What is new in V9.5

BigFix Platform Version 9.5 provides new features and enhancements.

Patch 14:
Security vulnerabilities and library upgrades
  • The libssh2 external library level was upgraded to Version 1.9.0.
  • The OpenLDAP external library level was upgraded to Version 2.4.48.
Added support for BigFix Agent
Added support for BigFix Agent running on:
  • SUSE Linux Enterprise 15 PPC 64-bit.
  • Red Hat Enterprise Linux 8 x86 64-bit.
  • MacOS 10.15.
Patch 13:
Relays in DMZ
You can configure parent relays outside a demilitarized zone (DMZ) to initiate connections to child relays that are within the DMZ network. This means that relay-to-relay communication is always initiated from the parent relay. You can use this feature to avoid opening firewall ports from the DMZ to the internal secure network, which in turn helps toughen the security of your environment.

For details, see Relays in DMZ.

Troubleshoot issues more efficiently by persisting the relay chain on the BigFix Client
The Relay chain is identified for each client and it consists of a set of Relays involved in the registration between the client and the server to which the client is registered. With this feature, you can allow the client to trace the relay chain for each registration and ensure that the relay information is available on the client side. This helps you troubleshoot issues related to client-to-server communications more efficiently, and improve the data reported by the BES Client Diagnostics task.

For details, see Viewing the relay chain on the client.

Install BigFix agent with IPS format (.p5p package) on Solaris 11
On Solaris 11, the BigFix agent installation package is now available as IPS (Image Packaging System), which is the latest Solaris packaging technology. The old version of the installation package is also still available. You can therefore choose an installation option that best suits your requirements.

For details, see Solaris 11 installation Instructions.

Delete registry keys by using actionscript
You can now delete not just the values of the registry keys set on the clients, but the keys themselves as a whole by using actionscripts. This operation also has a 64-bit equivalent. This feature helps you maintain the Windows registry keys, for example by removing the keys that are no longer used.

For details, see regkeydelete and regkeydelete64.

Removal of Adobe Flash Player dependency in Web Reports component
As a preparatory step to deal with end of support (EOS) of Adobe Flash Player in the year 2020, the Adobe Flash Player dependency was removed from the Web Reports functionality. However, your experience of viewing the graphs remains the same.
Run queries in client context
BigFix extends the ability of the Agent to run queries when submitted through the Fixlet Debugger or REST API. This allows you to run any relevance for tasks such as troubleshooting or investigations directly from these interfaces.

For details, see BigFix Query.

Added support for BigFix Agent on Raspberry Pi
Added support for running Agent on Raspbian 9 Raspberry Pi 3 models B and B+.

For details, see Raspbian (64-bit) Installation Instructions.

Added support for BigFix Agent SLES 15 on Intel

Added support for BigFix Agent running on SUSE Linux Enterprise 15 x86_64 on Intel.

Security vulnerabilities and library upgrades
  • The OpenSSL toolkit level was upgraded to Version 1.0.2r.
  • The libcURL file transfer library level was upgraded to Version 7.64.0.
Patch 12:
Security vulnerabilities and library upgrades

In this version, security vulnerabilities were addressed and some libraries were upgraded.

  • The OpenSSL toolkit level was upgraded to Version 1.0.2q.
  • The jQuery library level was upgraded to Version 3.0.0.
  • The jQuery UI library level was upgraded to Version 1.12.1.
  • The jqPlot (jQuery plugin) level was upgraded to Version 1.0.9.
Patch 11:
Reduce network traffic and relay infrastructure costs by exchanging cached files with peers (PeerNest)
This version introduces a peer-to-peer configuration that helps you reduce relay infrastructure costs. In a peer-to-peer setup, endpoints in a subnet coordinate their download activities in order to download binaries only once from the relay, thus reducing the network traffic outside of the subnet. With this setup, you can facilitate a faster and direct exchange of binaries between endpoints and remove the need for every client to download the same binary from a relay, allowing the removal of dedicated relays from branch offices.

For details, see Peer to peer mode.

Improve real-time visibility by delivering notifications to clients across firewalls through client-established, persistent connections
The BigFix Query function relies on a UDP-based notification where the relay notifies the clients of a new query. Firewalls or NAT may block this notification mechanism. Through the new persistent connection feature, a persistent connection initiated by the client is used by the relay to manage the UDP-based notification. This allows the delivery of any type of notification, thus offering a faster alternative to command polling. A persistently connected client also acts as a UDP notification forwarder (proxy) for the other clients in the same subnet, which can reduce the number of connections and optimize relay performance. The relay can deliver notifications to clients through client-established, persistent connections.

For details, see Persistent connections.

Prevent BES server overload and network congestion by defining a fallback relay
You can now define a fallback relay for your clients when they fail to connect to any relay specified in their settings.

For details, see Step 2 - Requesting a license certificate and creating the masthead and Editing the Masthead on Linux systems.

Simplify the installation and upgrade of the WebUI component by including it as part of the BigFix Platform installation
The installation of the BigFix Platform (both evaluation and production versions) on both Windows and Linux now includes the option to install the WebUI component as well, offering a convenient alternative to the fixlet-based installation. The upgrade of the WebUI component will be executed as part of the platform components update process, and as noted in 9.5.10, the WebUI can now scale to manage 120,000 endpoints from either a Linux or Windows BES Server installation.

For details, see Installing the WebUI (Windows) and (Optional) - Installing the WebUI Standalone (Linux).

Enhance corporate security by specifying the TLS ciphers that can be used in network communications between the BigFix components and the internet
Starting in this version, master operators can control which TLS ciphers should be used for encryption. A master operator can set a deployment-wide TLS cipher list in the masthead by using BESAdmin.

For details, see Working with TLS cipher lists.

Enhance security and reduce load on the BES root server by automatically shutting down the BigFix Console after a period of inactivity
Starting in this version, you can control the maximum amount of time to keep an inactive session of BigFix console alive. After the timeout, the BigFix console is closed.

For details, see List of advanced options.

Enhance the security of your BigFix Server by optionally disabling access to the Internet
Starting in this version, you can use a configuration setting to control whether your server accesses the Internet for updating the license and gathering the sites.

For details, see Airgap Mode.

Gather WebUI content more securely through HTTPS and in an optimized manner
  • WebUI: Gather BES sites with HTTPS by default

    You can gather license updates and external sites by using the HTTPS protocol on a BigFix server or in an airgapped environment. For details, see Customizing HTTPS for Gathering.

  • Optimize Gathering from Synch Servers

    The Gathering process has been optimized with more effective handling of Gather errors.

Establish an increased level of security when creating new users by assigning them minimal permissions
When you create users, they are assigned minimum permissions (read-only) by default, which offers an additional level of security.

For details, see List of advanced options (look up defaultOperatorRolePermissions) and Adding Local Operators.

Enhanced security and visibility with more detailed server audit logs
The server audit logs now include the following items:
  • Messages for deletion of computers from the console or through API
  • Messages for deletion of actions
  • Audit entries are presented in a single line and contain the same number of field delimiters. Field delimiters are present even if no value exists for a specific field. Since the format of the audit fields is subject to change over time, each line has a version number as the first entry. The current format includes texts from existing audit log messages (which are in old format) and presents them in the last field.

The server generates audit logs for two new events: the deletion of an action and the removal of a computer.

For details, see Server audit logs.
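
The format rules above (one entry per line, a version number as the first field, a constant number of field delimiters, legacy text in the last field) can be checked mechanically before the logs are fed to a SIEM. The following is an added example, not BigFix code: the `|` delimiter and the sample lines are assumptions constructed for illustration, because this page does not give the delimiter or the field layout.

```python
"""Check audit log lines against the format rules stated in the release note."""
from collections import Counter, defaultdict

DELIM = "|"  # assumption: the page does not say which delimiter is used


def parse_line(line, delim=DELIM):
    """Split one entry into (format_version, fields, legacy_message)."""
    fields = line.rstrip("\r\n").split(delim)
    version = fields[0].strip()
    if not version.isdigit():
        raise ValueError("first field is not a format version number")
    # The last field carries the text of the old-format audit message.
    return version, fields, fields[-1]


def check_log(lines, delim=DELIM):
    """Return (entries, anomalies); anomalies is a list of (line_no, reason)."""
    parsed, anomalies = [], []
    for no, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            version, fields, message = parse_line(line, delim)
        except ValueError as exc:
            anomalies.append((no, str(exc)))
            continue
        parsed.append((no, version, fields, message))

    # The format may change over time, so the baseline is learned per version:
    # the most common delimiter count among lines sharing a version number.
    counts = defaultdict(Counter)
    for _, version, fields, _ in parsed:
        counts[version][len(fields) - 1] += 1
    expected = {v: c.most_common(1)[0][0] for v, c in counts.items()}

    entries = []
    for no, version, fields, message in parsed:
        found = len(fields) - 1
        if found != expected[version]:
            # Truncated, wrapped, or tampered entries end up here.
            anomalies.append(
                (no, f"{found} delimiters, expected {expected[version]} "
                     f"for format version {version}"))
        else:
            entries.append({"line": no, "version": version,
                            "fields": fields, "message": message})
    return entries, sorted(anomalies)


# Constructed sample lines; the field layout is hypothetical.
SAMPLE = [
    "1|2019-05-02T10:15:00|INFO|operator1|CONSOLE|DELETE|COMPUTER|192.0.2.10|computer 42 deleted",
    "1|2019-05-02T10:16:00|INFO|operator1|RESTAPI|DELETE|ACTION||action 77 deleted",
    "1|2019-05-02T10:17:00|INFO|operator2|CONSOLE|LOGIN",
    "continuation text from a broken multi-line entry",
    "1|2019-05-02T10:18:00|INFO||CONSOLE|LOGOUT|USER|192.0.2.11|",
]

if __name__ == "__main__":
    good, bad = check_log(SAMPLE)
    for entry in good:
        print(entry["line"], repr(entry["message"]))
    for line_no, reason in bad:
        print("anomaly at line", line_no, "-", reason)
```

Empty fields still count toward the delimiter total, so the second and fifth sample lines pass while the truncated and wrapped lines are reported.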

Reduce the costs of managing relay infrastructure through a new Dashboard that summarizes relay health across the entire network
You can now monitor the status of your relays across the entire network by using the Relay Health dashboard. The Relay Health Dashboard shows you specific details about the relays in your BigFix environment.

For details, see Relay Health Dashboard.

Configure the default behavior of Timeout Override on clients
Starting in this version, you can define the default behavior for timeout and disposition on a specific client for all the programs or processes triggered by any wait or waithidden commands, unless it is specified differently in an override section of that specific wait or waithidden command definition.

For details, see List of settings and detailed descriptions.

Optimize and accelerate Platform REST API interactions
You can now control and reduce the number of fields returned by a REST request by using the ?fields= parameter to limit the fields returned for a given resource when using the API resources /api/actions and /api/action/{action id}/status.

For details, see Action and Computer.

Accelerate fixlet creation and testing by using the FastQuery interface in Fixlet Debugger
Fixlet Debugger is extended to use the FastQuery interface in addition to the Local Fixlet Debugger Evaluator and the Local Client Evaluator. You can choose a remote endpoint to evaluate relevance.

For details, see Fixlet Debugger.

Save time when working in tight maintenance windows by enabling group actions to start before sub action downloads are available
Group actions with pre-cached downloads now start without requiring all sub-action downloads to be available on the client, provided the downloads for the first relevant sub-action are available. Additionally, the server and relay caches are primed by continuing with as many download requests as possible even under a 'disk limited' constraint.

For details, see Enabling data pre-cache.

Other Enhancements
  • Improved documentation on configuration settings. For details, see BigFix Configuration Settings.
  • Added changes to the client component for enabling a new version of the self-service application (SSA).
  • Added support for running Agent and Relay on Windows Server 2019.
Patch 10:
CDT Key file option and custom installation path
When installing the BigFix clients from the Client Deploy Tool (CDT) Wizard, you can access the target computers through SSH key authentication. For Windows target computers, you can also specify a custom installation path if you do not want to use the default installation path.

For more information, see Deploying clients from the console.

TLS-encrypted SMTP connection for Web Reports
When setting up an email address from Web Reports, you can upgrade the SMTP connection to TLS.

For more information, see Setting Up Email.

Windows authentication leveraged in command line utilities
You can use your Windows credentials to authenticate to BigFix utilities such as the PropagateFiles.exe tool and the IEM CLI.

For more information, see Creating special custom sites whose name begins with FileOnlyCustomSite.

Windows performance, efficiency, and maintenance improvements
  • The FillDB configuration was modified to permit more efficient database bulk insert and update operations. Given that FillDB is responsible for pushing client reports into the database, this results in a more responsive and more efficient BigFix.
  • The Microsoft SQL Server configuration was updated to provide improved concurrency and scalability options for BigFix.
  • The BigFix provided Microsoft SQL Server index management scripts were rewritten to ensure indexes are better managed, with improved fault tolerance while consuming fewer system resources and reducing application impact. This has a positive impact on the long term performance, scalability, and stability of BigFix.
Added support for BigFix Agent SLES 11 and 12 on Power 9
Added support for the following BigFix Agents:
  • SUSE Linux Enterprise 11 PPC on Power 9 (P8 compatibility mode)
  • SUSE Linux Enterprise 12 PPC on Power 9 (P9 mode)
Added support for BigFix Agent on Mac OS 10.14
Added support for BigFix Agent on MacOS 10.14.
Note: On Mac OS Mojave Version 10.14 or later, some default security settings restrict access to certain folders in the user's library which in turn might affect custom content. For more information, see Client requirements.
64-bit enablement for the Mac OS agent

The Mac OS agent binaries are now 64-bit applications.

Changes in the disaster recovery, hardware migration and roll back procedures

The changes introduced by some of the security enhancements have an impact on the disaster recovery, hardware migration and roll back procedures. For more details about these procedures, see:

Server Backup

Server Recovery

Removing the Product Components on Linux systems

BigFix Server Migration on Linux

Changed signing key for the Red Hat installation packages
Starting from BigFix Version 9.5.10, the Red Hat RPM packages for Server, Agent and Relay are signed with a new PGP key, different than the one used in Version 9.5.9. Also the CentOS BigFix Agent and Relay use the same Red Hat binaries. The same applies to Oracle Linux BigFix Agent.

For more information, see Red Hat Installation Instructions.

Patch 9:
Added signature to the Red Hat installation packages
Starting from BigFix Version 9.5.9, the Red Hat RPM packages for Server, Agent and Relay are signed with a PGP key. Also the CentOS BigFix Agent and Relay use the same Red Hat binaries. The same applies to the Oracle Linux BigFix Agent.

For more information, see Red Hat Installation Instructions.

Ability for endpoints to constrain the download action if the Agent is not connected to the designated (preferred) Relay
BigFix 9.5.9 introduces the capability to prevent starting actions that require downloads when the BigFix Agent is not connected to a preferred Relay. In this scenario, you can prevent actions from being executed if the total size of the downloads associated with the action exceeds a configurable value.

For more information, see Download.

Ability for Web Reports to restrict access to some properties
BigFix 9.5.9 introduces a new client setting that lets you configure a list of properties that are blacklisted for Web Reports. This way, you can prevent reporting on large or privacy-sensitive data and limit memory usage.

For more information, see the _WebReports_Properties_Blacklist setting in Web Reports.

Improved Relay scalability by supporting 5000 endpoints per Relay
BigFix leaf relays for the Windows and Linux platforms can now be configured to manage up to 5000 endpoints.

For the implementation guidelines, see the BigFix capacity planning guide: Capacity Planning, Performance, and Management Guide.

Added support for AIX 7.2 on Power 9

Added support for BigFix Agent and Relay on AIX 7.2 on Power 9.

Patch 7:
New database offered during the installation

When performing a fresh installation of BigFix Server Version 9.5 Patch 7, if no database engine is detected, you can choose whether to install Microsoft SQL Server 2016 SP1 Evaluation or to manually install another SQL Server version. The provided evaluation version is valid for 180 days.

Slimmed down Windows installation files

When performing a fresh installation or an upgrade to Patch 7, the SQL Server installer is provided as a separate file and is no longer contained in the BigFix server installer which is now smaller.

Client Deploy Tool enhancements
  • Added a new wizard to distribute the agents on all supported platforms
  • Added a new dashboard to view the results of the deployments
  • Added the possibility to upload the target log files to the BigFix server.
Names of files and folders using local encoding on UNIX and Linux clients

You can specify the names of files and folders of UNIX and Linux clients in their local encoding, even if it is different from the encoding on the BigFix server. Depending on the actions to be completed on the client, you can use a set of commands that are documented on BigFix Developer site.

Read from and write to files that have different encodings

You can read from and write to files that have different encodings by using the encoding inspector. For additional information, see Reading and writing files in the specific encodings and BigFix Developer site.

Enhanced Client identity matching when Clients are detected
You can use the new setting (clientIdentityMatch) to allow the BigFix Server to use the existing computer information to try to match the identity of a Client and reassign the same ComputerID to computers that might have been rolled back or restored and avoid having duplicate computer entries.
New options when running commands as a user local to the target
The override action script command has been improved with new options to run commands on the target client as a user different from the logged-on user. For more information, see the override command on the BigFix Developer web site.
Improved SSL configuration documentation

The documentation of SSL configuration has been updated to ensure greater consistency across the different BigFix applications. See the overview of the SSL configuration containing certificate requirements and links to the SSL configuration procedures for all BigFix applications: HTTPS across BigFix applications.

Patch 6:
Security enforcement enhancements
  • Two new masthead parameters, minimumSupportedClient and minimumSupportedRelay, are added to enforce a higher level of security in the deployment. For more information, see Additional administration commands for Windows servers, or Running the BigFix Administration Tool for Linux servers.
  • You can use a new advanced option (requireSignedRegistration) to ensure that a client registration request is not accepted if there is at least one relay in the registration chain that is not upgraded to the same version of BigFix that is installed on the Server.
New security check on Fixlet/task content
A new security check was added to parse the content of the imported or generated Fixlet and tasks, and identify the existence of possible script content. If such content is detected, a Warning Panel is displayed to the Console Operator.
OpenSSL Initialization changes
Starting from 9.5.6, each BigFix component initializes OpenSSL in FIPS Mode based on the existence of the client setting _BESClient_Cryptography_FipsMode, and the client masthead.
Default status of Relay Diagnostic page changed
On both the Server and the Relay components, the Relay Diagnostic page is now disabled by default. The Relay Diagnostic page can be enabled again by setting _BESRelay_Diagnostics_Enable = 1 on those components.
Additional changes
  • Resigning of Mac Clients with new certificates
  • Console Qualification for Windows 10 Creators Update
Patch 5:
Enablement for the BigFix Detect application
Client Deploy Tool enhancements
  • Enabled the agents distribution on all supported platforms by using a new Fixlet
  • Enabled the distribution of the old agent versions, including agent versions that are no longer supported in BigFix Version 9.5
Added capability to run Fixlet actions as a specific user and to specify the context for the actions
Specified under which specific user context a specific action must be run on the endpoint
Airgap tool enhancements
  • Added capability to gather information on external sites without accessing a BigFix server in a secure deployment
  • Added file download capability
Enhanced the FillDB component to process agent reports by using a multi-thread approach
Improved BigFix Platform performance by leveraging multi-core server resources
Added capability for a Non-Master Operator to stop other Non-Master Operator actions
Enhanced the BigFix evaluation installation to avoid ripping and replacing the BigFix deployment if transition to production license is needed
Improved the user experience for "Try and Buy" scenarios and promoted the evaluation environment to production environment without installing again
Enhanced the REST API for Baseline support
Enabled REST API to perform major baseline functionality available on the console
Enhanced the BigFix agent application usage summary inspector
Collected the process executable path
Enhanced the Mac OS version of BigFix agent and inspectors
  • Detected applications installed into the /Library path
  • Improved Wi-Fi inspectors
  • Leveraged spotlight search when using inspectors for searching Mac installed applications
  • Enabled the process inspectors to report the process path name
Improved the BigFix database layer to enable direct access from Web UI
  • Enabled the Web UI not to depend on ETL and ensured backward compatibility with current Web UI versions still leveraging ETL
  • Improved the Web UI scalability and performance
Enhanced the Client UI end-user experience
  • Made running message dialog optionally not dismissible
  • Made running message dialog optionally topmost
Enhanced the Self Service application enablement
  • Allowed REST API blocking "action-ui-metadata" mime field included in the baseline and MAG definition
  • Added timestamp information of when the offer was issued in the Offer Available message
Security enhancements
  • Changed non-FIPS OpenSSL Windows library to use ASLR
  • Created native Red Hat Enterprise Linux (RHEL) Version 6 based agent and relay to allow the client installation when the operating system is in FIPS mode
Patch 3:
Enablement for Remote Web UI deployment
You can deploy the Web UI on a remote endpoint rather than on the BigFix Server.
Enablement for BigFix Query enhancements
You can target BigFix Query requests to dynamic groups.
Enablement for BigFix Software Distribution enhancements
You can use the Self-Service catalog from the Client UI when using the SWD application.
Enablement for DB2 HADR
You can run the database backup without requiring the shutdown of the BigFix Server.
Enablement for BigFix Patch enhancements
A new inspector is added to the set of Client inspectors to allow the Patch application to discover broken filesets on AIX agents.
Added support for new platforms and database levels
  • Microsoft SQL 2016 support
  • Tiny core Linux support for relay.
  • BigFix agent now supported on:
    • SUSE Linux Enterprise 12 on Power 8 Little Endian
    • Ubuntu 16.04 on Power 8 Little Endian
    • Windows Server 2016 and System Center 2016
    • Windows 10 Anniversary Update
    • Mac OS 10.12 (Sierra)
Migrated BigFix Platform manuals to the new BigFix Developer site
The content of the following manuals was reworked, improved, and migrated to the BigFix Developer website, the new repository for the BigFix Platform development and customization documentation:
  • Relevance Guide
  • Action Guide
  • API Reference Guide
Earlier versions of these manuals in PDF format are still available for download at ftp://public.dhe.ibm.com/software/tivoli/IEM/9.5/Platform/.
Additional enhancements
  • SHA-2 signing certificate for Windows binaries
  • Capability to install and run the Web Reports as a non-administrative user.
Patch 2:
BigFix Query
You can use this function to retrieve information and run relevance queries on client workstations from the WebUI BigFix Query Application or by using REST APIs. This function is available only for BigFix Lifecycle or BigFix Compliance Version 9.5 Patch 2 or later licenses. For more information, see Getting client information by using BigFix Query.
Version 9.5
Unicode support
BigFix Platform V9.5 gathers data from BigFix clients deployed with different code pages and languages, encodes the data into UTF-8 format, and reports it back to the BigFix server.
HTTPS gathering
You can gather license updates and external sites via the HTTPS protocol on a BigFix server or in an airgapped environment.
SAML V2.0 integration
Single-sign-on and CAC/PIV authentication support for BigFix LDAP operators connecting to the console.
Database cleanup tools
You can use the BESAdmin interface or the BESAdmin command line to remove data about computers, custom Fixlets, properties, analyses, and actions and to update the PropertyIDMap table with changes.
FillDB log rotation
It is active by default with LogFileSizeLimit set to 100 MB.

For more information about the changes and the enhancements introduced with V9.5, see the Release Notes.