Task & Fixlet Policies

(imported topic written by ltd200991)

It was recommended to us after we purchased and implemented BigFix not to set up actions that don’t expire (policies), but this really isn’t ideal in our environment. We need to be able to have techs put computers into groups or AD groups and have them automatically run fixlets and tasks.

Does anyone have any experience in this?

My thinking is that I will point several baselines at AD groups and have some automatic groups set up in BigFix looking for systems in these AD groups.

Using relevance, is there any way to limit the amount of processing a computer does to realize it is not relevant to an action? For example, if the computers you want to deploy to start with QA, is it a good idea to start your relevance with: computer name starts with "QA" … I’m thinking that’s logical, but just want some confirmation or opinions from experienced users.


(imported comment written by ltd200991)


(imported comment written by cstoneba)

Yes, that logic sounds good.

If you make a baseline that is only going to be deployed to your “QA” servers, then yes. In your baseline relevance, put: computer name as lowercase starts with "qa". I would then make an automatic computer group in the console (same relevancy: computer name as lowercase starts with "qa"), then deploy your baseline as a policy to that group. Remember to choose the middle radio button on the target tab when deploying, so any new clients that become part of your automatic group will also get patched.

(imported comment written by MattBoyd)

I’m not sure exactly where that recommendation came from, but we heard something similar when we implemented BigFix (TEM). The truth (IMO) is that this recommendation is too generic. It’s okay to use policy actions. However, it should only be done when you’re targeting computers by property (such as an OU or automatic computer group), not by specific computers. Misusing policy actions, especially when they’re targeted at specific computers, leads to lots of open actions that don’t need to be open any longer because they will never be applicable to the target again. I’ve been meaning to write up something about this, but I want to make sure it’s well articulated so that it doesn’t end up making our console operators more confused. As part of good TEM housekeeping, you should regularly review your policy actions to make sure they are still needed.

Personally, I don’t like to restrict the applicability of my tasks and baselines by arbitrary properties of a client, such as the computer name or OU. Instead, I’d make the applicability something that truly indicates that the task/baseline should be applicable, then target it at an automatic computer group that contains the computers that should apply the task/baseline (if applicable). This makes your tasks/baselines more reusable.

(imported comment written by BenKus)

8.1 came with inspectors that look up AD groups for computers and user… Here is some relevance that you can put into a property to do targeting…

unique values of values of components whose (type of it="CN") of distinguished names (distinguished names of (groups of local computer of active directory;groups of local users of active directory))

Note that I think this will not work properly in QnA…

(imported comment written by ltd200991)