BMC Client Management (BCM) is a client/server system that can inventory devices, take control of them, distribute software, patch, deploy Windows operating systems, and provide many other functions. Most importantly, this functionality is available for devices on the LAN and also for devices on the WAN. It has never been easier to take control of devices on the WAN by using remote control on request: simply send an invite to a user to take control of their computer.
It is composed of:
- A master server that is connected to a SQL Server Express, SQL Server, Oracle or PostgreSQL database.
- Consoles to connect to the master server and perform all operations available. The console can run from the LAN and/or from the WAN.
- Relays to link devices with the master server. Relays help limit bandwidth usage, enable access to devices in the WAN when placed in a DMZ, and reduce the activity and the volume of communications that the master would otherwise have to manage. Having a relay in a DMZ enables agentless remote control of devices in the WAN.
- Clients on which an agent is installed. The optional installation of a BMC Client Management agent on a device allows additional functionality such as detailed inventories, remote control recording, software distribution, patch management etc.
- Devices which can be discovered by the asset discovery module and devices being controlled by the remote control on request invitations.
- 1- Planning the installation
- 2- Installing the master
- 3- Connecting to the master
- 4- Pre-configurations
- 5- Prepare the rollout installations
- 6- Install relays
- 7- Install Clients
1- Planning the installation
One of the keys to success with BCM is to ensure all the prerequisites are met from the beginning of the project. This will ensure performance and stability. This KA lists some very important information to consider while planning the architecture of BCM: Client Management: Prerequisites.
If you are going to install the master on Linux, pay extra attention to the following KA; otherwise the agents could crash because the system does not allow enough files to be opened:
2- Installing the master
BCM can be installed on numerous systems: Windows and Linux (several distributions), and also Mac OS X for clients. Windows Server masters can be connected to an MS SQL Server or an Oracle database. Linux masters can be connected to an Oracle or a PostgreSQL database.
The easiest configuration to set up is a Windows Server master with a SQL Server Express database, but this has some limitations. More information in this KA: Client Management: The easiest - How to install a master with the included SQL Server Express. This KA also covers the installation of the console on the master and its first connection to the master.
For other Operating Systems (OS) and database types, please consult the official documentation here (12.9).
3- Connecting to the master
It is possible to connect to the master using three different types of console:
The web start console is the preferred console for connecting to the master because it is updated automatically when the master is upgraded and because it integrates the SSL certificates without any additional configuration.
A certificate that is unique to the master is generated at the first start of the BCM Master agent after its installation. Because of this, there is no real reason to replace it with one generated by other means unless company policy makes it mandatory. BCM supports TLS 1.0, 1.1 and 1.2 (12.9), but it is possible to force TLS 1.2 for the agent communications and for the master to database connection:
- agent communications: Client Management: How to force TLS 1.2 for communications
- master to database communications: Client Management: I forced TLS 1.2 communication on my server but then BCM cannot communicate with the SQL Server Database
The certificate must be imported into the devices to:
- ensure the best performance to the remote control through the web console
- avoid certificate warning messages when accessing the web interface: Client Management: SSL certificate warnings may be displayed when accessing the Client Management web interface pages (Windows)
4.2 Relay selection mechanisms
A device can select its relay in several ways: one is static (the device will always try to connect to the same IP address or hostname), and the others are dynamic, meaning the device can contact relays depending on the mechanism set in the relay configuration.
Setting up the proper mechanisms from the beginning would be great, but don't worry, this still can be changed if at some point it needs to be enhanced. The preferred method is the Relay List mechanism: Client Management: How to use the relay list mechanism to select relays.
More information on these relay selection mechanisms in this KA: Client Management: Understanding the various mechanisms your relays can be selected by. This KA describes the mechanisms and also has links to KAs that are specific to some of the mechanisms.
5- Prepare the rollout installations
5.1 Rollouts Best Practices
Make sure to read the following KA before starting to deploy agents. A lot of customers encounter issues with the unique identifier of the BCM agents because they are not aware of this information: Client Management: Installing agents best practices.
The following sections make it easy to deploy the installer to devices en masse, either by importing the targets from the Active Directory or by discovering them from the network. This is why they are listed at this very early stage. Following this section is not mandatory, and these features can also be set up later on.
5.2 Directory Servers Synchronizations
BCM can synchronize three kinds of objects (administrators, devices and users) from the Active Directory and from three other types of directory servers. Follow this KA to set up the directory server in the BCM console: Client Management: How to create a directory server and how to troubleshoot it if it fails at connecting.
- Synchronizing administrators into BCM allows them to connect and authenticate to the BCM console by using their regular domain login: Client Management: How to synchronize the administrators from the Active directory so they can log into the console with the same account.
The authentication is still performed by the system; BCM only synchronizes the account and its details from the Active Directory, not the passwords.
