Release Notes

What's new

Features introduced in IBM BigFix Remote Control

• Network response indicator

  A new icon is displayed in the controller window that provides an indication of the network round-trip time during a session. That is, the time it takes for network data to be sent from the controller to the target and the response returned to the controller. For more information, see Network response indication.

• Change the color quality of the session window to improve session performance

  If your network is slow, use the Performance settings option during a session to adjust the image quality of the target desktop and improve the session performance. The new setting to change the color quality and enable partial screen updates is enabled in the controller menu. You can also set custom values. This feature cannot be configured centrally. For more information, see Change the color quality of the session window to improve session performance. As part of this new feature, the display name of the Enable true color and Lock color depth policies changed. Enable true color is now Enable high quality colors and Lock color depth is now Lock color quality. However, the target silent installation parameter names, the Windows registry property names, and the name of the policies in the Linux configuration file remain the same. For more information, see Server session policies.

• Performance enhancements

  A new flow control algorithm is implemented. This enhancement provides both faster updates when network conditions allow it and increased responsiveness to user input in slow and low-bandwidth networks.

• Multiple log levels for the target component
  You can configure properties to determine what type of information and how much information is reported in the target log file. When you install the target software, an INFO level log file is now enabled by default. You can configure the logging properties in various ways.

  • Use parameters when you run a target custom installation. For more information, see Running a target custom installation on a Windows system.
  • Configure the properties after you install the target. For more information, see Logging target activity.
  • Select properties when you create a target configuration in the target configuration wizard in the IBM BigFix console. For more information, see Creating IBM BigFix Remote Control target configuration tasks.
  • Apply the update Fixlet that is relevant to your operating system. Use the Fixlets to configure the Log level value.
    • Update Debug Settings for IBM BigFix Remote Control Target for Windows.
    • Update Debug Settings for IBM BigFix Remote Control Target for Linux.

  The DebugTrace property is deprecated due to the introduction of this new feature. Therefore, the View Application log option on the target UI is no longer available.

• End a session when audit messages cannot be uploaded to the server

  A new property is introduced in the controller.properties file on the server. Use the abort.on.audit.fail property to determine whether the remote control session ends when a controller cannot send audit messages to the server during the session. For more information, see controller.properties

• Session resilience

  During a remote control session, that is connected by using a broker, when connection failure is detected, reconnection to the session is attempted automatically. The controller user and target user are informed of what is happening with the session connection through various message windows. For more information, see Session resilience for sessions that are connected by using a broker

  A new server policy, Allow automatic session handover is introduced as part of this feature. If the policy is set to yes, and the master controller does not reconnect to the broker within 3 minutes, session control automatically passes to another participant. For more information about the policy, see Server session policies

Previous limitations that are fixed in IBM BigFix Remote Control

The controller might display an incorrect certificate message.

In some cases, the controller incorrectly displays the following error message, Unable to Connect. The Certificate from the peer is issued for a different host. If the message is displayed and the certificate is issued for the correct host, the certificate might have failed for a different reason. For example, with the controller in NIST mode, the certificate might have an RSA key less than 2048 bits.

Port 80 incorrectly added to the server URL.

If the ServerURL key already has a value set in the target registry, the Windows operating system target installer might add port 80 to the URL. This issue causes a problem if the URL is for HTTPS, because HTTPS uses port 443 by default. Normally, the server URL is generated by the installer and always contains the port number. However, this issue can happen if you manually edit the registry and set the ServerURL key without a port and then run the installer. A port 80 value is then added to the ServerURL key.

After a session handover, the custom tools menu is missing from new master controllers window.

After you hand over the session to a different controller, the custom tools are missing from the new controller's action menu. Any special key sequences that are configured are also missing from the menu. This issue happens in managed and broker collaboration sessions when the controller hands over control or grants control to a new controller.

OSSN banner is displayed on the logon screen

The OSSN banner that is shown on the target computer to indicate that a remote control session is in progress, is now also visible when the logon screen is displayed on the target.

