Creating Server Based Computer Groups

BigFix Platform 10.0.4 introduces the Server Based Computer Group, a new type of Group designed to deal better with correlated devices and all their representations. This section describes the scenario in which this Group can be used and how it works.

Introduction

With versions earlier than BigFix Platform 10.0.4, BigFix makes available two types of Groups: Manual and Automatic Groups.
  • Manual Groups: These Groups are static and Group membership is assigned manually.
  • Automatic Groups: These are dynamic Groups where the membership can change dynamically, depending on the current values of the inclusion properties evaluated by the BigFix Agent.
The Server Based Computer Groups are different compared to the previous two types of Groups because:
  • Membership is evaluated on the Server Side on a regular basis, with a refresh time that can be configured.
  • Membership takes into consideration devices as a whole, therefore all the representations of a device will belong to the Group.

See Introducing Computer Groups for a summary table listing the differences and scenarios associated with the three types of Groups.

A Server Based Computer Group includes the correlated object and all its instances if the property clause defined in the Group membership definition evaluates to true, regardless of which instance the property belongs to. This ensures that the Group is aware of the correlation and treats the device as a single entity target for any regular BigFix operation.

For example, as a BigFix Operator you might want to create a Group that contains all the devices that have a specific AWS tag, and you decide to use this Group as a target for deploying a Patch Management Fixlet. This means that the membership will be calculated based on the retrieved, non-agent, property "Cloud tag" but you can use the BigFix Agent to patch all the AWS machines that an AWS Operator tagged for patching.

Although the Server Based Computer Group was created to handle correlated devices, it can also be used when correlation is not involved. In fact, you can use any property as a criterion for membership, not necessarily the reserved properties created on purpose to leverage data included in the non-agent representations (as explained below).

The real advantage of this new type of Group is that membership is periodically evaluated on the Server. The evaluation is based on the data stored in the database from the last report received from the Client.

As noted, membership is dynamically re-evaluated at a fixed, configurable interval. See the Procedure section for more details on how to set the refresh interval.

Because of this, there might be a slight discrepancy with the live agent status. However, when you can rely on database information, this approach saves network traffic and agent evaluation cycles for large Groups of computers.

Along with the introduction of Server Based Computer Groups, BigFix Platform 10.0.4 makes available a new inspector whose details can be found here and a new property for Session relevance object whose details can be found here.

Server Based Computer Groups can be created in one of the two following ways:

  • With the Console, see below for more details.
  • With REST API, see here for more details.

Procedure

To create a Server Based Computer Group, follow this procedure:

  1. Click Tools > Create New Server Based Group.
  2. From the Create Server Based Computer Group dialog, enter the name of your Group.


  3. Select the refresh interval for this specific Server Based Computer Group. The default value for this parameter is 15 minutes but you might want to change it depending on your specific use case. For example, in a Cloud scenario where you are using the AWS plugin configured with the default 2 hours refresh time, you can set your Server Based Group refresh interval to 1 hour instead of 15 minutes.
  4. Select the site where the new Server Based Computer Group must be created, the default is the Master Action Site.
  5. Enter a property, a relation, and a value into the three boxes at the bottom of the dialog.
  6. Take into account that the Create Server Based Computer Group dialog lists only reserved properties. To add reserved properties, such as AWS Region used in this example, you can follow the steps described here.
  7. Select the desired property, and the Group membership condition, for example AWS Region contains us-west-.
  8. Click the + button to add a new Group membership property, for example Agent Type equals native.
  9. Select the desired mode condition, in the example Include computers with all of the following properties is selected.
  10. When you are finished, click Create to propagate the Group settings. You now have a new Server Based Computer Group that is listed under the Computer Groups icon in the navigation tree and can be used to subdivide your network into more workable chunks.

Refreshing the Server Based Computer Group

On an existing Server Based Computer Group, you can request an immediate refresh.

  • Just right-click the Group and select Refresh or use the Refresh button in the Group details bar from the Console.
  • Use the proper API in the available REST APIs for Computer Groups.

Procedure to create a Server Based Group via REST API

For more details, see Computer Group.

Settings

Use the BESRelay_ServerBasedGroup_RefreshMinutes configuration setting to change the default refresh interval. The BigFix Server applies this value to the Server Based Computer Groups that are defined with the default value.

Use the _BESRelay_ServerBasedGroup_IgnoreAgentsNotReportingAfterHours configuration setting to specify the number of hours after which devices that are not reporting are no longer taken into account by the BigFix Server for membership in a Server Based Computer Group.

For more details on these settings, see the Miscellaneous section of the List of settings and detailed descriptions page.

Caveats

  • Only global properties can be used in Server Based Computer Groups.
  • Only the four “contains”, “does not contain”, “equals” and “does not equal” operators are available to define a rule.
  • The search text is always case insensitive (Unicode is of course supported so ‘è’ matches ‘È’) for consistency with Automatic Groups.
  • Only devices subscribed to the site where the Group is defined will be members of the Group.
  • Unlike an Automatic Group, a Server Based Computer Group always uses the last version of the global property. So, when a property is deleted, the Group will behave as if the property had no available results.
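
The following added example (not BigFix code and not part of the original page) models the membership rules described above, so that an operator can reason about which endpoints an action targeted at the Group would reach. The sample devices, the 24-hour threshold, the per-representation handling of non-reporting instances, the treatment of a missing property as a non-match, and the "any" mode are assumptions.

```python
# Illustrative model only, not BigFix code. Devices and values are constructed.
from collections import namedtuple

OPERATORS = {  # the four operators listed in the caveats
    "contains": lambda value, text: text in value,
    "does not contain": lambda value, text: text not in value,
    "equals": lambda value, text: value == text,
    "does not equal": lambda value, text: value != text,
}

# One instance of a device (native agent, cloud proxy, ...)
Representation = namedtuple("Representation", "name hours_since_report properties")
# A correlated device and all of its representations
Device = namedtuple("Device", "sites representations")

def clause_true(device, prop, op, text, ignore_after_hours):
    """A clause holds if any fresh representation of the device satisfies it."""
    for rep in device.representations:
        if rep.hours_since_report > ignore_after_hours:
            continue  # assumption: non-reporting instances contribute no data
        value = rep.properties.get(prop)  # assumption: missing property never matches
        if value is not None and OPERATORS[op](value.casefold(), text.casefold()):
            return True
    return False

def members(devices, site, clauses, mode="all", ignore_after_hours=24):
    """Names of every representation of each device that matches the rule."""
    combine = all if mode == "all" else any  # "any" mode is an assumption
    found = []
    for dev in devices:
        if site not in dev.sites:
            continue  # only devices subscribed to the Group's site can be members
        if combine(clause_true(dev, *c, ignore_after_hours) for c in clauses):
            found.extend(rep.name for rep in dev.representations)
    return sorted(found)

DEVICES = [  # constructed sample inventory
    Device({"Master Action Site"}, [
        Representation("web01 native agent", 1, {"Agent Type": "Native"}),
        Representation("web01 AWS proxy", 2, {"AWS Region": "US-West-2"})]),
    Device({"Master Action Site"}, [
        Representation("db01 AWS proxy", 2, {"AWS Region": "us-west-1"})]),
    Device({"Custom Site"}, [
        Representation("app01 native agent", 1,
                       {"Agent Type": "native", "AWS Region": "us-west-2"})]),
]
RULE = [("AWS Region", "contains", "us-west-"), ("Agent Type", "equals", "native")]
```

With the sample rule in "all" mode, web01 is a member through both of its representations because each clause is satisfied by a different instance, while db01 has no native agent and is left out.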

Known Limitations

  • In a DSA environment only the primary BES Root Server will fully manage the Server Based Computer Groups, that is, send actions to clients to update the Group membership and expose all the functionalities to create, edit and refresh the Groups.
  • Non-primary BES Root Server(s) will run in restricted mode. So:
    • It is not possible to create, edit, remove or refresh Server Based Computer Groups.
    • The BigFix Server will not send subscription actions to clients to update the membership.
    • The membership table in the Database is not filled by the DSA replication process but by the local BigFix Server.
  • The Group name must contain alphanumeric characters only.

BigFix New Server Based Computer Groups and BigFix Applications

The Inventory and Compliance Analytics applications must be upgraded to take advantage of the Server Based Computer Groups feature.

  • BigFix Inventory will support BigFix Server Based Computer Groups starting from 10.0.5 release (July, 2021).
  • For Compliance Analytics, a new version that will support the new BigFix Server Based Computer Groups will be delivered in the near future.

Application versions without official support for the new Server Based Computer Groups will report them as empty.

You will need to follow application specific instructions on how to upgrade and synchronize Computer Group definitions when support is announced.