BigFix Client Compliance

BigFix Client Compliance solutions ensure that computers are in full compliance with corporate security policies and best-practice standards when accessing enterprise networks. To use the BigFix Client Compliance, an extension is added to the BES Client that enables:
  • Self Quarantine: Enables network access control software (VPN clients, firewalls, etc.) to quarantine the computer based on the compliance evaluation results from the BES Client.
  • Network Enforced Quarantine: Enables network admission control frameworks and technologies (Cisco Network Admission Control, InfoExpress CyberGatekeeper, Sygate Secure Enterprise, ZoneLabs Integrity, and others), to quarantine the computer based on the compliance evaluation results from the BES Client.

Using either of these methods, you can specify a compliance policy that will check the following:

  • Patch Status: Check that the computer has all the latest patches that are required by company policy.
  • Security Configuration: Check that all the security policies are in place and there are no security vulnerabilities (weak passwords, open shares, unauthorized USB/wireless devices, insecure settings, etc.).
  • AntiVirus Status: Check that the AntiVirus agent is installed and enabled, the definitions are up-to-date, and no viruses are currently detected.
  • AntiSpyware Status: Check that the computer has AntiSpyware protection in place and working.
  • Configuration Standards: Custom compliance checks can easily be added to allow for additional flexible policies.

How does it work?

  • Create a compliance document: Using the BES Console, you can specify the the compliance policies that you want to enforce. The information is compiled into a compliance document.
  • Distribute the compliance document: Using the BES Console, select the computers (or computer groups) that will receive the compliance documents. This allows for you to specify different compliance policies for different types of computers (i.e., servers in the data center have different policies than mobile laptops).
  • Configure network enforcement agent: The network enforcement agent needs to be configured to query the BES Client for the compliance status based on the compliance document. The details of the configuration depend on which network enforcement agent is used. The BES Client can automatically configure the network enforcement agent for many network enforcement products (see below for details).
  • Assessment and Quarantine: The network enforcement agent will now to repeatedly query the BES Client for the compliance status of the computer. If the computer is not in compliance, it will automatically quarantined by the network enforcement agent.
  • Automated remediation: Even in quarantine, the BES Client will automatically remediate the computer into compliance, enabling the computer to be seamlessly placed onto the network.

BigFix Client Compliance Configuration Fixlet Site

The BigFix Client Compliance Configuration Fixlet site provides content that allows you to install, update, and remove the BigFix Client Compliance extension. In addition, there are tools that can be used to update the rules for determining compliance, analyze the results of compliance tests, and customize specific compliance standards.

Companion Quarantine Fixlet Sites

There are additional companion Fixlet sites that provide following functionality for each supported 3rd-party network admission technology:
  • Determining whether or not a computer requires quarantine.
  • Configuring the the quarantine action.
  • Configuring the action to release the computer from quarantine.

Detailed information about these sites can be found here: