IBM Endpoint Manager, Version 9.2

List of advanced options

The following lists show the advanced options that you can specify in the Advanced Options tab of the IBM BigFix Administrative tool on Windows systems, or in the BESAdmin.sh command on Linux systems using the following syntax:
./BESAdmin.sh -setadvancedoptions -sitePvkLocation=<path+license.pvk>
[-sitePvkPassword=<password>]  
{ -list | -display 
| [ -f ] -delete option_name 
| [ -f ] -update option_name=option_value }
Note: The notation <path+license.pvk> used in the command syntax stands for path_to_license_file/license.pvk.

These options are typically supplied by your IBM Software Support.

Advanced options for disabling functions

Use these options if you want to disable specific capabilities on the console.
disableNmoSiteManagementDialog
If set to "1", the site management dialog is unavailable to non-master operators (NMOs).
disableNmoComments
If set to "1", NMOs cannot add comments. NMOs will still be able to view comments.
disableNmoManualGroups
If set to "1", NMOs cannot add or remove computers from manual groups, and see manual groups that none of their computers are members of.
disableGlobalRelayVisibility
If set to "1", NMOs cannot see relays in the relay-selection drop-downs in the console that don't belong to them. The exception is when they view a machine that is currently configured to report to a relay not administered by them; in this case that relay appears in the list as well.
disableNmoRelaySelModeChanges
If set to "1", NMOs cannot toggle automatic relay selection on and off.
disableDebugDialog
If set to "1", the keyboard sequence CTRL-ALT-SHIFT-D cannot be used to open up the console's debug dialog.
disableComputerNameTargeting
If set to "1", the third radio option "target by list of computer names" is removed on the targeting tab of the take action dialog.
allowOfferCreation
If set to "0", the 'Offer' tab in the Take Action Dialog is disabled. Offer presets in Fixlets are ignored by the console.
disableNmoCustomSiteSubscribe
If set to "1", the "Modify Custom Site Subscriptions" menu item is disabled for all NMOs.

Advanced options for password policies

Use these settings to enforce password policies in your BigFix environment.
passwordComplexityRegex
Specifies a perl-style regular expression to use as a password complexity requirement when choosing or changing operator passwords. These are some examples:
  • Require a 6-letter or longer password that does not equal the string 'bigfix'.
    (?![bB][iI][gG][fF][iI][xX]).{6,}
  • Require a 6-letter or longer password containing lowercase, upper case, and punctuation.
    (?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:punct:]]).{6,}
  • Require an eight-character or longer password that contains 3 of the following 4 character classes: lowercase, uppercase, punctuation, and numeric.
    ((?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:punct:]])|
    (?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:digit:]])|
    (?=.*[[:lower:]])(?=.*[[:digit:]])(?=.*[[:punct:]])|
    (?=.*[[:digit:]])(?=.*[[:upper:]])(?=.*[[:punct:]])).{8,}
Note: The Site Administrator passwords are not affected by this complexity requirement.
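The following Ruby script is an added example, not IBM code: it dry-runs the three patterns above against constructed sample passwords so that a policy can be checked before it is deployed. It assumes the server matches the whole password (modelled with \A(?:...)\z), and it uses Ruby only because its regular expression engine accepts the [[:lower:]]-style classes; the names PATTERNS, SAMPLES, accepts? and dry_run are hypothetical.

```ruby
# Added example: dry-run candidate passwordComplexityRegex values.
# Assumption: the whole password must match, modelled with \A(?:...)\z.

# The three patterns from the documentation above, keyed by a short label.
PATTERNS = {
  not_bigfix: '(?![bB][iI][gG][fF][iI][xX]).{6,}',
  lower_upper_punct: '(?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:punct:]]).{6,}',
  three_of_four: '((?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:punct:]])|' \
                 '(?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:digit:]])|' \
                 '(?=.*[[:lower:]])(?=.*[[:digit:]])(?=.*[[:punct:]])|' \
                 '(?=.*[[:digit:]])(?=.*[[:upper:]])(?=.*[[:punct:]])).{8,}'
}.freeze

# Constructed sample candidates (not real credentials).
SAMPLES = %w[bigfix BigFix bigfix2024 xbigfix abcdef Abcde!
             abcdefgh Abcdefg1 abc1234! Ab1!].freeze

# Returns true when the whole candidate satisfies the pattern.
def accepts?(pattern, candidate)
  Regexp.new("\\A(?:#{pattern})\\z").match?(candidate)
end

# Returns a hash of candidate => accepted (true/false) for one pattern.
def dry_run(pattern, candidates)
  candidates.map { |c| [c, accepts?(pattern, c)] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  PATTERNS.each do |name, pattern|
    puts name
    dry_run(pattern, SAMPLES).each do |candidate, ok|
      puts format('  %-12s %s', candidate, ok ? 'accepted' : 'rejected')
    end
  end
end
```

Under the whole-string assumption, the first pattern rejects every password that begins with "bigfix" in any letter case (for example bigfix2024), but accepts one that merely contains it later (xbigfix).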
passwordComplexityDescription
Specifies a description of the password complexity requirement. This string is displayed to the user when a password choice fails the complexity requirements set using the passwordComplexityRegex option. An example of a password complexity description is "Passwords must have at least 6 characters." If you do not set this value but you set the passwordComplexityRegex setting, the description set in passwordComplexityRegex is displayed to the user.
passwordsRemembered
Specifies the number of unique new passwords that can be set for a user account before an old password can be reused. The default value is "0".

This option was introduced with IBM BigFix V8.2.

maximumPasswordAgeDays
Specifies the number of days that a password can be used before the system requires the user to change it. The default value is "0" (no maximum).

This option was introduced with IBM BigFix V8.2.

minimumPasswordLength
Specifies the least number of characters that a password for a user account can contain. The default value is "6". This is a usage example of this option:
./BESAdmin.sh -setadvancedoptions -sitePvkLocation=LOCATION
-sitePvkPassword=PASSWORD -update minimumPasswordLength=9

This option was introduced with IBM BigFix V8.2.

enforcePasswordComplexity
If set to '1' or 'true', the passwords must meet the following minimum requirements:
  • They must not contain the user's account name or parts of the user's full name that exceed two consecutive characters.
  • They must be at least six characters long.
  • They must contain characters from three of the following four categories:
        English uppercase characters (A through Z) 
        English lowercase characters (a through z) 
        Base 10 digits (0 through 9) 
        Non-alphabetic characters (for example, !, $, #, %)
If you also specify the minimumPasswordLength setting, the effective minimum password length is the higher value between six and the value of minimumPasswordLength.

Complexity requirements are enforced when passwords are changed or created. The default value is "0".

This option was introduced with IBM BigFix V8.2.

accountLockoutThreshold
Specifies the number of incorrect logon attempts for a user name before the account is locked for accountLockoutDurationSeconds seconds. The default value is "5".

This option was introduced with IBM BigFix V8.2.

accountLockoutDurationSeconds
Specifies the number of seconds that an account is locked after accountLockoutThreshold failed logon attempts. The default value is "1800".

This option was introduced with IBM BigFix V8.2.

Note: Web Reports has similar password controls, but they have to be set separately ('Users'->'User Options').

Advanced options for targeting restrictions

The options listed in the following table take effect only if the corresponding registry keys are not set on the consoles or if the keys are set to the default values.
targetBySpecificListLimit
Specifies the maximum number of computers that can be targeted by individual selection.
targetBySpecificListWarning
Specifies the threshold for the number of computers that can be targeted by individual selection before the console displays a warning message.
targetByListSizeLimit
Specifies the maximum number of bytes that can be supplied when targeting by textual list of computer names.

Advanced options for authentication

Use these settings to manage user authentications to the console.
loginTimeoutSeconds
Specifies the amount of idle time in seconds before the console requires reauthentication to take certain actions. The timer is reset every time the user reauthenticates or does an action that would have required authentication within the idle time threshold. The default value is zero on upgrade from a deployment earlier than V8.2; the default value is infinity on a clean install of V8.2 or later.
loginWarningBanner
Specifies the text to show to any user after he/she logs into the Console or Web Reports. The user must click OK to continue. This is a usage example of this option:
./BESAdmin.sh -setadvancedoptions -sitePvkLocation=/root/backup/license.pvk 
-sitePvkPassword=pippo000 -update loginWarningBanner='new message'

This option was introduced with IBM BigFix V9.1.

timeoutLockMinutes
Specifies how many minutes of idle time must elapse before the console requires the user to authenticate again. This setting is different from loginTimeoutSeconds because timeoutLockMinutes hides the entire console to prevent any other user from seeing or using it. The idle time refers to the lack of any type of input to the session, including key presses, mouse clicks, and mouse movements.

This option was introduced with IBM BigFix V9.1.

Note: The non efficient mime advanced option is no longer supported by the BigFix V9.2 server. Existing actions continue to run on clients, but the server is no longer able to generate non efficient mime actions.

Advanced options for customizing computer removal

By default, inactive computers are not automatically managed by IBM BigFix. They continue to be displayed in the console views unless you mark them as deleted by deleting their entries from the Computers list view, and their data is always kept in the database, filling tables with unused data.

You can modify this behavior by specifying advanced options that mark inactive computers as deleted, hiding them in the console views, and remove their data from the IBM BigFix database.

In this way the console views show only the computers that reported back to the IBM BigFix server within a specified number of days and the database runs faster because you free more disk space.

Use the following options to automatically remove computers from the console and delete their data from the database:
inactiveComputerDeletionDays
Specifies the number of consecutive days that a computer does not report back to the IBM BigFix server before it is marked as deleted. When the computer reports back again, it is no longer marked as deleted and an entry for it is shown again in the console views. The default value for this option is 0, which means that inactive computers are never automatically marked as deleted.
inactiveComputerPurgeDays
Specifies the number of consecutive days that a computer does not report back to the BigFix server before its data is deleted from the BigFix database. When the computer reports back again, it is requested to send back a full refresh to restore its data in the database and it is no longer marked as deleted. The default value for this option is 0, which means that computer data is never automatically removed from the database.
inactiveComputerPurgeBatchSize
On a daily basis, BigFix runs an internal task that removes from the database the data of the computers for which inactiveComputerPurgeDays elapsed. The task deletes the computer data, including the computer's hostname, in buffers to avoid potential load to the database. The inactiveComputerPurgeBatchSize value specifies how many computers are cleaned up in the database in each buffer. The default value for this option is 1000. If the computer reports back again, the matching with its entry in the database is done using the computer ID.
Note: Specify the option inactiveComputerPurgeBatchSize if you assigned a value different from 0 to inactiveComputerPurgeDays.

Other advanced options

Use these options to customize other aspects of your BigFix environment.
includeSFIDsInBaselineActions
If set to "1", it requires the console to include source Fixlet IDs when emitting baseline actions. Emitting these IDs is not compatible with 5.1 clients.
defaultHiddenFixletSiteIDs
This option allows you to selectively change the default Fixlet visibility on a per-site basis. It only takes effect when global default Fixlet hiding is not in use. You specify a comma-separated list of all the site IDs to be hidden by default. The list of site IDs is in the SITENAMEMAP table in the database.
showSingleActionPrePostTabs
If set to "1", the 'Pre-Action Script' and 'Post-Action Script' tabs of the Take Action Dialog show up even on single actions.
propertyNamespaceDelimiter
Specifies the separator for retrieved properties. By default, retrieved properties are separated into namespaces by the character sequence '::'. The character sequence used to indicate a separator can be changed using this deployment option.
minimumConsoleRequirements
Specifies the minimum requirements that must be satisfied by the machines running the database that the console connects to. Its value consists of a comma-separated list of one or more of the following requirement strings:
"RAM:<min MB MO ram>/<min MB NMO ram>"
Requires that the console runs on a machine with at least the specified amount of physical RAM. Two different values must be supplied; one for master operators and another for non-master operators. Both values must be less than 2^32. For example, "RAM:2048/1024" .
"ClientApproval"
States that the BES Client must determine if a machine is suitable for login. A machine is considered suitable for login if one of the following settings is specified locally:
  • "moConsoleLoginAllowed"
  • "nmoConsoleLoginAllowed"
The console must run as an account with permissions to read the client registry keys stored under HKEY_LOCAL_MACHINE to log in when using the "ClientApproval" option.

To enable the master operator login from a Windows client computer where the console is running, add the following registry keys:

  • On a 64-bit computer:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix\EnterpriseClient\Settings\Client\moConsoleLoginAllowed]value=1

  • On a 32-bit computer:

    [HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\Settings\Client\moConsoleLoginAllowed]value=1

To enable the non master operator login from a Windows client computer where the console is running, add the following registry keys:

  • On a 64-bit computer:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix\EnterpriseClient\Settings\Client\nmoConsoleLoginAllowed]value=1

  • On a 32-bit computer:

    [HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\Settings\Client\nmoConsoleLoginAllowed]value=1

This option was introduced with IBM BigFix V6.0.12.

actionSiteDBQueryTimeoutSecs
Specifies how long action site database queries can run before the console stops the query (to release its read lock and let any database writers through), and then restarts the query where it left off. If not set, the default value is 60 seconds. If set to "0", the action site database queries never time out.

This option was introduced with IBM BigFix V6.0.17.

usePre70ClientCompatibleMIME
If set to "true", the console can create action MIME documents that pre-7.0 clients can understand. By default, it is set to "true" on upgrade and "false" for fresh installs.

This option was introduced with IBM BigFix V7.0.

disableRunningMessageTextLimit
If set to a value other than "0", the console users can enter more than 255 characters in the running message text in the Take Action Dialog.

This option was introduced with IBM BigFix V7.0.7.

useFourEyesAuthentication
If set to "true", you can set the approvers for user actions in console user document. The approver must confirm the action on the same console where the user is logged on.

This option was introduced with IBM BigFix V8.2.

masterDatabaseServerID
By default, the database with server ID 0 is the master database. This is the database that BESAdmin needs to connect to. Use this option to change the master database to a different machine.

This option was introduced with IBM BigFix V7.0.

enableWakeOnLAN
If set to "1", the console shows the "right click WakeOnLAN" functionality in the computer list. By default the functionality is not shown.

This option was introduced with IBM BigFix V7.1.

enableWakeDeepSleep
If set to "1", the console shows the "right click Send BESClient Alert Request" functionality in the computer list. By default the functionality is not shown. During Deep sleep, all UDP messages except this specific wake up message are ignored.

This option was introduced with IBM BigFix V8.0.

requireConfirmAction
If set to "1", every time an action is taken a confirmation pop-up window with a summary of the action details is displayed. The information listed in the pop-up window is:
Action Title
Estimated endpoints targeted
Start time
End time
The summary lists the need of doing a restart or a shutdown as well, if the action requires it. By default the confirmation window is not displayed.

This option was introduced with IBM BigFix V7.1.


