With great power comes great responsibility! While having domain admin rights on your workstation, you do not want to log in to it and use it to check your email or do your day-to-day activities. The same goes with your BigFix Master Operator. Your Master Operator account is needed for configuring your environment; your day-to-day job of patching and pushing out software should be used with a least privileged one.  For details, see my earlier article on how to set up roles and grant your account the access privileges it needs. You can also set additional security controls in your accounts. For details, see the official documentation.

In this article however, I will walk you through the steps for setting up some of these features to keep additional checks in place so they fit your organizational needs. 

1. On your BigFix Server computer, open BigFix Administration Tool (BESAdmin).

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

2. Enter the site key and password when prompted.

 

 

 

 

 

 

 

3. Open the Advanced Option tab and select Add.

The first setting to add is requireConfirmAction - set the value to true and click OK.

 

 

 

 

 

 

 

 

A summary of the action is displayed. Click OK to proceed.

 

 

 

 

 

 

 

 

 

 

 

 

disableNmoDynamicTargeting

 

 

 

 

 

This action prevents non-master operators (NMO) from targeting dynamically and sending out mass deployments. It only allows them to target either by using a list or by entering the device names manually.

 

 

 

 

 

 

 

 

 

loginTimeoutSeconds

 

 

 

 

 

 

This forces the operator including master operators to re-authenticate before each action is taken.

 

 

 

 

 

 

 

 

 

 

 

 

 

targetBySpecificListWarning

 

 

 

 

 

 

This issues a warning to the console operator when they target more machines than a predefined value.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

useFourEyesAuthentication

 

 

 

 

 

 

4. Go to roles settings and create an "approver" role and add the operators you want to be able to approve actions.

 

 

 

 

 

 

 

5. Set the operator that you want to be able to force an approval before the actions can be run.

 

 

 

 

 

 

 

 

Once this is done, you are prompted to enter the approver's credentials before taking an action.

 

 

 

 

 

 

 

 

 

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Author

Brad Sexton is a BigFix technical advisor for the mid-Atlantic region. He was a BigFix administrator in a global enterprise for 7 years where he was using BigFix for OSD, Software Deployments, and patching. Brad joined the HCL BigFix team in 2018.

Review and editorial credits

Shivi Sivasubramanian is a senior-level technical author and editor with a demonstrated history of working in the technology industry. A firm believer in the magical power of words, she loves helping the community deliver expressive, minimalist, and user-friendly content. Shivi currently leads a team of information developers in BigFix.