I am trying to create a Fixlet for use as an ongoing POLICY in our bigfix deployment (9.5.10)
The fixlet I have so far works well and removes all versions of Java from windows machines. The Action script I have created for this works as expected however I want to fine tune the relevancy so that it will never target specific devices which are added to a manual group in BigFix called: "Java Exclusion Group"
I know I could use the relevancy to say target “all computers unless they are in this one group” however then I would loose my existing relevancy statement which is setup to determine devices which have java installed (see below)
exists key whose (value “DisplayName” of it as string contains “Java 8”) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of registry or exists key whose (value “DisplayName” of it as string contains “Java 8”) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of native registry or exists key whose (value “DisplayName” of it as string contains “Java 7”) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of registry or exists key whose (value “DisplayName” of it as string contains “Java 7”) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of native registry or exists key whose (value “DisplayName” of it as string contains “Java 6”) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of registry or exists key whose (value “DisplayName” of it as string contains “Java 6”) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of native registry
Since all my current lines are connected via “or” I would like to include a single “and” line which could determine if the device is in the “Java Exclusion Group” and if so then return False for the relevancy, even if the Java lines above are still true.
I have been experimenting with various commands and I cannot seem to get this working, I could use some help determining the best way to accomplish this, Thanks in advance!
Based on your existing relevance, you could combine @baynes74’s logic with yours in two ways. Either your Fixlet could have a separate relevance clause so your two clauses are
(NOT (exists true whose (if true then (member of group 484818 of site “actionsite”) else false)))
exists key whose (value “DisplayName” of it as string contains “Java 8”) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of registry or exists key whose (value “DisplayName” of it as string contains “Java 8”) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of native registry or exists key whose (value “DisplayName” of it as string contains “Java 7”) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of registry or exists key whose (value “DisplayName” of it as string contains “Java 7”) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of native registry or exists key whose (value “DisplayName” of it as string contains “Java 6”) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of registry or exists key whose (value “DisplayName” of it as string contains “Java 6”) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of native registry
or you could combine the two together in a single clause as
(NOT (exists true whose (if true then (member of group 484818 of site “actionsite”) else false))) AND ( exists key whose (value “DisplayName” of it as string contains “Java 8”) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of registry or exists key whose (value “DisplayName” of it as string contains “Java 8”) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of native registry or exists key whose (value “DisplayName” of it as string contains “Java 7”) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of registry or exists key whose (value “DisplayName” of it as string contains “Java 7”) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of native registry or exists key whose (value “DisplayName” of it as string contains “Java 6”) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of registry or exists key whose (value “DisplayName” of it as string contains “Java 6”) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of native registry )
(substituting in your own group ID and group site name as appropriate)
You could also make the whole thing a bit more efficient and readable as
(NOT (exists true whose (if true then (member of group 484818 of site "actionsite") else false))) AND (exists values "DisplayName" whose (it as string contains "Java" and (it as string contains "Java 6" or it as string contains "Java 7" or it as string contains "Java 8")) of keys of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of (x32 registries; x64 registries))
So just to make sure I am formatting this correctly:
The custom site this lives in is called: IT GENERAL DEPLOYMENT
The Automatic Group is under this site and named exactly: Java Exclusion
(this group is populated via a list of hostnames I have setup.)
This is how I have formatted the relevance clause:
(NOT (exists true whose (if true then (member of group Java Exclusion of site “IT GENERAL DEPLOYMENT”) else false))) AND (exists values “DisplayName” whose (it as string contains “Java” and (it as string contains “Java 6” or it as string contains “Java 7” or it as string contains “Java 8”)) of keys of keys “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of (x32 registries; x64 registries))
Unfortunately it does not appear to be working and continues to report True, even when a device is listed in the Java Exclusion group under the IT GENERAL DEPLOYMENT custom site.
You won’t be able to use the group name in relevance, you need to use the numeric id of the group. You can find that on the group’s properties page, for instance if the group id is “00-12345”, you’d reference ‘group 12345’
Jason, Thanks for this info! So I am still not having any luck. The group id was “00-2486” so changed the Relevance to:
(NOT (exists true whose (if true then (member of group 2486 of site “IT GENERAL DEPLOYMENT”) else false))) AND (exists values “DisplayName” whose (it as string contains “Java” and (it as string contains “Java 6” or it as string contains “Java 7” or it as string contains “Java 8”)) of keys of keys “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of (x32 registries; x64 registries))
And it is still returning “True” every time on a device which is in that group.
I think your membership is backwards. The inside should return true if its a member else false, so you are NOT’ing that value. Also all groups are inside the master actionsite or an operator site so thats not helping either.
Thanks for the comment Alan, What do you mean when you say “all groups are inside the master actionsite or an operator site”? Do you mean that when I specify the of site “IT GENERAL DEPLOYMENT” that I should be targeting it differently?
Also I have tested with removing the NOT at the front and it does switch the relevance from True to False, however it seems to have the same problem where the relevance just stays false forever and does not change based on the actual membership in the group or existence of the registry keys I am targeting.
Actually, Automatic Groups can be in any custom site. But when referencing the group, it uses the same nomenclature for the site name as in the BES Client\__BESData folder - Custom Sites are prefixed with “CustomSite_” and the name is encoded; it’s not exactly percent-encoded, but spaces are replaced with underscores and some other special characters are translated as well.
When I check for a group in “Jason SWD Site” I end up with
(exists true whose (if true then (member of group 1825 of site "CustomSite_Jason_SWD_Site") else false))
The easiest way to retrieve the right clause is to create a new Automatic Group in the same site, base its members on “Member of group”, and look at the relevance that gets generated for it. You can copy that same relevance into your baseline
Well, I finally got this working with a MANUAL group. Which is good enough for now:
(not (exists true whose (if true then (exists setting “__Group_0_Java Exclusion Group” whose (value of it is “True”) of client) else false))) AND (exists values “DisplayName” whose (it as string contains “Java” and (it as string contains “Java 6” or it as string contains “Java 7” or it as string contains “Java 8”)) of keys of keys “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall” of (x32 registries; x64 registries))
Oddly i still cannot seem to target an automatic group but I will fight that battle another day lol
Thanks again for all the assistance Jason and Alan.
