
BigFix Endpoint Manager Frequently Asked Questions


Frequently Asked Questions

General

Desktops and Laptops

Servers

General

What is BigFix?

BigFix, formerly IBM Tivoli Endpoint Manager, is software that runs on your computer and collects information about it. BigFix gathers hardware and software information to help IT inventory the devices attached to the network. Knowing what is attached to the UCSF network is critical to identifying and remediating security vulnerabilities. At UCSF, registration of desktops and laptops connected to the network is accomplished by installing BigFix.


By requiring BigFix on all UCSF systems, aren’t we creating an extremely attractive target to hackers? How are you protecting BigFix?

BigFix security measures in place today:

  • Requires DUO two-factor authentication for access
  • Regular vulnerability scanning
  • Monthly patching
  • Monitoring and auditing of access
  • Rigorous change control
  • All changes require authentication from console administrators
  • Data published via web reports for IT support teams; no direct access to console
  • Limiting the ability to unlock systems through strictly monitored change controls and processes

Additional measures under consideration:

  • Host-based IPS (e.g. TripWire)

What is a locked configuration status in BigFix? Who has control over whether a system is locked or unlocked?

Locking a system means that it is excluded from any actions such as patching or installing software. Only data-gathering operations can take place, apart from changes to the settings of the BigFix client itself, including updates of the BigFix client. Currently, only the BigFix administrators, a small team of IT professionals, have the ability to lock and unlock systems. We are exploring additional technical and process controls to further restrict changes to locked systems.

Both Linux workstation and server clients are set to a locked state by default.

What are security patches? Will it reboot my computer?

Your computer regularly requires software updates to keep the operating system and applications secure; these updates are called patches. BigFix has the ability to remotely deploy the patches your system needs to keep it secure. Depending on the patch, a reboot of your computer may be required to complete it or to proceed to the next step, and occasionally this results in multiple reboots. You will be prompted to reboot with a pop-up message on your computer that describes why the reboot is needed, for example computer patching. Under normal circumstances, you will have the ability to defer the reboot for several hours. When the prescribed time has expired (generally 12-18 hours), the window will remain on your screen until you reboot your computer. Only under extraordinary circumstances (e.g., a critical security threat that requires immediate action) will your computer be forced to reboot without your approval.

I have week long experiments that run on my computer and do not want them to be interrupted with a reboot when patches are applied. How can I ensure that doesn't happen?

The default BigFix installer will work on most computers attached to data collection devices. However, under unusual circumstances the BigFix client might install and reboot for patching rather than deferring patches indefinitely. For those cases, your computer can be categorized to require communication before any automated, unscheduled reboot. To request that your computer be placed in this category, please contact the IT Service Desk at 415-514-4100 with the computer hostname.

What if BigFix cannot be installed on the system because it is an appliance?

We understand there are instances where it is impossible to install BigFix, including devices with embedded operating systems (networked lab equipment, proprietary data collection/analysis equipment, temperature sensors, alarms, or an HPC cluster). An exemption request process has been integrated into the manual registration form: https://ucsf.service-now.com/ess/device_registration.do

My systems are registered in DNS. Why do I need to register them again by installing BigFix or on the device registration web page?

DNS is a hostname-to-IP-address lookup system. It does not hold comprehensive information on the system owner or the MAC address, particularly for dynamically allocated addresses.

My department doesn’t maintain an inventory of systems. What should I do?

Maintaining an accurate system inventory is foundational to effectively managing system security. Guidance on developing a device inventory program is available from the SANS Institute: https://www.sans.org/critical-security-controls

Do I have to register computers owned and managed by a third party that are used on the UCSF Network?

All computers that connect to the UCSF network are required to register by installing BigFix. In the very small number of circumstances where BigFix cannot be installed, an exemption request process has been integrated into the manual registration form: https://ucsf.service-now.com/ess/device_registration.do

Do I have to register UCSF-owned systems on outside networks?

