Hello,everybody.
One question puzzled me.
I originally set an action at one o’clock in the morning.
But I stopped it before the action started, and I removed it for safety reasons. However, by the appointed time, part of the clients still run the action.
Is it because I deleted the action too early, some clients have not yet responded?
That would imply that the clients got a version of the action site containing the action, but did not gather again to find that the action had been stopped/deleted.
That can happen if a client gathers, finds the action, and then disconnects from the network; or cannot reach a relay; or does not run a gather after the action was stopped & deleted.
Normally a client will be informed by the Relay when you change an action. This is done via a UDP message on port 52311 from the Relay to the Clients. If there is a client firewall or other firewall between the relay and the client, the client might not receive those UDP messages. You can check the client log for “GatherHashMV” messages to see whether it is receiving the notifications. If the client is not receiving notifications, you need to configure Command Polling on the client, else the client will only gather at something like 12-hour intervals.
1 Like
This is the reason.
Clients run actions autonomously. Actions get started and stopped by the server, but once a client knows about an action, it will run it even if it is not connected to any network at all… especially if the downloads are already cached. This is how bigfix can enforce security policy through existing policy actions no matter what.
If you create an action, clients won’t know about it right away. There will be a delay of seconds to minutes for UDP notifications, or an hour or so for command polling, or many hours for gathering. Once the action is stopped, the clients have a similar delay to be notified of that being the case as they did when it was started.
Generally I recommend all clients have command polling enabled for something like once every 3 hours, and for devices that do not get UDP notifications, something like once every hour, which helps with this delay.
1 Like