Where does the BES Client store which Automatic Groups it is a member of?

We are in the process of implementing a Network Access Control (NAC) solution. The group that is implementing the NAC solution would like to link some of the NAC controls to BigFix Group memberships if possible. But to do this without additional actions in BigFix, I need to determine where the BigFix client keeps track of which Groups it has decided it is a member of, assuming it keeps that information in a non-volatile state.

For now, the focus is Windows computers.

Operating off the assumption that the GroupID would be used to reference anything stored, I’ve found the Group {groupid}.fxf files that define the Automatic Groups in the BES Client folder, but I’ve not located anything that looks like it records that a client thinks it’s a member of any of the groups.

This seems like a case for the BigFix client compliance API.

Is that an option?
-jgo

If only the NAC client was that smart.

If I can’t find where Group Membership information is stored, I’ll just use a Client Setting.

You can check membership using relevance or fixlet applicability using relevance for the same.

The client compliance API will expose this.

The client doesn’t “store” automatic groups, only if it is applicable or not.

So perhaps an action writing a setting based off of group applicability.

Why not just have a single property to define the “group membership” for NAC?

I wish there were better examples for using this. I know this is how the fixlet debugger talks to the BigFix client… but I don’t entirely get it.

Have you looked at the BigFix Client Compliance site?
There is a wizard or dashboard in there that builds compliance rules.
These rules are then evaluated using the client compliance API.
These more complex rules will evaluate true/false and an action will be automatically taken based on your threshold for variance from what is an acceptable config.

https://developer.bigfix.com/other/cc-api/cc_an_example.html