Skip navigation

BMC Helix

4 Posts authored by: Crystal Miceli
Share This:

Updated 1/22/18


Two vulnerabilities (known as Meltdown, CVE-2017-5754, and Spectre, CVE-2017-5753 & CVE-2017-5715) were publicly disclosed on January 3, 2018.  These vulnerabilities can impact almost all modern-day CPUs through an architecture design flaw within the hardware itself. Meltdown flaw includes application-level access to system memory, including memory allocated for the kernel. Spectre actually consists of two variants that can include the ability for one application to force another application to access arbitrary portions of its memory, which can then be read through a side channel. Both vulnerabilities are known to be exposed to servers, workstations, mobile devices, web browsers, and more.


BMC continues to monitor the industry regarding these threats, as well as individual vendor/supplier updates related to available patches/fixes. While many patches have been made available, there have also been widespread reports of system performance and stability impacts to various patches, prompting some vendors to pull those patches and recommend against them. In light of this, and in alignment with risk analysis against our services and assets, have prompted the following actions for BMC OnDemand services.

  • Anti-virus updated with patch enhancements to support recommended Meltdown/Spectre patching, as well as up-to-date definitions to minimize ability to launch remote execution exploits.
  • OS patches applied to shared multi-user systems.
  • Infrastructure software hosted by AWS have been addressed.
  • Infrastructure software hosted by BMC OnDemand will proceed with required updates by February.


At this time, additional vendor-issued firmware patches are still under review and will await confirmation of stable resolutions before deploying further to customer systems.  Once available, patching will be scheduled and coordinated as part of emergency and schedule maintenance windows, as needed.


In the meantime, please note that various mitigations are also in place, including but not limited to, BMC OnDemand services operating in private cloud environments, with dedicated hosting hardware not shared with other companies, therefore minimizing likelihood of exploitation.  Intrusion prevention systems also receive updates as needed (at least daily) to monitor specific attack code and websites hosting the attack code as they emerge.  Updates will continue to be applied for ongoing coverage updates as new exploits emerge.


More information about these flaws can be found here:

Share This:

Notifications are a critical part of the process of managing the lifecycle of incidents, problems, changes, etc. But we find that teams often struggle on how to best TEST notifications when going live for the first time or adopting new features. Why is it a challenge? Systems usually have real people data, including email addresses, and it’s important to avoid sending “test” notifications to these real individuals if they are not participating in the testing.

So how do you limit who receives emails during these test cycles?

Possible Approaches

  • For newly activated environments – Email engine is always configured and active on all the environments by default. This includes Remedy ITSM, SmartIT and MyIT/DWP apps.
    • If there is requirement to stop/disable email notifications on any of the environments, customers/implementation teams can submit a request with BMC Service Desk through
    • BMC Service Desk can help with disabling notifications by stopping the email engine or disabling outgoing/incoming mailbox configurations.
  • To disable notifications at the user level, the implementation team or customer admins will be responsible for making the necessary configuration changes.


The BMC RaaS team has provided some recommendations which can be followed to limit unexpected emails to non-testers during your UAT. You may choose one or many of these options depending on your use case.


Options to disable notifications

If you are conducting a system UAT or testing in a non-prod environment, and have full set of foundation and people data configured in the system, OOTB notification rules may trigger system generated notifications to end users and support staffs configured in the system. To avoid this “spamming” situation where false notifications to go out to the real user base, one of the following options can be followed:


1.   Ensure there is no email address configured for user profile; i.e.; “Email Address” field on CTM:People form has no valid email address configured for the user.  You can remove “email Address” for the users who don’t need to receive notifications.
Note: This option however may not be feasible when you are looking to disable notifications for a large user base, you may want to consider other options depending on your use case.


2.  Turn off notifications for individual users. In this scenario, “Notification Availability” is set to ‘No’ for the user profile. This configuration option is available on CTM:People form under Notificaitons tab. If Notification Availability is set to “No”, notification engine skips that user profile for sending any email notification. You can update this setting for bulk user at one time.


3.   Disable notification by Support Group. If your requirement is to avoid sending notifications to all the members of a particular or multiple support groups, you can achieve this by updating individual support group configuration. “Disable Group Notificaitons = Yes” on Group Notifications Settings tab on CTM:Support Group form will turn off group notifications.


