We’re trying to Lock specific clients within our organization based on group membership. I have read the existing threads and the few KB articles that are referenced, but I’m not able to piece together a solution from that information. Maybe I’m missing something…
I have created a dynamic group in BigFix based on attributes of the Active Directory Path.
Devices within specific OUs need to be exempt from patching.
From what I have read, I need to create a custom setting from the console.
Right-Click the device, Edit Computer Settings, check the box for Custom Setting, etc.
Can I create a “policy” fixlet that creates this setting automatically? For me to identify devices as they are added to BigFix in order to create the custom setting isn’t very practical. I might as well select devices within the group and lock them manually. The problem would be that if they were removed from the group, the clients would remain locked.
Once the setting exists on the client, it seems like I can change Lockstate based on group membership, which would satisfy my requirement. Syntax for this action would be greatly appreciated.
You are correct that “dynamic setting” is what you are looking for (the key is that you want it to lock, then unlock based on the relevance rather than just do the one-time lock)…
Generating the relevance to be tied to an automatic group is the slightly tricky part… You will notice if you target an action to an automatic group, the console will generate targeting relevance for your action that looks like this:
exists true whose (if true then (member of group 48 of site "actionsite") else false)
You can substitute the group ID by looking in the console “computer groups” (you need to right click and add this header).
So using this method with dynamic setting, you can set (in the Edit Settings) using your group ID:
Name: __Lockstate
Value: {exists true whose (if true then (member of group 48 of site "actionsite") else false)}
Now target this setting at all computers whose lockstate policy you want to tie to your AD group (note that it will override any lockstates that are currently out there).
I recommend you test extensively to make sure I didn’t make a mistake here…
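For readers who prefer to see the whole thing as a custom action rather than through the Edit Settings dialog, here is an added example (not from the reply above and not generated by the console); it is my reconstruction of what a dynamic-setting policy action looks like. It assumes the console's group ID is 48 and the setting name __Lockstate from the thread, and it assumes the usual dynamic-setting pattern: the action's relevance compares the stored setting against the current group membership, and the action is deployed as a policy (never expires, reapply whenever it becomes relevant again) so each client re-evaluates lock state on its own as it enters or leaves the group.

```bigfix
// Added example: custom action equivalent to the Edit Settings dialog.
// Assumed group ID (48) and setting name (__Lockstate) come from the thread;
// the action-side relevance below is my reconstruction, not console output.

// --- Action relevance (paste into the "Relevance" tab of the custom action) ---
// The action is relevant when the stored lock setting disagrees with the
// client's current membership in automatic group 48, or when the setting is
// missing altogether. Comparison is case-insensitive because relevance
// substitution of a boolean yields "True"/"False".
//
// (not exists setting "__Lockstate" of client)
//   or (value of setting "__Lockstate" of client as lowercase
//       != ((exists true whose (if true then (member of group 48 of site "actionsite") else false)) as string as lowercase))

// --- Action script (the "Action Script" tab) ---
// The braces are evaluated on the client at run time, so the same single
// action writes "True" for members and "False" for non-members.
setting "__Lockstate"="{exists true whose (if true then (member of group 48 of site "actionsite") else false)}" on "{parameter "action issue date" of action}" for client

// --- Deployment (Take Action dialog) ---
// Target: All Computers (any machine may join the group later).
// Execution: never expire; "Reapply this action whenever it becomes relevant again".
// Caveat from the thread: the most recently applied lock policy wins, so retire
// any other lockstate actions before deploying this one.
```

Before rolling this out, deploy it to one test computer in the group and one outside it, then move the test computer between OUs and confirm that the Locked column in the console flips within the client's normal evaluation cycle.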
I’m having difficulty with the logic behind the targeting.
Since any device in the enterprise could theoretically find its way into the group, I think the target could be All Computers. That doesn’t seem very efficient, and I would only be targeting devices that are currently in BigFix.
If I target devices within the group, I’m only setting devices that are currently included in the group. This is helpful because the Lock will disable if the device is removed from the group, but it will not enable the Lock as devices are added.
We have some fixlets that define various client settings, and they target All Computers. Is this something that could be applied at the same level?
If any computer could be added to the group, then you want to target all computers… I don’t think there is much of an efficiency concern, but it is more of a concern if you have other lock policies in place (because the latest lock policy would win).