to the deployment configuration. If a Relay
is specified, either with the hostname or the IP, there is also the possibility to
include the password in case the selected Relay is configured for authentication.

Deployment point settings: This setting enables you to choose the CDT
Deployment Point (among the available Windows Deployment points) from
which you want to distribute the agent code to the targets.
 BigFix WebUI User's Guide | 13 - Extending BigFix management capabilities | 119

Note: You can have only one Deployment Point for all the distributions.
You cannot assign multiple Deployment points to different buckets of targets.
Username and Password of the computer is also required.

When you select the Deployment Point, ensure that the target device and the
deployment point ping each other (can connect), because unlike the CDT wizard
in the BigFix Console, here it is not possible to set a proxy to guarantee the
communication.
The process installs a predefined version of the BigFix Agent. If newer versions
are available, agent can then be upgraded via the usual upgrade fixlets available
in BigFix Support site.
Specify Target credentials: This setting enables you to set credentials for
the target machines to allow the installation of the BigFix Agent code. You
can select multiple devices at the same time and assign the same credentials
(if required) or do it one by one to assign different credentials. Devices are
identified by their IPs (this is why even if you have selected computers by names,
CDT connects to these devices through the IP). If the computer has multiple IPs,
CDT tries to connect to all of them until the first response.

Search field lets the user to look for a specific machine in this list, if needed.
Once the selection is done, click Set credentials to include either the username/
password combination or an SSH private key in the popup.
5. Once all the required configuration is done, click Deploy button to begin the deployment.
BigFix WebUI User's Guide | 13 - Extending BigFix management capabilities | 120

Now, the Deployment page appears to indicate the status of the action to start CDT processing.

Note: When this action is successful, it only means that the CDT has successfully started
the process and not that the agent is successfully installed on the target devices.

Once BigFix Agent is successfully installed on the devices:

• The devices connect to the BigFix Server through the BigFix Agent
• The device entries are correlated with the existing ones related to the cloud discovery
• The visualization of the device in the Device page canges from showing cloud icon

to showing BigFix logo and cloud icon. For example, to

You can also install the BigFix Agent on cloud devices from the Devices page by carefully selecting
the appropriate Managed by and BigFix Agent Status filters.

Note: The system returns an appropriate error message:

• If you choose a mixed set of cloud discovered and MDM devices to deploy BigFix Agent
• If you choose a device that already has a BigFix Agent installed and if you try to deploy BigFix
Agent through the Deploy dropdown action
Chapter 14. Glossary
This glossary provides terms and definitions for the Modern Client Management for BigFix software
and products.

The following cross-references are used in this glossary:

• See refers you from a nonpreferred term to the preferred term or from an abbreviation to the
spelled-out form.
• See also refers you to a related or contrasting term.

A (on page 121) B (on page 122) C (on page 122) D (on page 124) E (on page 125) F
(on page 125) G (on page 126) L (on page 126) M (on page 126) N (on page 127) O (on
page 127) P (on page 128) R (on page 128) S (on page 129) T (on page 130) U (on page
131) V (on page 131) W (on page 131)

A
action

1. See Fixlet (on page 125).

2. A set of Action Script commands that perform an operation or administrative
task, such as installing a patch or rebooting a device.

Action Script
Language used to perform an action on an endpoint.
agent
See BigFix agent (on page 122).
ambiguous software
Software that has an executable file that looks like another executable file, or that
exists in more than one place in a catalog (Microsoft Word as a standalone product or
bundled with Microsoft Office).
audit patch
A patch used to detect conditions that cannot be remediated and require the attention
of an administrator. Audit patches contain no actions and cannot be deployed.
automatic computer group
A computer group for which membership is determined at run time by comparing the
properties of a given device against the criteria set for group membership. The set
BigFix WebUI User's Guide | 14 - Glossary | 122

of devices in an automatic group is dynamic, meaning that the group can and does
change. See also computer group (on page 123).

B
baseline
A collection of actions that are deployed together. A baseline is typically used to
simplify a deployment or to control the order in which a set of actions are applied. See
also deployment group (on page 124).
BigFix agent
The BigFix code on an endpoint that enables management and monitoring by BigFix.
BigFix client
See BigFix agent (on page 122).
BigFix console
The primary BigFix administrative interface. The console provides a full set of
capabilities to BigFix administrators.