TIP: You can configure a distribution list (it can be an individual’s email address also) configured in support group configuration. If yyou do this, the notification engine will not send notifications to any of the support group members, instead a single notification will be sent to the email address defined in Group Email field. This can be useful when you are performing testing and want to avoid notifications going out to real support staff without making any changes to their people profiles. For details refer – Configuring Support group Notifications


4.   Change notification rules. There are several notification rules configured OOTB on basis of which notifications are sent out for different ITSM modules. You can create “User Notification Events” if you have a requirement to overwrite default “System Notification Events”. User Notification events have precedence over supersede system notification events.

NOTE: Do not modify any System notification Event. Always create corresponding “User Notification Event” for corresponding Notification type which require customization. Detailed documentation -

  1. Notification Workflow
  2. BMC Remedy ITSM notification Events


Alternatively you can also follow instructions on one of the following links to disable notifications-

    1. Changing Notification Availability
    2. Setting notification Preferences
    3. Disabling Notifications


We hope this guidance helps you to thoroughly test notifications without sending unexpected messages to those outside the test group! Many thanks to Aditya Sharma for this guidance!

Share This:

In the customer service business, management fields a lot of complaints. Tasks aren't completed quickly enough, or needed information is not available, or a product doesn't behave as desired. What I've learned over the years is this. Set the right expectations - and expectations can be met.


Think about a visit to your dry cleaner on a Monday afternoon. You drop off your clothes and the person at the desk asks you an important question: "Is Thursday ok?" Maybe you were hoping to have those clothes back by Wednesday - but you've just received a reality check.  The cleaner isn't saying Thursday arbitrarily. It's what they feel is a realistic time estimate that they can meet. It's an achievable SLA.


Now's your chance. You can negotiate. One particular suit is crucially needed by Wednesday for the biggest meeting of your career. Can that one item be done earlier? When the cleaner tells you it can, you feel like you've hit the jackpot. When the cleaner delivers on the promise made, they've earned your trust and loyalty. So how did the dry cleaner do all this, while pushing back on what you originally wanted from the service? And what is your role in keeping the relationship healthy?


  • Service Provider
    • Know what you're capable of delivering
      • Examine your business, resources and work loads, and give yourself a little room for the unexpected before entering into service contracts.
    • Set the right expectations up front
      • Tell the customer what is reasonable, but be willing to give a little to foster good-will when it's possible.
  • Service Recipient
    • Negotiate reasonably
      • Don't demand more than you truly need. Be flexible and respectful of both sides of the relationship, knowing that you're both professionals in need of a mutually beneficial arrangement.
      • Don't overuse the "emergency card." When emergencies happen (and they will), your service provider is happy to try to do something extraordinary, but not if it's a constant situation that could have been prevented with some better planning.


If both sides have courtesy, trust and respect for one another and follow these guidelines, a healthy, long-term relationship can be formed that benefits both parties.


Let's see the other way this interaction could have gone, just to illustrate the need for these simple rules.


You arrive at the store on Monday afternoon and the dry cleaner doesn't ask if Thursday is ok, but rather - "What day do you need them back?" You have no knowledge of the current workload of the dry cleaner, but you know that you need that suit on Wednesday, so you decide to ask for more than you need just to be safe. "I need them on Tuesday," you say. The cleaner shakes his head. "I can do Thursday." You get a little more aggressive. "Wednesday is my drop dead date." The cleaner says that it all can't be done by then, and you walk out of the store to seek another cleaners as time slips away. Nobody got what they wanted because expectations were not set properly and pro-actively, and negotiations were not reasonable.


As a service provider, you have the first move in this interaction. How well you know your capability to deliver, and how pro-actively you share that information with customers to build a relationship based on clear expectation setting and delivery - makes all the difference.

Share This:

As you may have heard by now, there is a major ransomware being spread across the globe over the past 24 hours, and it is particularly nasty.  It is going by some variation of WannaCry.  Being malware, it spreads to any vulnerable Windows system it finds.  Also being ransomware, it will encrypt local data and hold it for ransom in order to decrypt it.


What you need to know:

First, BMC OnDemand is NOT currently affected by this outbreak.  We have performed a variety of actions to ensure our environment is safe and remains that way.  This includes perimeter checkpoints, including intrusion prevention policies, port restrictions, and network vulnerability scanning.  In addition, our endpoints have also been updated with the emergency definitions to specifically protect against this malware.  Critical systems are also being updated as needed, and we are performing proactive scanning to ensure our risk level remains low.  Finally, we have implemented several security alerts to ensure any potential exposure notifies us as quickly as possible.


We will continue to monitor the situation, and provide updates as necessary as we continue our pro-active measures to prevent disruptions to your service.


Please let us know if you have any questions.


-The BMC OnDemand Team

Filter Blog

By date:
By tag: