BigFix Endpoint Manager FAQs
- Service Category: Desktop Support
- Owner Team: IT Desktop Engineering
- Service: BigFix Endpoint Management
Frequently asked questions
General
- What is BigFix?
- What information is collected by BigFix?
- By requiring BigFix on all UCSF systems, aren’t we creating an extremely attractive target for hackers? How are you protecting BigFix?
- What is a locked configuration status in BigFix? Who has control over whether a system is locked or unlocked?
- What are security patches? Will a patch reboot my computer?
- I have week-long experiments that run on my computer, and I do not want them to be interrupted with a reboot when patches are applied. How can I ensure that that doesn't happen?
- What if BigFix cannot be installed on the system because it's an appliance?
- My computers are registered in DNS. Why do I need to register them again by installing BigFix or on the device registration webpage?
- My department doesn’t maintain an inventory of systems. What should I do?
- My department has its own IT. How can we get access to BigFix?
- Do I have to register computers owned and managed by a third party that are used on the UCSF network?
- Do I have to register UCSF-owned systems on outside networks?
- Do VA computers require the installation of BigFix?
Desktops and laptops
- Why is UCSF requiring the installation of BigFix on all desktops and laptops on the network?
- What should I expect after installing BigFix?
- What data does BigFix collect from personal computers? Why is collecting this information necessary?
- How does installing and using BigFix on personal computers help keep our sensitive information secure?
- Who has access to the administrator controls for the BigFix system?
- What processes are in place to prevent unauthorized use of the BigFix system by both internal and external users?
- Do the requirements and tools used to protect patient data differ for learners vs. those for faculty and staff?
- How often does hard drive encryption need to be monitored? And what are acceptable methods for monitoring drive encryption?
- I use a tablet device as my primary computing device and never use my laptop for university business or my coursework. Do I still need to install BigFix on my laptop?
- Since I own and administer my computer, which is used only occasionally for UCSF business, must I cede total control of my computer to an ITS administrator?
- Does BigFix prevent me from installing system software updates before they are “officially” approved by UCSF ITS? I routinely install system security and version updates, and I do not want to be told by BigFix that I can’t install an update.
- Does BigFix require an ITS administrator’s approval to install non-UCSF–related software (e.g., personal finance, photography, network, printer, music or games software)?
- Does my computer username have to match my UCSF username? I have multiple users on my computer, including myself as an administrator and as a user, but none of those usernames is the same as my UCSF username.
Servers
- Why is UCSF requiring the installation of BigFix on all servers on the network?
- What should I expect after installing BigFix?
- What will IT be doing with BigFix on my server?
- Who has access to the administrator controls for the BigFix system?
- What processes are in place to prevent unauthorized use of the BigFix system by both internal and external users?
- What impact does running BigFix on my server have on system performance?
- How compatible is BigFix with other processes and services that typically run on most servers?
General
What is BigFix?
- BigFix, formerly IBM Tivoli Endpoint Manager, is endpoint management software that runs on your computer and reports information about it to a central server. At UCSF, registration of desktops and laptops connected to the network is accomplished by installing BigFix.
- Knowing what is attached to the UCSF network is critical to identify and remediate security vulnerabilities. BigFix collects hardware and software information to help IT inventory devices that are attached to the network.
What information is collected by BigFix?
- The information collected from your computer is described on the BigFix Retrieved Properties page.
By requiring BigFix on all UCSF systems, aren’t we creating an extremely attractive target for hackers? How are you protecting BigFix?
- BigFix security measures in place today:
- Require DUO two-factor authentication for access
- Undergo regular vulnerability scanning
- Are patched monthly
- Are monitored and audited for access
- Are rigorously controlled with regard to changes
- All changes require authentication from console administrators. Data is published via web reports for IT support teams; there is no direct access to the console. Ability to unlock systems is limited through strictly monitored change controls and processes.
- Additional measures under consideration include host-based intrusion detection and file-integrity monitoring (e.g., Tripwire).
What is a locked configuration status in BigFix? Who has control over whether a system is locked or unlocked?
- Locking a system excludes it from any action that changes the system, such as patching or installing software. Only data-gathering operations run on a locked client; the exceptions are changes to the BigFix client's own settings and updates of the BigFix client itself. Linux/Unix workstation clients and all server clients default to the locked state.
- Currently, only the BigFix administrators, who are a small team of IT professionals, have the ability to lock and unlock systems. We are currently exploring additional technical and process controls to further restrict locked system changes.
What are security patches? Will a patch reboot my computer?
- Your computer regularly requires software updates, called security patches, to keep the operating system and applications secure. BigFix can deploy needed patches remotely. Depending on the patch, completing a deployment may require a reboot before the next patch can be applied, so a system that is far behind may reboot more than once.
- You will be prompted to reboot with a pop-up message on your computer that describes why you need to reboot (e.g., for computer patching). Under normal circumstances, you will have the ability to defer the reboot for a specified number of hours. When the prescribed time has expired (generally 12 to 18 hours), the window will remain on your screen until you reboot your computer.
- Only under extraordinary circumstances (e.g., a critical security threat that requires immediate action) will your computer be forced to reboot without your approval.
I have week-long experiments that run on my computer, and I do not want them to be interrupted with a reboot when patches are applied. How can I ensure that that doesn't happen?
- The default BigFix client configuration works on most computers attached to data collection devices. Under unusual circumstances, however, the client may install patches and reboot rather than defer patching indefinitely.
- To prevent this, your computer can be categorized to require communication with you before an automated unscheduled reboot takes place. To request that your computer be placed in this category, contact the IT Service Desk at 415-514-4100 with the computer hostname.
What if BigFix cannot be installed on the system because it's an appliance?
- We understand that there are instances when it's impossible to install BigFix, including on devices with embedded operating systems (e.g., networked lab equipment, proprietary data collection/analysis equipment, temperature sensors, alarms or an HPC cluster). An exemption request process has been integrated into the manual registration form at https://ucsf.service-now.com/ess/device.
My computers are registered in DNS. Why do I need to register them again by installing BigFix or on the device registration webpage?
- DNS, the hostname-to-IP-address lookup system, does not record who owns a system or its MAC address, particularly for dynamically allocated addresses, so a DNS entry alone does not tell IT who is responsible for a device. BigFix (or the manual registration form) supplies that information.
My department doesn’t maintain an inventory of systems. What should I do?
- Maintaining an accurate system inventory is foundational for effective management of system security. Guidance for developing a device inventory program is available from the SANS Institute at https://www.sans.org/critical-security-controls.
My department has its own IT. How can we get access to BigFix?
- BigFix for Departmental IT enables you to manage physical and virtual servers, workstations and laptops from a single admin console. Guidance on requesting BigFix access is available at /services/bigfix-management-department-it.
Do I have to register computers owned and managed by a third party that are used on the UCSF network?
- All computers that connect to the UCSF network are required to register by installing BigFix. For the very small number of circumstances when BigFix cannot be installed, an exemption request process has been integrated into the manual registration form at https://ucsf.service-now.com/ess/device.
Do I have to register UCSF-owned systems on outside networks?
- All computers that connect to the UCSF network are required to register by installing BigFix. For the very small number of circumstances when BigFix cannot be installed, an exemption request process has been integrated into the manual registration form at https://ucsf.service-now.com/ess/device. This includes:
- Computers on blended networks at San Francisco General Hospital (SFGH 10.86)
- Any computer owned by UCSF
- Computers supported by UCSF
- Computers at remote sites owned and operated by UCSF
Do VA computers require the installation of BigFix?
- VA computers are controlled by the IT department at the VA and are exempted from installing BigFix. VA IT will register computers on behalf of VA clinicians, staff and trainees.
Desktops and laptops
Why is UCSF requiring the installation of BigFix on all desktops and laptops on the network?
- Having visibility into all devices on the network is critical to protecting UCSF data and computing resources. BigFix provides UCSF IT with an accurate inventory of devices on the network, their patch status and their owners.
- Unknown or unidentified (i.e., unregistered) devices on the UCSF network are a risk to every other networked device and will be subject to removal from the UCSF network.
What should I expect after installing BigFix?
- The BigFix icon will appear in the system tray (Windows) or menu bar (Mac OS X). The BigFix client, running continuously in the background and consuming minimal CPU resources, will report the initial status of your system to the BigFix server.
- BigFix will periodically check in with the server to provide (1) ongoing updates of your system status and (2) checks for new tasks (e.g., patching to run). If the system needs patching, you will be prompted to accept the patching task. You can defer the task, but if it is deferred for too long, the patching task window will stay in the foreground, and you will not be able to dismiss it.
- The system will reboot after the patching task has completed. If the system is significantly behind in patching, multiple reboots may be necessary.
What data does BigFix collect from personal computers? Why is collecting this information necessary?
- BigFix collects username and system configuration data such as operating system, CPU, RAM and hard drive space. Collecting this information is necessary to verify encryption and to associate the computer to the owner.
- No personal data, such as browser history or files on the hard drive, is collected. All system information retrieved by BigFix is treated as confidential by UCSF IT staff.
How does installing and using BigFix on personal computers help keep our sensitive information secure?
- BigFix provides an accurate inventory of devices on our network and associates each computer with a specific user. This allows IT to identify unauthorized or compromised computers and take action to protect UCSF data and resources (e.g., prevent network outages).
- BigFix collects system hardware specifics (operating system, CPU, RAM, hard drive space), allowing us to determine if a system can support encryption.
- BigFix allows us to verify patch levels and anti-virus/anti-malware software versions. This functionality supports the implementation of Network Access Control. Network Access Control prevents computers without encryption, as well as those that may lack anti-malware/anti-virus software or minimum patch levels, from connecting to the UCSF network.
Who has access to the administrator controls for the BigFix system?
- Designated UCSF IT staff have access to the administrator controls for BigFix. All access to BigFix, and all actions performed within it, are logged and regularly audited.
What processes are in place to prevent unauthorized use of the BigFix system by both internal and external users?
- In accordance with the University of California Electronic Communication Policy, administrator rights are limited to professional IT staff, who (1) follow best practices for system administration, including accessing the minimum amount of data to do their work, and (2) review administrator access logs regularly to ensure appropriate access.
- The BigFix system is housed in the Data Center, with restricted physical access and continuous monitoring, and patches are applied regularly to ensure system integrity.
Do the requirements and tools used to protect patient data differ for learners vs. those for faculty and staff?
- No. The tools are the same and allow parity and efficiency for reporting on the posture of UCSF security and risk. In addition, the same policies and procedures apply to all learners, faculty and staff.
How often does hard drive encryption need to be monitored? And what are acceptable methods for monitoring drive encryption?
- Best practice is weekly to monthly reporting so that encryption requirements are verified and enforced. Combining BigFix reporting with Dell Data Protection and Encryption (DDPE) or Jamf Pro confirms that a device is encrypted, which matters most if the device is lost or stolen.
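The reconciliation that such a periodic report performs, as an added example (not UCSF, BigFix, DDPE or Jamf code): two inventory exports are joined by hostname, and a host is flagged when it is missing from BigFix (unregistered), when its last BigFix report is older than the reporting window, when neither source gives a conclusive encryption state, when the two sources disagree, or when they agree the drive is not encrypted. The rows, the column names ("encryption", "filevault", "last_report") and the 30-day window are constructed assumptions, not the products' real export schema.

```python
"""Reconcile drive-encryption evidence from two inventory exports.

Added example, not UCSF, BigFix or Jamf code. The rows below are
constructed to resemble parsed CSV exports from a BigFix web report
and a Jamf Pro / DDPE encryption report; the column names are
assumptions, not the products' real schema.
"""
from datetime import datetime, timedelta

MAX_AGE = timedelta(days=30)   # assumed reporting window (weekly to monthly per the FAQ)
NOW = datetime(2024, 3, 4)     # fixed "today" so the example is reproducible

# Constructed sample data: BigFix retrieved properties per registered host.
BIGFIX_ROWS = [
    {"hostname": "lab-ws-01", "owner": "jdoe",   "last_report": "2024-03-01T09:00:00", "encryption": "Encrypted"},
    {"hostname": "lab-ws-02", "owner": "asmith", "last_report": "2024-03-02T12:30:00", "encryption": "Not Encrypted"},
    {"hostname": "lab-ws-03", "owner": "bchen",  "last_report": "2024-01-05T08:00:00", "encryption": "Encrypted"},
    {"hostname": "lab-ws-04", "owner": "dlee",   "last_report": "2024-03-03T10:15:00", "encryption": "Unknown"},
    {"hostname": "lab-ws-06", "owner": "efox",   "last_report": "2024-03-03T11:00:00", "encryption": "Unknown"},
]
# Constructed sample data: Jamf Pro FileVault status for managed Macs.
JAMF_ROWS = [
    {"hostname": "lab-ws-02", "filevault": "On"},
    {"hostname": "lab-ws-04", "filevault": "Off"},
    {"hostname": "lab-ws-05", "filevault": "On"},
]


def _tri(value, yes, no):
    """Map a vendor status string to True/False, or None when it is not conclusive."""
    v = value.strip().lower()
    if v == yes:
        return True
    if v == no:
        return False
    return None


def evaluate(bigfix_rows, jamf_rows, now=NOW, max_age=MAX_AGE):
    """Return {hostname: [findings]}; an empty list means the host is compliant."""
    bigfix = {r["hostname"]: r for r in bigfix_rows}
    jamf = {r["hostname"]: r for r in jamf_rows}
    findings = {}
    for host in sorted(set(bigfix) | set(jamf)):
        issues = []
        bf, jf = bigfix.get(host), jamf.get(host)
        if bf is None:
            # Present in Jamf only: the device never registered via BigFix.
            issues.append("not registered in BigFix")
        else:
            age = now - datetime.fromisoformat(bf["last_report"])
            if age > max_age:
                issues.append(f"stale: last report {age.days} days ago")
        # Collect conclusive encryption evidence from whichever sources know the host.
        evidence = [
            e for e in (
                _tri(bf["encryption"], "encrypted", "not encrypted") if bf else None,
                _tri(jf["filevault"], "on", "off") if jf else None,
            )
            if e is not None
        ]
        if not evidence:
            issues.append("no encryption evidence")
        elif len(set(evidence)) > 1:
            issues.append("conflicting encryption evidence")
        elif evidence[0] is False:
            issues.append("not encrypted")
        findings[host] = issues
    return findings


def noncompliant_hosts(findings):
    """Hosts with at least one finding, sorted for a stable report."""
    return sorted(h for h, issues in findings.items() if issues)


if __name__ == "__main__":
    for host, issues in evaluate(BIGFIX_ROWS, JAMF_ROWS).items():
        print(host, "OK" if not issues else "; ".join(issues))
```

Conflicting evidence is reported separately from "not encrypted" on purpose: a host that one tool calls encrypted and the other calls unencrypted usually indicates a stale or misattributed record rather than a known state, and it needs a person to look rather than an automated enforcement action.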
I use a tablet device as my primary computing device and never use my laptop for university business or my coursework. Do I still need to install BigFix on my laptop?
- Any laptop that you may use to view UCSF email; store a UCSF-related file; or ever, at any point, connect to the UCSF network must have BigFix installed. Even if you choose not to use your laptop for UCSF business in any way, you should ensure that it is encrypted.
- Your tablet cannot run BigFix and therefore is not required to. Configuring your tablet to receive UCSF email applies a policy that enforces device encryption and a device passcode (PIN). This meets the UCSF minimum security standard.
Since I own and administer my computer, which is used only occasionally for UCSF business, must I cede total control of my computer to an ITS administrator?
- BigFix will not take away any rights or privileges from your local accounts or any others. You can still install whatever you need without asking permission.
- BigFix only grants UCSF administrators the ability to automatically push patches; check for encryption and anti-virus/anti-malware software; and install required security software, so you do not have to install them on your own.
Does BigFix prevent me from installing system software updates before they are “officially” approved by UCSF ITS? I routinely install system security and version updates, and I do not want to be told by BigFix that I can’t install an update.
- No. You can still install any new software or updates; BigFix won’t prevent that.
Does BigFix require an ITS administrator’s approval to install non-UCSF–related software (e.g., personal finance, photography, network, printer, music or games software)?
- No. No approval is needed.
Does my computer username have to match my UCSF username? I have multiple users on my computer, including myself as an administrator and as a user, but none of those usernames is the same as my UCSF username.
- No, your computer and user names do not need to be changed. When you install BigFix, the installer prompts you for your UCSF username and password; BigFix then associates the computer with you regardless of your local user names or computer name.
Servers
Why is UCSF requiring the installation of BigFix on all servers on the network?
- Having visibility into all devices on the network is critical for protecting UCSF data and computing resources. BigFix provides UCSF IT with an accurate inventory of devices on the network, their patch status and their owners.
- Unknown or unidentified (i.e., unregistered) devices on the UCSF network are a risk to every other networked device and will be subject to removal from the UCSF network.
What should I expect after installing BigFix?
- BigFix starts automatically and appears in the Services snap-in (Windows) or as a process (Linux/Unix). It runs continuously in the background, consuming minimal CPU resources and periodically checking in with the server to provide ongoing updates of your system status.
- The BigFix client will run in a locked state. It will report back to the server but will not run any jobs that would apply patches or make changes on the system.
What will IT be doing with BigFix on my server?
- BigFix will collect system configuration data such as operating system, CPU, RAM, hard drive space, patch status and list of local accounts on the server. BigFix will not collect any personal data or information, such as browser history or user data, stored on the server.
- IT will not install patches or alter files without consulting the system owner. Note: IT reserves the right to disconnect a server from the network, or to install patches, if the system owner has not responded in a timely manner.
Who has access to the administrator controls for the BigFix system?
- Designated UCSF IT staff have access to the administrator controls for BigFix. All access to BigFix, and all actions performed within it, are logged and regularly audited.
What processes are in place to prevent unauthorized use of the BigFix system by both internal and external users?
- In accordance with the University of California Electronic Communication Policy, administrator rights are limited to professional IT staff, who (1) follow best practices for system administration, including accessing the minimum amount of data to do their work, and (2) regularly review administrator-access logs to ensure appropriate access.
- The BigFix system is housed in the Data Center, with restricted physical access and continuous monitoring. Patches are applied regularly to ensure system integrity.
What impact does running BigFix on my server have on system performance?
- The default CPU usage settings are tuned to keep the client from consuming too much CPU on your server. Expect the BigFix client to use at most about 2 percent of a single processor's time; on a server with multiple processors, the client's share of total CPU capacity is correspondingly smaller.
How compatible is BigFix with other processes and services that typically run on most servers?
- BigFix is a widely used systems management tool with a proven track record of not interfering with other server processes. UCSF has run BigFix on tens of thousands of desktops and hundreds of servers over the past few years with only minimal issues.