Release Notes V10.0.0

At time of publication, Java™ Web Start does not support FIPS mode and might prevent the controller and player from enforcing compliance with FIPS 140-2 requirements. When FIPS 140-2 compliance is enabled and the controller or player are started by using Java™ Web Start, compliance with the FIPS 140-2 requirements might not be fully enforced for all HTTPS encrypted communications.

At time of publication, Java™ Web Start does not support NIST mode and might prevent the controller and player from enforcing compliance with SP800-131A requirements. When NIST SP800-131A compliance is enabled and the controller or player are started by using Java™ Web Start, compliance with the SP800-131A requirements is not fully enforced. Full compliance with the SP800-131A requirements in this scenario is enforced when the other remote control components are already configured for SP800-131A.

When you run the controller in FIPS or NIST mode, an old JNLP banner splash screen might be displayed instead of the Remote Control banner. Java™ caches the splash image and stores the banner. Therefore, if there is a previous run of the controller, Java™ Web Start does not check to see whether the new image is newer or different. It uses the existing banner. A workaround for this issue is to clear the java cache, which can be done in the Java control panel so that the old banner is no longer used.

If you are using the version 10.0.0-0029 or earlier of the Remote Control Server and you are using the On-demand Target on macOS, when you try to start the application, the error message “The application "BigFixRC-xxx" can't be opened.” is shown. To solve the problem, follow the instructions at Error when you start On-demand Target on macOS.

It is a known limitation that when the installer is run for an upgrade (if the Remote Control server is installed already and shortcuts are present), it does not detect the existing shortcuts, though the shortcuts are still valid. To note, the upgrade preserves the same install location.

When the Lite Web Portal (LWP) is enabled and the property liteweb.portal.autodetect.url is set to "True" and if the portal page is opened using IE11, no session can be started. This is because when "Start" button is clicked an error page is shown reporting the following message: "500 - (Internal server error) The server encountered an error and can't fulfill the request.". This is caused by the missing "Origin" field in the request performed by the IE11. To work around the problem, you can set liteweb.portal.autodetect.url to "False" and manually set the property liteweb.portal.url.

For details and workaround, see HCL Software knowledge article KB0073874

While running the installer, the error message “Installer User Interface Mode Not Supported” is displayed. The workaround is to right click on the installer and run the Windows 8 in compatibility mode.

If you run an installation server task via Wizard on Windows 2019, it fails. From the installation log, it seems that there are problems related to the determination of operating system tsetup.ini. This can be due to installation binary must have the compatibility mode set to Windows 8 before to be manually launched.

While enabling the Privacy Mode feature, you may observe blinking on the obscured target screen and on the controller window. This behavior has been observed on Windows 10 virtual machines with Version 1909. This behavior does not compromise the overall privacy enablement and functionality.

Remote Control V10 uses new code signing certificates. When manually installing the remote control components on Windows systems where the Windows Defender SmartScreen feature is present, the warning message “Windows Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.” may be shown.

Click More info link and proceed with the installation. Over time, the new certificates will gain reputation and the message will no longer show. Refer to Microsoft Documentation for more information about SmartScreen.

During controller upgrade, on Linux environment, the new parameter allow.user.commands is not created in trc_controller.cfg. Therefore, users need to manually add this parameter to use the new feature. This is applicable for all supported platforms. However for managed sessions, during server upgrade, this parameter is added to controller.properties on server and set as 'True' by default.

If Remote Control V10.0 is running on a target with Windows 10 or later with multiple screens, when you try to establish a remote session with that target (either through Peer to peer mode or through Managed mode) and select All Screens after enabling privacy mode, the controller receives corrupted stream, irrespective of the controller version. Fore more information on the Privacy Mode feature, see Privacy Mode and Input Lock. Fore related information, see Viewing multiple target screens.

Start the controller from /Applications. Close the connection window. Click the question mark icon in the toolbar, then click Help. The error message, Unable to show help contents is displayed.

