Install BigFix Endpoint Manager – UCSF IT does the rest!
BigFix is required for all computers conducting UCSF business, whether a machine is UCSF-owned or your personal computer. This is because, when it comes to securing UCSF IT resources, we can't fix what we can't see.
The BigFix Endpoint Manager allows UCSF IT to find, fix and secure IT resources attached to the UCSF network. Using BigFix, we can track a computer, associate the computer with a user, and collect system information (e.g., OS, CPU, RAM, hard drive space).
This ensures that you have the UCSF IT Security Suite to protect your computer and the UCSF network. It also allows us to verify that your computer is patched, encrypted and protected from viruses and malware.
Another important reason for having BigFix on your computer is that UCSF IT will automatically install required security software via BigFix. This security software:
- Helps verify that devices meet UCSF’s minimum security standards
- Searches for signs that a system has been compromised
- Collects forensic data if a security alert is triggered
- Prevents computers without encryption, and potentially those without anti-malware or anti-virus protection or minimum patch levels, from connecting to the UCSF network
Verify if BigFix is installed
Because BigFix allows us to track a computer, associate the computer with a specific user and collect system specifics (e.g., OS, CPU, RAM, hard drive space), we are able to determine if a system can support encryption. BigFix can also be leveraged to verify patch levels and anti-virus/anti-malware software versions.
Note: Having BigFix on your computer is also important because UCSF is implementing Network Access Control. This will prevent computers without encryption, and potentially those without anti-malware or anti-virus protection or minimum patch levels, from connecting to the UCSF network.
How to verify BigFix installation
On a Windows computer, click on the icon with the purple circle and a green arrow in the system tray (lower right-hand corner of your screen).
On your Mac OS X computer, in the upper-right of the menu bar near the clock, look for the purple circle with a green arrow and click on it.
How to install BigFix
If you do not see the BigFix icon, download the appropriate installer for your computer or server (e.g., Windows, Mac OS X, Linux).
What to expect after installing BigFix
Desktops and laptops
You will be prompted to register your computer through a simple, quick process: Follow the instructions at Registering Your Computer.
BigFix will run in the background, and the BigFix icon will appear on the system tray (Windows) or menu bar (Mac OS X).
BigFix will automatically install required security software, such as Forescout SecureConnector, so you do not have to install the software on your own. The security software will:
- Verify that devices meet UCSF’s minimum security standards
- Search for signs that a system has been compromised
- Collect forensic data if a security alert is triggered
If the system needs patching, you will be prompted to accept the patching task through a pop-up window. You can defer this task, but if it is deferred too long, the pop-up will stay in the foreground, and you will not be able to dismiss it.
The system will reboot after the patching task has completed. If the system is significantly behind in patching, multiple reboots may be necessary.
Servers and Linux workstations
BigFix will be started automatically. It will show up in the Services Snap-in (Windows) or as a process (Linux / Unix). The BigFix client will run in a locked state. It will report back to the server, but it will not run any jobs that would apply patches or make changes on the system.
BigFix will run in the background, consuming minimal CPU resources, and will periodically check in with the server to provide ongoing updates of the system status.
BigFix on lab computers and data collection computers
The default BigFix installer will work on most computers that are attached to data collection devices. However, in unusual circumstances, the BigFix client may install and reboot for patching rather than indefinitely deferring patches.
For those cases, your computer can be categorized to require communication before an automated unscheduled reboot. To request placement of your computer in this category, contact the IT Service Desk at 415-514-4100 and provide the computer hostname.
Registration is required for these systems. However, an exemptions request process has been integrated into the manual registration form: https://ucsf.service-now.com/ess/device.