Writing relevance for Automatic Computer group

(imported topic written by pcaprio91)

Good Morning All,

I wrote a new Master Operator site which looks for IP Addresses that contain the following ranges.

(more will be added in the future when we expand)

This way when a new BES client is added in one of these 3 IP address ranges, it will appear in the computers listing.

This is the problem I am running into at this time.

We have multiple BES admins at our different locations within our company. These admins are responsible for particular systems (servers, workstations and laptop) within these IP ranges.

We currently have to create individual Master Operator sites IE: “John Smith Master Site” for each of these admins and enter in

“Computer name” - “Equals” -

And the Admin will create their own operator site with their system information. This way the BES admins will ONLY be able to manage their given systems that we specify in their own master site, “John Smith Master Site”.

But when the BES admin wants to push the BES client to a new system, we must go into their Master Operator site and enter in the new system name.

This is creating a lot of extra overhead for us.

Currently I am testing with the clientsettings.cfg file to put a reg key and value _BESClient_OperatorName=, and the BES admin will put this .cfg file into their ClientDeploy directory.

So when they push the BES Client to a new PC, this key will go into the registry.

In their Master Operator site, I wrote the relevance to look for the value of this specific key.

Would anyone have any other ideas on how I can set this up?

(imported comment written by BenKus)

Hey pcaprio,

I am a bit confused on the setup you described… Are the console users master operators? Or non-master operators?

Ben

(imported comment written by pcaprio91)

Sorry for the confusion.

Let me try to explain this better.

In our BES environment we have 1 Master Operator (Administrator) and 12 Operators (with Show None for Unmanaged Assets) with 711 BES clients.

Out of these 12 Operators only 6 can create Custom Content.

3 of these users have created their own Operator Sites, so they can manage their specific systems.

EX: John Smith, Bob Smith, Mike Smith

But in order for these users to have their systems populate to their respective site, we MUST create individual Master Operator sites and set the name of the system they are going to manage with BES.

EX: John Smith Master Site, Bob Smith Master Site and Mike Smith Master Site.

Once we create the individual Master Operator Site with their specific systems assigned, those systems will then appear in their own personal Operator site.

The reason why we are doing this, is Bob might have 3 systems he manages that are in the same IP / Subnet address range as John and Mike.

We want Bob to only see and manage his systems and not Mike’s or John’s.

If Bob was going to install the BES client on 4 other systems, I (BES Master Operator) MUST physically enter in the name of these 4 new systems into Bob Smith Master Site.

This creates extra administrative overhead for myself.

And once we start expanding BigFix into more of our organization, we will have more Operators and need to create more individual Master Operator sites for the individual operators.

I am trying to find a way to simplify our design and make it less administrative for myself.

I was thinking of creating a type of hierarchy structure.

1 Master Operator site which will cover our IP address range.

Example:

Main Master Site

Includes computers with ANY of the following properties:

IP Address - contains - 10.

IP Address - contains - 172.

IP Address - contains - 199.

This will cover all clients and upcoming clients within these IP Address ranges.

Then create individual Master Operator sites for the different site Operators using relevance and Registry Keys for their individual clients. And assign the Operators rights to their Master Operator sites.

Example:

Bob Smith Master Site

Includes computers with the following properties:

Relevance Expression - is true -

exists key whose (exists value "value" whose (it as string as lowercase contains "bobsmith") of it) of key "HKLM\SOFTWARE\BigFix\EnterpriseClient\Settings\Client" of registry

When Bob uses his BESClientDeploy tool, he will have a clientsettings.cfg file with the following lines.

__RelaySelect_Automatic=1

_BESClient_OperatorName=bobsmith

All of Bob’s clients will automatically fall into his Master Operator site then to his individual Operator site.

But if Bob requires another team member (Dave) to start using BES to administer his boxes, how can I give Dave as a standard BES Operator, permissions to view and administer systems in each of Bob’s individual operator sites?


Main master site

| Bob’s Master Site | Mike’s Master Site | John’s Master Site | My Master Site |
| --- | --- | --- | --- |
| use relevance to look for reg key | use relevance to look for reg key | use relevance to look for reg key | use relevance to look for reg key |
| Bob’s Operator site for servers, search by name | Mike’s Operator Site for servers, search by name | John’s Operator site for servers, search by name | My Operator site for servers, search by name |
| Bob’s site for wkstns, by name | Mike’s site for wkstns, by name | John’s site for wkstns, by name | My site for wkstns, by name |


On my team, there are 3 of us who administer servers, wkstns, laptops for our department. We broke up the systems into individual Master Operator sites and gave each of our operator accounts management rights to the Master Sites to have some type of structure between the types of systems. But we have to create all of these master sites.

We want to reduce the amount of master operator sites down to the individual departments and assign the department members rights to their master operator site.

Right now we have over 24 Master Operator sites. These are broken down to types of systems and their locations.

DMC’s, Florida Workstations, Florida Servers, Florida laptops, Critical servers, Exchange servers, etc…

Does this clarify things?

(imported comment written by BenKus)

Hey pcaprio,

Thanks for the detailed information, but I am getting hung up on terminology… when you say “Master Site”, do you mean “Custom Site”?

Ben

(imported comment written by pcaprio91)

I mean to create one main Computer Group as the Master Operator site named “Master Site”.

(imported comment written by choro)

Try this solution.

Create an Automatic group based on, let's say, AD OU membership (MYDOMAIN\MIAMI\WORKSTATIONS). So, you will have an Automatic Group, let's say, called WORKSTATIONS - MIAMI.

Go to the Console Operators tab in the BigFix Console, right-click on the operator responsible for these computers and click on Assign User Management Rights. Remove everything listed. Then click on the Add button, drill down to All Computers | By Group and select the WORKSTATIONS - MIAMI group, then click OK. In the Assign User Management Rights you should only see the WORKSTATIONS - MIAMI group. Click OK and propagate the permissions.

The user will have access to ONLY computers that fall into the WORKSTATIONS - MIAMI Automatic group. To populate the group just add the computers to the AD OU tied to the group.

The only issue that will arise is if the client cannot get the AD Path. To stop these computers and deal with them I have another Automatic group that will catch computers not in ANY of my security groups.
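
An added example, not part of any post in this thread: a Python model of the membership rules discussed above, showing which computers the substring rules ("IP Address - contains", and the relevance that matches any setting value containing the tag) pull into a group compared with anchored variants, plus the catch-all group from the last reply applied to tag-based groups. The inventory, the `_Example_LogPath` setting and the function names are constructed for illustration.

```python
# Added example: models automatic-group membership rules from this thread.
# All computer records below are constructed sample data.

TAG_SETTING = "_BESClient_OperatorName"

COMPUTERS = [  # constructed inventory: name, IP, client settings
    {"name": "FL-SRV-01", "ip": "10.1.4.20", "settings": {TAG_SETTING: "bobsmith"}},
    {"name": "FL-WKS-07", "ip": "172.16.3.9", "settings": {TAG_SETTING: "mikesmith"}},
    {"name": "FL-WKS-12", "ip": "192.168.10.5", "settings": {TAG_SETTING: "bobsmithson"}},
    # _Example_LogPath is a hypothetical setting, not a real BigFix setting name
    {"name": "FL-LAP-03", "ip": "199.4.8.2",
     "settings": {"_Example_LogPath": r"C:\Users\bobsmith\logs"}},
    {"name": "FL-LAP-09", "ip": "10.1.4.77", "settings": {}},
]

def ip_contains(computer, fragments=("10.", "172.", "199.")):
    """'IP Address - contains' rule as written in the thread: substring match."""
    return any(f in computer["ip"] for f in fragments)

def ip_first_octet(computer, octets=("10", "172", "199")):
    """Anchored variant: only the first octet is compared."""
    return computer["ip"].split(".")[0] in octets

def tag_loose(computer, tag):
    """Thread's relevance: any setting whose value contains the tag."""
    return any(tag in str(v).lower() for v in computer["settings"].values())

def tag_strict(computer, tag):
    """Tighter variant: the named setting must equal the tag exactly."""
    return computer["settings"].get(TAG_SETTING, "").lower() == tag

def members(rule, *args):
    """Names of computers for which the given rule is true."""
    return [c["name"] for c in COMPUTERS if rule(c, *args)]

def unassigned(tags, rule=tag_strict):
    """Catch-all group: computers matching none of the operator groups."""
    return [c["name"] for c in COMPUTERS
            if not any(rule(c, t) for t in tags)]

if __name__ == "__main__":
    print("IP contains    :", members(ip_contains))
    print("IP first octet :", members(ip_first_octet))
    print("bobsmith loose :", members(tag_loose, "bobsmith"))
    print("bobsmith strict:", members(tag_strict, "bobsmith"))
    print("catch-all      :", unassigned(["bobsmith", "mikesmith", "johnsmith"]))
```

With the strict rule, the machines that the loose rule silently placed in Bob's group land in the catch-all group instead, where a Master Operator can review them.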