Known issues in IBM BigFix Remote Control

Log distribution task can cause java out of memory errors

The log distribution task exports session audit history from the database to log files on the file system. However, the task can cause java out of memory errors when the query it runs returns a large result set. The log distribution task is enabled by default in older versions of remote control. In the new version of remote control, it is disabled by default for new installations. However, when you upgrade from an older version of remote control, the current setting remains in force. Therefore, it is recommended to turn off this feature if you do not require it. It can cause high memory usage and might cause the server to run out of memory. Especially on servers with numerous session audit logs in the session history. Also, if you do not process and clean up the exported audit logs, they can use up free disk space. For more information about the setting the values, see Audit log distribution.

The on-demand target can fail to run in Internet Explorer 11.

If you are using the current version of Internet Explorer 11, the ActiveX control might fail to install when you try to run the on-demand target. For more information, see the following technote http://www-01.ibm.com/support/docview.wss?uid=swg21969742. Alternatively, you can choose to use Firefox where this limitation does not exist.

The chat and collaboration windows remain active and accessible when the target loses the connection

During a session, if the controller has the chat window or collaboration windows open when the target loses the connection to the network, the chat and collaboration windows remain active and accessible. However, an action on the windows has no affect.

The Num lock icon might not be available to the new master controller after a collaboration session handover.

During a collaboration session, the num lock icon might not be available to the new master controller after a session handover. The previous master controller still has access to the icon but nothing happens when they click the icon.

Java™ Web Start does not support NIST mode and might prevent the controller and player from enforcing compliance with SP800-131a requirements.

At time of publication, Java Web Start does not support NIST mode and might prevent the controller and player from enforcing compliance with SP800-131A requirements. When NIST SP800-131A compliance is enabled and the controller or player are started by using Java Web Start, compliance with the SP800-131A requirements is not fully enforced. Full compliance with the SP800-131A requirements in this scenario is enforced when the other remote control components are already configured for SP800-131A.

Java Web Start does not support FIPS mode and might prevent the controller and player from enforcing compliance with FIPS 140-2 requirements.

At time of publication, Java Web Start does not support FIPS mode and might prevent the controller and player from enforcing compliance with FIPS 140-2 requirements. When FIPS 140-2 compliance is enabled and the controller or player are started by using Java Web Start, compliance with the FIPS 140-2 requirements might not be fully enforced for all HTTPS encrypted communications.

For a NIST-compliant server, all encrypted SSL/TLS connections must use TLS 1.2 exclusively.

When the Remote Control server is configured to be compliant with the NIST SP800-131A requirements, it requires all encrypted SSL/TLS connections to use TLS 1.2 exclusively. This compliance requirement can prevent connectivity from the server to other components that might not support TLS 1.2 connections or might require further specific configuration. For example, database servers, LDAP servers, or mail servers.

Java does not support legacy use of SSL certificates with SHA-1 in NIST SP800-131A-compliance mode.

Java does not support legacy use of SSL certificates with SHA-1. This issue affects the server and the controller. When NIST SP800-131A compliance is enabled, the server and the controller components disallow the usage or verification of certificates that use SHA-1. The certificates must be updated to SHA-2.

Participants limit in collaboration is not enforced when participant loses network connection and other participants join

During a collaboration session, if a participant loses network connection and then reconnects to the session, the participant limit is not enforced when they reconnect. For example, the participant limit is one and UserA is connected to the session. UserA loses network connection. UserB requests to join the session and is accepted. UserA reconnects to the network and because of the session resilience feature, reconnects to the remote control session. There are now 2 participants in the session although the limit is set to 1.

The Retry button has no effect when you select to create the database and there is an existing database

During a server installation that uses the installer, if you select to create the database, and there is an existing database with the same name, an error is reported. The message window provides two options, Retry and Continue. When you click Retry, nothing happens. When you click Continue, the installation proceeds and the existing database is used.

