Run As Local User

(imported topic written by MichaelWGoves91)

I want to run BigFix for Asset Discovery only with no privileges to push out software.

However, the service will not start unless run as Local System or if the local user is a member of the Administrators group.

Is it possible to achieve this?

(imported comment written by BenKus)

Can you help explain more of what you want to do? Asset Discovery is the part of BigFix that will have BigFix Agents scan the local networks using NMAP to find agents… How does that relate to running as local users?

Ben

(imported comment written by MichaelWGoves91)

We want to use BigFix for audit purposes only. So to see what software Workstations and servers are running and also to ensure patches are being applied. I do not want the administrator to be able to deploy software etc. So I’m looking for a read only installation.

Thanks

Michael

(imported comment written by BenKus)

Does this help: http://support.bigfix.com/cgi-bin/kbdirect.pl?id=207

Ben

(imported comment written by MichaelWGoves91)

Unfortunately not, I think this relates to giving an Operator read Only access on the console. I need to run the client in Read Only mode, but thanks for trying.

(imported comment written by SystemAdmin)

Hi Michael,

The client is, practically, in read-only mode all the time. The only time it goes into ‘write’ mode is if someone issues an Action from the console. Therefore, if you remove the ability to create actions by following Ben’s link and not giving the console operator their credentials they won’t be able to create any actions.

Mark.

(imported comment written by MichaelWGoves91)

It looks to me from the link Ben sent that the console operator could easily revert this change themselves and then happily push out changes. I need to be sure this is not possible. The only way I can see to do this is to install the client on the workstation as a local user with limited resources.

Although this is based on very limited knowledge so I am keen to hear other alternatives.

(imported comment written by BenKus)

Michael,

The agent won’t work properly if you install as a normal user.

But… there is an easy solution for you… You can just “lock” the agents so that it won’t take actions (even if an operator accidentally sends them an action).

Ben

(imported comment written by MichaelWGoves91)

Ben,

BINGO…exactly what I was looking for.

Can you point me in the right direction on how to do this?

Thanks

Michael

(imported comment written by BenKus)

Hi Michael,

The easiest thing to do is to right-click on computers in the console and go to “Edit Settings” and to choose to “lock” the computers… Operators (except the “read-only” operators as mentioned above) will be able to unlock the computers if they wish, but each lock/unlock action is recorded in the action list and in the agent logs so you can see the people if they do it.

Ben

(imported comment written by MichaelWGoves91)

Ben

Thanks, my problem with this is the Operator can unlock, push a change then lock again.

I need a way to stop the Operator completely without the approval of the local IT team.

So can you lock the workstation locally?

Michael

(imported comment written by BenKus)

Michael,

If what you want is for users to be unable to take any action to change the computers, then you should look again at: http://support.bigfix.com/cgi-bin/kbdirect.pl?id=207

The basic idea with this approach is that you are not giving the console users private key files (which are required to sign actions so the agents will accept them). Without private keys, the console users can’t take actions.

Ben

(imported comment written by MichaelWGoves91)

Ben

I think a combination of both will suit. Do I have to “lock” each computer individually or can I do this globally?

Michael