Accessing remote file shares from the BigFix Agent
Can not access remote file share
Resolving the problem
The BigFix Agent runs as the SYSTEM account, which means that it has full access to the local computer, but generally does not have access to files and shares on remote computers. If you have files on shares that you would like to access with the BigFix Agent, you have a few options:
- Deliver files to agent (recommended) -- Rather than have the files streamed to the agent during runtime from the share, it is generally a better idea to have the agent download the files before it runs the action. This allows you to utilize the relay infrastructure for delivery and you have the benefit of download restart/retry. The easiest way to package files for delivery to the agent is to use the Software Distribution Wizard to package a folder or files for the agent.
- Use a null session share -- A Windows null session share will allow any computer to access a file share and thus the BigFix Agent running as SYSTEM will be able to access the share files. More information about setting up null session shares can be found at: https://www.ibm.com/developerworks/community/wikis/home?lang=en#/wiki/Tivoli%20Endpoint%20Manager/page/Creating%20a%20Null%20Session%20Share. Note that null session shares are generally frowned upon by security teams.
- Access the file as the currently logged in user -- If the currently logged in user has access to the file share, you can tell the agent to run as the currently logged in user rather than the SYSTEM account. To do this, you can use the RunAsCurrentUser tool: http://www-01.ibm.com/support/docview.wss?uid=swg21506033. Note that this approach requires the user to be logged in with the appropriate rights to access the share AND to execute it locally on the computer.