Considering BigFix Patch. Opinion on 3rd party apps


We are currently looking at BigFix Patch (i.e. none of the other modules initially), along with other products.

BigFix looks pretty impressive, but I’m a little concerned about the out-of-the-box third party application patching available. I understand that it’s possible to roll-your-own fixlets for missing apps. Still, the number of the default app support (per!/wiki/Tivoli%20Endpoint%20Manager/page/Supported%20Applications%20and%20Languages) appears pretty minimal.

We are a relatively small team, so I was wondering if anyone can share their experience in having to maintain fixlets for third party apps (e.g. 7zip, WinSCP, etc.). How much effort is involved? Is there another resource for getting these in an automated fashion?

Thanks in advance

Assuming you have the files and the command line needed to run the install/update/patch silently then creating the fixlet is normally fairly easy.
Ask a question in here (include the information you have) and someone will convert it to actionscript for you. Once you’ve seen a couple it becomes routine.


Using the Software Distribution app in the WebUI makes it very easy to create custom fixlets. For MSIs, it auto-fills most of the info including the install string. You can easily modify it with upgrade flags instead.

1 Like

Thanks. We have the trial, so we’ll give it a go.

@steve - we are looking at only getting the patch module. Are the screenshots you provided available in BigFix Patch, or are these part of the other modules (e.g. LifeCycle)?

Thanks, Assi.

The Software Distribution app referenced above is part of BigFix Lifecycle.

I have used older guis to do this same thing, but I actually find that I like creating them myself. The GUIs generally work, but there is usually some type of modification that needs to be done either for corporate standards or because the app needs some type of non-default setting.

The two pieces of information you require are:

  1. Install command line. This has to be silent.
  2. What identifies that the application is installed. Use this for the relevance (is it installed or not).

Once you have that, almost every fixlet is the same (ish).

As an example, for Symantec Endpoint Protection in my environment
Command Line:
C:\WINDOWS\SYSTEM32\MSIEXEC.EXE -I "c:\sysmgmt\media\SEP14.0.1-MP2x64\Sep64.msi" PRODUCTINSTALLDIR="E:\Apps\Symantec\Symantec Endpoint Protection" /qn ALLUSERS=1 ADDLOCAL=Core,SAVMain,Download REBOOT=ReallySuppress REBOOTPROMPT=S /L*V c:\sysmgmt\logs\Install.SEP14.0.1-MP2x64.LOG

Application identifier
Does the key HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion whose value PRODUCTVERSION <= 14.0.3929.1200 exist

This last part in relevance looks like:
if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion" of native registry) then (exists value "PRODUCTVERSION" whose(it as string as version < "14.0.3929.1200" as version) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion" of native registry) else (true)

I am attaching the BES file that I use for this.

Deploy_ Symantec_Enpoint_Protection.14.0.1-MP2_Win64.001.bes (10.0 KB)

Other tools you need are the bfarchive.exe and sha1.exe. You can get these from Legacy Communities - IBM TechXchange Community


1 Like
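
The applicability condition from the post above, written as a local PowerShell check for testing detection on an endpoint before deploying (an added example, not part of the original post or the attached .bes file). The function and parameter names are hypothetical, and treating an unparseable version string as "not applicable" is an assumption of this example.

```powershell
# Added example: mirrors the relevance clause quoted in the post.
# Key, value name and version come from the post; everything else is hypothetical.
function Test-UpgradeApplicable {
    param(
        [string]$SubKey    = 'SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion',
        [string]$ValueName = 'PRODUCTVERSION',
        [version]$Target   = '14.0.3929.1200'
    )

    # "native registry" is the 64-bit view on 64-bit Windows. Open that view
    # explicitly so a 32-bit PowerShell host is not redirected to WOW6432Node.
    $view = if ([Environment]::Is64BitOperatingSystem) {
        [Microsoft.Win32.RegistryView]::Registry64
    } else {
        [Microsoft.Win32.RegistryView]::Registry32
    }
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
    try {
        $key = $hklm.OpenSubKey($SubKey)

        # else-branch of the relevance: key missing -> product absent -> applicable.
        if ($null -eq $key) { return $true }

        try {
            $raw = $key.GetValue($ValueName)

            # Key present but value absent: "exists value ... whose (...)" is false.
            if ($null -eq $raw) { return $false }

            # Assumption: a version string that does not parse counts as not applicable.
            $installed = $null
            if (-not [version]::TryParse([string]$raw, [ref]$installed)) { return $false }

            # Strictly older than the target, matching the "<" in the relevance.
            return ($installed -lt $Target)
        } finally {
            $key.Dispose()
        }
    } finally {
        $hklm.Dispose()
    }
}

Test-UpgradeApplicable
```

Run it on a machine without the product, one with an older build and one already at the target version, and compare each result with what the console reports for that endpoint.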

Another option would be the Lifecycle ‘starter kit’ - that includes Patch + Software Distribution

1 Like