Updating 3rd party applications

New to BigFix and was wondering if there’s an easy way to use it to update 3rd party applications such as 7-Zip, Adobe Reader etc. I tried to use the Software Distribution Wizard and point the relevance to the installation path on the servers, but when BigFix scanned the environment it found that every server was relevant, not just the ones needing the update. So clearly I’m doing something wrong. So my questions are as follows:

  1. How can I set up a fixlet to scan the environment correctly to find just the servers in need of the update?
  2. Could we create a baseline to scan for updates for software and push it to relevant servers for multiple applications without having to upload a new file every time? Meaning can BigFix automatically download the updates needed and install them without us having to keep track of if there’s an update for a file?

There are two aspects to creating a fixlet - making the desired update and identifying the targets.

If you have a command-line that makes the change without needing user input or displaying dialogs, then you are most of the way to creating the actionscript that invokes the change, and bringing that information into this forum will soon find someone who can guide you on the way to writing the actionscript.

Identifying the targets is done using the relevance clauses. You need a combination of relevance statements that will all evaluate to ‘TRUE’ on the clients that need the change. One or more of those relevance statements needs to evaluate to ‘FALSE’ when the install is complete. As above, once you have a clear idea of what the indicators are, this forum can help you with the relevance.

One good place to start if you are looking for software installation on Windows is in the registry, in ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall’ (both 64- & 32-bit sections of the registry).


To add to what @trn has advised, 7-Zip is actually one of those applications that register to the OS with an “App Path” (basically means you can type the name of the executable into the Windows “Run” command box and the OS knows how to find the path to the executable) and these are what BigFix sees as registered applications via its regapp inspector. That makes detection a bit easier as you can simply check for the regapp as one of the relevance clauses to detect an undesired state.

Q: exists regapps "7zFM.exe" whose (version of it < "19.0.0.0")
A: False
T: 1.042 ms
I: singular boolean

Any endpoint that does not have 7-Zip or has v19.0.0.0 or later will evaluate as False, so only those that have a version of 7-Zip installed that is below the current stable release would be applicable and therefore be targetable by the fixlet. You’d also want to add other factors such as if the OS is Windows, maybe even down to specific OS version, depending on what your specific use case is.

Awesome, thanks! I think I have a working relevance now. I’m now wondering how to make these installations silent. If we are using 7zip still as an example, I found this to be run via the CMD Run command “start /wait (7zipname.exe) /S”. Do I insert that into the action script somehow?

Assuming you have downloaded this via a prefetch (or equivalent) and run any required extract:

override wait
hidden=true
wait __Download\7zipname.exe /s

Is that a blanket statement I can use with all applications I’m installing?

It is a template you can re-use for simple installs - other stuff may need more complex command lines.

See https://developer.bigfix.com/action-script/reference/ to see what each of those statements does and the range of additional possibilities there are.

Also look at the Windows Software Distribution Wizard (in the BES Support site) - it will upload the installer to your BigFix server and write the prefetch & extract lines for you and also help with the ‘wait’ statement.

If you are using the MSI this should also work

prefetch 7z1900-x64.msi sha1:d0dc016df5f9f9bf1a57b57db0e9e82f097b02b6 size:1748480 https://d2.7-zip.org/a/7z1900-x64.msi
waithidden msiexec.exe /i __Download\7z1900-x64.msi /qn

Thanks everyone, I’ll give it a try.

Here is my action script. I tried the MSI and EXE for the install; both are stuck at PendingDownloads. We don’t have any other issues pushing patches to servers otherwise, so not sure where it’s getting hung up. I verified that they’re already uploaded to the BigFix server and verified there are no connection issues to the environment itself from the BigFix server.

waithidden msiexec.exe /i __Download\7z1900-x64.msi /qn

override wait
hidden=true
wait __Download\7z1900-x64.exe /s

You haven’t included the line that does the download, so I can’t comment on that.

If you look at the action in the console you will find a ‘Downloads’ section which should give you more information. It should tell you the payload is cached, but might be displaying an error there.

Below is the entire Action Script for both the MSI and the exe I tried to install.

prefetch 06297ed842c33a6296daaaff1633ed63a9a44944 sha1:06297ed842c33a6296daaaff1633ed63a9a44944 size:1697739 http://(server Name).com:52311/Uploads/06297ed842c33a6296daaaff1633ed63a9a44944/7z1900-x64.msi.tmp sha256:341d9494d0fabc780268906c18b94bbb5d78081a0fa49821de29747538875669
extract 06297ed842c33a6296daaaff1633ed63a9a44944
wait msiexec.exe /i __Download\7z1900-x64.msi /qn

prefetch 6209bada614dfcb6d3d67f4c98756748d425ee92 sha1:6209bada614dfcb6d3d67f4c98756748d425ee92 size:1431349 http://(server Name).com:52311/Uploads/6209bada614dfcb6d3d67f4c98756748d425ee92/7z1900-x64.exe.tmp sha256:964ab153ef924451ff73a794d75bfabe2bb019d9925dbd05482f25b036013524
extract 6209bada614dfcb6d3d67f4c98756748d425ee92
override wait
hidden=true
wait __Download\7z1900-x64.exe /s
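
The prefetch lines quoted in this thread pin each installer to a size, a SHA-1 and, optionally, a SHA-256. As an added example (not part of any post here and not BigFix code), this Python script parses that line format and checks a payload against it before the file is uploaded or distributed; the function names, the example URL and the sample bytes are constructed for illustration.

```python
import hashlib
import re

# Field layout as it appears in the prefetch lines quoted in this thread:
#   prefetch <name> sha1:<hex> size:<bytes> <url> [sha256:<hex>]
PREFETCH_RE = re.compile(
    r"^prefetch\s+(?P<name>\S+)\s+sha1:(?P<sha1>[0-9a-fA-F]{40})\s+"
    r"size:(?P<size>\d+)\s+(?P<url>\S+)"
    r"(?:\s+sha256:(?P<sha256>[0-9a-fA-F]{64}))?$"
)

def parse_prefetch(line):
    """Split one prefetch line into its fields; sha256 is None if absent."""
    m = PREFETCH_RE.match(line.strip())
    if m is None:
        raise ValueError("not a recognised prefetch line: %r" % line)
    fields = m.groupdict()
    fields["size"] = int(fields["size"])
    fields["sha1"] = fields["sha1"].lower()
    if fields["sha256"]:
        fields["sha256"] = fields["sha256"].lower()
    return fields

def build_prefetch(name, data, url):
    """Build a prefetch line (with sha256) for installer bytes already reviewed."""
    return "prefetch %s sha1:%s size:%d %s sha256:%s" % (
        name, hashlib.sha1(data).hexdigest(), len(data), url,
        hashlib.sha256(data).hexdigest())

def verify_payload(line, data):
    """Return the list of fields where a payload disagrees with its prefetch line."""
    f = parse_prefetch(line)
    problems = []
    if len(data) != f["size"]:
        problems.append("size")
    if hashlib.sha1(data).hexdigest() != f["sha1"]:
        problems.append("sha1")
    if f["sha256"] and hashlib.sha256(data).hexdigest() != f["sha256"]:
        problems.append("sha256")
    return problems

if __name__ == "__main__":
    payload = b"constructed stand-in for installer bytes"  # sample data, not a real installer
    line = build_prefetch("app.msi", payload, "https://example.invalid/app.msi")
    print(line)
    print("unchanged:", verify_payload(line, payload))
    print("tampered: ", verify_payload(line, payload[:-1] + b"X"))
```

An empty list means the file matches every value pinned in the line; a line without a sha256 field is checked on size and SHA-1 only.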

In the Action Status tab, what does it say about the download status? (It should be “Cached on Server”, otherwise a download failure message.)

The Root Server performs the downloads, so make sure the download url hostname resolves correctly on the server itself.

If the server uses a proxy for downloads, ensure it has an exception to bypass the proxy when downloading from its own hostname (using BESAdmin.exe /setproxy).

Download source is ericv’s server and it does an extract, so looks like using the software distribution wizard, not direct download from 7zip.

The questions about the download status in the action are still pertinent though. If the action reports it being cached then the passage of the download through the chain of relays needs to be checked.

Alright, so I figured it out. I forgot to hide the initial push of the patches so there was an interface up waiting for the user to confirm the installation. I hid the installation and repushed patches and it looks to have completed. Thanks for the help everyone.

I had a follow-up question. We will be pushing 20 or so apps to around 250 servers, is there a way to automate this a bit? Like can I use a public mirror for the download point that BigFix uses to download the file or do I need to download and create a fixlet for each update of the software that is released? Is there a way to have BigFix initiate updates on any installed application on the server?

You could add your Fixlets to a Baseline and target all of your servers with the Baseline. If you include the proper Relevance in the Baseline it could target any new servers that showed up with any of the apps missing from them.

You would still have to manually create the Fixlets and add/update them in the Baseline and re-deploy the baseline each time.

If you REALLY wanted to automate the updating of the Fixlets, you could use scripting in something like Python to monitor the publishers’ sites to see when their software changes, then update the Fixlets via the RestAPI.

By the way, I DON’T recommend something like that be “fully automatic”, ever. I think you want to have a human in the loop somewhere. Maybe use a Python script to monitor the publisher’s site for changes and create a new Fixlet for the App that includes the new Version of the software via the BigFix RestAPI, then notify someone of the update. Then someone needs to test the new App and its Fixlet and later deploy the updated App to your servers at an appropriate time of day.

I think there is enough flexibility in the RestAPI to allow you to fully automate the entire process, but I don’t recommend it.


Update on this. Still having some issues with the Client user Interface popping up and the updates not being installed. Below are the 2 action statements I’ve been using for MSI and exe files. Is there something else I need to do so this dialog doesn’t open?

(pre fetch)
waithidden __Download\ChromeStandaloneSetup64.exe /s

(prefetch)
waithidden msiexec.exe /i __Download\7z1900-x64.msi /qn /norestart

The BES client user interface process launches at user login - it’s responsible for the tray icon and showing any pre-action messages and reboot messages. If it is actually popping up and displaying something, check whether your actions have user messages configured on the action settings or whether they’re offers.

Generally I wouldn’t deploy the GoogleStandalone installer - check for their Enterprise installer, which installs for all users and can be managed with GPOs later. It’s also an MSI installer.

Alright, I’ll use the MSI and see if this fixes the issue. So using exe files just doesn’t work for a silent installation? Also is there another way to install these programs besides the Software Distribution Wizard?

Also, I’m working to replace the EXEs with MSI files, but the last few auto-generated action scripts look like this. Is this normal? Or do I need to edit these?


wait "{pathname of system folder & "\msiexec.exe"}" /i "{(pathname of client folder of current site) & "__Download\Firefox Setup 95.0.msi"}" /qn /norestart

It’s not that EXE’s don’t work, it’s just that Chrome is easier to distribute via MSI.

MSI’s usually have standard setup switches, where with EXE’s all the silent parameters are up to the vendor.

Those .MSI parameters you showed look good to me, those are the normal, standard parameters for MSI silent installs. But if you have an MSI package that needs more, like license keys, our wizard can’t guess that, you have to find the vendor’s reference on silent installations and add parameters in the wizard as needed.