As a workaround, you can run the following command, which requires Administrator authority.

sudo chmod +x "/Applications/Remote Control Controller.app/Contents/Plugins/Java.runtime/Contents/Home/jre/lib/jspawnhelper"

If the ApplePressAndHold feature is enabled on macOS, the controller might block all keyboard input if a key on the keyboard is pressed and held for more than 3 seconds. You must restart the controller to regain keyboard input to the controller.

As a workaround you can disable the feature for the controller application by using the following command:

defaults write com.bigfix.remotecontrol.controller ApplePressAndHoldEnabled -bool false

The behavior is prevented when you use the controller in a peer-to-peer session, or when you use the preinstalled controller in a managed session. The workaround has no effect on a controller that is started with a .jnlp file. To use the workaround for a .jnlp file, the ApplePressAndHold feature must be disabled for all applications for the current user. Type the following command to disable all applications.

defaults write -g ApplePressAndHoldEnabled -bool false

To re-enable the ApplePressAndHold feature, you can rerun the commands and replace false with true.

The issue is seen when the always.use.preinstalled.controller property is set to true in the trc.properties file. When you use Apple's Safari browser on a macOS system to access the server's web interface and start or join a remote control session or play back a session recording, the application does not open automatically. Instead, a file with a Remote Control icon and the extension .trcjws is automatically saved to the Downloads folder. To open the application, click on the Downloads icon on the right hand side of the Dock and then click the downloaded .trcjws file. Alternatively, use a different browser such as Firefox.

Although Java 1.6 is not officially supported since V9.1.2, controllers that run this version of Java fail to connect to the BigFix Remote Control server when HTTPS mode is configured.

The log distribution task exports session audit history from the database to log files on the file system. However, the task can cause java out of memory errors when the query it runs returns a large result set. The log distribution task is enabled by default in older versions of remote control. In the new version of remote control, it is disabled by default for new installations. However, when you upgrade from an older version of remote control, the current setting remains in force. Therefore, it is recommended to turn off this feature if you do not require it. It can cause high memory usage and might cause the server to run out of memory. Especially on servers that have numerous session audit logs in the session history. Also, if you do not process and clean up the exported audit logs, they can use up free disk space. For more information about the setting the values, see Audit log distribution.

If you are using the current version of Internet Explorer 11, the ActiveX control might fail to install when you try to run the on-demand target. Alternatively, you can choose to use Firefox where this limitation does not exist.

During a session, if the controller has the chat window or collaboration windows open when the target loses the connection to the network, the chat and collaboration windows remain active and accessible. However, any action that is taken within the windows has no effect.

During a collaboration session, the num lock icon might not be available to the new master controller after a session handover. The previous master controller still has access to the icon but nothing happens when they click the icon.

During a collaboration session, if a participant loses network connection and then reconnects to the session, the participant limit is not enforced when they reconnect. For example, the participant limit is one and UserA is connected to the session. UserA loses network connection. UserB requests to join the session and is accepted. UserA reconnects to the network and because of the session resilience feature, reconnects to the remote control session. Two participants are now in the session although the limit is set to one.

During a server installation that uses the installer, if you select to create the database, and a database exists with the same name, an error is reported. The message window provides two options, Retry and Continue. When you click Retry, nothing happens. When you click Continue, the installation proceeds and the existing database is used.

On Microsoft™ Windows™ systems, when you use the accessible user interface, the Enter connection code option is not available, preventing you from starting a session through a broker. To enable the option, disable the accessible UI by setting Accessibility=no in the target configuration.

On 64-bit versions of Windows™, during an attended installation of the device driver for the virtual smart card reader, the installer can exit without installing the device driver. This issue occurs if the installation of the Microsoft™ Visual C++ 2015 Redistributable Package prompts to restart the system and you select No.

In the first phase of macOS support for Remote Control, compliance with FIPS 140-2 or NIST SP800-131a is not supported. The remote control target uses OpenSSL. However, OpenSSL does not have FIPS 140-2 certification and validation for OS X El Capitan (10.11) or macOS Sierra (10.12). The BigFix® Remote Control Target for macOS cannot be configured to run in FIPS mode.

