IBM Endpoint Manager, Version 9.1

Additional administration commands

The installation automatically downloads the IBM Endpoint Manager Administration Tool program, BESAdmin.exe, to the C:\Program Files (x86)\BigFix Enterprise\BES Server directory.

You can run BESAdmin.exe to perform additional operations. To run it from the command prompt, use the following command:
.\BESAdmin.exe /service { arguments }
where service can be one of the following:
converttoldapoperators
createuser
deleteuser
edituser
findinvalidsignatures
minimumSupportedClient
resignsecuritydata
rotateserversigningkey
setproxy
Note: The notation <path+license.pvk> used in the command syntax displayed across this topic stands for path_to_license_file/license.pvk.
Each service has the following arguments:
converttoldapoperators
You can convert local operators to LDAP operators, so that they can log in with their LDAP credentials. Optionally you can use the -mappingFile argument to specify a file, the mapping file, where each line has the name of the user to convert, followed by a tab, followed by the name of the user in LDAP/AD. Specify the name using the same format that the user will use to log into the console, domain\user, user@domain, or user. If you do not specify a mapping file, all users are converted assuming their name in LDAP/AD is the same as their local user name.
The syntax to run this service is:
.\BESAdmin.exe /convertToLDAPOperators [/mappingFile:<file>]
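As an added example (not part of the IBM documentation), the following Python script builds the tab-separated mapping file described above and sanity-checks it before you pass it to /convertToLDAPOperators; the operator names and the file name ldap_mapping.txt are constructed assumptions.

```python
import re

# Constructed sample: local Console operator -> LDAP/AD account.
# The LDAP name may be domain\user, user@domain, or a bare user name,
# in the same format the operator will type at the Console login.
SAMPLE_MAPPING = [
    ("jsmith", r"CORP\jsmith"),
    ("mlee", "m.lee@corp.example"),
    ("ops_admin", "opsadmin"),
]

# Accepts exactly the three login formats the documentation lists.
_LDAP_NAME = re.compile(
    r"^(?:[A-Za-z0-9._-]+\\[A-Za-z0-9._-]+"   # domain\user
    r"|[A-Za-z0-9._-]+@[A-Za-z0-9.-]+"         # user@domain
    r"|[A-Za-z0-9._-]+)$"                      # bare user name
)

def build_mapping_file(pairs):
    """Return mapping-file text: one 'local<TAB>ldap' line per operator."""
    return "".join(f"{local}\t{ldap}\n" for local, ldap in pairs)

def validate_mapping_file(text):
    """Return (line_no, problem) for each line that would not map cleanly."""
    problems = []
    seen_local = set()
    for n, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue  # blank lines carry no mapping
        parts = raw.split("\t")
        if len(parts) != 2:
            problems.append((n, "expected exactly one tab between local and LDAP names"))
            continue
        local, ldap = (p.strip() for p in parts)
        if not local or not ldap:
            problems.append((n, "empty local or LDAP name"))
            continue
        if local in seen_local:
            problems.append((n, f"local operator {local!r} listed more than once"))
        seen_local.add(local)
        if not _LDAP_NAME.match(ldap):
            problems.append((n, f"LDAP name {ldap!r} is not domain\\user, user@domain or user"))
    return problems

if __name__ == "__main__":
    text = build_mapping_file(SAMPLE_MAPPING)
    with open("ldap_mapping.txt", "w", encoding="utf-8") as fh:
        fh.write(text)
    for line_no, msg in validate_mapping_file(text):
        print(f"line {line_no}: {msg}")
```

After the script reports no problems, run `.\BESAdmin.exe /convertToLDAPOperators /mappingFile:ldap_mapping.txt` on the server.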
createuser
You can create accounts for operators that access the Console. For security purposes, a password-protected public/private key is also generated so the new operator can properly create and sign actions.
The syntax to run this service is:
.\BESAdmin.exe /createUser:<UserName> 
/userPassword:<UserPassword> 
/masterOp:<yes|no> 
/customContent:<yes|no> 
/showotherusersactions:<yes|no>
/unmanagedAssetPrivilege:<all|none|scanpoint>
Optionally you can specify the following parameters:
masterOp
Specifies whether the user is a master operator. The default value is yes.
customContent
Specifies whether the user can create custom content. The default value is yes.
showotherusersactions
Specifies whether the user can see other users' actions that affect the computers they manage. The default value is yes.
unmanagedAssetPrivilege
Defines what unmanaged assets the user can see. The default value is scanpoint.
deleteuser
You can mark a non-master operator as deleted. When you run this command, the operator instance is removed from the database, but the content that the operator created is not removed.
The syntax to run this service is:
.\BESAdmin.exe /deleteUser <UserName>
edituser
The syntax to run this service is:
.\BESAdmin.exe /editUser <UserName> 
/loginPermission:<always|never|role>
/customContent:<yes|no> 
/showOtherUsersActions:<yes|no>
/unmanagedAssetPrivilege:<all|none|scanpoint>
Optionally you can specify the same parameters supported for createUser, except masterOp, which is supported only by createUser. The loginPermission parameter is supported only by editUser and has the following behavior:
loginPermission
Specifies when the user is allowed to log in. The default value is always, which means that the user is always allowed to log in. The value never means that the user is not allowed to log in at all. The value role means that the user can log in only if the user is a member of a role. Use this parameter to disable an operator's login, or to assign a role to an LDAP group and allow anyone in that LDAP group to log in.
findinvalidsignatures
You can check the signatures of the objects in the database by specifying the following parameters:
-resignInvalidSignatures (optional)
Attempts to resign any invalid signatures that BESAdmin finds.
-deleteInvalidlySignedContent (optional)
Deletes content with invalid signatures.
For additional information about invalid signatures see http://www-01.ibm.com/support/docview.wss?uid=swg21587965.
The syntax to run this service is:
.\BESAdmin.exe /findinvalidsignatures 
[ /resignInvalidSignatures | /deleteInvalidlySignedContent ]
minimumSupportedClient
This service defines the minimum version of the Endpoint Manager Agents used in your Endpoint Manager environment.
Note: Based on this setting, the Endpoint Manager components can decide when it is safe to assume the existence of newer functions across all the components in the deployment. Individual agent interactions might be rejected if the interaction does not comply with the limitations imposed by this setting.
The currently available values are:
  • 8.2, which means that no activity issued by Endpoint Manager Agents V8.2, such as registration to the server or the upload of archive files and reports, is prevented from running or limited. This behavior also applies if the minimumSupportedClient service is not set.
  • 9.0, which means that:
    • Initial or regular registrations of V8.2 Endpoint Manager Clients to a Relay or to the Server succeed.
    • Reports sent by V8.2 Endpoint Manager Clients are discarded by FillDB.
    • The upload of an archive file generated on a V8.2 Endpoint Manager Client, by an archive now command for example, fails.
If you ran a fresh installation of Endpoint Manager V9.1.11, the minimumSupportedClient is not set, and so all the agents, regardless of their version, can join your Endpoint Manager environment.
The syntax to run this service is:
.\BESAdmin.exe [/sitePvkFile=<path+license.pvk>] [/sitePassword=<password>] 
/minimumSupportedClient=<version>.<release>

If you omit [/sitePvkFile=<path+license.pvk>] [/sitePassword=<password>], you will be requested to enter the site key and password in a pop-up window.

For example, if you want to state that agents V8.2 are not supported in your Endpoint Manager environment, you can run the following command:
.\BESAdmin.exe /minimumSupportedClient=9.0
resignsecuritydata
You can resign all of the users' content in the database to enable user login to the Console. The command resigns security data using the existing key file. You can specify the following parameter:
/mastheadLocation=<path+/actionsite.afxm>
The complete syntax to run this service is:
.\BESAdmin.exe /resignsecuritydata /sitePvkLocation=<path+license.pvk>
[ /sitePvkPassword=<password> ] /mastheadLocation=<path+/actionsite.afxm>
rotateserversigningkey
You can rotate the server private key to have the key in the file system match the key in the database. The command creates a new server signing key, resigns all existing content using the new key, and revokes the old key.
The syntax to run this service is:
.\BESAdmin.exe /rotateserversigningkey /sitePvkLocation=<path+license.pvk>
[ /sitePvkPassword=<password> ]
setproxy
If your enterprise uses a proxy to access the Internet, you must set a proxy connection to enable the IBM Endpoint Manager server to gather content from sites as well as to do component-to-component communication or to download files.

The BES components that access the internet run, by default, as the SYSTEM account on the Windows server.

The proxy configuration is managed in the registry by the key HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\Enterprise Server\Proxy.

Run the following command to create or modify the HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\Enterprise Server\Proxy key in the registry:
BESAdmin /setproxy /proxy:<proxy_host> /user:<proxy_username> 
/pass:<proxy_password> [/exceptionlist:<proxy_exceptionlist>]
For information about how to run the command and about the values to use for each argument, see Setting up a proxy connection on the server.