Rest API query custom property value and add to automatic group

I want to use the Rest API to populate an automatic group based upon a custom property that contains a given value. These values will be gathered from an external data source so the script will simply look for matches and then add the computer to the automatic group if it has the matched value.

The name of the property is Owner that is in the form of user1@domain.com

REST API isn’t going to “populate the Group”, it’s going to let you create the Automatic Computer Group with the Relevance you want to use. Assuming the Group is created in a Site that the computers are subscribed to, they will decide if they should join the group or not.

Maybe I didn’t explain it right. I want to create the relevance for the automatic group with the Rest API call. So in the PowerShell script I will be looking at a list of email addresses from an outside data source:

user1@domain.com
user2@domain.com
user3@domain.com

If the Property “Owner” of the computer matches one of the values in the list then add that computer id to the automatic group relevance.

Similar to how the following works for dynamically populating an automatic group:

exists (12345678) whose (it = computer id)

The relevance for the Automatic group is evaluated locally on the client. If I understand you correctly, you want to call the REST API to create an automatic group. The relevance defining the constraints of the automatic group would be populated from an external list of email addresses?

What local property are you evaluating the email address against?

Creating the initial automatic group would be fairly straightforward. You could use PowerShell to modify the xml document with your data source values, before hitting the REST API to submit the request.
https://developer.bigfix.com/rest-api/api/computergroup.html

How often is the source data modified after that?

Would be also interesting to know about the overall use case, in case there’s a way to use session relevance to achieve what you need without having to create a group.
Data mapping could also be an option - where you match external source data to client properties so you can use the data points for groups, targeting, reporting etc.

We have a local property called Owner. This is the user’s email address. We use OKTA and want to put users in groups there to define which software they receive so in the event they get a new computer they get their software installed automatically. One of our biggest provisioning delays for our team is determining which software the user needs and then getting that to them in a timely manner.

So translating user to computer is the theme here. We already have a working PowerShell script to do this however it has to do 2 API calls. The first to determine whether the “Owner” is a member of the OKTA software group (let’s say Adobe Acrobat XI Standard as an example) and the second to get the computer ID using the Owner property as the search criteria. It’s a little bit inefficient this way though. We would like to gather both in one API call if possible.

This works:

(ids of computer of it, values whose (it as lowercase contains "email@domain.com") of it) of results from (bes properties whose (name of it = "Owner")) of members of bes computer groups whose (name of it = "Corporate")

But returns both the Owner property (email@domain.com) and the computer ID and only for a single email address. I would like it to only return the computer IDs for multiple computers with the Owner property.

It seems you want to use the REST API to create an Automatic Group and you want to dynamically generate the Client relevance used in that Automatic Group by running a second REST API query that pulls Property Results from a Computer Property named Owner.

Will your automation be creating dozens of Automatic Groups, or hundreds, or thousands? Automatic groups will incrementally add to the length of your BigFix client loop. Thousands of them might slow your clients down more than you are comfortable with.

The Session Relevance to get those computer IDs to feed into the creation of your automatic groups might need to look like this:

(ids of computer of it) of (results from (bes properties whose (name of it = "Owner"))) whose (value of it as lowercase contains "email@domain.com" )

Yes you are correct I want to create the relevance for the groups via script.

We will likely have 10’s of groups not hundreds or thousands as we don’t have that much software to deploy anyway.

I tried the session relevance you provided in the Session Relevance Tester and got an error:

Error: The operator “results from” is not defined

Any idea of the cause of this error?

Try this:

(ids of computer of it) of (results of (bes properties whose (name of it = "Owner"))) whose (value of it as lowercase contains "email@domain.com" )

First of all thank you to everyone that has responded so far in helping to troubleshoot my Rest API question!

This works in the relevance debugger and returns the computer ID however it does not make the computer relevant to the automatic group. I tried adding exists and that returned true in the debugger but also did not add the computer to the automatic group.

The below relevance statement adds 2 computers to the group successfully:

exists (12345678;87654321) whose (it = computer id)

Do we need to add an if then else statement to first check if the computer has the criteria email address as its owner then simply provide the computer IDs?

Also how would I add a group of Owner email addresses: email1@domain.com, email2@domain.com, etc. to the group? I tried finding a separator like the semicolon above but that didn’t work and I got syntax type errors.

If you want to go another way:

For computer subscriptions:
exists local computer whose (exists group whose (name of it = "AcrobatSubscriber") of it) of active directory

AD group, of which your user is a member. (Following your Acrobat example)
(exists logged on user whose (exists group whose (name of it = "AcrobatUsers") of it) of active directory)

Evaluates locally for membership and can be used on installation fixlets.

We tried AD groups but the problem with them is you need to be connected to the network for the membership to be evaluated. We have some users that NEVER connect via VPN or locally. This is becoming more common as more apps move to the cloud which is why we chose OKTA as our source of truth instead of AD.

Shame on me for not testing before posting… I should have used results of not results from
Thanks @rgangemi for the tweak!

BigFix client does not process session relevance.
You have to do the session relevance query from the REST API to get the computer IDs out.
(ids of computer of it) of (results of (bes properties whose (name of it = "Owner"))) whose (value of it as lowercase contains "email@domain.com" )
12345678
87654321

Then use a second REST API query to insert those computer IDs into your Automatic Computer Group definition.
https://developer.bigfix.com/rest-api/api/property.html
(post method - with relevance exists (12345678;87654321) whose (it = computer id) )

Once the updated Automatic Group is posted via REST, then the Clients will gather the updated Automatic Group with the client relevance exists (12345678;87654321) whose (it = computer id) and adjust their group membership based on the client relevance.
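
The two-step flow described above, as an added PowerShell example that is not code from any poster in this thread: it builds the session relevance query from an external owner list, then the client relevance and group XML from the returned IDs, rejecting entries that could break out of a relevance string literal. The function names, group title, sample inputs and the ComputerGroup XML layout are assumptions; check the layout against the computergroup documentation linked earlier in the thread.

```powershell
$owners = @('User1@domain.com', 'user2@domain.com', 'x" or true or "@domain.com')  # constructed sample list

function Get-OwnerQueryRelevance {
    param([string[]]$Emails)
    # Allow only plain address characters: a double quote would close the
    # relevance string literal, and % starts a %xx escape inside it.
    $valid = $Emails |
        Where-Object { $_ -match '\A[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z' } |
        ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique
    if (-not $valid) { throw 'No valid owner addresses supplied.' }
    # Exact match here; the thread's "contains" also matches longer addresses.
    $tests = ($valid | ForEach-Object { "value of it as lowercase = `"$_`"" }) -join ' or '
    "(ids of computer of it) of (results of (bes properties whose (name of it = `"Owner`"))) whose ($tests)"
}

function Get-GroupClientRelevance {
    param([string[]]$ComputerIds)
    # Query answers arrive as text; accept digits only before interpolating.
    $ids = $ComputerIds | Where-Object { $_ -match '\A[0-9]+\z' } | Sort-Object -Unique
    if (-not $ids) { throw 'No computer IDs to target.' }
    "exists ($($ids -join ';')) whose (it = computer id)"
}

function New-GroupXml {
    param([string]$Title, [string]$Relevance)
    # XML-escape both values so a group name or relevance cannot inject markup.
    $t = [System.Security.SecurityElement]::Escape($Title)
    $r = [System.Security.SecurityElement]::Escape($Relevance)
    @"
<?xml version="1.0" encoding="UTF-8"?>
<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">
  <ComputerGroup>
    <Title>$t</Title>
    <Domain>BESC</Domain>
    <JoinByIntersection>false</JoinByIntersection>
    <SearchComponentRelevance Comparison="IsTrue">
      <Relevance>$r</Relevance>
    </SearchComponentRelevance>
  </ComputerGroup>
</BES>
"@
}

$query = Get-OwnerQueryRelevance -Emails $owners   # third entry is dropped
# Step 1 (not run here): send $query, URL-encoded, to /api/query?relevance=...
$idsFromQuery = @('12345678', '87654321')           # constructed stand-in for the answers
$body = New-GroupXml -Title 'Acrobat owners' -Relevance (Get-GroupClientRelevance $idsFromQuery)
# Step 2 (not run here): submit $body to the computer group resource.
$query; $body
```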

@brolly33 I made a small update, you did the work! :)

Thanks so much! This at least confirms why we can’t combine it all into one relevance statement.

I’m not entirely clear on how you are using your external data source, but you might be able to one-step it if we are getting close.

Instead of a session relevance to get the results of the ‘Owner’ property, you could duplicate the relevance that generates the ‘Owner’ property into your new group. For instance if ‘Owner’ is based on a client setting, you could create the group with relevance

exists settings "Owner" whose (value of it = "user1@example.com") of client

You’d use the external data source to determine group names and the email address values, but you don’t necessarily need to find the existing property results or computer IDs to create the new group.

That actually works when I set the key as a client setting instead of a different registry key setup as a property.

Would there be an efficient way to look for multiple Owners (email addresses) other than using a lot of OR statements?

If you’re storing that in a registry key, you should be able to put the registry key lookup relevance into the group. Something like

exists keys "Owner" whose (value of it as string = "username@example.com") of keys "HKLM\Software\MyCompanyKeys" of native registry

For multiple owners, you could use a lot of OR, or you could compare to a set

exists keys "Owner" whose (value of it as string is contained by set of ("username1@example.com";"username2@example.com";"username3@example.com")) of keys "HKLM\Software\MyCompanyKeys" of native registry

Neither of these evaluates in the fixlet debugger.