The site has only a subset of computers subscribed to it.
An action is taken on the Fixlet and Dynamically Targeted to all computers (created in All Content domain)
The result is that all computers evaluate the source Fixlet even though many are not subscribed to the Fixlet’s source site.
Is this expected behavior? If so it’s a very poor execution. I would expect that only those endpoints that can see the source content (i.e. subscribed to the source site of the Fixlet) would be able to see this action as it is created from that site.
If the operator wants to create the Action as a policy that includes only computers that may be subscribed to this site in the future he/she would have to enable the “subscribed sites” property and then select the “By Retrieved Properties >> By Subscribed Sites >> Select only the site where the desired targets are subscribed”
I’m asking because I’ve never seen this behavior. In many cases where I’ve deployed, say a Windows Patch Fixlet this way, the Fixlet relevance clauses keep it from becoming relevant to non-Windows computers. And since it’s expected that all Windows computers will be subscribed to the “Patches for Windows” site it’s just eluded detection.
So I think I’ve answered my own question about this behavior, but I would definitely welcome anyone to confirm my assumption or tell me what I’m missing.
I haven’t found anything addressing this specifically in the BigFix documentation.
Where do you see that the computer is evaluating the action? Is it reporting back an action status to the Console, or are you seeing it in a client log or debugger?
Technically, when an action is created it is in one of only three sites -
actionsite - a dynamic action sent by a Master Operator
opsiteX - a dynamic action sent by a non-Master Operator
mailboxsiteX (or multiple mailboxsites) - for statically-targeted actions, each computer’s mailboxsites is updated.
Built-in to the action is a “site-context” header that should cause the client to skip evaluating the action when the client is not subscribed to the source site; but depending on your logging level you may in fact be able to tell that the action exists.
Where do you see that the computer is evaluating the action? Is it reporting back an action status to the Console
Yes! The action reports more computers are evaluating the action than are subscribed to the Fixlet’s source site.
Built-in to the action is a “site-context” header that should cause the client to skip evaluating the action when the client is not subscribed to the source site
This was always my understanding of the action mechanics. In fact for the specific actions I’m talking about you can see the “Site” column in the Console shows the name of the Fixlet’s source site; however, more computers show up in the “Complete” column than are subscribed to that specific site.
I haven’t gone to logs yet because I can see what’s happening by just looking at the Console. But I’m confused as to why it’s happening this way.
Yeah…that shouldn’t be happening.
What version of Server and Client are you running? You should probably open a support incident so we can collect logs and check your environment, because this is not expected behavior
Reproduced on mine, they give an Error with a message of “Invalid site context”. This implies they are not evaluating the relevance (in fact mine was an empty task with just relevance “true”), but I’d still expect those results to not be visible in the console.