Can someone from BigFix explain how the Unmanaged Assets works? We have a few machines that were missing the BigFix agent, but were not showing up in Unmanaged Assets, yet NMAP is configured properly for the site (same as other working sites).
I want to know, at a technical level, how BigFix determines whether a machine is a managed or unmanaged asset. If I know the chronological order of the whole process, it will also help me schedule the scans more efficiently so the results returned are more accurate.
I will try to answer what I think the core part of your question is:
The NMAP scanner will do a UDP scan on your BigFix port number (default is 52311). If the port is “Open”, then it means that the agent is installed and in this case the computer is ignored by the unmanaged asset importer. If the port is “Closed”, then it means that the agent isn’t installed.
Here are some things that can go wrong:
UDP scans rely on the OS sending back a “closed” message, which can get blocked or lost.
Firewalls (network or personal) can mask the existence of the computer from the scanner (that is the job of the firewall) in which case, the scan won’t work.
You might look at the NMAP logs on the server to see what the results of the NMAP scan were on that computer. You can look in the NMAP subfolder of the BigFix Server, find the scan point and search for the IP address of the computer. If you find it, you can post the XML for that computer and it will help us figure out what NMAP was thinking.
Second question: Some machines will show up as unmanaged assets, but then later get the BigFix agent and become managed assets. Is there a way to automatically purge the unmanaged asset record once the machine becomes a valid agent, so we don’t need to perform manually cleanup of these records?
I believe the unmanaged asset importer is supposed to do that manually the next time it runs the scan and detects the agent is installed… Are you seeing them stay in unmanaged assets?
Yes, it is common that we will see a system show up in unmanaged assets AND as a BES agent. I have not checked to see how old the unmanaged asset record was, though, to confirm that the second scan has occurred which should be purging it. I will check into that and see if we are just seeing duplicates because it hasn’t had a chance to purge yet.
So what I figured out was if the system was discovered as an unmanaged asset with a certain IP address, and then the system became a BES Agent with a different IP address, it doesn’t delete the unmanaged asset, even if the MAC address and hostname are the same.
Is there a way we can tell unmanaged assets to delete the record if there is a match on the MAC address as well?
I believe it is supposed to delete it if the MAC address is the same… do you have a Fixlet that asks you to upgrade your unmanaged asset importer by any chance?
I don’t have any fixlets showing any needed updates for “asset” or “unmanaged”. I have the nmap scan action to kick off each day. I confirmed again this morning that I have an unmanaged asset of a new server we recently built that had a DHCP address at the time it was scanned. I also have a BES Agent computer with the same hostname and MAC, with its current static address (the same system). The unmanaged asset record shows a “Last seen” date of 2/26, which would have been when it had that old DHCP address. It doesn’t appear to be purging. Either that or it’s not scanning daily like the action is configured:
"Execution
This action will never expire.
It will run at any time of day, on any day of the week, .
If the action becomes relevant after it has successfully executed, the action will be periodically reapplied an unlimited number of times, waiting 1 day between reapplications."
Hey rmnetops, can you tell me whether, for those assets that should be purged, the MAC Address field and/or Hostname field is populated under the unmanaged assets tab?
If not, then it will be considered a unique asset by the Importer. Nmap can only grab data from endpoints that allow it (i.e. not being blocked by a firewall, etc…).
Otherwise, if you’re able to, I’d like to see the output of the initial scan XML file (that discovered the asset that isn’t being purged) and the subsequent scan XML output file (that proves that said asset should be purged). In particular, the objects.
So what might be happening in my case is that a new machine is picked up as part of a scan before it has a chance to get its initial restart after joining the domain (to have BigFix installed). In other words, it’s scanned when it doesn’t have the BF agent, but eventually gets the agent loaded. It would be nice if an unmanaged asset was auto-purged after a matching BES client shows up in the database.
Right – but if all we have to go on is an IP address that is totally unique, and no other information about that asset is returned, we can’t match it with a known BigFix Client.
If, initially, Nmap picked up more information (like the MAC address), then the importer could correlate that asset and purge it once it determines a client has been installed (which is the current behavior).
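As an added illustration of the two points made in this thread (the 52311/udp open/closed verdict from the nmap scan, and the MAC/hostname correlation the importer needs before it can purge a record), here is a small Python script that is not BigFix code. It parses a constructed nmap XML fragment, classifies each host the way the answer above describes, and checks unmanaged hosts against a constructed list of BES clients; the XML layout, addresses, names and the `classify_hosts`/`correlate_unmanaged` helpers are all assumptions for the example.

```python
import xml.etree.ElementTree as ET

# Constructed nmap XML in the shape of a UDP scan of the BES port (default 52311);
# not a real scan file, all addresses and names are made up for this example.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
 <host><address addr="10.0.0.10" addrtype="ipv4"/><address addr="00:11:22:33:44:55" addrtype="mac"/>
  <hostnames><hostname name="srv-01"/></hostnames>
  <ports><port protocol="udp" portid="52311"><state state="open"/></port></ports></host>
 <host><address addr="10.0.0.20" addrtype="ipv4"/><address addr="AA:BB:CC:DD:EE:FF" addrtype="mac"/>
  <hostnames><hostname name="srv-02"/></hostnames>
  <ports><port protocol="udp" portid="52311"><state state="closed"/></port></ports></host>
 <host><address addr="10.0.0.30" addrtype="ipv4"/>
  <ports><port protocol="udp" portid="52311"><state state="open|filtered"/></port></ports></host>
</nmaprun>"""

# Constructed BES client inventory: srv-02 got the agent later, on a new static IP.
BES_CLIENTS = [{"hostname": "srv-02", "mac": "AA:BB:CC:DD:EE:FF", "ip": "10.0.1.50"}]

def classify_hosts(xml_text, port="52311"):
    """One record per host: ip, mac, hostname and a verdict from the 52311/udp state."""
    records = []
    for host in ET.fromstring(xml_text).iter("host"):
        rec = {"ip": None, "mac": None, "hostname": None, "verdict": "indeterminate"}
        for addr in host.iter("address"):
            if addr.get("addrtype") == "ipv4":
                rec["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                rec["mac"] = addr.get("addr").upper()
        hn = host.find("hostnames/hostname")
        rec["hostname"] = hn.get("name") if hn is not None else None
        for p in host.iter("port"):
            if p.get("protocol") == "udp" and p.get("portid") == port:
                state = p.find("state").get("state")
                # open: agent answered, importer ignores host; closed: ICMP port-unreachable
                # came back, no agent; open|filtered / filtered: no reply (firewall or lost ICMP)
                rec["verdict"] = {"open": "managed", "closed": "unmanaged"}.get(state, "indeterminate")
        records.append(rec)
    return records

def correlate_unmanaged(records, bes_clients):
    """Unmanaged hosts matching a BES client by MAC or hostname are purge candidates;
    those with nothing but an IP to go on stay as unique assets."""
    purge, keep = [], []
    for rec in records:
        if rec["verdict"] != "unmanaged":
            continue
        match = any((rec["mac"] and c["mac"].upper() == rec["mac"])
                    or (rec["hostname"] and c["hostname"].lower() == rec["hostname"].lower())
                    for c in bes_clients)
        (purge if match else keep).append(rec["ip"])
    return purge, keep
```

Pointing the parser at a real scan XML from the NMAP subfolder shows directly which of the three states nmap recorded for a host that is missing from Unmanaged Assets, and whether it captured a MAC or hostname at all.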