BigFix 9.5 Patch 6 is now available

flecciso 2017-07-13 17:38:31 UTC #1

The IBM BigFix team is pleased to announce the release of version 9.5 Patch 6 (9.5.6.63) of the BigFix Platform.

The main features of this release include:

Resigning of Mac Clients with new certificates
Console Qualification for Windows 10 Creators Update
Security enhancements, including:
- Relay Diagnostics page is now disabled, by default
- Ability to password-protect Relay Diagnostics page
- Ability to block unsigned client reports
- Ability to enforce secure client registration
- Console warning when importing dynamic content
APAR and defect fixes

This release includes all Platform components.

Please read further details in the 9.5.6 Release Notes document at: https://www.ibm.com/developerworks/community/wikis/home/wiki/Tivoli%20Endpoint%20Manager/page/IBM%20BigFix%209.5.6%20Release%20Notes

Get more information by reading the full technical changelist at: https://support.bigfix.com/bes/changes/fullchangelist-95.txt

Useful Links:

IBM BigFix downloads and release information: http://support.bigfix.com/bes/release/9.5/patch6

Upgrade Fixlets are available in BES Support version 1351 (or later).

flecciso 2017-07-13 17:47:50 UTC #2

dkolt 2017-07-13 19:36:35 UTC #3

I see one the APARs mentions that the console will not work with TLS1.2 only, does this update cover both scenarios where TLS1.2 or TLS1.2 &TLS1.0 are used in parallel? We saw the removal of older ciphers would prevent the console from opening after we disabled them. Does this make it so that only TLS1.2 is available?

Thanks,

Dan

itsmpro92 2017-07-14 00:07:12 UTC #4

Relevance 5 in Fixlet 3043 is incorrect:

It is:

(it >= "9.2.3" AND it < "9.5.5") of version of main gather service

Shouldn't this be:

(it >= "9.2.3" AND it < "9.5.6") of version of main gather service

elisa 2017-07-14 09:29:30 UTC #5

The Apar fixes the issue that ODBC driver bundled within the BigFix installers don't work with TLS 1.2 only sql server instances.
Starting from 9.5.6 the new ODBC driver will be installed during a fresh install so that the console will work correctly also with TLS1.2 only sql server instances.
The upgrade to 9.5.6 will instead keep the existing ODBC driver already present on the machine.
The update to 9.5.6 will cover scenarios where TLS1.2 or TLS1.2 &TLS1.0 are used in parallel.

elisa 2017-07-14 13:53:05 UTC #6

The relevance is correct, in fact the manual upgrade fixlet should became relevant only if the system is at a level lower than 9.5.5, in fact in this case manual steps are required.
If the system is at a level upper or equal to 9.5.5 you need to use the non manual upgrade fixlets.

patchingout 2017-07-19 14:36:42 UTC #7

How is it possible to not replace the driver on the 9.5.6 upgrade but still have full support? I am in the middle of disabling older protocols in my environment and are curious about the changes going on in 9.5.6. I am seeing FIPS mode also mentioned in this upgrade and wanted to make it known that with FIPS enabled it will allow TLS 1.0 to be used as some of the exchanges are FIPS compliant.

elisa 2017-07-20 11:43:52 UTC #8

We decided to not replace the ODBC driver during the upgrade because they could also be used also by other applications.
In addition the ODBC driver update can be easily accomplished following these steps:
1. stop BigFix services
2. download and install the new driver from https://www.microsoft.com/en-us/download/details.aspx?id=50402 (amd64 version).
3. start BigFix services