BigFix 11.0 Patch 3 is now available!

The BigFix Team is pleased to announce the release of version 11 Patch 3 of BigFix Platform.
The main features in this release are as follows:

Added filtering capability to BigFix Explorer component!
In Patch 2 the new “BigFix Explorer” component was added to allow easier REST API access to BigFix data (see Explorer). When evaluating Session Relevance using the BigFix Explorer, it is now possible to filter the Session Relevance results. For details, see Session Relevance.

It is now possible to start/stop/restart VMs on AWS, Google and Azure via BigFix!
The BigFix cloud plugins now have the ability to manage the cloud instances using power commands. For details, see Cloud plugins Commands.

AWS cloud plugin connection now available in FIPS mode!
The Amazon Web Services (AWS) cloud plugin can be configured to leverage the FIPS mode connection, to comply with encryption algorithms prescribed by the FIPS standard. For details, see Configuring cloud plugins.

You can now configure a persistent connection for Relay-to-Relay communication!
BigFix Platform allows you to establish a persistent connection for a Relay with its parent Relay; this will facilitate the BigFix operations in complex network environments. For details, see Relay-Relay persistent connection.

Enabled Microsoft Control Flow Guard on BigFix Server!
The BigFix Server can now leverage the Microsoft Control Flow Guard (CFG) security feature on Windows systems. For details, see Enabling Microsoft Control Flow Guard on BigFix Server.

Added Subject Alternative Name field to the Client Certificate!
The Subject Alternative Name X509v3 standard extension is added to the client certificate of the BigFix Agents. Its value corresponds to the hostname of the computer where the BigFix Agent runs. This allows the BigFix client certificates to adhere to industry standards as it relates to Subject Alternative Name. For details, see Subject Alternative Name.

Added BESAdmin command to return the BigFix certificate bundle!
With the getcertificatebundle BESAdmin command, you can export the complete BigFix certificate bundle. The bundle contains all the certificates for all authorized chains in the masthead. This allows the user to provide the full certificate chain to tools or entities that request it for validation. For details, see BESAdmin Windows Command Line and BESAdmin Linux Command Line.

CVEs details in the Server, Relay, Client and Console Upgrade Fixlets!
Starting from BigFix Version 11.0.3, the Fixlets in the BES Support site which upgrade the BigFix Console and BigFix Platform components (Server, Relay and Client) will show a list of CVE IDs. These refer to the vulnerabilities affecting the previous level of the component, and resolved by the current one. This information will be found on the Details Tab, in the CVE ID field.

Microsoft Entra ID configuration using certificates!
BigFix Platform also allows you to configure Microsoft Entra ID as Identity Provider using a certificate instead of a client secret.
For details, see Integrating with Microsoft Entra ID.

Enhanced Agent log file records with date/time stamps!
BigFix Platform allows you to specify the desired Agent log file format, by using a new setting named _BESClient_Log_TimestampsDetail. This will include timestamps in every line of the agent log.
For details, see List of settings and detailed descriptions.

Limit number of targets when submitting action via REST API!
When issuing an action via REST API, the maximum number of targets set in the “targetBySpecificListLimit” parameter (default 10000) is considered; if exceeded, an “HTTP 413 Content Too Large” error response is returned. For details, see Action.

On new clients, avoid the creation of client settings referring to deleted NMOs!
New clients will no longer create settings that refer to Non-Master Operators that have already been deleted, thereby reducing the workload on these clients and avoiding useless references in their log.

Audit Trail Cleaner update!
The Audit Trail Cleaner tool was updated to allow you to remove the old files uploaded by the Archive Manager on the BigFix Server.
For details, see Audit Trail Cleaner.

Improved user experience in Web Reports as it relates to reauthentication!
The number of reauthentication operations needed in Web Reports is now reduced.
The behavior can be controlled via a new configuration setting named ReAuthenticationEnabled. For details, see Performing the reauthentication.

Removal of obsolete Fixlets and Tasks from BES Support!
Obsolete Fixlets and Tasks were removed from the BES Support content.
For details, see Removal of obsolete Fixlets and Tasks from BES Support content.

Inspector Updates
• New client inspectors named “case insensitive posix regex”, “case insensitive posix regular expression”, “posix regex” and “posix regular expression” were added to fully support POSIX compliant Regular Expressions. They will use the Boost library version 1.78.0, both for Windows and UNIX operating systems, since Boost is declared to be POSIX-Extended compliant. For details, see regular expression.
• New client inspector property “rtt of” was added to report the round-trip time (RTT) of the TCP socket connections in the “ESTABLISHED” state. For details, see socket.

Added Support for BigFix Agent
Added support for BigFix Agent running on:

  • macOS 15 ARM/x86 64-bit
  • Ubuntu 24.04 LTS
  • Raspberry Pi OS 12 32-bit

Library and driver upgrades

  • The libcURL library was upgraded to Version 8.9.1.
  • The Microsoft ODBC Driver was upgraded to Version 17.10.6.
  • The OpenSSL library was upgraded to Version 3.2.2.

Additional information about this release


Pre-Upgrade Considerations

Important considerations to take into account before upgrading to BigFix Platform Version 11 are:

  • BigFix Version 10.0.7 is the minimum version supporting the upgrade of the BigFix server components to Version 11
  • You must enable the “Enhanced Security” before upgrading BigFix Platform to Version 11
  • The minimum TLS supported protocol in BigFix V11 is TLS 1.2
  • The SHA1 hashing algorithm for content and action signature will no longer be supported. SHA1 is still supported for file download in actionscript. For details, see the BigFix Platform V11 Overview Page.
  • The unixODBC RPM package is a prerequisite for the Server components on Linux systems. This applies to installations with a DB2 database.
  • The msodbcsql17 RPM package is a prerequisite for the Server components on Linux systems. This applies to installations with a MSSQL database. For details, see Upgrade paths (Windows) and Upgrade paths (Linux).
  • For detailed information on the specific changes to minimum supported versions of operating systems and databases for BigFix 11, see Detailed system requirements.
  • Before getting started with the upgrade process, stop any active application that is connected to the BigFix database (such as Web Reports, WebUI, BigFix Inventory, or BigFix Compliance).

Useful links

A blog that discusses the benefits of BigFix 11 is available here

Upgrade Fixlets are available in BES Support version 1495 (or later).

