MSP Platform Scheme

The following scheme shows how TEM components should be implemented to manage multiple customers on the same TEM Server.

The TEM Server in the MSP Datacenter should only be accessible by MSP Top-Level Relays.

Each customer should at least install one Top-Level Relay in its network, and make sure this machine can access MSP Top-Level Relays on TCP 52311 and can be accessed by MSP Top-Level Relays on TCP port 52311.

How to Segregate Customers

To uniquely identify each customer on the TEM Console, MSP’s will use a mix of TEM Console property, customized TEM Client installation and Operator Management Rights features.

For each new customer, decide which customer identifier value will be used. Also decide with operator login name will be used. Best is to match the customer identifier value. For multi-tenancy reason, use generic values, for example a 4-digit value.

For example, first customer cid will be 0001 and associated operator login name will be 0001.


TEM Console Property

On the TEM Console, login as a Master Operator and create a TEM Property named cid (stands for customer identifier), with the below relevance:

if (exists setting "cid" whose (exists value of it) of client) then value of setting "cid" of client else "no cid"


TEM Client Installer Customization for Customer Top-Level Relay

To make sure each TEM Client will report its cid value at installation time, you will create installer configuration files for each customer.

This configuration file with be used to install the TEM Client on the machine(s) that will become the customer Top-Level Relay(s).

This configuration file will be named clientsettings.cfg and contain the following lines:

cid=<put cid value here without any quote>

_BESClient_Register_Affiliation_SeekList=<put cid value here without any quote >

_BESRelay_Register_Affiliation_AdvertisementList=<put cid value here without any quote>

__RelayServer1="http://<MSP-top-level-relay-1 FQDN>:52311/bfmirror/downloads"

__RelayServer2="http://<MSP-top-level-relay-2 FQDN>:52311/bfmirror/downloads"

_BESClient_RelaySelect_FailoverRelay="http://<MSP-failover-relay FQDN>:52311/bfmirror/downloads"

Then put this file in a copy of the client installer folder and install the TEM Client on the customer machine(s) that will become their Top-Level Relay(s).

Once this is done, the machine(s) will start reporting in to the MSP Top-Level-Relays and should be visible in the TEM Console.


TEM Console Operator Creation

By default, all TEM Clients subscribe to the Master Operator Actionsite, so using Master Operator accounts to manage specific customers should be avoided, as other customers will be able to view the same Actionsite information on their own computers.

To avoid this scenario, you will need to create a specific TEM Console Operator account that will only be able to manage a specific customers TEM Clients.

To do so, launch the TEM Administration tool. Click “Add User”.

Fill in relevant information and select options as below. The screenshot shows the creation of an Operator for a customer having a cid value of 0001.

Once this is done, connect to the TEM Console with a Master Operator account.

Go to Console Operators tab. Right-click the newly created Operator (0001 in this case), and click on “Assign User Management Rights”

Click “Add”, and browse the left tree to “By Retrieved Property”, “By cid” and select the cid value of this customer, as shown below:

Then log out from the TEM Console and log back in with the Operator login you just created (0001 in this example).

Install TEM Relay function by deploying task “Install TEM Relay x.x.x.x”, from BES Support site, where x.x.x.x is the current version of the Relay software (should match same version as the TEM Server & Console).

Check connectivity from MSP Top-Level Relay to Customer Top-Level Relay:

telnet customer-top-level-relay 52311

TEM Console Custom Content Sites for Customers

Circumstances may arise whereby the MSP is required to manage and/or deploy custom content for a specific customer. To avoid all customers TEM Clients downloading and evaluating this custom content, the MSP must create “Custom Sites” and subscribe only the specific customers TEM Clients to that site.

For Example, you might create a custom site called “custom-0001” and subscribe only TEM Clients whose cid = 0001 to that site. You would also need to assign “Owner” privileges to the custom site “custom-0001” to the TEM Console user id 0001, as this is the TEM Console account being used to manage TEM Clients with the cid equal to 0001.

Also note that by default, the TEM Operator accounts you create for each customer cid will have no access to the IBM External sites, such as Patches for Windows, Asset Discovery, Inventory & License, etc, so you will need to give “Reader” access for any of these sites that are required by these customer specific TEM Console Operator accounts.

TEM Web Report Management

User Creation

To create a Web Report User for each customer, do the following:

  • Login in to the Web Reports interface using an Admin account.
  • Go to Administration>Users page, click on “Add New User”.
  • Fill the username field. You are not required to use a generic name, because this information is not sent and consequently not visible in TEM Client registry keys or log files.
  • Fill in password field.
  • Select option “Restrict normal user by Console Operator” and select the appropriated TEM Console Operator id (you should see a list of all your TEM Console Operator ID’s that you created for every customer cid).
  • Check option “Restrict user to Read-Only mode”.
  • Finally click on “Add New User”. The following screenshot shows an example:

TEM Client Installer Customization for Customer TEM Clients

This configuration file with be named clientsettings.cfg and contain following information:

cid=<put cid value here>

_BESClient_Register_Affiliation_SeekList=<put cid value here>

_BESRelay_Register_Affiliation_AdvertisementList=<put cid value here>

__RelayServer1="http://<Customer-top-level-relay-1 FQDN>:52311/bfmirror/downloads"

__RelayServer2="http://<Customer-top-level-relay-2 FQDN OR -top-level-relay>:52311/bfmirror/downloads"

_BESClient_RelaySelect_FailoverRelay="http://<MSP-failover-relay FQDN>:52311/bfmirror/downloads"

Then put this file in a copy of client installer folder.

If you plan to use the ClientDeploy Tool, also put this file under “BESClientDeploy\BigFixInstallSource\ClientInstaller”

Message Level Encryption

Follow the instructions at to enable Message Level Encryption for more security.