Internet based client management for Application Management Groups

Hi Folks,

We are in the process of testing an AD based deployment model and while brainstorming and creating the Standard Operating Procedure, I am stuck with the deployment model for internet based clients. Here is what I want to know.

I) Can we use IEM to distribute applications over the internet following the AD Based model? For instance, I have application management groups for both installation and uninstallation. If I add a computer to that group and the user is currently on the internet (not through VPN or LAN), will we not be able to manage distribution for this computer?

  1. Is there a way this can be achieved? How can we authenticate an internet based user and get deployment done for him in this model? We have a whole bunch of estate who are mostly remote and don’t log in to the office network.

  2. Can we leverage Direct Access in some way?


Are these machines 100 percent internet-based and not registered with AD at any point?

Thanks for the prompt reply,
The consideration is that they wouldn’t log into the office network most of the time. So yes, they are internet based.


The “show stopper” for this project is the fact that the client PCs are not regularly accessing the Office Network, and presumably, the AD Domain. Until they do log into the Office, they won’t know about their updated Group Memberships and the BES Client won’t be able to query the Computers Group information either.

Even if your clients were logged into the Office Network all the time, the BES Client only refreshes AD information for its host, by default, every 43200 seconds (12 hours). That presumes that the BES Client can actually query an AD Domain Controller at the time. This means that after you add a computer to an AD Group, it can take up to 12 hours (worst case) for the BES Client to detect the change.

You can adjust this interval with the _BESClient_Inspector_ActiveDirectory_Refresh_Seconds setting. Don’t set it too low (keep it at several hours minimum!), because the client will beat itself up trying to keep the AD data updated. From the perspective of the BES Client, AD is painfully slow to respond, even under optimum conditions. Remember, the BES Client only “operates” for 10ms before sleeping for 480ms. (There are Client Settings for this that you really SHOULD consider changing, but do so with care).

Your question about “Direct Access” is intriguing. We don’t use it where I work, and I don’t know much about it. A lot will depend on how Direct Access works, and if it will automatically tunnel the BES Client AD queries to your Domain Controllers. Unless @dmccalla knows the answer, you might need to test this.

If Direct Access does allow endpoints to query a domain controller (seems that it might from what I read), then things might work similar to how they would if the user was on the normal LAN. If you cannot query the DC then you would have to figure out some other way to categorize the internet-based machines so that you can assign them to an application management group still. For example, you could use another property or client setting other than active directory OU like Department or Location, or some combination. You will have to set that yourself since BigFix would not be able to determine this alone. If you have a reliable CMDB or Asset Mgmt system you could get a feed from that system into BigFix (various methods to do that) and then use that info to tag computers. We do have customers who do this sort of thing so that they can target machines, create computer groups, run reports, etc. Long story short is that it is going to be pretty tough to follow the AD model if your machines are unable to connect to AD. Ping me offline if you need more info about the alternatives.

Another consideration might be to have an internet facing relay that is excluded from DirectAccess traffic. As in, don’t route the internet facing relay’s traffic through DirectAccess. AD traffic would then go through the VPN but TEM traffic would go over the internet.

Or you can do bandwidth throttling on the client side.

This prevents your clients from trashing your VPN to download content from TEM.
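As an added example (not posted by anyone in this thread), the two client settings discussed above, the AD refresh interval from the earlier reply and the client-side download throttle from the reply just above, can both be pushed from the console with a single BigFix action script. The interval of 21600 seconds (6 hours) and the limit of 262144 bytes per second are assumed illustrative values, not figures anyone in the thread recommended; the relevance clauses at the end are what you would paste into a Fixlet debugger or analysis to confirm the values actually landed on an endpoint. The WorkIdle/SleepIdle settings are the ones I believe the “10ms / 480ms” remark refers to; they are only read here, not changed.

```bigfix
// Added example, not from the thread. Values are assumptions; pick your own.
// Both settings are written as client settings that take effect on the endpoint.
setting "_BESClient_Inspector_ActiveDirectory_Refresh_Seconds"="21600" on "{now}" for client
setting "_BESClient_Download_LimitBytesPerSecond"="262144" on "{now}" for client

// Relevance to verify the result on an endpoint (run in the Fixlet Debugger
// or use as analysis properties):
//   value of setting "_BESClient_Inspector_ActiveDirectory_Refresh_Seconds" of client
//   value of setting "_BESClient_Download_LimitBytesPerSecond" of client
//   (if exists setting "_BESClient_Resource_WorkIdle" of client then value of setting "_BESClient_Resource_WorkIdle" of client else "default")
//   (if exists setting "_BESClient_Resource_SleepIdle" of client then value of setting "_BESClient_Resource_SleepIdle" of client else "default")
```

Target the throttle action only at the computers that will sit behind the internet-facing relay or the VPN, since a global limit would also slow down LAN clients; a computer group built on the department/location property suggested earlier in the thread is a natural target for it.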

Thanks for all the help guys. I have prepared a proposal draft and sent it to the management. Will keep this post updated, if we move forward with this.