Is it possible to have multiple sites exempt from Locked actions? I already have 1 site added to BES Admin tool > Edit Masthead > “exempt the following site URL from action locking”, and I’d like to know if I can add a second. Does anyone know? thanks
You could not use locking at all, and do the following:
You could have computers not subscribe to any custom sites unless something is run against the machine to cause it to join an automatic group and become provisioned.
This would prevent them from getting actions from any sites except for the Master Action Site.
You could have a set of custom sites that do not following the above exclusions and have all computers subscribe no matter what, which would expand the set of custom sites.
jgstew, locking our IEM clients prevents fixlets from being deployed (fixlets from various sites like Patches for Windows and other custom sites) while in blackout, so we need to keep using Locks.
The easiest and fastest method would be to just allow a second site to run on locked endpoints.
Yes, this is what my solution would do.
You create a way to cause the client to unsubscribe from the patching for windows site. This prevents it from running any actions in that site. You NEVER need to use locks to achieve what you are looking for.
Locking is intentionally an extreme measure. It is intended to make a client effectively unmanaged completely. You are not looking for extremes, you are looking for something in between.
What do you mean by In Blackout ?
If you deploy your patches using baselines, you could have the baselines themselves have relevance that would prevent it from running on a client while it is in “blackout”, which could be defined by something set on the client itself, or by group membership.
Locking and unsubscription from most sites are definitely the more heavy handed approaches, but less prone to accidental deployments by an operator. It would be ideal if you could rely on the baseline relevance having a statement that prevents it from running on clients when it should not, and there are many possibilities for this.
If i remove the clients from the Patch for Windows site, then I can’t audit on what patches are applicable.
“Blackout” is a term we use when we need to lock the servers to prevent any actions from running on them, during certain parts of the calendar year.
You’re right, locking is heavy handed, but more safe in my opinion, because it is all encompassing of the all sites (except those defined in the admin tool). Have the ability to leave clients subscribed to a site to report on relevant fixlets, but preventing them from inadvertently being applied, is the goal. With 2 sites is the goal.
The other thing you could do is target actions at automatic groups that have relevance to only contain servers that are NOT in blackout.
Regarding the original question, per http://www-01.ibm.com/support/knowledgecenter/SS63NW_9.2.0/com.ibm.tivoli.tem.doc_9.2/Platform/Config/c_editing_the_masthead.html%23c_editing_the_masthead?lang=en, only one site URL can be specified to be lock exempt.
thanks for the suggestions.