Additional administration commands
The installation automatically downloads the IBM Endpoint Manager Administration Tool program, BESAdmin.exe, to the C:\Program Files (x86)\BigFix Enterprise\BES Server directory.
You can run BESAdmin.exe to perform additional administrative operations. To run it from the command prompt, use the following command:
.\BESAdmin.exe /service { arguments }
where service can be one of the following:
- converttoldapoperators
- createuser
- deleteuser
- edituser
- findinvalidsignatures
- minimumSupportedClient
- resignsecuritydata
- rotateserversigningkey
- setproxy
Note: The notation <path+license.pvk> used in the command syntax displayed across this topic stands for path_to_license_file/license.pvk.
Each service has the following arguments:
- converttoldapoperators
- You can convert local operators to LDAP operators, so that they can log in with their LDAP credentials. Optionally you can use the /mappingFile argument to specify a mapping file, where each line has the name of the local user to convert, followed by a tab, followed by the name of the user in LDAP/AD. Specify the LDAP/AD name in the same format that the user will use to log in to the Console: domain\user, user@domain, or user. If you do not specify a mapping file, all local operators are converted, assuming that each one's name in LDAP/AD is the same as the local user name. The syntax to run this service is:
.\BESAdmin.exe /convertToLDAPOperators [/mappingFile:<file>]
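The following PowerShell script is an added example and is not part of the IBM documentation. It builds the tab-separated mapping file that /mappingFile expects, checks the file before using it, and then runs the conversion. It assumes BESAdmin.exe is in the default installation directory and returns a non-zero exit code on failure (the page does not document exit codes); the operator names, domain and file encoding are constructed sample values.

```powershell
# Added example, not part of the IBM documentation. Assumptions: BESAdmin.exe is in
# the default install directory and returns a non-zero exit code on failure (the
# page does not document its exit codes). Operator names are constructed samples.
$besAdmin    = 'C:\Program Files (x86)\BigFix Enterprise\BES Server\BESAdmin.exe'
$mappingFile = Join-Path $env:TEMP 'operator-mapping.txt'

# Local operator name -> LDAP/AD name, written in the same format the operator
# will type at the Console logon: domain\user, user@domain or a bare user name.
$mapping = [ordered]@{
    'jsmith'   = 'CORP\jsmith'
    'ops-lead' = 'maria.rossi@corp.example'
    'auditor'  = 'auditor'
}

# One mapping per line, the two names separated by a literal TAB ("`t").
# A space or a comma between them is not what /mappingFile expects.
$lines = foreach ($entry in $mapping.GetEnumerator()) {
    "$($entry.Key)`t$($entry.Value)"
}
# The page does not state the file encoding; ASCII is safe for these names.
Set-Content -Path $mappingFile -Value $lines -Encoding ASCII

# Check the file before handing it to BESAdmin: exactly two non-empty,
# tab-separated fields on every line.
$badLines = Get-Content -Path $mappingFile | Where-Object {
    $fields = $_ -split "`t"
    ($fields.Count -ne 2) -or ($fields | Where-Object { $_ -eq '' })
}
if ($badLines) { throw "Malformed mapping lines: $($badLines -join '; ')" }

# Run the conversion. Without /mappingFile every local operator would be
# converted on the assumption that its LDAP/AD name equals its local name,
# which is wrong for any operator whose two names differ.
& $besAdmin /convertToLDAPOperators "/mappingFile:$mappingFile"
if ($LASTEXITCODE -ne 0) {
    throw "BESAdmin /convertToLDAPOperators exited with code $LASTEXITCODE"
}
```

Keep the mapping file explicit even when most names match: the no-file default applies to every local operator at once, and an operator whose LDAP name differs from the local name is the one you least want converted by guesswork.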
- createuser
- You can create accounts for operators that access the Console. For security purposes, a password-protected public/private key pair is also generated so that the new operator can properly create and sign actions. The syntax to run this service is:
.\BESAdmin.exe /createUser:<UserName> /userPassword:<UserPassword> /masterOp:<yes|no> /customContent:<yes|no> /showotherusersactions:<yes|no> /unmanagedAssetPrivilege:<all|none|scanpoint>
Optionally you can specify the following parameters. Note that the defaults are permissive: an operator created with only /createUser and /userPassword is a master operator who can create custom content and see other operators' actions, so state each value explicitly when you create a restricted operator.
- masterOp
- Specifies whether the user is a master operator. The default value is yes.
- customContent
- Specifies whether the user can create custom content. The default value is yes.
- showotherusersactions
- Specifies whether the user can see other users' actions that affect the computers they manage. The default value is yes.
- unmanagedAssetPrivilege
- Defines which unmanaged assets the user can see. The default value is scanpoint.
- deleteuser
- You can mark a non-master operator as deleted. When you run this command the operator instance is removed from the database, but the content that the operator created is not removed. Master operators cannot be deleted with this command; to stop an operator from logging in without deleting the account, use editUser with /loginPermission:never. The syntax to run this service is:
.\BESAdmin.exe /deleteUser <UserName>
- editUser
- You can change the privileges of an existing operator. The syntax to run this service is:
.\BESAdmin.exe /editUser <UserName> /loginPermission:<always|never|role> /customContent:<yes|no> /showOtherUsersActions:<yes|no> /unmanagedAssetPrivilege:<all|none|scanpoint>
Optionally you can specify the same parameters supported for createUser, with two exceptions: masterOp is supported only by createUser, and loginPermission is supported only by editUser and has the following behavior:
- loginPermission
- Specifies when the user is allowed to log in. The default value is always, which means that the user is always allowed to log in. The value never means that the user is not allowed to log in at all. The value role means that the user can log in only if the user is a member of a role. Use this parameter to disable an operator's login, or to assign a role to an LDAP group and allow anyone in that LDAP group to log in.
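The following PowerShell script is an added example covering the createUser, deleteUser and editUser services above; it is not part of the IBM documentation. It creates a non-master operator with every privilege switch stated explicitly, because the documented defaults grant master-operator rights, and later disables that operator's login with editUser instead of deleting the account. It assumes BESAdmin.exe is in the default installation directory and returns a non-zero exit code on failure (the page does not document exit codes); the operator name is a constructed sample, and the argument shapes (colon after /createUser, a space after /editUser) follow the syntax lines on this page.

```powershell
# Added example, not part of the IBM documentation. Assumptions: BESAdmin.exe is in
# the default install directory and returns a non-zero exit code on failure (the
# page does not document its exit codes). The operator name is a constructed sample.
$besAdmin = 'C:\Program Files (x86)\BigFix Enterprise\BES Server\BESAdmin.exe'

function Invoke-BesAdmin {
    param([Parameter(Mandatory)][string[]]$ArgumentList)
    & $besAdmin @ArgumentList
    if ($LASTEXITCODE -ne 0) {
        throw "BESAdmin $($ArgumentList[0]) failed with exit code $LASTEXITCODE"
    }
}

function New-RestrictedOperator {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][securestring]$Password
    )
    # /userPassword takes the password in clear text on BESAdmin's command line,
    # so it is visible in process listings while BESAdmin runs: prompt for it
    # rather than hard-coding it, and do not echo or log the argument list.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password

    # Every switch is stated explicitly. Leaving any of them out falls back to
    # the documented defaults (masterOp, customContent and showOtherUsersActions
    # all default to yes; unmanagedAssetPrivilege defaults to scanpoint).
    Invoke-BesAdmin -ArgumentList @(
        "/createUser:$UserName",
        "/userPassword:$plain",
        '/masterOp:no',
        '/customContent:no',
        '/showOtherUsersActions:no',
        '/unmanagedAssetPrivilege:none'
    )
}

function Disable-OperatorLogin {
    param([Parameter(Mandatory)][string]$UserName)
    # Disabling login keeps the account and its content in place; /deleteUser
    # removes the operator instance from the database and works only for
    # non-master operators. Note the space (not a colon) after /editUser,
    # matching the syntax line on this page.
    Invoke-BesAdmin -ArgumentList @('/editUser', $UserName, '/loginPermission:never')
}

$password = Read-Host -Prompt 'Password for the new operator' -AsSecureString
New-RestrictedOperator -UserName 'helpdesk-tier1' -Password $password

# Later, at offboarding: block the login but keep the operator's history.
Disable-OperatorLogin -UserName 'helpdesk-tier1'
```

Re-enabling the operator is a second editUser call with /loginPermission:always; use /loginPermission:role when access should instead follow membership of a role assigned to an LDAP group.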
- findinvalidsignatures
- You can check the signatures of the objects in the database. Run the service without either optional parameter first, so that it only reports the invalid signatures it finds; then, if you choose to act on them, specify one of the following parameters:
- /resignInvalidSignatures (optional)
- Attempts to resign any invalid signatures that BESAdmin finds. Because an invalid signature can mean that content was modified outside the normal signing path as well as that a key was changed, review the reported objects before resigning them: resigning accepts the content exactly as it is now.
- /deleteInvalidlySignedContent (optional)
- Deletes content with invalid signatures. This removes the affected objects from the database rather than repairing them.
The syntax to run this service is:
.\BESAdmin.exe /findinvalidsignatures [ /resignInvalidSignatures | /deleteInvalidlySignedContent ]
- minimumSupportedClient
- This service defines the minimum version of the Endpoint Manager Agents used in your Endpoint Manager environment. Note: Based on this setting, the Endpoint Manager components can decide when it is safe to assume that newer functions exist across all the components in the deployment. Individual agent interactions might be rejected if they do not comply with the limitations imposed by this setting. The currently available values are:
- 8.2, which means that no activity issued by Endpoint Manager Agents V8.2, such as registration to the server, archive file uploads, and report uploads, is prevented from running or limited. This behavior also applies if the minimumSupportedClient service is not set.
- 9.0, which means that:
- Initial or regular registrations of V8.2 Endpoint Manager Clients to a Relay or to the Server still succeed.
- Reports sent by V8.2 Endpoint Manager Clients are discarded by FillDB.
- The upload of an archive file generated on a V8.2 Endpoint Manager Client, for example by an archive now command, fails.
The syntax to run this service is:
.\BESAdmin.exe [/sitePvkFile=<path+license.pvk>] [/sitePassword=<password>] /minimumSupportedClient=<version>.<release>
If you omit [/sitePvkFile=<path+license.pvk>] [/sitePassword=<password>], you are prompted to enter the site key and password in a pop-up window. On a shared server the prompt is preferable, because a password given on the command line is visible in the process list and in the shell history.
For example, to state that V8.2 agents are not supported in your Endpoint Manager environment, run the following command:
.\BESAdmin.exe /minimumSupportedClient=9.0
- resignsecuritydata
- You can resign all of the users' content in the database to enable user login to the Console. The command resigns security data using the existing key file. You can specify the following parameter:
/mastheadLocation=<path+/actionsite.afxm>
The complete syntax to run this service is:
.\BESAdmin.exe /resignsecuritydata /sitePvkLocation=<path+license.pvk> [ /sitePvkPassword=<password> ] /mastheadLocation=<path+/actionsite.afxm>
- rotateserversigningkey
- You can rotate the server private key so that the key in the file system matches the key in the database. The command creates a new server signing key, resigns all existing content using the new key, and revokes the old key. The operation requires the site key (license.pvk); as with the other services that take /sitePvkPassword, omit the password argument to be prompted for it instead of placing it on the command line. The syntax to run this service is:
.\BESAdmin.exe /rotateserversigningkey /sitePvkLocation=<path+license.pvk> [ /sitePvkPassword=<password> ]
- setproxy
- If your enterprise uses a proxy to access the Internet, you must set a proxy connection to enable the IBM Endpoint Manager server to gather content from sites, as well as to perform component-to-component communication and to download files.
The BES components that access the Internet run, by default, as the SYSTEM account on the Windows server, so per-user proxy settings, such as those configured in Internet Options for a logged-on administrator, do not apply to them. Their proxy configuration is managed in the registry by the key HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\Enterprise Server\Proxy.
Run the following command to create or modify the HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\Enterprise Server\Proxy key in the registry:
BESAdmin /setproxy /proxy:<proxy_host> /user:<proxy_username> /pass:<proxy_password> [/exceptionlist:<proxy_exceptionlist>]
For information about how to run the command and about the values to use for each argument, see Setting up a proxy connection on the server.
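The following PowerShell script is an added example and is not part of the IBM documentation. It runs BESAdmin /setproxy with the proxy account's password taken from a credential prompt rather than a hard-coded string, then verifies that the registry key named above now exists and lists what was written there. It assumes BESAdmin.exe is in the default installation directory and returns a non-zero exit code on failure (the page does not document exit codes); the proxy host, account and exception list are constructed sample values, and the comma-separated exception-list format is an assumption to be checked against the Setting up a proxy connection on the server topic.

```powershell
# Added example, not part of the IBM documentation. Assumptions: BESAdmin.exe is in
# the default install directory and returns a non-zero exit code on failure (the
# page does not document its exit codes). Host, account and exception list are
# constructed samples; the comma-separated exception format is assumed.
$besAdmin = 'C:\Program Files (x86)\BigFix Enterprise\BES Server\BESAdmin.exe'
$proxyKey = 'HKLM:\SOFTWARE\BigFix\Enterprise Server\Proxy'

$proxyHost  = 'proxy.corp.example:3128'
$proxyUser  = 'svc-bigfix-proxy'
# Keep internal destinations (the server itself, relays, internal sites) off
# the proxy so component-to-component traffic is not routed through it.
$exceptions = 'localhost,127.0.0.1,*.corp.example'

# Prompt for the proxy account password instead of embedding it in the script.
# It still has to be passed in clear text on the command line, where it is
# visible in process listings while BESAdmin runs, so run this interactively.
$cred  = Get-Credential -UserName $proxyUser -Message 'Password for the proxy account'
$plain = $cred.GetNetworkCredential().Password

& $besAdmin /setproxy "/proxy:$proxyHost" "/user:$proxyUser" "/pass:$plain" "/exceptionlist:$exceptions"
if ($LASTEXITCODE -ne 0) { throw "BESAdmin /setproxy failed with exit code $LASTEXITCODE" }

# Verify the result. The page names the key but not its value names, so list
# whatever BESAdmin wrote instead of assuming names. Treat the output as
# sensitive: if the proxy password is stored among these values it will show.
if (-not (Test-Path -Path $proxyKey)) { throw "Proxy key $proxyKey was not created" }
Get-ItemProperty -Path $proxyKey |
    Select-Object -Property * -ExcludeProperty PS* |
    Format-List
```

Because the components run as SYSTEM, this registry key, not the administrator's own browser proxy settings, is the only configuration they honour; if a content gather still fails after the key is in place, check the exception list before suspecting the proxy itself.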