I have 2 server based groups defined in the BigFix Console, “prod” and “non-prod”. The _environment property looks at the existence of a tag (AWS) and if the tag exists, the value of it. If tags do not exist, it looks at the value of a client setting. The goal is to be able to identify the environment of a computer so that it can be either in the early group (non prod) of BigFix Client agent upgrade vs the later group (production).
However, I’m seeing computers that have a property value for production showing up in the non-prod group. Just one of many examples:
non-prod group definition:
prod group definition:
Computer Groups of computer object 1 (i.e. correlated) = “Non-prod” & “prod”
Computer Groups of computer object 2 (i.e. Proxy) = none
Computer Groups of computer object 3 (i.e. native) = “Non-prod” & “prod”
In this example above, it should only be in the production group based on the sever-based group definition. Why is it in “non-prod” ?
Is there a configuration that the Correlated computer takes the property values from the Native? I would rather it take it from Proxy in this example. Maybe there is a better way to do this?
I do not think you can control “who to take the value from” at all. In fact, in my own testing Server-Based groups the only way to make it work with Proxy-based properties is IF you return the non-existent criteria returns “non-defined” from native client… If it returns anything else, it just doesn’t work! It looked a bit “buggy” to me at the time but my use case went away so really didn’t have a reason to push it…
The following example only worked IF “else is undefined”, if it was producing some other value it didn’t work (it was always treating it as True it doesn’t matter what value I was checking for… if (exists property "tag") then (if exists tags whose (key of it = "backupPolicy" and value of it != "None") then "TRUE" else "FALSE") else undefined
I tried using server-based groups in the past and I never made it to work as expected. I ended up using automatic groups for my needs.
I opened an IDEA (Please vote if you think you can benefit from it) with my observations and I got a confirmation from HCL that what I was describing was the expected behavior.
Maybe I need a new approach. I want to push bigfix agent upgrades phased by environment (non prod, then prod). To identify the environment of the computer, I can reference a tag (from the proxy agent cloud plugin) OR a client setting (from a Native).
As pointed out above, server-based group Membership takes into consideration devices as a whole, therefore all the representations of a device will belong to the Group. So I cannot have an evaluation of the native and the proxy because they could conflict.
Correlated proxy and native devices are the logical representation of the same “computer”. If you want to push upgrades (or patches), you will probably use the native agent. So, you can rely on a property defined on the native to identify your prod/non-prod and forget the proxy… If I correctly understood your use case
and you can use automatic groups as the property is evaluated on the client and you don’t need to ask the server any evaluation
Right, I want to target the Native agent but the proxy agent (and the correlated) has the Tags to identify if cloud computer is prod or non-prod. The native doesn’t have that data (but I guess the Correlated does…)
I am using Automatic Groups for my use cases, in the automatic group I read the AWS tag values directly and use that as the Relevance for the Groups in that way I can also read the Native agent Data for cases when the aws data is not coming though or not set. The disadvantage of that is that we need to wait until the aws plugin refreshes its data so the groups can populate properly.
For example:
(it as trimmed string as lowercase starts with "NON-PROD" as lowercase) of (IF(proxied of hardware) THEN(IF (Exists first "||Environment||" of (concatenation of (( "||" & key of it & "||" & value of it & "||") of tags))) THEN(preceding text of first "||" of following text of first "||Environment||" of (concatenation of (("||" & key of it & "||" & value of it & "||") of tags))) ELSE("Environment Tag not defined")) ELSE ("Native Agent"))
non-prod: (it != "production" and it != "prod") of (IF(proxied of hardware) THEN(IF (Exists first "||environment||" of (concatenation of (( "||" & key of it & "||" & value of it & "||") of tags))) THEN(preceding text of first "||" of following text of first "||environment||" of (concatenation of (("||" & key of it & "||" & value of it & "||") of tags))) ELSE(nothing)) ELSE (if (exists setting "deploy" of client) then (value of setting "deploy" of client as string as lowercase) else nothing))
prod: (it = "production" or it = "prod") of (IF(proxied of hardware) THEN(IF (Exists first "||environment||" of (concatenation of (( "||" & key of it & "||" & value of it & "||") of tags))) THEN(preceding text of first "||" of following text of first "||environment||" of (concatenation of (("||" & key of it & "||" & value of it & "||") of tags))) ELSE(nothing)) ELSE (if (exists setting "deploy" of client) then (value of setting "deploy" of client as string as lowercase) else nothing))
Unfortunately, I’ve found that over 50% of the computers are members of both groups.
sample: Correlated computer: has the deploy client setting but with value of suspect_ci AND has the environment tag with a value of Production native: has the deploy setting but with value of suspect_ci proxy: has the environment tag with a value of Production
This makes sense that non-prod group definition matches because of the deploy setting is not production, but also the tag does have Production in the value. I really don’t want non-prod definition to be explicit. I wanted it to be everything that isn’t prod but maybe that isn’t easily manageable.
EDIT:
I updated the non-prod group relevance to: NOT ((exists true whose (if true then (member of group <ID OF THE PROD GROUP> of site "actionsite") else false)))
Will let that churn and check later if it helps the numbers.
I still am getting a huge number of computers in the prod group that shouldn’t be. I created a managed property with this relevance to see what the evaluation is :
(IF(proxied of hardware) THEN(IF (Exists first "||environment||" of (concatenation of (( "||" & key of it & "||" & value of it & "||") of tags))) THEN(preceding text of first "||" of following text of first "||environment||" of (concatenation of (("||" & key of it & "||" & value of it & "||") of tags))) ELSE(nothing)) ELSE (if (exists setting "deploy" of client) then (value of setting "deploy" of client as string as lowercase) else nothing))
For many thousand results, the property value is <none>. How can that “<none>” return True evaluating i on (it = “production” or it = “prod”) and causing group membership?
Prod group definition: (it = "production" or it = "prod") of (IF(proxied of hardware) THEN(IF (Exists first "||environment||" of (concatenation of (( "||" & key of it & "||" & value of it & "||") of tags))) THEN(preceding text of first "||" of following text of first "||environment||" of (concatenation of (("||" & key of it & "||" & value of it & "||") of tags))) ELSE(nothing)) ELSE (if (exists setting "deploy" of client) then (value of setting "deploy" of client as string as lowercase) else nothing))
Yeah I don’t understand why that’s happening either. The unexpected machines that end up in the group, are they native clients, proxied agents, or both?
Can you provide the example values for things that end up in the group but shouldn’t? For proxied agents,
concatenation of (( "||" & key of it & "||" & value of it & "||") of tags)
For native agents, (value of setting "deploy" of client as string as lowercase)
May need to open a support ticket and collect some debug information.
I created a managed property for the deploy setting evaluation and the tags. Here is one (of 10s of thousands) that are in the prod automatic group but shouldn’t be:
Again, the relevance of the prod computer group is: (it = "production" or it = "prod") of (IF(proxied of hardware) THEN(IF (Exists first "||environment||" of (concatenation of (( "||" & key of it & "||" & value of it & "||") of tags))) THEN(preceding text of first "||" of following text of first "||environment||" of (concatenation of (("||" & key of it & "||" & value of it & "||") of tags))) ELSE(nothing)) ELSE (if (exists setting "deploy" of client) then (value of setting "deploy" of client as string as lowercase) else nothing))
