System-level settings via client relevance

Hello,

I am hoping I am missing something and someone can give me an idea how to get something like this done. Background - whenever we have OOB (out-of-band) patching (decided by our Security team), we set up policy actions against our patching baselines that target all devices over a certain period of time; once that is up, we activate “normal policy actions” against the same set of patching baselines that are dynamic and controlled by client settings that each device will have populated with different windows/frequency/etc, so the “normal patching policies” just become relevant to different devices at different times...

The two types of policy actions do seem redundant though - we have about 15 different patching baselines so activating 2 per baseline each month is a bit of a pain. What I was thinking is creating a system-level setting/option/config that will mandate an overall OOB window and during that window I will put the OOB relevance; outside of it I will put the “normal” relevance. Question is - is there anything like that I can use?

I gave “Advanced Options” a go and it does accept any kind of name/value pair but how do I get that available/readable by the client? I was hoping that maybe adding those will add them to the masthead that will get distributed down but it doesn’t as far as I can tell… I searched the inspectors but can’t seem to find one that reads them. Does anyone have any ideas how to get this done?

The BES Admin tool, Advanced Options, is used for special name/value pairs of settings in the console and server.

This link below is for BigFix 11, and lists those values you can use in the BES Admin tool, advanced options.

I am not sure I fully understand what you're trying to accomplish but I think what you want is a special property. You do that by going to the console and adding a new property. These become properties on the endpoints. Once it is on the endpoint, you can read them via relevance or change them with action script.

Does that sound like what you want?

Dean, I do know what it is but it is the closest thing I can think of doing something similar to what I am after.

Speaking of which, I am trying to set up a system-wide key/value pair that each device/client can then use/evaluate without having to jump through a ton of hoops (i.e. set policy actions to distribute text files or set up client settings on each device, or anything like that).

So I understand this correctly, when you do an out-of-band patching, you're really doing an out-of-schedule patching - i.e. you're not doing a special action for a single set of high-priority fixlets or a single baseline, you're re-actioning your normal set of patching baselines with an alternate schedule?

Kind of, yes. The “normal” patching has clauses related to “is the device within its patch window and is this device subscribed to get patches from this baseline”, whereas within OOB there are essentially no windows - all servers need to be patched within one weekend. From there the two types of jobs have different relevances and different start windows, so the two do not overlap (i.e. OOB policies are set from Friday 8pm until Monday 6am; normal patching resumes from Monday 6am). Hence, if I had system-level parameters to configure when one starts and the other picks up, I can handle it within the same relevance clause and reduce complexity and man-management overhead (setting up all the policies).

I know you prefer to not use text files, etc. but if you want to get data down to the client you’re going to have to have some kind of action running to do it. Adding a file to a custom site or using the utility cache are probably your best bets.

Thanks, Duncan, that’s actually a better option than I was thinking (adding it to a site with “distribute to clients”) - at least it will take care of the easy changing of the value (I was initially thinking of submitting policy actions to change values against all devices, etc, which would be painful).

For what it is worth, it does seem to work ok with files in sites. Quite easy to overwrite the settings. If anyone is interested I can post an example file & respective analysis I built.