All computers that connect to the UCSF network are required to register by installing BigFix. This includes computers on blended networks at San Francisco General Hospital (SFGH 10.86), any computer owned by UCSF, computers supported by UCSF, and computers at remote sites owned and operated by UCSF. In the very small number of circumstances where BigFix cannot be installed, an exemption request process has been integrated into the manual registration form: https://ucsf.service-now.com/ess/device_registration.do

Do VA computers require the installation of BigFix?

VA computers are controlled by the IT department at the VA and are exempted from installing BigFix. VA IT will register computers on behalf of VA clinicians, staff and trainees.

What information is collected by BigFix?

The information collected from your computer is described on the BigFix retrieved properties page.

Desktops and Laptops

Why is UCSF requiring the installation of BigFix on all desktops and laptops on the network?

Having visibility into all devices on the network is critical to protecting UCSF data and computing resources. This will provide UCSF IT with an accurate inventory of what devices are on the network, their patch status, and to whom they belong. Unknown or unidentified (i.e. unregistered) devices on the UCSF network are a risk to every other device on the UCSF network and will be subject to removal from the UCSF network.

What to expect after installing BigFix?

The BigFix icon will appear in the System Tray (Windows) or Menu Bar (Mac OS X). The BigFix client will run in the background and report the initial status of your system to the BigFix server. If the system needs patching, you will be prompted to accept the patching task. You can defer the task, but if it is deferred for too long, the patching task window will stay in the foreground and you will not be able to dismiss it. The system will reboot after the patching task has completed. If the system is significantly behind in patching, multiple reboots may be necessary. BigFix will run in the background, consuming minimal CPU resources, and periodically check in with the server to provide ongoing updates of the system status and to check for new tasks (e.g., patching to run).

What data does BigFix collect from personal computers? Why is collecting this information necessary?

BigFix collects user name and system configuration data such as operating system, CPU, RAM, hard drive space. No personal data or information, such as browser history or files in the hard drive, is collected. All system information retrieved by BigFix is treated as confidential by UCSF IT staff. Collecting this information is necessary to verify encryption and associate the computer to the owner.

How does installing and using BigFix on personal computers help keep our sensitive information secure?

BigFix provides an accurate inventory of devices on our network and associates each computer with a specific user. This allows IT to identify unauthorized or compromised computers and take action to protect UCSF data and resources (preventing network outages, for example). BigFix collects system hardware specifics (operating system, CPU, RAM, hard drive space), allowing us to determine whether a system can support encryption. BigFix also allows us to verify patch levels and anti-virus/anti-malware software versions. This functionality supports the implementation of Network Access Control over the next 9-12 months, preventing computers without encryption, and potentially those without anti-malware/anti-virus software or minimum patch levels, from connecting to the UCSF network.

Who has access to the administrator controls for BigFix system?

Designated UCSF IT staff have access to the administrator controls for BigFix. All access to BigFix, and all actions performed within it, are logged and regularly audited.

What processes are in place to prevent unauthorized use of the BigFix system both from internal and external users?

In accordance with the University of California Electronic Communications Policy, administrator rights are limited to professional IT staff who follow industry best practices for system administration, including accessing the minimum amount of data needed to do their work. The BigFix system is housed in the Data Center with restricted physical access and continuous monitoring. Regular patches are applied to ensure system integrity. Administrator access logs are reviewed regularly to ensure appropriate access.

Do the requirements and tools used to protect patient data differ for students from faculty and staff?

No, the tools are the same and allow parity and efficiency for reporting on the posture of UCSF security and risk. The same policies and procedures apply to all students, faculty and staff.

How often does hard drive encryption need to be monitored? And what are acceptable methods for monitoring drive encryption?

Best practices recommend weekly to monthly reporting to ensure encryption requirements are enforced. Combined reporting from BigFix and Dell Data Protection and Encryption (DDPE) confirms that a device is encrypted in the event it is stolen.

