Unlock Client Script Help

Good evening all.

Trying to unlock clients that I locked using an action script.

LOCK SCRIPT BELOW:
Relevance:
version of client >= "6.0" AND
if exists property "in proxy agent context" then ( not in proxy agent context ) else true AND
lock string of action lock state != "Yes"

Action:
action lock indefinite "{parameter "action issue date" of action}"
continue if { lock string of action lock state = "Yes" }

UNLOCK and it does not work.
Relevance the same except an extra line #3
(lock string of action lock state != "") OR (lock string of action lock state = "Yes")

Action:
action unlock "{now}"

2nd Action:
//User input
action parameter query "Time" with description "Please enter a number in days to lock the BigFix client"
// Lock Client X Days
action lock until "{now + {parameter "Time" of action} *days}" "{now}"

Have you tried using the built-in Task “BES Client Setting: Unlock Computer” to unlock?

1 Like

There is an obvious conflict in having clients locked to prevent them running actions and trying to unlock them using an action.

Help is at hand in the form of the inbuilt fixlet in the BES Support site.

There is an option to enable actions from a site other than BES Support, but you need to be aware of the risks in doing that. Sorry, I don’t have the details to hand, but a quick search will provide more info (quite probably from this forum).

2 Likes

Thanks a bunch for pointing me in the right direction. Worked like a champ.
The difference was the action script. So much still to learn.

domo arigato

1 Like

@BlaxSwan interested in what you did specifically here. From what I am gathering you were able to write a custom action to unlock/lock without using the default action from the BigFix Support site? We have a hurdle as our help desk is not a MO and strictly uses the WebUI. The problem there is WebUI doesn’t expose the BigFix Support site and its fixlets like unlock/locking unless you are a MO.

Look forward to your feedback mate!

The BES Support site is the only site by design where action locks are not enforced by BigFix, and of course, all computers are subscribed to it, so you can always unlock any client.

Following up on @trn’s comment, you can specify one additional site where action locks are not enforced. Using the BigFix Administration tool, choose the Edit Masthead option, and check the box next to Exempt the following site URL from action locking:, and enter the site URL (starts with http://). Then, unlock actions created in this site will be honored by any subscribed computer.

This is typically used to allow a site like BFI or ILMT to do its work, regardless of the client’s lock state. But any site URL is allowed. For example, a custom site URL might look like: http://bigfixroot.acme.com:52311/cgi-bin/bfgather.exe/CustomSite_Custom_Content

2 Likes

Good morning and sorry for the wait. So yes, I was able to write a lock and unlock Fixlet for the BigFix Console.
I think I left the source code for the lock in the previous thread, and then tcass2k2 and trn helped me track down the unlock action script; that is basically it.

NOTE this can be done manually.
Right-click and select Edit Computer Settings from the menu, or select Edit Computer Settings from the Edit menu. The Edit Settings dialog opens. Click the checkbox to either lock or unlock the computer.

hope that helps.

We are more interested in the ability to utilize the lock/unlock from a fixlet/task perspective. If I am understanding correctly, we can edit the masthead, add a custom site, and export the BES lock/unlock fixlets to work from this custom site? Is that correct or am I misunderstanding?

Yes, you can do that; or take an action from the Lock/Unlock fixlets in the BES Support site (that site is what we call ‘locking-exempt’, so actions from the BES Support site can run on Locked computers)

Thanks for the feedback! So I went ahead and tested this out. Opened Administration Tool -> Masthead Management -> Edit Masthead -> Checked Exempt the following site URL from action locking -> Entered Custom Site
http://bigfix.site.com:52311/cgi-bin/bfgather.exe/CustomSite_Windows_Patches

  • Actual site name was entered above. Amended fake one for demonstration purposes.

Clicked Okay and exited out of the Admin Tool. Went to the BES Support Site -> Exported the BES Unlock and Lock actions -> Imported them into the custom site we referenced in the admin tool. Attempted to run the unlock action from the custom site at a computer subscribed to this custom site. The endpoint simply returns “Locked” as the status. Am I missing something?

Has the client gathered the new masthead and site? The client has to be aware that the custom site is exempt from locking.

Good point. I’ll issue a regather to ensure all endpoints are updated and report back.

No dice. Attempted to issue a gather/updated masthead as well as restarted the BES client on an end server, but running the exported BES Support Unlock Action in the custom exempted site still results in the end server reporting back a status of locked.

Used the following link to update the masthead - https://www.ibm.com/support/knowledgecenter/en/SS63NW_9.1.0/com.ibm.tivoli.tem.doc_9.1/Platform/Adm/c_upgrading_the_masthead_on_windows.html

Any other thoughts?

A bit more insight after troubleshooting further… the BES Unlock action in our custom site does work when issued by an MO, but when we use a non-MO that has owner permission to the custom site the end server just comes back with a “locked” status. Hopefully that helps in identifying the issue here.

At the end of the day we need our support staff that are non-MO to have the ability to issue unlock actions from WebUI. You cannot see the BES Support site actions in WebUI without being a MO, so running across this post is what sparked the idea that it may be possible to add the exclusion to the Masthead -> Export the BES Unlock action from the BES Support site -> Import into our excluded custom site, ultimately allowing them the ability to unlock without having to jump between WebUI and console to perform basic actions. I will note that we can see the Unlock task that was imported into the custom site as a non-MO in WebUI, but just end up with a locked status from the endpoint when it’s attempted to be run.

@dexdexdex is there an issue using custom locking-exempt sites from WebUI actions?

@Austin4778 can you try the same action from the thick console, using your custom site as a non-Master Operator?

It did work with a non-MO in the BF console, so it looks like it is an issue with WebUI specifically. Any workaround here to have a non-MO unlock from WebUI?