Known limitations in IBM BigFix Remote Control

At time of publication, the following limitations were known.

There might be compatibility issues with earlier versions.

The following limitation is not an issue when you upgrade from version 9.0.0, 9.0.1, or 9.1.0 to IBM BigFix Remote Control.

In IBM Endpoint Manager for Remote Control version 9.0.0, new capabilities were introduced that can cause compatibility issues with earlier versions. The issues occur if the different components are not upgraded in the correct order.

The limitation applies only to environments where the gateway and broker components are deployed. In these environments, the broker and gateway must be updated before the server or the target components. After they are upgraded, the targets and server can be upgraded in the order that best suits your environment because there are no dependencies between them.

Always back up any properties files. You must back up your properties files for a controller upgrade in this release because any existing properties are lost.

For more information, see the IBM BigFix Remote Control Installation Guide.

Running the Controller in NIST mode might display a previous version of remote control banner.

When you run the controller in FIPS or NIST mode, an old JNLP banner splash screen might be displayed instead of the IBM BigFix Remote Control banner. Java caches the splash image and stores the banner. Therefore, if there is a previous run of the controller, Java Web Start does not check to see whether the new image is newer or different. It uses the existing banner. A workaround for this issue is to clear the java cache, which can be done in the Java control panel so that the old banner is no longer used.

The Choose file to send window remains open when the session times out.

During a session if the session ends because the inactivity timeout limit is reached, and the Choose file to send window is open in the target, the window does not close at the end of the session. If the target is an on-demand target, the target does not exit until you click OK or Cancel in the window.

Some virtualization software does not render a mouse on the guest.

Some virtualization software does not render a mouse on the guest. Instead, only the mouse on the host is used to stop the user from seeing two pointers instead of one. As a side effect, when the virtual machine is under the control of a remote controller, the local user might not see the mouse move within the guest window.

The auto-generated certificate overwrite and password options are not enabled at first.

During the server installation, when you are using the installer program, the auto-generated certificate overwrite and password options are not enabled at first. If you are using an auto generated certificate and want to enable the overwrite and password options, click Use an auto generated certificate store to enable them.

During a session with an on-demand target, if you select 'Inject Alt + Tab' from the controller action menu, it has no effect on the target system.

This limitation applies to Windows 8.1 and Windows Server 2012 R2 operating systems and it affects standard users only. During a session with an on-demand target, if you select 'Inject Alt + Tab' from the controller action menu, it has no effect on the target system. In Windows 8.1 and Windows Server 2012 R2 operating systems, Microsoft™ blocks applications from injecting the Alt + Tab keyboard shortcut except for Ease of Access applications. The on-demand target can mark itself as an Ease of Access application when it is run by an administrator user but not when it is run by a standard user.

The Use Remote Control Gateway option is not applicable when you install the CLI tools

When you install the CLI tools in a Windows operating system and select Use a proxy server or a Remote Control Gateway during the installation, two options are enabled. You can either select Use an HTTP proxy or Use a Remote Control Gateway. However, the CLI tools do not work in environments where gateways are configured and the Use a Remote Control Gateway is not applicable.

The Enable Privacy and Enable Input Lock options might be available when you are connected to a Linux target

During a session with a Linux target, the Enable Privacy and Enable Input Lock options might be available in the Perform Action in target menu in the controller. Clicking the options has no affect on the target because these features are not supported on a Linux target.

Remote installation of the target does not work on Windows 10 operating system

Using the remote target installation feature from the server or controller component does not work for a target that has Windows 10 operating system installed.

The server UI web session does not time out when the View Current Server Status page is kept displayed

In the server UI, the logon page is displayed when you select an option after a period of inactivity. The time limit is defined in the web.xml file. However, when you select AdminView Current Server Status and keep the page on display, the web session does not time out. The result is that you can continue to select options after the time limit is reached and the logon page is not displayed.