The BigFix® Remote Control Controller for macOS is bundled with the Oracle Java SE Runtime Environment, which does not have a FIPS certified cryptographic provider. If the controller is configured for FIPS or NIST compliance mode, or it is launched from a remote control server in which FIPS or NIST compliance is configured, the connection to the target fails with the following error message: Error initializing the local FIPS certified cryptographic provider. The session cannot be established.

The BigFix® Remote Control Target for macOS does not support Fast User Switching during a remote control session. Also, when you switch to a different user account, no message is displayed on the controller to indicate that the session is temporarily interrupted.

When a user logs out, all the applications that are running in the user's session are terminated. Therefore, because the BigFix® Remote Control Target for macOS runs as an application, it is terminated too.

These limitations also apply to the BigFix® Remote Control Target for macOS in an on-demand session.

When a .jnlp file is started from the server to run the controller or player, macOS might block it from running. A message reports an unsigned application. No option is available to continue, instead you must go to the control panel, and in the Security & Privacy panel, select the option to allow the application to run anyway. User authentication is requested before you can continue.

To prevent the message from being displayed, enable the always.use.preinstalled.controller property on the server. Also, ensure that the controller is installed on the macOS system before you start a session.

Any macOS version 10.14 or lower prevents applications from listening on port 1024 and lower. These ports require root privileges, but in this release, the target runs with the privileges of the current user. Therefore, the default port is 8787 but you can manually set it to 888 if you are running macOS 10.15 or greater.

The standalone player, which is used to play back local session recordings, must be installed separately on macOS systems. On Windows™ and Linux™ systems, this application is installed by the controller package. On macOS systems, install trc_player.pkg separately. You can obtain the trc_player.pkg file from FlexNet Operations or from the BigFix® Remote Control server UI. For more information, see Obtain the installation files.

When the AuditToSystem property is enabled, the installed BigFix® Remote Control Target for macOS target adds audit events to a file in the user's home directory, rather than to the system event log. The file is trcaudit_[date]_[time].log file, where [date]_[time] is the date and time that the session took place.

You can use the Run Tools tab in the controller configuration window to enter tools that can be run on the target. However, running tools on the BigFix® Remote Control Target for macOS is not implemented.

File Transfer session mode is not yet implemented on the BigFix® Remote Control Target for macOS. The target refuses the session when a session is started in this session mode.

The following options in the Perform Action in Target menu in the controller UI are not supported: Drawing Tool, Highlighting Tool, Clear Instructions, and Lock Workstation.

The trc_controller.cfg file is contained in the Remote Control Target.app. The files and content within the application are signed. If an administrator changes values in the .cfg file, the controller might fail to start. Therefore, the default values cannot be changed in the installed product, nor can the administrator enforce any global configuration settings by using the mandatory options. You can create a local configuration when you run the controller by using the Configure controller option in the controller UI.

A controller user cannot inject Force Quit against a BigFix® Remote Control Target for macOS that is running OS X El Capitan 10.11.

The following limitation is not an issue when you upgrade from version 9.0.0, 9.0.1, or 9.1.0 to Remote Control.

In IBM® Endpoint Manager for Remote Control version 9.0.0, new capabilities were introduced that can cause compatibility issues with earlier versions. The issues occur if the different components are not upgraded in the correct order.

The limitation applies only to environments where the gateway and broker components are deployed. In these environments, the broker and gateway must be updated before the server or the target components. After they are upgraded, the targets and server can be upgraded in the order that best suits your environment because there are no dependencies between them.

Always back up any properties files. You must back up your properties files for a controller upgrade in this release because any existing properties are lost.

Older versions of Remote Control controllers, earlier that V9.1.4, cannot connect to V9.1.4 targets that by default refuse AES and MARS encryption. Upgrade the controller components to the latest version to avoid this incompatibility.

When the Remote Control server is configured to be compliant with the NIST SP800-131A requirements, it requires all encrypted SSL/TLS connections to use TLS 1.2 exclusively. This compliance requirement can prevent connectivity from the server to other components that might not support TLS 1.2 connections or might require further specific configuration. For example, database servers, LDAP servers, or mail servers.