C
client
A software program or computer that requests services from a server. See also server
(on page 129).
client time
The local time on a BigFix client's device.
Cloud
A set of compute and storage instances or services that are running in containers or on
virtual machines.
Common Vulnerabilities and Exposures Identification Number (CVE ID)
A number that identifies a specific entry in the National Vulnerability Database. A
vendor's patch document often includes the CVE ID, when it is available. See also
National Vulnerability Database (on page 127).
Common Vulnerabilities and Exposures system (CVE)
 BigFix WebUI User's Guide | 14 - Glossary | 123

A reference of officially known network vulnerabilities, which is part of the National

Vulnerabilities Database (NVD), maintained by the US National Institute of Standards
and Technology (NIST).
component
An individual action within a deployment that has more than one action. See also
deployment group (on page 124).
computer group
A group of related computers. An administrator can create computer groups to
organize systems into meaningful categories, and to facilitate deployment of content
to multiple computers. See also automatic computer group (on page 121) and
manual computer group (on page 126).
console
See BigFix console (on page 122).
content
Digitally-signed files that contain data, rules, queries, criteria, and other instructions,
packaged for deployment across a network. BigFix agents use the detection criteria
(Relevance statements) and action instructions (Action Script statements) in content to
detect vulnerabilities and enforce network policies.
content relevance
A determination of whether a patch or piece of software is eligible for deployment to
one or more devices. See also device relevance (on page 125).
Coordinated Universal Time (UTC)
The international standard of time that is kept by atomic clocks around the world.
corrupt patch
A patch that flags an operator when corrections made by an earlier patch have been
changed or compromised. This situation can occur when an earlier service pack or
application overwrites later files, which results in patched files that are not current.
The corrupt patch flags the situation and can be used to re-apply the later patch.
custom content
BigFix code that is created by a customer for use on their own network, for example, a
custom patch or baseline.
CVE
See Common Vulnerabilities and Exposures system (on page 122).
CVE ID
See Common Vulnerabilities and Exposures Identification Number (on page 122).
BigFix WebUI User's Guide | 14 - Glossary | 124

D
data stream
A string of information that serves as a source of package data.
default action
The action designated to run when a Fixlet is deployed. When no default action is
defined, the operator is prompted to choose between several actions or to make an
informed decision about a single action.
definitive package
A string of data that serves as the primary method for identifying the presence of
software on a computer.
deploy
To dispatch content to one or more endpoints for execution to accomplish an
operation or task, for example, to install software or update a patch.
deployment
Information about content that is dispatched to one or more endpoints, a specific
instance of dispatched content.
deployment group
The collection of actions created when an operator selects more than one action for a
deployment, or a baseline is deployed. See also baseline (on page 122), component
(on page 123), deployment window (on page 124), and multiple action group (on
page 127).
deployment state
The eligibility of a deployment to run on endpoints. The state includes parameters that
the operator sets, such as 'Start at 1AM, end at 3AM.'
deployment status
Cumulative results of all targeted devices, expressed as a percentage of deployment
success.
deployment type
An indication of whether a deployment involved one action or multiple actions.
deployment window
The period during which a deployment's actions are eligible to run. For example,
if a Fixlet has a deployment window of 3 days and an eligible device that has been
offline reports in to BigFix within the 3-day window, it gets the Fixlet. If the device
comes back online after the 3-day window expires, it does not get the Fixlet. See also
deployment group (on page 124).
 BigFix WebUI User's Guide | 14 - Glossary | 125

device
An endpoint, for example, a laptop, desktop, server, or virtual machine that BigFix
manages; an endpoint running the BigFix Agent.
device holder
The person using a BigFix-managed computer.
device property
Information about a device collected by BigFix, including details about its hardware,
operating system, network status, settings, and BigFix client. Custom properties can
also be assigned to a device.
device relevance
A determination of whether a piece of BigFix content applies to applies to a device,
for example, where a patch should be applied, software installed, or a baseline run.
See also content relevance (on page 123).
device result
The state of a deployment, including the result, on a particular endpoint.
Disaster Server Architecture (DSA)
An architecture that links multiple servers to provide full redundancy in case of
failure.
DSA
See Disaster Server Architecture (on page 125).
dynamically targeted
Pertaining to using a computer group to target a deployment.