- Synchronizing devices and users makes it possible to assign objects to them, and also to deploy agents to synchronized devices that do not have an agent on them:
5.3 Asset discovery
This module scans the network to discover all types of devices. Depending on the type of device and on the credentials set in the scan configurations, the scanner can discover the exact OS, hardware specs and applications installed on the target.
Learn how to create an asset discovery scan and how to scan the network with it: Client Management: How to scan the network with the Asset Discovery module - INCLUDES VIDEO.
The following KA explains how to create dynamic device groups from the scan results: Client Management: List all the Windows workstations that were discovered by the asset discovery module. This could be used to deploy rollouts to newly discovered targets very easily.
6- Install relays
Relays are mandatory when there are more than 500 children under the master (see the KA Client Management: Prerequisites) and recommended anyway when there are several locations, or when devices must connect to BCM from the WAN and there is no VPN.
The following KA explains why relays are useful: Client Management: A quick overview on how packages and patches are sent to the target devices.
6.1 Install a regular relay
Relays share the same binaries as the client, but the relay module must be enabled in Agent Configuration > Module Configuration > Relay for the agent to behave as a relay. More information in this KA: Client Management: How to create and deploy Agent Rollouts to relays.
As a reminder, before deploying a relay it is very important to think about the mechanism that clients will use to get their relay and adapt the relay configuration accordingly. Refer to 5.2 in this document.
6.2 Configure a DMZ relay
The method above will work in most situations, but the timeouts might have to be tweaked for a DMZ relay: if timeouts are too low, the admins could experience disconnections because connections in the WAN are often less stable.
The following KA explains how to manage devices in the WAN with BCM, whether or not there is a VPN: Client Management: Managing Devices Across the Internet with Client Management. It also links to a KA that explains how to configure the BCM relays and clients to better manage the timeouts.
As soon as a DMZ relay has been set up, it is possible to take control of devices on the WAN that do not have an agent (yet) through the remote control on request module. More information on this in the following KA: Client Management: How to take control on request (agentless).
7- Install Clients
As mentioned above, it is not mandatory to install a BCM agent on a device to take control of it, nor to gather information and hardware inventories from devices (refer to 6.2 for more information), but an agent is mandatory to perform any other action, such as gathering other types of inventories, software distribution, patch management, etc.
7.1 Clients Windows
There are several ways of installing an agent in BCM:
A- The Push mode
This is the most used mode, as it avoids having to install the agents manually on each device. It automatically deploys agents to a list of clients through agent deployment servers. This can be combined with the directory server synchronization (refer to 6.1) and with the asset discovery (refer to 6.2). More information in the following KA: Client Management: How to create and deploy Agent Rollouts to clients by using the push mode - INCLUDES VIDEO.
B- The Pull mode
The pull is the same executable that is used in the push mode but is meant to be used manually or through scripts. More information in the following KA: Client Management: How to create and deploy Agent Rollouts to clients by using the pull mode - INCLUDES VIDEO.
This method can help work around restrictions in the environment, such as SMB access being blocked to all devices. The following KA shows a possible workaround to this limitation: Client Management: How to deploy an agent through a GPO.
7.2 Clients Mac:
A- The Push mode
It will not be possible to push an agent to Mac targets if the root account is not enabled on the target and if this account is not allowed to access sshd on the target. Step 1 below is therefore mandatory:
B- The Pull mode
Some companies do not allow root and/or ssh for root to be enabled on their Macs. It has been requested to allow the usage of sudo, but this hasn't been implemented yet (12.9). Refer to section A- of the above KA for more information on the usage of Mac pulls.
7.3 Clients linux
Both push and pull modes are described in the following KA: Client Management: How to Install the BMC Client Management Agent on Linux.
As with Mac OS, some companies do not allow root and/or ssh for root to be enabled on their Linux devices. It has been requested to allow the usage of sudo, but this hasn't been implemented yet (12.9). Refer to section A- of the above KA for more information on the usage of Linux pulls.
7.4 Push rollouts to devices synchronized from the Active Directory
BCM can synchronize devices from the Active Directory into dynamic device groups. This can be used, for example, to assign devices to operational rules or to push agents. More information in the following KA: Client Management: How to push rollouts to devices synchronized from the Active Directory.
7.5 Push rollouts to devices discovered by Asset discovery scanners
BCM can discover devices through the asset discovery module. It is then possible to populate device groups from queries based on the device type "Unmanaged" and push agents to them. More information in the following KA: Client Management: How to push rollouts to devices discovered by Asset Discovery scanners.
7.6 Deploy agents in the WAN
If the devices don't have access to the LAN, then only rollout pulls can be used, because in this situation the devices cannot be reached by a rollout server. More information in the following KA: Client Management: How to deploy or reinstall agents that are in the WAN (No VPN).