Watermarking Computer Assets from Different Sites


BigFix Noob here. My company has no computer naming convention and we are trying to find a way to watermark assets. Here are some things we are restricted by that make this an interesting problem for us (probably more because we are BF Noobs).

  1. Due to certain business requirements, each site manages their own software and thus not all software applies to all the computers in all sites.

  2. People from certain sites travel to other sites and when they do their computers get a lot of data (patches/actions,software, etc) from other sites via BigFix that might not apply to them.

  3. Each site is managed by their own team via BigFix and we are trying to provide them an action/task that can allow them to watermark their assets so that when someone from their site travels to another site those travelers do not get all the data from the site they are travelling to.

  4. Unfortunately, due to certain business restrictions we cannot use IP/OUs as that is a challenge too (We are working on fixing that)



What we usually do is define a custom client setting to track ownership, in my case “ManagementScope”. You can build a custom client installer to predefine the ManagementScope value, and give different custom installers to each group of system owners so when they install the client it automatically has the right scope.

You can use the client value to populate automatic computer groups, custom site subscriptions, or even operator rights assignments - so an operator does not see, and cannot send actions to, a client outside of their management rights.

You can also set up tasks to set the client value to tag machines that are not known/don’t have the value set, to “move” the machine from one scope to another.

1 Like

You should be looking a Roles for the Console Operators.

As @JasonWalker mentioned, Automatic Groups are your Friend here.

For Computers that are members of our Windows Active Directory, we use the OU that the computer is under.

Because we also support Linux, Mac, AIX, etc, I also use a Client Setting, in our case it’s “Owner”. To simplify setting it, we have a Task with an Open Ended Action that when it finds a particular file in a particular location “BESClient” folder I believe, it reads the first line from the file, sets the Owner property to that value and renames the file (after deleting any previously renamed file). This Action is submitted by a Master Operator and comes from a site where All Computers are subscribed.

My organization has something around 35 different Roles. In general, no two roles share any of the 50k systems in our environment. Actions submitted by members of one Role do not take effect on any other computers, even if they target All Computers. It only impacts “All of their Computers”.

1 Like