List of advanced options
./BESAdmin.sh -setadvancedoptions -sitePvkLocation=<path+license.pvk>
[-sitePvkPassword=<password>]
{ -list | -display
| [ -f ] -delete option_name
| [ -f ] -update option_name=option_value }
These options are typically supplied by your IBM Software Support.
Advanced options for disabling functions
- disableNmoSiteManagementDialog
- If set to "1", the site management dialog is unavailable to non-master operators (NMOs).
- disableNmoComments
- If set to "1", NMOs cannot add comments. NMOs will still be able to view comments.
- disableNmoManualGroups
- If set to "1", NMOs cannot add or remove computers from manual groups, and cannot see manual groups that none of their computers are members of.
- disableGlobalRelayVisibility
- If set to "1", NMOs cannot see relays that do not belong to them in the relay-selection drop-downs in the console. The exception is when they view a machine that is currently configured to report to a relay not administered by them; in this case that relay appears in the list as well.
- disableNmoRelaySelModeChanges
- If set to "1", NMOs cannot toggle automatic relay selection on and off.
- disableDebugDialog
- If set to "1", the keyboard sequence CTRL-ALT-SHIFT-D cannot be used to open up the console's debug dialog.
- disableComputerNameTargeting
- If set to "1", the third radio option "target by list of computer names" is removed on the targeting tab of the take action dialog.
- allowOfferCreation
- If set to "0", the 'Offer' tab in the Take Action Dialog is disabled. Offer presets in Fixlets are ignored by the console.
- disableNmoCustomSiteSubscribe
- If set to "1", the "Modify Custom Site Subscriptions" menu item is disabled for all NMOs.
Advanced options for password policies
- passwordComplexityRegex
- Specifies a Perl-style regular expression to use as a password
complexity requirement when choosing or changing operator passwords.
These are some examples:
- Require a 6-letter or longer password that does not equal the
string 'bigfix'.
(?![bB][iI][gG][fF][iI][xX]).{6,}
- Require a 6-letter or longer password containing lowercase, upper
case, and punctuation.
(?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:punct:]]).{6,}
- Require an eight-character or longer password that contains 3
of the following 4 character classes: lowercase, uppercase, punctuation,
and numeric.
((?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:punct:]])|(?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:digit:]])|(?=.*[[:lower:]])(?=.*[[:digit:]])(?=.*[[:punct:]])|(?=.*[[:digit:]])(?=.*[[:upper:]])(?=.*[[:punct:]])).{8,}
Note: The Site Administrator passwords are not affected by this complexity requirement.
- passwordComplexityDescription
- Specifies a description of the password complexity requirement. This string is displayed to the user when a password choice fails the complexity requirements set using the passwordComplexity option. An example of a password complexity description is "Passwords must have at least 6 characters." If you do not set this value but you set the passwordComplexityRegex setting, the description set in passwordComplexityRegex is displayed to the user.
- passwordsRemembered
- Specifies the number of unique new passwords that can be set for
a user account before an old password can be reused. The default
value is "0".
This option was introduced with IBM BigFix V8.2.
- maximumPasswordAgeDays
- Specifies the number of days that a password can be used before
the system requires the user to change it. The default value is "0"
(no maximum).
This option was introduced with IBM BigFix V8.2.
- minimumPasswordLength
- Specifies the least number of characters that a password for a
user account can contain. The default value is "6". This is a usage
example of this option:
./BESAdmin.sh -setadvancedoptions -sitePvkLocation=LOCATION -sitePvkPassword=PASSWORD -update minimumPasswordLength=9
This option was introduced with IBM BigFix V8.2.
- enforcePasswordComplexity
- If set to '1' or 'true', the passwords must meet the following
minimum requirements:
- They must not contain the user's account name or parts of the user's full name that exceed two consecutive characters.
- They must be at least six characters long.
- They must contain characters from three of the following four
categories:
- English uppercase characters (A through Z)
- English lowercase characters (a through z)
- Base 10 digits (0 through 9)
- Non-alphabetic characters (for example, !, $, #, %)
Complexity requirements are enforced when passwords are changed or created. The default value is "0".
This option was introduced with IBM BigFix V8.2.
- accountLockoutThreshold
- Specifies the number of incorrect logon attempts for a user name
before the account is locked for accountLockoutDurationSeconds seconds.
The default value is "5".
This option was introduced with IBM BigFix V8.2.
- accountLockoutDurationSeconds
- Specifies the number of seconds that an account is locked after accountLockoutThreshold failed
logon attempts. The default value is "1800".
This option was introduced with IBM BigFix V8.2.
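One way to pre-test a passwordComplexityRegex value against sample passwords before applying it with -update. This is an added example, not IBM's code: the function names are hypothetical, it assumes the server requires the whole password to match the expression, and it maps the POSIX classes to ASCII ranges because Python's re module does not support them.

```python
import re

# Python's re module has no [[:name:]] classes, so map the ones the page's
# patterns use to their ASCII equivalents before compiling.
POSIX_CLASSES = {
    "[[:lower:]]": "[a-z]",
    "[[:upper:]]": "[A-Z]",
    "[[:digit:]]": "[0-9]",
    "[[:punct:]]": r"[!-/:-@\[-`{-~]",
}

# Patterns from the passwordComplexityRegex examples on this page, written
# without any whitespace between the alternatives.
NOT_BIGFIX = "(?![bB][iI][gG][fF][iI][xX]).{6,}"
THREE_OF_FOUR = (
    "((?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:punct:]])|"
    "(?=.*[[:lower:]])(?=.*[[:upper:]])(?=.*[[:digit:]])|"
    "(?=.*[[:lower:]])(?=.*[[:digit:]])(?=.*[[:punct:]])|"
    "(?=.*[[:digit:]])(?=.*[[:upper:]])(?=.*[[:punct:]])).{8,}"
)


def accepts(policy_regex, password):
    """True if the whole password matches (assumed whole-string matching)."""
    for posix, ascii_class in POSIX_CLASSES.items():
        policy_regex = policy_regex.replace(posix, ascii_class)
    return re.fullmatch(policy_regex, password) is not None


def misclassified(policy_regex, must_accept, must_reject):
    """Return the sample passwords the regex treats differently from intent."""
    wrong = [p for p in must_accept if not accepts(policy_regex, p)]
    wrong += [p for p in must_reject if accepts(policy_regex, p)]
    return wrong


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real deployment.
    print(misclassified(THREE_OF_FOUR,
                        must_accept=["Password1", "Abc!defg", "pass-word9"],
                        must_reject=["password1", "Ab1!", "12345678!"]))
    # The lookahead only guards the start of the password: "bigfix2024" is
    # rejected as well, while "mybigfix" is accepted.
    print(misclassified(NOT_BIGFIX,
                        must_accept=["correcthorse", "mybigfix"],
                        must_reject=["bigfix", "BIGFIX", "bigfix2024", "five5"]))
```

An empty list from each call means the expression classifies every sample as intended; any password returned is one to review before the option is updated.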
Advanced options for targeting restrictions
- targetBySpecificListLimit
- Specifies the maximum number of computers that can be targeted by individual selection.
- targetBySpecificListWarning
- Specifies the threshold for the number of computers that can be targeted by individual selection before the console displays a warning message.
- targetByListSizeLimit
- Specifies the maximum number of bytes that can be supplied when targeting by textual list of computer names.
Advanced options for authentication
- loginTimeoutSeconds
- Specifies the amount of idle time in seconds before the console requires reauthentication to take certain actions. The timer is reset every time the user reauthenticates or does an action that would have required authentication within the idle time threshold. The default value is zero on upgrade from a deployment earlier than V8.2; the default value is infinity on a clean install of V8.2 or later.
- loginWarningBanner
- Specifies the text to show to any user after he/she logs into
the Console or Web Reports. The user must click OK to continue.
This is a usage example of this option:
./BESAdmin.sh -setadvancedoptions -sitePvkLocation=/root/backup/license.pvk -sitePvkPassword=pippo000 -update loginWarningBanner='new message'
This option was introduced with IBM BigFix V9.1.
- timeoutLockMinutes
- Specifies how many minutes of idle time must elapse before the console
requires the user to authenticate again. This setting is different from loginTimeoutSeconds because timeoutLockMinutes hides
the entire console to prevent any other user from seeing or using it. The
idle time refers to the lack of any type of input to the session, including
keystrokes, mouse clicks, and mouse movements.
This option was introduced with IBM BigFix V9.1.
Advanced options for customizing computer removal
By default, inactive computers are not automatically managed by IBM BigFix: they continue to be displayed in the console views unless you mark them as deleted by deleting their entries from the Computers list view, and their data is always kept in the database, filling tables with unused data.
You can modify this behavior by specifying advanced options that mark inactive computers as deleted, which hides them in the console views, and that remove their data from the IBM BigFix database.
In this way the console views show only the computers that reported back to the IBM BigFix server within a specified number of days and the database runs faster because you free more disk space.
- inactiveComputerDeletionDays
- Specifies the number of consecutive days that a computer does not report back to the IBM BigFix server before it is marked as deleted. When the computer reports back again, it is no longer marked as deleted and an entry for it is shown again in the console views. The default value for this option is 0, which means that inactive computers are never automatically marked as deleted.
- inactiveComputerPurgeDays
- Specifies the number of consecutive days that a computer does not report back to the BigFix server before its data is deleted from the BigFix database. When the computer reports back again, it is requested to send a full refresh to restore its data in the database and it is no longer marked as deleted. The default value for this option is 0, which means that computer data is never automatically removed from the database.
- inactiveComputerPurgeBatchSize
- On a daily basis, BigFix runs
an internal task that removes from the database the data of the computers
for which inactiveComputerPurgeDays elapsed. The task deletes
the computer data, including the computer's hostname, in buffers to
avoid potential load on the database. The inactiveComputerPurgeBatchSize value
specifies how many computers are cleaned up in the database in each
buffer. The default value for this option is 1000. If the computer
reports back again, the matching with its entry in the database is
done using the computer ID.
Note: Specify the option inactiveComputerPurgeBatchSize if you assigned a value different from 0 to inactiveComputerPurgeDays.
Other advanced options
- includeSFIDsInBaselineActions
- If set to "1", it requires the console to include source Fixlet IDs when emitting baseline actions. Emitting these IDs is not compatible with 5.1 clients.
- defaultHiddenFixletSiteIDs
- This option allows you to selectively change the default Fixlet visibility on a per-site basis. It only takes effect when global default Fixlet hiding is not in use. You specify a comma-separated list of all the site IDs to be hidden by default. The list of site IDs is in the SITENAMEMAP table in the database.
- showSingleActionPrePostTabs
- If set to "1", the 'Pre-Action Script' and 'Post-Action Script' tabs of the Take Action Dialog show up even on single actions.
- propertyNamespaceDelimiter
- Specifies the separator for retrieved properties. By default, retrieved properties are separated into namespaces by the character sequence '::'. The character sequence used to indicate a separator can be changed using this deployment option.
- minimumConsoleRequirements
- Specifies the minimum requirements that must be satisfied by
the machines running the database that the console connects to. Its
value consists of a comma-separated list of one or more of the following
requirement strings:
- "RAM:<min MB MO ram>/<min MB NMO ram>"
- Requires that the console runs on a machine with at least the specified amount of physical RAM. Two different values must be supplied; one for master operators and another for non-master operators. Both values must be less than 2^32. For example, "RAM:2048/1024".
- "ClientApproval"
- States that the BES Client must determine if a machine is suitable
for login. A machine is considered suitable for login if one of the
following settings is specified locally:
- "moConsoleLoginAllowed"
- "nmoConsoleLoginAllowed"
To enable the master operator login from a Windows client computer where the console is running, add the following registry keys:
- On a 64-bit computer:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix\EnterpriseClient\Settings\Client\moConsoleLoginAllowed]value=1
- On a 32-bit computer:
[HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\Settings\Client\moConsoleLoginAllowed]value=1
To enable the non-master operator login from a Windows client computer where the console is running, add the following registry keys:
- On a 64-bit computer:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix\EnterpriseClient\Settings\Client\nmoConsoleLoginAllowed]value=1
- On a 32-bit computer:
[HKEY_LOCAL_MACHINE\SOFTWARE\BigFix\EnterpriseClient\Settings\Client\nmoConsoleLoginAllowed]value=1
This option was introduced with IBM BigFix V6.0.12.
- actionSiteDBQueryTimeoutSecs
- Specifies how long action site database queries can run before
the console stops the query (to release its read lock and let any
database writers through), and then restarts the query where it left
off. If not set, the default value is 60 seconds. If set to "0", the
action site database queries never time out.
This option was introduced with IBM BigFix V6.0.17.
- usePre70ClientCompatibleMIME
- If set to "true", the console can create action MIME documents
that pre-7.0 clients can understand. By default, it is set to "true"
on upgrade and "false" for fresh installs.
This option was introduced with IBM BigFix V7.0.
- disableRunningMessageTextLimit
- If set to a value other than "0", the console users can enter
more than 255 characters in the running message text in the Take Action
Dialog.
This option was introduced with IBM BigFix V7.0.7.
- useFourEyesAuthentication
- If set to "true", you can set the approvers for user actions in
the console user document. The approver must confirm the action on the
same console where the user is logged on.
This option was introduced with IBM BigFix V8.2.
- masterDatabaseServerID
- By default, the database with server ID 0 is the master database.
This is the database that BESAdmin needs to connect to. Use this option
to change the master database to a different machine.
This option was introduced with IBM BigFix V7.0.
- enableWakeOnLAN
- If set to "1", the console shows the "right click WakeOnLAN" functionality
in the computer list. By default the functionality is not shown.
This option was introduced with IBM BigFix V7.1.
- enableWakeDeepSleep
- If set to "1", the console shows the "right click Send BESClient
Alert Request" functionality in the computer list. By default the
functionality is not shown. During Deep sleep, all UDP messages except
this specific wake up message are ignored.
This option was introduced with IBM BigFix V8.0.
- requireConfirmAction
- If set to "1", every time an action is taken a confirmation pop-up
window with a summary of the action details is displayed. The information
listed in the pop-up window is:
- Action Title
- Estimated endpoints targeted
- Start time
- End time
The summary also lists the need for a restart or a shutdown, if the action requires it. By default the confirmation window is not displayed.
This option was introduced with IBM BigFix V7.1.