Session relevance results into BigFix computer property?

I have a fairly simple analysis I need to create. I’m looking at the OS on the endpoint and then designating it as either a Server level OS or Workstation level OS so it can be exported to BFI and used in a computer property field.

I’ve already written up a version that uses client relevance. Here’s a snippet (which still needs some refinement):

if ( name of operating system contains "Win7" OR name of operating system contains "Win8" OR name of operating system contains "WinXP" OR name of operating system contains "Win10") then "Workstation" else (if (name of operating system contains "AIX" OR name of operating system contains "Linux Red Hat Enterprise Server") then "Server" else "Unknown")

The issue with this approach is it will require check-in from the client when the OS information is already in the BigFix database.

So I’m assuming I need to write session relevance to avoid the need for client communication. I have the start of something I was able to put together in the session debugger:

(names of it, operating system of it) of members of bes computer groups whose (name of it = "Group1")

I still have work to do there, to convert OS name to OS category.

But my question here: How do I write the relevance I need so I can put it in an analysis that queries the BigFix DB and avoids hitting the client?

Where do you want the data to end up?

If you want it in a report, then session relevance is your path forward.

If this is a property you would like to populate in BigFix inventory, then I think you will benefit from taking the client relevance path and perhaps if you wish, you could utilize a _BESClient_DeviceTypeOverride, possibly more elegant…

Perhaps something in an action script like:
setting "_BESClient_DeviceTypeOverride"="Desktop" on "{now}" for client

This relevance has been helpful to me in the past:
(if(it starts with "Mac OS X")then(if(it contains "Server")then "Server" else (if(((exists key whose(it as string as lowercase contains "battery") of entries of dictionaries of nodes of it) OR (exists node "AppleACPIPlatformExpert/SMB0/AppleECSMBusController/AppleSmartBatteryManager" of service plane of iokit registry)of it)of service plane of iokit registry)then "Laptop" else "Desktop"))else (if(it starts with "Win")then if (string value of selects "Model from Win32_ComputerSystem" of wmi) as lowercase contains "Virtual" as lowercase as string AND (value "ProductType" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions" of registry = "WinNT") then "Desktop" else if (string value of selects "Model from Win32_ComputerSystem" of wmi) as lowercase contains "Virtual" as lowercase as string AND (value "ProductType" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions" of registry != "WinNT") then "Server" else (if(it as lowercase contains "mobile")then "Mobile" else(if(it = "Win95" OR it = "Win98" OR it = "WinME")then "Desktop" else(if(nt workstation product type != product type of operating system)then "Server" else(if ((exists active device whose((class of it as lowercase = "battery" OR class of it as lowercase = "system") AND service key value name of it as lowercase = "compbatt")) AND (exists active device whose(class of it as lowercase = "battery" AND service key value name of it as lowercase = "cmbatt"))) then "Laptop" else "Desktop" ))))else(if (it contains "Linux" OR it contains "AIX" OR it contains "Sun" OR it contains "HP-UX" OR it contains "VMware") then ("Server") else(if((it contains "ios" OR it contains "android" OR it contains "ipad" OR it contains "iphone" OR it contains "ipod" OR it contains "smartphone" OR it contains "msft-" OR it contains "nokia" OR it contains "palm" OR it contains "pocketpc" OR it contains "htc")of(it as lowercase)) then "Mobile" else "Unknown")))) of name of operating system

and altogether:
setting "_BESClient_DeviceTypeOverride"="{(if(it starts with "Mac OS X")then(if(it contains "Server")then "Server" else (if(((exists key whose(it as string as lowercase contains "battery") of entries of dictionaries of nodes of it) OR (exists node "AppleACPIPlatformExpert/SMB0/AppleECSMBusController/AppleSmartBatteryManager" of service plane of iokit registry)of it)of service plane of iokit registry)then "Laptop" else "Desktop"))else (if(it starts with "Win")then if (string value of selects "Model from Win32_ComputerSystem" of wmi) as lowercase contains "Virtual" as lowercase as string AND (value "ProductType" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions" of registry = "WinNT") then "Desktop" else if (string value of selects "Model from Win32_ComputerSystem" of wmi) as lowercase contains "Virtual" as lowercase as string AND (value "ProductType" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions" of registry != "WinNT") then "Server" else (if(it as lowercase contains "mobile")then "Mobile" else(if(it = "Win95" OR it = "Win98" OR it = "WinME")then "Desktop" else(if(nt workstation product type != product type of operating system)then "Server" else(if ((exists active device whose((class of it as lowercase = "battery" OR class of it as lowercase = "system") AND service key value name of it as lowercase = "compbatt")) AND (exists active device whose(class of it as lowercase = "battery" AND service key value name of it as lowercase = "cmbatt"))) then "Laptop" else "Desktop" ))))else(if (it contains "Linux" OR it contains "AIX" OR it contains "Sun" OR it contains "HP-UX" OR it contains "VMware") then ("Server") else(if((it contains "ios" OR it contains "android" OR it contains "ipad" OR it contains "iphone" OR it contains "ipod" OR it contains "smartphone" OR it contains "msft-" OR it contains "nokia" OR it contains "palm" OR it contains "pocketpc" OR it contains "htc")of(it as lowercase)) then "Mobile" else "Unknown")))) of name of operating system}" on "{now}" for client

-jgo

relevance taken from here:

1 Like

@jgo Thanks for the response and for the extensive relevance.

My goal was to avoid the need to hit the client for this query, but still have the field show up in the BigFix Console (and then be imported into BFI). Using client relevance, I have to wait for clients to check in before I get the “Server” or “Workstation” designation, even though the OS is available directly in the database.

I suspect it’s a limitation of BigFix that properties from analysis that appear in the console have to use client relevance which must be executed at the endpoint. Not too concerning, but I just wanted to make sure I had the right understanding, and there wasn’t a way to get better responsiveness through another method.

You could achieve this in a web report or in a Dashboard. Would either of these fit your use case?

That’s the rub…an Analysis is actually a fixlet, evaluated by the client, and a result is returned from the client.

The result of the analysis, like other properties, can be reported through Session Relevance (usually in a Web Report, a Console Dashboard/Wizard, or via the API).

A Session Relevance result is not a computer property, and probably could not be imported into BFI as a property.

I’m not sure whether BFI allows us to arbitrarily set a property/value for an imported endpoint; if it does, there may be an API allowing you to write an integration. The API is meant to allow integrations with other products but there might be a way to bend it into doing this.

But writing an API integration will be a lot more work than adding a client property would be.

1 Like
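
An added example, not written by any poster in this thread: the session relevance form of the classification from the original question, evaluated against the database for a Web Report, dashboard or API query rather than as a console computer property. The group name "Group1" and the OS substrings are taken from the question; the `whose` guard that skips computers with no reported name or OS is an assumption added here.

```relevance
/* Added example: classify each member of "Group1" using only data
   already stored in the BigFix database (no client check-in needed). */
(
  name of it,
  operating system of it,
  (
    if (it contains "Win7" or it contains "Win8" or it contains "WinXP" or it contains "Win10")
      then "Workstation"
    else if (it contains "AIX" or it contains "Linux Red Hat Enterprise Server")
      then "Server"
    else "Unknown"
  ) of operating system of it
)
/* Assumed guard: drop computers that have not reported a name or an OS,
   so a missing value does not abort the whole expression. */
of members whose (exists name of it and exists operating system of it)
of bes computer groups whose (name of it = "Group1")
```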

Also, when setting up a client property, I’d avoid listing the OS names if possible. For Windows, you can use product type of operating system:

If (windows of operating system) then (if product type of operating system = nt domain controller product type or product type of operating system = nt server product type then "Server" else if product type of operating system = nt workstation product type then "Workstation" else "Unknown Windows") else /* do aix and linux types */

1 Like