E
endpoint
A networked device running the BigFix agent.

F
filter
To reduce a list of items to those that share specific attributes.
Fixlet
BigFix WebUI User's Guide | 14 - Glossary | 126

A piece of BigFix content that contains Relevance and Action Script statements
bundled together to perform an operation or task. Fixlets are the basic building blocks
of BigFix content. A Fixlet provides instructions to the BigFix agent to perform a
network management or reporting action.

G
group deployment
A type of deployment in which multiple actions were deployed to one or more
devices.

H
Hybrid cloud
The utilization of distinct sets of cloud services (typically public and private) with
integration and/or orchestration across them.

L
locked
An endpoint state that prevents most of the BigFix actions from running until the
device is unlocked.

M
MAG
See multiple action group (on page 127).
management rights
The limitation of console operators to a specified group of computers. Only a site
administrator or a master operator can assign management rights.
manual computer group
 BigFix WebUI User's Guide | 14 - Glossary | 127

A computer group for which membership is determined through selection by an

operator. The set of devices in a manual group is static, meaning they do not change.
See also computer group (on page 123).
master operator
A console operator with administrative rights. A master operator can do everything
that a site administrator can do, except creating operators.
masthead
A collection of files that contain the parameters of the BigFix process, including
URLs to Fixlet content. The BigFix agent brings content into the enterprise based on
subscribed mastheads.
mirror server
A BigFix server required if the enterprise does not allow direct web access but instead
uses a proxy server that requires password-level authentication.
Multicloud
The utilization of distinct sets of cloud services, typically from multiple vendors,
where specific applications are confined to a single cloud instance.
multiple action group (MAG)
A BigFix object that is created when multiple actions are deployed together, as in a
baseline. A MAG contains multiple Fixlets or tasks. See also deployment group (on
page 124).

N
National Vulnerability Database (NVD)
A catalog of officially known information security vulnerabilities and exposures,
which is maintained by the National Institute of Standards and Technology (NIST).
See also Common Vulnerabilities and Exposures Identification Number (on page
122).
NVD
See National Vulnerability Database (on page 127).

O
offer
BigFix WebUI User's Guide | 14 - Glossary | 128

A deployment option that allows a device holder to accept or decline a BigFix action
and to exercise some control over when it runs. For example, a device holder can
decide whether to install a software application, and whether to run the installation at
night or during the day.
open-ended deployment
A deployment with no end or expiration date; one that runs continuously, checking
whether the computers on a network comply.
operator
A person who uses the BigFix WebUI, or portions of the BigFix console.

P
patch
A piece of code added to vendor software to fix a problem, as an immediate solution
that is provided to users between two releases.
patch category
A description of a patch's type and general area of operation, for example, a bug fix or
a service pack.
patch severity
The level of risk imposed by a network threat or vulnerability and, by extension, the
importance of applying its patch.

R
relay
A client that is running special server software. Relays spare the server and the
network by minimizing direct server-client downloads and by compressing upstream
data.
Relevance
BigFix query language that is used to determine the applicability of a piece of content
to a specified endpoint. Relevance asks yes or no questions and evaluates the results.
The result of a Relevance query determines whether an action can or should be
applied. Relevance is paired with Action Script in Fixlets.
 BigFix WebUI User's Guide | 14 - Glossary | 129

S
SCAP
See Security Content Automation Protocol (on page 129).
SCAP check
A specific configuration check within a Security Content Automation Protocol
(SCAP) checklist. Checks are written in XCCDF and are required to include SCAP
enumerations and mappings per the SCAP template.
SCAP checklist
A configuration checklist that is written in a machine-readable language (XCCDF).
Security Content Automation Protocol (SCAP) checklists have been submitted to and
accepted by the NIST National Checklist Program. They also conform to a SCAP
template to ensure compatibility with SCAP products and services.
SCAP content
A repository that consists of security checklist data represented in automated XML
formats, vulnerability and product name related enumerations, and mappings between
the enumerations.
SCAP enumeration
A list of all known security related software flaws (CVEs), known software
configuration issues (CCEs), and standard vendor and product names (CPEs).
SCAP mapping
The interrelationship of enumerations that provides standards-based impact
measurements for software flaws and configuration issues.
Security Content Automation Protocol (SCAP)
A set of standards that is used to automate, measure, and manage vulnerability and
compliance by the National Institute of Standards and Technology (NIST).
server
A software program or a computer that provides services to other software programs
or other computers. See also client (on page 122).
signing password
A password that is used by a console operator to sign an action for deployment.
single deployment
A type of deployment where a single action was deployed to one or more devices.
site
A collection of BigFix content. A site organizes similar content together.
BigFix WebUI User's Guide | 14 - Glossary | 130

