This glossary provides terms and definitions for the Modern Client Management for BigFix software and products.

The following cross-references are used in this glossary:
  • See refers you from a non-preferred term to the preferred term or from an abbreviation to the spelled-out form.
  • See also refers you to a related or contrasting term.


  1. See Fixlet.
  2. A set of Action Script commands that perform an operation or administrative task, such as installing a patch or rebooting a device.
Action Script
Language used to perform an action on an endpoint.
See BigFix agent.
ambiguous software
Software that has an executable file that looks like another executable file, or that exists in more than one place in a catalog (Microsoft Word as a standalone product or bundled with Microsoft Office).
audit patch
A patch used to detect conditions that cannot be remediated and require the attention of an administrator. Audit patches contain no actions and cannot be deployed.
automatic computer group
A computer group for which membership is determined at run time by comparing the properties of a given device against the criteria set for group membership. The set of devices in an automatic group is dynamic, meaning that the group can and does change. See also computer group.


A collection of actions that are deployed together. A baseline is typically used to simplify a deployment or to control the order in which a set of actions are applied. See also deployment group.
BigFix agent
The BigFix code on an endpoint that enables management and monitoring by BigFix.
BigFix client
See BigFix agent.
BigFix console
The primary BigFix administrative interface. The console provides a full set of capabilities to BigFix administrators.
Bring Your Own Device (BYOD) refers to employees using personal devices to connect to their organizational networks and access work-related systems and potentially sensitive or confidential data.


A software program or computer that requests services from a server. See also server.
client time
The local time on a BigFix client device.
A set of compute and storage instances or services that are running in containers or on virtual machines.
Common Vulnerabilities and Exposures Identification Number (CVE ID)
A number that identifies a specific entry in the National Vulnerability Database. A vendor's patch document often includes the CVE ID, when it is available. See also National Vulnerability Database.
Common Vulnerabilities and Exposures system (CVE)
A reference of officially known network vulnerabilities, which is part of the National Vulnerabilities Database (NVD), maintained by the US National Institute of Standards and Technology (NIST).
An individual action within a deployment that has more than one action. See also deployment group.
computer group
A group of related computers. An administrator can create computer groups to organize systems into meaningful categories, and to facilitate deployment of content to multiple computers. See also automatic computer group and manual computer group.
See BigFix console.
Digitally-signed files that contain data, rules, queries, criteria, and other instructions, packaged for deployment across a network. BigFix agents use the detection criteria (Relevance statements) and action instructions (Action Script statements) in content to detect vulnerabilities and enforce network policies.
content relevance
A determination of whether a patch or piece of software is eligible for deployment to one or more devices. See also device relevance.
Coordinated Universal Time (UTC)
The international standard of time that is kept by atomic clocks around the world.
corrupt patch
A patch that flags an operator when corrections made by an earlier patch have been changed or compromised. This situation can occur when an earlier service pack or application overwrites later files, which results in patched files that are not current. The corrupt patch flags the situation and can be used to re-apply the later patch.
custom content
BigFix code that is created by a customer for use on their own network, for example, a custom patch or baseline.
See Common Vulnerabilities and Exposures system.
See Common Vulnerabilities and Exposures Identification Number.


data stream
A string of information that serves as a source of package data.
default action
The action designated to run when a Fixlet is deployed. When no default action is defined, the operator is prompted to choose between several actions or to make an informed decision about a single action.
definitive package
A string of data that serves as the primary method for identifying the presence of software on a computer.
To dispatch content to one or more endpoints for execution to accomplish an operation or task, for example, to install software or update a patch.
Information about content that is dispatched to one or more endpoints, a specific instance of dispatched content.
deployment group
The collection of actions created when an operator selects more than one action for a deployment, or a baseline is deployed. See also baseline, component, deployment window, and multiple action group.
deployment state
The eligibility of a deployment to run on endpoints. The state includes parameters that the operator sets, such as 'Start at 1AM, end at 3AM.'
deployment status
Cumulative results of all targeted devices, expressed as a percentage of deployment success.
deployment type
An indication of whether a deployment involved one action or multiple actions.
deployment window
The period during which a deployment's actions are eligible to run. For example, if a Fixlet has a deployment window of 3 days and an eligible device that has been offline reports in to BigFix within the 3-day window, it gets the Fixlet. If the device comes back online after the 3-day window expires, it does not get the Fixlet. See also deployment group.
An endpoint, for example, a laptop, desktop, server, or virtual machine that BigFix manages; an endpoint running the BigFix Agent.
device holder
The person using a BigFix-managed computer.
device property
Information about a device collected by BigFix, including details about its hardware, operating system, network status, settings, and BigFix client. Custom properties can also be assigned to a device.
device relevance
A determination of whether a piece of BigFix content applies to applies to a device, for example, where a patch should be applied, software installed, or a baseline run. See also content relevance.
device result
The state of a deployment, including the result, on a particular endpoint.
Disaster Server Architecture (DSA)
An architecture that links multiple servers to provide full redundancy in case of failure.
See Disaster Server Architecture.
dynamically targeted
Pertaining to using a computer group to target a deployment.


A networked device running the BigFix agent.


To reduce a list of items to those that share specific attributes.
A piece of BigFix content that contains Relevance and Action Script statements bundled together to perform an operation or task. Fixlets are the basic building blocks of BigFix content. A Fixlet provides instructions to the BigFix agent to perform a network management or reporting action.
Full Disk Encryption
To reduce a list of items to those that share specific attributes.


group deployment
A type of deployment in which multiple actions were deployed to one or more devices.


