BigFix offers several ways to identify computers that do not have the BigFix Client installed or running:
- BigFix Client Deploy Tool: A tool that will connect to Active Directory and check if the computers have the BigFix Client service running. The BigFix Client Deploy Tool comes installed when you install the BigFix Installation Generator. The BigFix Client Deploy Tool can be used to install the BigFix Client if the computers are in the Active Directory domain.
- BigFix Asset Discovery Fixlet Site: A Fixlet site that allows you to remotely deploy "Scan Points" to periodically scan the remote subnets and then import the data into the BigFix Console. Read below for more details.
BigFix Asset Discovery
The BigFix Asset Discovery Fixlet site helps you find unmanaged computers on the network that do not have the BigFix Client installed (or that do not have the BigFix Client running). It also helps you identify network devices such as routers, printers, and switches that cannot have the BigFix Client installed.
BigFix Asset Discovery works by letting you use Fixlet messages and Tasks to deploy "Scan Points", which are NMAP scanners, to specified BigFix Clients in your network. You can then use Fixlets and Tasks to periodically run scans. The scan results are automatically shipped to the BigFix Server, which imports the data into the database. The scan information can then be viewed in the BigFix Console in the "Unmanaged Asset" tab.
The process works as follows. The designated scan points scan their local subnets. The results are then automatically sent to the BigFix Server, imported into the database, and made available for viewing in the BigFix Console "Unmanaged Assets" tab.
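As an added illustration of the reconciliation step described above (not BigFix's own code or import logic), the following example parses a scan report and lists responding hosts that are missing from an inventory of managed clients. It assumes the scan point produces Nmap's XML report format; the sample report, the inventory set, and the function name `unmanaged_assets` are constructed for this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML report format (-oX); documentation addresses only.
SAMPLE_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.0.2.40" addrtype="ipv4"/>
    <hostnames><hostname name="srv-040.example.test" type="PTR"/></hostnames>
  </host>
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/></host>
  <host><status state="up"/>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <address addr="00:00:5E:00:53:14" addrtype="mac" vendor="ExamplePrint"/>
  </host>
  <host><status state="down"/><address addr="192.0.2.30" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed inventory: addresses of computers already reporting as managed clients.
MANAGED_CLIENT_IPS = {"192.0.2.10"}


def unmanaged_assets(scan_xml, managed_ips):
    """Return responding hosts from an Nmap XML report that are not managed."""
    managed = {ipaddress.ip_address(ip) for ip in managed_ips}
    found = []
    # Reports are assumed to come from your own scan points (trusted XML).
    for host in ET.fromstring(scan_xml).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # host did not respond to the scan
        addrs = {a.get("addrtype"): a.attrib for a in host.findall("address")}
        ip_attrs = addrs.get("ipv4") or addrs.get("ipv6")
        if not ip_attrs:
            continue  # no IP address recorded for this host
        ip = ipaddress.ip_address(ip_attrs["addr"])
        if ip in managed:
            continue  # already has a managed client
        mac = addrs.get("mac", {})
        name = host.find("hostnames/hostname")
        found.append((ip, {
            "ip": str(ip),
            "mac": mac.get("addr"),
            "vendor": mac.get("vendor"),
            "hostname": name.get("name") if name is not None else None,
        }))
    found.sort(key=lambda item: (item[0].version, int(item[0])))
    return [record for _, record in found]
```

Entries with a MAC vendor but no hostname, such as the constructed printer above, are typical of the network devices that cannot have a client installed.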
Instructions for using BigFix Asset Discovery
Follow these instructions to begin using BigFix Asset Discovery:
- First, read the warnings below about using the BigFix Asset Discovery prior to installation.
- Then please see the Deployment Guide at the following location to configure and manage the BigFix Asset Discovery solution: http://publib.boulder.ibm.com/infocenter/tivihelp/v26r1/topic/com.ibm.tem.doc_8.2/Asset_Discovery_Users_Guide.pdf
The warnings below are very important. Please read them before installing the BigFix Asset Discovery Fixlet site. Check with your network team before scanning the network!
Licensing
- When you designate scan points, you are installing the NMAP scanner application available from http://www.insecure.org/nmap. You must agree to the license agreement for NMAP before designating the scan points.
- When you designate scan points, you are also installing the packet capture library, WinPCAP 3.1, available at http://www.winpcap.org/install/default.htm. You must agree to the license agreement for WinPCAP before designating the scan points.
- Nmap is distributed in a .zip file. In order to extract it, BigFix will temporarily download and use Info-Zip's decompression tool. Info-Zip is an open-source decompression utility. More information on Info-Zip is available at http://www.info-zip.org/. You must agree to the license agreement for Info-Zip before designating the scan points.
Potential Scanning Issues
- Network scans can potentially trigger Intrusion Detection Systems.
- Network scans can potentially cause old network devices, such as old printer network devices, to fail if scanned.
- Network scans can potentially cause personal firewalls, such as ZoneAlarm or BlackIce, to advise the user that a computer is scanning the local computer.
- NMAP is sometimes flagged by virus scanners as a potentially harmful tool (because it can be used for malicious purposes). Check to make sure your virus scanner is not set to block NMAP from running.
- If you set NMAP to scan a very large network (such as 10.10.*.*) it will take a very long time and could consume significant bandwidth during the scan. Note that the default scan is the local Class C network, which usually is a fast LAN. BigFix does not recommend scanning large networks across the WAN with this tool.
- Using NMAP to scan is usually a very safe operation, but there potentially could be issues specific to your organization that could result from scanning computers. Please obtain the appropriate authorization before proceeding.