Java™ does not support legacy use of SSL certificates with SHA-1. This issue affects the server and the controller. When NIST SP800-131A compliance is enabled, the server and the controller components disallow the usage or verification of certificates that use SHA-1. The certificates must be updated to SHA-2.

During a session if the session ends because the inactivity timeout limit is reached, and the Choose file to send window is open in the target, the window does not close at the end of the session. If the target is an on-demand target, the target does not exit until you click OK or Cancel in the window.

Some virtualization software does not render a mouse on the guest. Instead, only the mouse on the host is used to stop the user from seeing two pointers instead of one. As a side effect, when the virtual machine is under the control of a remote controller, the local user might not see the mouse move within the guest window.

During the server installation, when you are using the installer program, the auto-generated certificate overwrite and password options are not enabled at first. If you are using an auto generated certificate and want to enable the overwrite and password options, click Use an auto generated certificate store to enable them.

This limitation applies to Windows™ 8.1 and Windows™ Server 2012 R2 operating systems and it affects standard users only. During a session with an on-demand target, if you select 'Inject Alt + Tab' from the controller action menu, it has no effect on the target system. In Windows™ 8.1 and Windows™ Server 2012 R2 operating systems, Microsoft™ blocks applications from injecting the Alt + Tab keyboard shortcut except for Ease of Access applications. The on-demand target can mark itself as an Ease of Access application when it is run by an administrator user but not when it is run by a standard user.

When you install the CLI tools in a Windows™ operating system and select Use a proxy server or a Remote Control Gateway during the installation, two options are enabled. You can either select Use an HTTP proxy or Use a Remote Control Gateway. However, the CLI tools do not work in environments where gateways are configured and the Use a Remote Control Gateway is not applicable.

During a session with a Linux™ target, the Enable Privacy and Enable Input Lock options might be available in the Perform Action in target menu in the controller. Clicking the options has no effect on the target because these features are not supported on a Linux™ target.

In the server UI, the logon page is displayed when you select an option after a period of inactivity. The time limit is defined in the web.xml file. However, when you select AdminView Current Server Status and keep the page on display, the web session does not time out. The result is that you can continue to select options after the time limit is reached and the logon page is not displayed.

During a remote control session, if the visible target area is too large and the VRAM of the computer that runs the controller is too small, the image on the controller flickers. The scroll bars on the session window do not work and might hide occasionally. The controller session window toolbar might also be hidden by the target screen.

The Windows™ 10 startup screen is a background image that must be cleared to get to the logon screen. When you go to the logon prompt and there is no further input, the background screen is displayed again. The smart card reader might take a while to load, which means that the background screen is redisplayed before you can select the smart card as the logon method. Therefore, you must clear the background again and choose the smart card.

Brokers require an SSL or TLS certificate that is verified by the endpoints or other brokers when they establish a secure connection. The host name can be encoded in the certificate by using two methods. The traditional method that uses the commonName (CN) field in the Subject is deprecated in favor of the subjectAltName extension. SSL or TLS clients must verify any subjectAltName extensions, if they are present, and fall back to the CN field otherwise. Due to a problem with the verification code in the broker and target, the subjectAltName verification is disabled until a solution is found.

The broker, target, and CLI components in Remote Control are unable to support verification of wildcard certificates. The only solution currently is to request a server certificate with the server's full FQDN in the CN field. It is acceptable for the certificate to have subjectAltName fields. The limitation that the broker and target ignore these fields when they verify the certificate.

When the On-demand target is run on a Linux™ operating system as a normal user, some of the target information cannot be retrieved when you use the Get System Info feature. The following target information is blank when you retrieve or view the system information. Model, Vendor, Serial Number, UUID.

When you try to launch the Remote Control on-demand target from the landing page, by using Firefox you might be unable to install the on-demand plug-in if HTTPS is being used and the server's certificate is not signed by a CA in the Firefox truststore.

During a session in which smart card authentication is enabled, the controller can fail to detect the insertion or removal of a smart card from the card reader. This issue is intermittent. To resolve the issue when you are in a peer to peer session you can end the session, then close the controller and reopen it. Start a new session and use the smart card feature again. To resolve the issue in a managed session, end the session, start a new session, and use the smart card feature again.