Access Controls: Limit the max number of remotely imaged machines?

Hello all,
I was wondering if anyone knows a way to limit the number of simultaneous computers that a user group can re-image at once? Historically our helpdesk has had access to BigFix and we have limited their ability to cause too much harm by not allowing them to see certain suites, but we're trying to spin up Image Deployment, and want to give them this feature, but do not want them to do, say, more than 50 computers at a time. Does anyone know if there is a way to do this? Or should we just pray we don't become Emory College.

I don’t know much about it, so I’m not certain if this will work, but you might be able to do something like the following:

Have a client setting that marks machines as being eligible for remote imaging. If the client setting does not exist, or is set to false, then they cannot be imaged due to relevance that checks this setting.

Do not allow the untrusted staff access to the Fixlet/Task that marks systems as eligible for imaging directly by putting it into a custom site they do not have access to.

Once a computer has been re-imaged, it should no longer have this custom setting, so it will no longer be eligible for imaging.


In a more general case, you could also have a mechanism that only gives helpdesk staff access to machines that are mentioned in a currently open ticket. You would have a program that would get notified of all open tickets, and/or poll all open tickets very frequently. It would then refine the definition of an automatic group using the REST API based upon the uniquely identifying information on computers within those open tickets. The helpdesk staff would then have computer management rights over that group.

The automatic group would be something like: (this is not real relevance)

all computers with MAC addresses ("..." OR "..." OR "...")

OR

all computers with names ("..." OR "..." OR "...")

OR

all computers with Public/InternallyRoutable IP address ("..." OR "..." OR "...")

OR

all computers with SerialNumbers ("..." OR "..." OR "...")

Where the actual values of "..." would be parsed / scraped from open tickets' text & fields.

That's a really good idea, except for the fact that our enterprise is so large it often has planned refreshes. Ideally I wish BigFix had a client or security setting to limit this when deploying the action.

It would still work fine in the case of a planned refresh; you would just tag all of the computers that should be a part of the planned refresh with the client setting, making them available for reimaging.

If the planned refresh is going to happen in sets, you could tag one set with an action, then tag the next set with a new action at the same time with a delayed start time so that it won’t happen right away.

I’m suggesting you could use both the method of tagging machines as available for reimaging, plus the idea of otherwise only allowing helpdesk staff access to machines referenced in open tickets.


BigFix can limit users from taking action on too many specific endpoints, but that only works if they use the specific endpoint method; it will not work if they target by property, or by "All Computers".

I just feel that there should be some sort of user definable setting that prevents more than X number of computers from being re-imaged. Ideally I don’t want to be like this: http://thenextweb.com/shareables/2014/05/16/emory-university-server-accidentally-sends-reformat-request-windows-pcs-including/

And while I agree that tagging would prevent this from occurring, tagging and un-tagging systems may prove to be more work than simply limiting who can push images.

You shouldn’t need to untag systems at all.

You tag them, you reimage them… the reimaging process removes the tag. (unless client settings are preserved somehow, in which case, tag the machine with something that won’t be preserved, or delete the tags from all newly imaged machines, which is easy to do.)

The tagging process could be automated somewhat in many different ways. (including those I’ve mentioned above, and others)

You could even make it so that the helpdesk staff can tag the machines themselves through a website that validates them, checks how many machines they already have access to with the REST API and lets them tag up to a maximum more machines by deploying a task with the REST API.

If you implement something like giving HelpDesk staff access based upon tickets automatically, then they could just create a ticket for imaging, populate it with the computers they are going to image, and then the system would give them access, up to a maximum number of computers simultaneously; then they can image them and keep track of their progress in the ticket, plus have their activities auditable through both BigFix & the Helpdesk.
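As an added example (not code from any poster in this thread), here is the core of the gate the tagging portal above would need: a per-group quota that approves tag requests only up to the cap, frees quota when a machine finishes reimaging, and emits the automatic-group relevance for the approved machines. The setting name `ImagingEligible` and the relevance clause shape are assumptions for illustration; the REST calls that would actually deploy the tagging task are left out.

```python
from dataclasses import dataclass, field

# Cap from the thread: a helpdesk group may never have more than 50 machines
# tagged as eligible for reimaging at once.
MAX_SIMULTANEOUS = 50

# Constructed placeholder name for the custom client setting; not a BigFix built-in.
ELIGIBLE_SETTING = "ImagingEligible"


@dataclass
class ImagingQuota:
    """Tracks which machines each helpdesk group currently has tagged for imaging."""
    max_per_group: int = MAX_SIMULTANEOUS
    tagged: dict = field(default_factory=dict)  # group name -> set of computer names

    def request_tag(self, group: str, requested: list) -> tuple:
        """Approve tagging up to the remaining quota; return (approved, rejected).

        Re-requesting an already tagged machine is idempotent and costs no quota,
        so a retried portal submission cannot silently double-count.
        """
        current = self.tagged.setdefault(group, set())
        approved, rejected = [], []
        for name in requested:
            key = name.lower()
            if key in current:
                approved.append(key)
            elif len(current) < self.max_per_group:
                current.add(key)
                approved.append(key)
            else:
                rejected.append(key)
        return approved, rejected

    def release(self, group: str, finished: list) -> None:
        """Free quota once a machine has been reimaged (its tag is gone)."""
        self.tagged.get(group, set()).difference_update(n.lower() for n in finished)


def group_relevance(names: list) -> str:
    """Build the automatic-group relevance for the approved machines.

    The clause shape is an assumption written for illustration; check it against
    the BigFix relevance inspectors before using it in a real group definition.
    """
    if not names:
        return "false"  # an empty group must match nothing, never everything
    quoted = "; ".join('"%s"' % n.lower() for n in sorted(names))
    return ('exists setting "%s" whose (value of it as lowercase = "true") of client '
            'AND computer name as lowercase is contained by set of (%s)'
            % (ELIGIBLE_SETTING, quoted))
```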


The safest option is to just not give those you don’t trust access to systems they don’t need access to at all, and BigFix/IEM is flexible enough to allow for this in most cases.

Also, I think in most cases, helpdesk staff might actually prefer only seeing the computers they need to see at a given time instead of needing to see lots of computers they don't need to care about. They could have read-only access to all computers through WebReports and/or the computer browser if that was needed and desired by them and the organization.