site administrator
The person who is in charge of installing BigFix and authorizing and creating new
console operators.
software package
A collection of Fixlets that install a software product on a device. Software packages
are uploaded to BigFix by an operator for distribution. A BigFix software package
includes the installation files, Fixlets to install the files, and information about the
package (metadata).
SQL Server
A full-scale database engine from Microsoft that can be acquired and installed into the
BigFix system to satisfy more than the basic reporting and data storage needs.
standard deployment
A deployment of BigFix that applies to workgroups and to enterprises with a single
administrative domain. It is intended for a setting in which all Client computers have
direct access to a single internal server.
statistically targeted
Pertaining to the method used to target a deployment to a device or piece of content.
Statically targeted devices are selected manually by an operator.
superseded patch
A type of patch that notifies an operator when an earlier version of a patch has been
replaced by a later version. This occurs when a later patch updates the same files as an
earlier one. Superseded patches flag vulnerabilities that can be remediated by a later
patch. A superseded patch cannot be deployed.
system power state
A definition of the overall power consumption of a system. BigFix Power
Management tracks four main power states Active, Idle, Standby or Hibernation, and
Power Off.

T
target
To match content with devices in a deployment, either by selecting the content for
deployment, or selecting the devices to receive content.
targeting
The method used to specify the endpoints in a deployment.
task
 BigFix WebUI User's Guide | 14 - Glossary | 131

A type of Fixlet designed for re-use, for example, to perform an ongoing maintenance
task.

U
UTC
See Coordinated Universal Time (on page 123).

V
virtual private network (VPN)
An extension of a company intranet over the existing framework of either a public or
private network. A VPN ensures that the data that is sent between the two endpoints
of its connection remains secure.
VPN
See virtual private network (on page 131).
vulnerability
A security exposure in an operating system, system software, or application software
component.

W
Wake-from-Standby
A mode that allows an application to turn a computer on from standby mode during
predefined times, without the need for Wake on LAN.
Wake on LAN
A technology that enables a user to remotely turn on systems for off-hours
maintenance. A result of the Intel-IBM Advanced Manageability Alliance and part
of the Wired for Management Baseline Specification, users of this technology can
remotely turn on a server and control it across the network, thus saving time on
automated software installations, upgrades, disk backups, and virus scans.
WAN
See wide area network (on page 131).
wide area network (WAN)
BigFix WebUI User's Guide | 14 - Glossary | 132

A network that provides communication services among devices in a geographic area

larger than that served by a local area network (LAN) or a metropolitan area network
(MAN).
Chapter 15. Support
For more information about this product, see the following resources:

• BigFix Support Portal

• BigFix Developer
• BigFix playlist on YouTube
• BigFix Tech Advisors channel on YouTube
• BigFix Forum
Notices
This information was developed for products and services offered in the US.
HCL may not offer the products, services, or features discussed in this document in other countries.
Consult your local HCL representative for information on the products and services currently
available in your area. Any reference to an HCL product, program, or service is not intended to state
or imply that only that HCL product, program, or service may be used. Any functionally equivalent
product, program, or service that does not infringe any HCL intellectual property right may be used
instead. However, it is the user's responsibility to evaluate and verify the operation of any non-HCL
product, program, or service.
HCL may have patents or pending patent applications covering subject matter described in this
document. The furnishing of this document does not grant you any license to these patents. You can
send license inquiries, in writing, to:
HCL
330 Potrero Ave.
Sunnyvale, CA 94085
USA
Attention: Office of the General Counsel
For license inquiries regarding double-byte character set (DBCS) information, contact the HCL
Intellectual Property Department in your country or send inquiries, in writing, to:
HCL
330 Potrero Ave.
Sunnyvale, CA 94085
USA
Attention: Office of the General Counsel
HCL TECHNOLOGIES LTD. PROVIDES THIS PUBLICATION "AS IS" WITHOUT
WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do
not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement
may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are
periodically made to the information herein; these changes will be incorporated in new editions of the
publication. HCL may make improvements and/or changes in the product(s) and/or the program(s)
described in this publication at any time without notice.
Any references in this information to non-HCL websites are provided for convenience only and do
not in any manner serve as an endorsement of those websites. The materials at those websites are not
part of the materials for this HCL product and use of those websites is at your own risk.
HCL may use or distribute any of the information you provide in any way it believes appropriate
without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the
exchange of information between independently created programs and other programs (including this
one) and (ii) the mutual use of the information which has been exchanged, should contact:
HCL
330 Potrero Ave.
Sunnyvale, CA 94085
USA
Attention: Office of the General Counsel
Such information may be available, subject to appropriate terms and conditions, including in some
cases, payment of a fee.
The licensed program described in this document and all licensed material available for it are
provided by HCL under terms of the HCL Customer Agreement, HCL International Program License
Agreement or any equivalent agreement between us.
The performance data discussed herein is presented as derived under specific operating conditions.
Actual results may vary.
Information concerning non-HCL products was obtained from the suppliers of those products, their
published announcements or other publicly available sources. HCL has not tested those products and
cannot confirm the accuracy of performance, compatibility or any other claims related to non-HCL
products. Questions on the capabilities of non-HCL products should be addressed to the suppliers of
those products.
Statements regarding HCL's future direction or intent are subject to change or withdrawal without
notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business operations. To
illustrate them as completely as possible, the examples include the names of individuals, companies,
brands, and products. All of these names are fictitious and any similarity to actual people or business
enterprises is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrate
programming techniques on various operating platforms. You may copy, modify, and distribute
these sample programs in any form without payment to HCL, for the purposes of developing, using,
marketing or distributing application programs conforming to the application programming interface
for the operating platform for which the sample programs are written. These examples have not
been thoroughly tested under all conditions. HCL, therefore, cannot guarantee or imply reliability,
serviceability, or function of these programs. The sample programs are provided "AS IS," without
warranty of any kind. HCL shall not be liable for any damages arising out of your use of the sample
programs.
Each copy or any portion of these sample programs or any derivative work must include a copyright
notice as follows:
© (your company name) (year).
Portions of this code are derived from HCL Ltd. Sample Programs.
Trademarks
HCL Technologies Ltd. and HCL Technologies Ltd. logo, and hcl.com are trademarks or registered
trademarks of HCL Technologies Ltd., registered in many jurisdictions worldwide.
Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or
trademarks of Adobe Systems Incorporated in the United States, and/or other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/
or its affiliates.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation
in the United States, other countries, or both.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Other product and service names might be trademarks of HCL or other companies.

Terms and conditions for product documentation

Permissions for the use of these publications are granted subject to the following terms and
conditions.

Applicability
These terms and conditions are in addition to any terms of use for the HCL website.

Personal use
You may reproduce these publications for your personal, noncommercial use provided that all
proprietary notices are preserved. You may not distribute, display or make derivative work of these
publications, or any portion thereof, without the express consent of HCL.

Commercial use
You may reproduce, distribute and display these publications solely within your enterprise provided
that all proprietary notices are preserved. You may not make derivative works of these publications,
or reproduce, distribute or display these publications or any portion thereof outside your enterprise,
without the express consent of HCL.

Rights
Except as expressly granted in this permission, no other permissions, licenses or rights are granted,
either express or implied, to the publications or any information, data, software or other intellectual
property contained therein.
HCL reserves the right to withdraw the permissions granted herein whenever, in its discretion, the
use of the publications is detrimental to its interest or, as determined by HCL, the above instructions
are not being properly followed.
You may not download, export or re-export this information except in full compliance with all
applicable laws and regulations, including all United States export laws and regulations.
HCL MAKES NO GUARANTEE ABOUT THE CONTENT OF THESE PUBLICATIONS.
THE PUBLICATIONS ARE PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY
KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED
WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A
PARTICULAR PURPOSE.