Multiple Customer Deployments

Updated 1/11/17, 8:07 PM by APTNinja

MSP Platform Scheme

The following scheme shows how BigFix components should be implemented to manage multiple customers on the same BigFix Server.

The BigFix Server in the MSP Datacenter should only be accessible by MSP Top-Level Relays.

Each customer should install at least one Top-Level Relay in its network and make sure this machine can reach the MSP Top-Level Relays on TCP port 52311 and can be reached by the MSP Top-Level Relays on TCP port 52311.


How to Segregate Customers

To uniquely identify each customer on the BigFix Console, MSPs will use a mix of a BigFix Console property, a customized BigFix Client installation and the Operator Management Rights features.

For each new customer, decide which customer identifier value will be used. Also decide which operator login name will be used; it is best to match it to the customer identifier value. For multi-tenancy reasons, use generic values, for example a 4-digit value.

For example, the first customer's cid will be 0001 and the associated operator login name will be 0001.


BigFix Console Property

On the BigFix Console, log in as a Master Operator and create a BigFix Property named cid (short for customer identifier) with the relevance below:

if (exists setting "cid" whose (exists value of it) of client) then value of setting "cid" of client else "no cid"



BigFix Client Installer Customization for Customer Top-Level Relay

To make sure each BigFix Client will report its cid value at installation time, you will create installer configuration files for each customer.

This configuration file will be used to install the BigFix Client on the machine(s) that will become the customer Top-Level Relay(s).

This configuration file will be named clientsettings.cfg and will contain the following lines:







Then put this file in a copy of the client installer folder and install the BigFix Client on the customer machine(s) that will become their Top-Level Relay(s).

Once this is done, the machine(s) will start reporting in to the MSP Top-Level Relays and should be visible in the BigFix Console.


NOTE: If the clients are having problems reporting, the information from the custom property will not make it back up to the console, and you will not see the computers listed in the custom site they are supposed to be subscribed to. Ensure that clients are able to report into the server/console first to solve the problem.


BigFix Console Operator Creation

By default, all BigFix Clients subscribe to the Master Operator Actionsite, so using Master Operator accounts to manage specific customers should be avoided, as other customers will be able to view the same Actionsite information on their own computers.

To avoid this scenario, you will need to create a specific BigFix Console Operator account that will only be able to manage a specific customer's BigFix Clients.

To do so, launch the BigFix Administration tool. Click “Add User”.

Fill in relevant information and select options as below. The screenshot shows the creation of an Operator for a customer having a cid value of 0001.

Once this is done, connect to the BigFix Console with a Master Operator account.

Go to the Console Operators tab. Right-click the newly created Operator (0001 in this case), and click on “Assign User Management Rights”.

Click “Add”, and browse the left tree to “By Retrieved Property”, “By cid” and select the cid value of this customer, as shown below:


Then log out from the BigFix Console and log back in with the Operator login you just created (0001 in this example).

Install the BigFix Relay function by deploying the task “Install BigFix Relay x.x.x.x” from the BES Support site, where x.x.x.x is the current version of the Relay software (it should match the version of the BigFix Server & Console).

Check connectivity from MSP Top-Level Relay to Customer Top-Level Relay:

telnet customer-top-level-relay 52311


TEM Console Custom Content Sites for Customers

Circumstances may arise whereby the MSP is required to manage and/or deploy custom content for a specific customer. To avoid all customers' BigFix Clients downloading and evaluating this custom content, the MSP must create “Custom Sites” and subscribe only the specific customer's BigFix Clients to that site.

For example, you might create a custom site called “custom-0001” and subscribe only BigFix Clients whose cid = 0001 to that site. You would also need to assign “Owner” privileges on the custom site “custom-0001” to the BigFix Console user id 0001, as this is the BigFix Console account being used to manage BigFix Clients with the cid equal to 0001.

Also note that by default, the BigFix Operator accounts you create for each customer cid will have no access to the IBM External sites, such as Patches for Windows, Asset Discovery, Inventory & License, etc, so you will need to give “Reader” access for any of these sites that are required by these customer specific BigFix Console Operator accounts.
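
The segregation rules described above (a cid on every client, an operator login matching the cid, and a custom site owned by and subscribed to one cid only) can be checked against exported inventory. The following Python check is an added example, not part of the original page or of any BigFix tooling; the record layout, the audit function and the sample hosts are constructed, and the 4-digit pattern is an assumption taken from the page's example.

```python
import re

NO_CID = "no cid"  # value the cid property's relevance returns when the setting is absent

def audit(computers, operators, sites):
    """Return sorted (finding, subject) pairs for a constructed inventory export.

    computers: {hostname: value of the cid property}
    operators: {operator login: set of cid values in its management rights}
    sites:     {custom site name: {"owner": login, "subscribed_cids": set}}
    """
    findings = []
    for host, cid in computers.items():
        if cid == NO_CID:
            # Falls outside every per-customer operator's management rights.
            findings.append(("missing-cid", host))
        elif not re.fullmatch(r"[0-9]{4}", cid):
            # Assumption: the 4-digit generic convention from the page's example.
            findings.append(("non-generic-cid", host))
        elif cid not in operators:
            findings.append(("cid-without-operator", host))
    for login, rights in operators.items():
        if rights != {login}:  # login should match the one cid it manages
            findings.append(("operator-scope-mismatch", login))
    for name, site in sites.items():
        cid = name[len("custom-"):] if name.startswith("custom-") else name
        if site["owner"] != cid or site["subscribed_cids"] != {cid}:
            findings.append(("site-crosses-customers", name))
    return sorted(findings)

# Constructed sample data (hypothetical hosts, not from a real deployment).
COMPUTERS = {
    "relay-a": "0001", "ws-a1": "0001", "relay-b": "0002",
    "ws-b1": "no cid", "ws-c1": "acme", "ws-d1": "0003",
}
OPERATORS = {"0001": {"0001"}, "0002": {"0001", "0002"}}
SITES = {
    "custom-0001": {"owner": "0001", "subscribed_cids": {"0001"}},
    "custom-0002": {"owner": "0002", "subscribed_cids": {"0001", "0002"}},
}

if __name__ == "__main__":
    for kind, subject in audit(COMPUTERS, OPERATORS, SITES):
        print(f"{kind:26} {subject}")
```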


BigFix Web Report Management

User Creation

To create a Web Report User for each customer, do the following:

  • Log in to the Web Reports interface using an Admin account.
  • Go to the Administration>Users page and click on “Add New User”.
  • Fill the username field. You are not required to use a generic name, because this information is not sent and consequently not visible in BigFix Client registry keys or log files.
  • Fill in the password field.
  • Select the option “Restrict normal user by Console Operator” and select the appropriate BigFix Console Operator id (you should see a list of all the BigFix Console Operator IDs that you created for every customer cid).
  • Check option “Restrict user to Read-Only mode”.
  • Finally click on “Add New User”. The following screenshot shows an example:


BigFix Client Installer Customization for Customer BigFix Clients

This configuration file will be named clientsettings.cfg and will contain the following information:







Then put this file in a copy of the client installer folder.

If you plan to use the Client Deploy Tool, also put this file under “BESClientDeploy\BigFixInstallSource\ClientInstaller”.


Message Level Encryption

Follow the instructions at to enable Message Level Encryption for more security.