BigFix 9.5 Patch 7 is now available

The IBM BigFix team is pleased to announce the release of version 9.5 Patch 7 (9.5.7.90) of the BigFix Platform.

The main features included in this release are:

  • Enhanced Client Deploy Tool - allows for simple “Right-Click & Deploy” of the BES Agent from unmanaged assets to any endpoint regardless of OS (including different agent versions)
  • Enhanced agent registration to reduce / eliminate duplicated computers (clientIdentityMatch advanced option)
  • Ability to elevate privileges for ‘Run as user’ command execution – for example to deploy software as “Admin”
  • Added the ability to specify a timeout value for the “wait” actionscript command
  • Actionscript extensions to allow reading the contents of Locked Files – including the current day BES Client Log file
  • Improved Session Relevance to allow accessing the Action Start Time, End Time and Exit Code for improved reporting and troubleshooting
  • Actionscript and relevance extensions to allow reading/writing of files in a specific encoding
  • Support for SMTP Authentication for email notifications in Web Reports
  • Replaced SQL Server Express 2008 with SQL Server Evaluation 2016 SP1 for Trial installations
  • Other Enhancements
  • Improved documentation regarding SSL configuration for BigFix Platform and applications
  • Added setting to control the number of rotated BESRelay.log files
  • Added support for deploying BigFix Agent / Relay on RHEL and Linux CentOS versions 6 and 7 with SELinux enabled
  • Added support for BigFix Agent on Debian 9
  • Full support for BigFix Agent on Mac High Sierra (addressed limitation from initial 9.5.5 support)
  • APAR and defect fixes
  • Security enhancements

See further details in the 9.5.7 Release Notes at: https://www.ibm.com/developerworks/community/wikis/home/wiki/Tivoli%20Endpoint%20Manager/page/IBM%20BigFix%209.5.7%20Release%20Notes

See the full technical changelist at: https://support.bigfix.com/bes/changes/fullchangelist-95.txt

Pre-Upgrade Considerations:

Useful links:

IBM BigFix downloads and release information: http://support.bigfix.com/bes/release/9.5/patch7

Upgrade documentation in IBM Knowledge Center

7 Likes

Thanks much!

… how do I use it?!? The Release Notes page looks like maybe it’s missing a few sub-bullets? I don’t see how to use the new locked file inspector or wait command timeout…

2 Likes

You’re right, I don’t see the updates on https://developer.bigfix.com yet. Here’s some initial info.

For inspecting locked files, we have introduced 4 new inspectors to access data within the locked file: locked line, locked content, locked section, and locked key. So you would use something like

exists locked line whose (it as string starts with "Error") of file "C:\path\inusefile.log"

For command timeout, you will use the override option on the wait command with new keywords “timeout_seconds” set to the number of seconds until the command times out, and “disposition” set to either abandon or terminate. For example, to have a command timeout after 10 mins and allow the process to continue running in the background, use this actionscript:

override wait
hidden=true
timeout_seconds=600
disposition=abandon
wait installpkg.exe /q

Once the updates are published (probably in the next day or so), additional details will be available here:

3 Likes

Gotta say, I’m a little disappointed in that method for handling the ‘wait’ timeout. A lot of the things that hang are not my content (the JRE upgrades are a frequent culprit).

I was hoping for a client setting to handle ‘wait’ timeouts globally, to prevent the client from becoming unresponsive when a command is never going to terminate.

The new ‘locked lines of file’ inspectors are exciting, and so is the better performance I’m seeing from ‘lines of file’ generally.

Thanks much!

2 Likes

We were a bit concerned about people overusing this approach because of convenience and killing or abandoning processes excessively, but we are considering this enhancement for the next release. For now, you can still modify the actionscript during deployment for external content.

I am interested in a global timeout setting as well, that’d be great. Sucks when a machine is hung up on a certain thing and is never going to let go without intervention … 🙂 move on to the next thing!

1 Like

Much appreciated, please keep it under consideration. With sufficient warnings, I think this would be useful because once the BES client is tied up in an action, it won’t execute any new actions that we might send to take corrective actions. Even if we were to “stop” the offending action, the client is still tied up waiting for the external process. Nothing short of restarting the BES client can clear it, and even then we may have trouble with subsequent actions because the stuck external process has the __Download folder locked.

In my environment, I’ve already had to implement a process that is crude and I hate very much. I have a scheduled task running every half, checking with qna.exe to find processes that are child processes of besclient.exe, and have been running more than 2 hours, to kill them.

Just to clarify, you can regain control of the client by stopping the action, though you may have issues clearing the __Download folder as you described. Stopping an action will cause the client to detach from the process, which is what the new timeout option will do with disposition=abandon.

I can’t recall if this behavior changed at some point, but maybe in an earlier version you tested with, it didn’t behave this way. It does in 9.2+, though.

Where the Timeout would be helpful in our case, but which may not be what this update allows, is this:
We have a baseline that uninstalls older Office installs using those MS scrubber scripts. Most of the time, all is well, but sometimes, the scrubber will complete, but will remain running in BF; so it never moves on to the next component in the baseline (installing Office 365). A reboot will kick off the next component, but it would be great if after 30 minutes for example, the component would move on to the next.

Can you tell me if this feature will help with this scenario?

1 Like

It may help, since it would allow the client to continue on with the action even if the scrubber stays running. But if the scrubber is running out of the __Downloads directory, then it would prevent later actions from starting their downloads. You can move the scrubber scripts to another temp directory and run it from there to prevent that problem.
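
The scenario from the two posts above, written out as an added example (not code from the thread or from IBM documentation): the scrubber is staged outside __Download and run with the 30-minute wait timeout. The staging folder `C:\ProgramData\OfficeScrubStage` and the script name `scrub.vbs` are hypothetical placeholders.

```actionscript
// Added example: the staging path and script name are constructed
// placeholders, not values from the thread.
// Stage the scrubber outside __Download so a lingering process cannot
// keep that folder locked for later actions. Use a staging folder that
// only administrators and SYSTEM can write to.
if {not exists folder "C:\ProgramData\OfficeScrubStage"}
folder create "C:\ProgramData\OfficeScrubStage"
endif
// Delete any stale copy first: copy fails if the destination exists.
delete "C:\ProgramData\OfficeScrubStage\scrub.vbs"
copy "__Download\scrub.vbs" "C:\ProgramData\OfficeScrubStage\scrub.vbs"

// Stop waiting after 30 minutes (1800 seconds). disposition=abandon
// detaches from the process and leaves it running; terminate is the
// other value named in the thread.
override wait
hidden=true
timeout_seconds=1800
disposition=abandon
wait cscript.exe //nologo "C:\ProgramData\OfficeScrubStage\scrub.vbs"
```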

I also added one feature missing from the original post which should be very helpful for those managing systems in different countries/encodings, or just files in different character set encodings.

This new feature will be described at the following links once the site is updated later today: https://developer.bigfix.com/relevance/reference/encoding.html
https://developer.bigfix.com/action-script/reference/execution/action-uses-file-encoding.html

For the feature update:


Enhanced agent registration to reduce / eliminate duplicated computers

Is there documentation / reference on how to set it?

1 Like

Look for the clientIdentityMatch advanced deployment option, here: https://www.ibm.com/support/knowledgecenter/SSQL82_9.5.0/com.ibm.bigfix.doc/Platform/Installation/c_list_of_advanced_options.html

Related Post: clientIdentityMatch / correlation Question

3 Likes

I can confirm that the BigFix Developer site now contains the 9.5.7 new content.
Ciao
Gabriella

3 Likes

Does this release include Auto Patch? I didn’t see it in the release notes.

That was part of the WebUI release here. You must be at 9.5.5 or higher and update your WebUI configuration to use the new Patch Policies app.

I’m upgrading from 9.5.2.56 to 9.5.7. So I guess it would be better to go to 9.5.5 first?

No, you can upgrade to 9.5.7 directly, but will have to do it manually (not via fixlet) since you’re below 9.5.5.

Got that part, just wanted to be clear: if we upgrade to 9.5.7, we should get the updated WEB UI and will be able to use auto patch.

The updated WebUI configuration that directly accesses the database is available in 9.5.5 and higher platform versions. You need to use the task “Deploy WebUI Database Configuration” (ID #2687) (after upgrading the platform) to enable the new config for auto patch.

2 Likes