Trying to unlock clients that I locked using an action script.
LOCK SCRIPT BELOW:
Relevance:
version of client >= “6.0” AND
if exists property “in proxy agent context” then ( not in proxy agent context ) else true AND
lock string of action lock state != "Yes”
Action:
action lock indefinite “{parameter “action issue date” of action}” continue if { lock string of action lock state = “Yes” }
UNLOCK and it does not work.
Relevance the same except an extra line #3
(lock string of action lock state != “”) OR (lock string of action lock state = “Yes”)
Action:
action unlock “{now}”
2nd Action:
//User input
action parameter query “Time” with description “Please enter a number in days to lock the BigFix client”
// Lock Client X Days
action lock until “{now + {parameter “Time” of action} *days}” “{now}”
There is an obvious conflict in having clients locked to prevent them running actions and trying to unlock them using an action.
Help is at hand in the form of the inbuilt fixlet in the BES Support site.
There is an option to enable actions from a site other than BES Support, but you need to be aware of the risks in doing that. Sorry, I don’t have the details to hand, but a quick search will provide more info (quite probably from this forum)
@BlaxSwan interested in what you did specifically here. From what I am gathering you were able to write a custom action to unlock/lock without using the default action from the Bigfix Support site? We have a hurdle as our help desk is not a MO and strictly uses the WebUI. The problem there is WebUI doesn’t expose the Bigfix Support site and it’s fixlets like unlock/locking unless you are a MO.
The BES Support site is the only site by design where action locks are not enforced by BigFix, and of course, all computers are subscribed to it, so you can always unlock any client.
Following up on @trn’s comment, you can specify one additional site where action locks are not enforced. Using the BigFix Administration tool, choose the Edit Masthead option, and check the box next to Exempt the following site URL from action locking:, and enter the site URL (starts with http://). Then, unlock actions created in this site will be honored by any subscribed computer.
Good Morning and sorry for the wait. So yes I was able write a lock and unlock Fixlet for the BigFix Console.
I think I left the source code for the lock in the previous thread, and then tcass2k2 and trn helped me track down the unlock action script that is basically it.
NOTE this can be done manually.
Right-click and select Edit Computer Settings from the menu, or select Edit Computer Settings from the Edit menu. The Edit Settings dialog opens. Click the checkbox to either lock or unlock the computer.
We are more interested in the ability to utilize the lock/unlock from a fixlet/task perspective. If I am understanding correctly, we can edit the masthead, add a custom site, and export the BES lock/.unlock fixlets to work from this custom site? Is that correct or am I misunderstanding?
Yes, you can do that; or take an action from the Lock/Unlock fixlets in the BES Support site (that site is what we call ‘locking-exempt’, so actions from the BES Support site can run on Locked computers)
Actual site name was entered above. Amended fake one for demonstration purposes.
Clicked Okay and exited out the Admin Tool. Went to the BES Support Site -> Exported the BES Unlock and Lock actions -> Imported them into the the custom site we referenced in the admin tool. Attempted to run the unlock action from the custom site at a subscribed computer to this custom site. The endpoint simply returns “Locked” as the status. Am I missing something?
No dice. Attempted to issue a gather/updated masthead as well as restarted the BES client on an end server, but running the exported BES Support Unlock Acton into the custom exempted site still results in the end server reporting back a status of locked.
A bit more insight after troubleshooting further… the BES Unlock action in our custom site does with when issued by a M), but when we use a non-MO that has owner permission to the custom site the end server just comes back with a “locked” status. Hopefully that helps in identifying the issue here.
At the end of the day we need our support staff that are non-MO the ability to issue unlock actions from WebUI. You cannot see the BES Support site actions in WebUI without being a MO so running across this post is what sparked the idea that this may be possible to add the exclusion to the Masthead -> Export the BES Unlock action from the BES Support site -> Import into our excluded custom site and ultimately allowing them the ability to unlock without having to jump from WebUI and console to perform basic actions. I will note that we can see the Unlock task that was imported into the customer site as a non-MO in WebUI, but just end up with a locked status from the endpoint when it’s attempted to be ran.
It did work with a non-MO in the BF console so looks like it is an issue with WebUI specifically. Any work around here to have a non-MO unlock from WebUI?