An endpoint state that prevents most of the BigFix actions from running until the device is unlocked.


See multiple action group.
management rights
The limitation of console operators to a specified group of computers. Only a site administrator or a master operator can assign management rights.
manual computer group
A computer group for which membership is determined through selection by an operator. The set of devices in a manual group is static, meaning they do not change. See also computer group.
master operator
A console operator with administrative rights. A master operator can do everything that a site administrator can do, except creating operators.
A collection of files that contain the parameters of the BigFix process, including URLs to Fixlet content. The BigFix agent brings content into the enterprise based on subscribed mastheads.
MCM and BigFix Mobile
Refers to the offering by Bigfix that is common for both Modern Client Management to manage laptops (Windows and macOS) and BigFix Mobile to manage mobile devices (Android, iOS, and iPadOS).
mirror server
A BigFix server required if the enterprise does not allow direct web access but instead uses a proxy server that requires password-level authentication.
The utilization of distinct sets of cloud services, typically from multiple vendors, where specific applications are confined to a single cloud instance​.
multiple action group (MAG)
A BigFix object that is created when multiple actions are deployed together, as in a baseline. A MAG contains multiple Fixlets or tasks. See also deployment group.


A deployment option that allows a device holder to accept or decline a BigFix action and to exercise some control over when it runs. For example, a device holder can decide whether to install a software application, and whether to run the installation at night or during the day.
open-ended deployment
A deployment with no end or expiration date; one that runs continuously, checking whether the computers on a network comply.
A person who uses the BigFix WebUI, or portions of the BigFix console.


A piece of code added to vendor software to fix a problem, as an immediate solution that is provided to users between two releases.
patch category
A description of a patch's type and general area of operation, for example, a bug fix or a service pack.
patch severity
The level of risk imposed by a network threat or vulnerability and, by extension, the importance of applying its patch.


A client that is running special server software. Relays spare the server and the network by minimizing direct server-client downloads and by compressing upstream data.
BigFix query language that is used to determine the applicability of a piece of content to a specified endpoint. Relevance asks yes or no questions and evaluates the results. The result of a Relevance query determines whether an action can or should be applied. Relevance is paired with Action Script in Fixlets.


See Security Content Automation Protocol.
SCAP check
A specific configuration check within a Security Content Automation Protocol (SCAP) checklist. Checks are written in XCCDF and are required to include SCAP enumerations and mappings per the SCAP template.
SCAP checklist
A configuration checklist that is written in a machine-readable language (XCCDF). Security Content Automation Protocol (SCAP) checklists have been submitted to and accepted by the NIST National Checklist Program. They also conform to a SCAP template to ensure compatibility with SCAP products and services.
SCAP content
A repository that consists of security checklist data represented in automated XML formats, vulnerability and product name related enumerations, and mappings between the enumerations.
SCAP enumeration
A list of all known security related software flaws (CVEs), known software configuration issues (CCEs), and standard vendor and product names (CPEs).
SCAP mapping
The interrelationship of enumerations that provides standards-based impact measurements for software flaws and configuration issues.
Security Content Automation Protocol (SCAP)
A set of standards that is used to automate, measure, and manage vulnerability and compliance by the National Institute of Standards and Technology (NIST).
A software program or a computer that provides services to other software programs or other computers. See also client.
signing password
A password that is used by a console operator to sign an action for deployment.
single deployment
A type of deployment where a single action was deployed to one or more devices.
A collection of BigFix content. A site organizes similar content together.
site administrator
The person who is in charge of installing BigFix and authorizing and creating new console operators.
software package
A collection of Fixlets that install a software product on a device. Software packages are uploaded to BigFix by an operator for distribution. A BigFix software package includes the installation files, Fixlets to install the files, and information about the package (metadata).
SQL Server
A full-scale database engine from Microsoft that can be acquired and installed into the BigFix system to satisfy more than the basic reporting and data storage needs.
standard deployment
A deployment of BigFix that applies to workgroups and to enterprises with a single administrative domain. It is intended for a setting in which all Client computers have direct access to a single internal server.
statistically targeted
Pertaining to the method used to target a deployment to a device or piece of content. Statically targeted devices are selected manually by an operator.
superseded patch
A type of patch that notifies an operator when an earlier version of a patch has been replaced by a later version. This occurs when a later patch updates the same files as an earlier one. Superseded patches flag vulnerabilities that can be remediated by a later patch. A superseded patch cannot be deployed.
system power state
A definition of the overall power consumption of a system. BigFix Power Management tracks four main power states Active, Idle, Standby or Hibernation, and Power Off.


To match content with devices in a deployment, either by selecting the content for deployment, or selecting the devices to receive content.
The method used to specify the endpoints in a deployment.
A type of Fixlet designed for re-use, for example, to perform an ongoing maintenance task.


virtual private network (VPN)
An extension of a company intranet over the existing framework of either a public or private network. A VPN ensures that the data that is sent between the two endpoints of its connection remains secure.
See virtual private network.
A security exposure in an operating system, system software, or application software component.


A mode that allows an application to turn a computer on from standby mode during predefined times, without the need for Wake on LAN.
Wake on LAN
A technology that enables a user to remotely turn on systems for off-hours maintenance. A result of the Intel-IBM Advanced Manageability Alliance and part of the Wired for Management Baseline Specification, users of this technology can remotely turn on a server and control it across the network, thus saving time on automated software installations, upgrades, disk backups, and virus scans.
See wide area network.
wide area network (WAN)
A network that provides communication services among devices in a geographic area larger than that served by a local area network (LAN) or a metropolitan area network (MAN).