I use a tablet device as my primary computing device and never use my laptop for university business or my coursework. Do I still need to install BigFix on my laptop?

Any laptop that you might use to view UCSF email, store a UCSF-related file, or at any point connect to the UCSF network must have BigFix installed. Even if you choose not to use your laptop for UCSF business in any way, you should ensure it is encrypted.

Your tablet cannot run BigFix and therefore is not required to. Configuring your tablet to download UCSF email automatically encrypts the device and enforces a device passcode (PIN); this meets the UCSF minimum security standard.

Since I own and administer my computer, which is used only occasionally for UCSF business, I can’t cede total control of my computer to an ITS administrator.

BigFix will not take away any rights or privileges from your or any other local accounts. You can still install whatever you need without asking permission. It only grants UCSF administrators the ability to push patches and check for encryption and antivirus software.

Does BigFix prevent me from installing system software updates before they are “officially” approved by UCSF ITS? I routinely install system security and version updates, and do not want to be told by BigFix that I can’t install an update.

No. You can still install any new software or updates; BigFix will not prevent that.

Does BigFix require an ITS administrator’s approval to install non-UCSF-related software (e.g., personal finance, photography, network, printer, music, game, etc., software)?

No, no approval needed.

Does my computer user name have to match my UCSF user name? I have multiple users on my computer, including myself as an administrator and as a user, but neither of these user names are the same as my UCSF user name.

No, your computer and user names do not need to be changed. When you install BigFix, it will prompt you for your UCSF username and password. When you enter those, BigFix will associate that computer with you, regardless of your local user or computer name.


Servers

Why is UCSF requiring the installation of BigFix on all servers on the network?

Having visibility into all devices on the network is critical to protecting UCSF data and computing resources. This will provide UCSF IT with an accurate inventory of what devices are on the network, their patch status, and to whom they belong. Unknown or unidentified (i.e. unregistered) devices on the UCSF network are a risk to every other device on the UCSF network and will be subject to removal from the UCSF network.

What to expect after installing BigFix?

BigFix will be started automatically and will show up in the Services snap-in (Windows) or as a process (Linux / Unix). The BigFix client will run in a locked state: it will report back to the server, but it will not run any jobs that apply patches or make changes to the system. BigFix will run in the background, consuming minimal CPU resources, and periodically check in with the server to provide ongoing updates of the system status.

What will IT be doing with BigFix on my server?

BigFix will collect system configuration data such as operating system, CPU, RAM, hard drive space, patch status, and the list of local accounts on the server. BigFix will not collect any personal data or information, such as browser history or user data, stored on the server. IT will not install patches or alter files without consulting the system owner. However, IT reserves the right to disconnect servers from the network or install patches if the system owner has not responded in a timely manner.

Who has access to the administrator controls for BigFix system?

Designated UCSF IT staff have access to the administrator controls for BigFix. All access to BigFix, and all actions performed within it, are logged and regularly audited.

What processes are in place to prevent unauthorized use of the BigFix system both from internal and external users?

In accordance with the University of California Electronic Communications Policy, administrator rights are limited to professional IT staff who follow industry best practices for system administration, including accessing the minimum amount of data needed to do their work. The BigFix system is housed in the Data Center with restricted physical access and continuous monitoring. Regular patches are applied to ensure system integrity. Administrator access logs are reviewed regularly to ensure appropriate access.

What impact does running BigFix on my server have on system performance?

The default CPU usage settings are tuned to avoid using too much CPU on your server. You can expect the BigFix client to use at most 2% of the CPU, calculated against a single processor; if you have multiple processors, the overall percentage of CPU used by the agent is significantly lower.

How compatible is BigFix with other processes/services that typically run on most servers?

BigFix is a widely used systems management tool with a proven track record of not interfering with other server processes. UCSF has run BigFix on tens of thousands of desktops and hundreds of servers over the past few years with minimal issues.