On August 24, 2020, BMC released version 20.08 of Client Management. This version marks the end of the old versioning method and adopts the BMC-compliant versioning scheme that BMC uses for all of its products: the last two digits of the current year followed by the two-digit month in which the product was made GA (General Availability). More important, however, is the huge number of features and enhancements included in this version. There are three major areas of Client Management where these improvements are easily identified. They are:
- Remote Control
- Patch Management
- Web Based Management Console (Full Featured for Supporting Incident Management)
There are additional items beyond the list above that I will also discuss.
The most notable new feature is the centralized logging of ALL remote control sessions and whether or not they were recorded. From a “security” standpoint, this gives those interested a single page that displays which device was remotely accessed, by whom, and when the session started and ended.
- BMC Client Management enables you to track the remote control licenses. One license is used for each remotely controlled device. For more information, see Managing licenses for remote control sessions.
- BMC Client Management enables you to store the details of the remote sessions conducted on your device. You can view a list of the remote sessions performed on your device including details such as who has accessed your device and the start and end time when the device was accessed. For more information, see Managing remote control session history and Managing remote control session history via web console.
- Two new options, Remove deprecated videos and Video Quality are added to the remote control recording configuration.
The Remove deprecated videos option enables you to define if the videos not yet uploaded on a client should be removed when the video manager is not defined. The Video Quality option enables you to select the quality of the recording. Lower quality reduces the recording size. By default, videos are recorded in top quality. For more information about these options, see Configuring remote control recording.
- The DisableDirectXCapture parameter is added to the Driver section of the RemoteControl.ini file. This parameter provides you the option to bypass the display capture from DirectX feature. For more information on this topic, see Troubleshooting issues when remotely controlling a device.
The following enhancements are added to Patch Management:
- Review superseded patches management.
- Hide a patch from a patch job.
- Patch module suspended information is displayed in patch job and patch group device assignment views.
- Reactivate a patch job without having to open the wizard.
- The Encryption Driver Path (Windows 10) option on the Patch group installation tab defines the path that contains the encryption drivers when installing Windows 10 major updates.
- When adding a patch to a patch group, if the patch is superseded by another patch, a popup is displayed asking if you want to add selected patches, add selected and superseding patches, or cancel the action.
- Patch Synchronization at startup is activated per default in Rollout configuration. The default value for the PatchSynchroAtStartup parameter is set to true.
- If you have several patch groups and the installation of one of the patch groups fails, then another patch group installation is initiated instead of retrying the same patch group installation.
- The error messages detected during a patch installation are displayed in the console to help understand why the patch job is still in the ‘Installation Pending’ state. This information is displayed in the Properties window on the Active Patches tab of a patch job and in the Details window on the Assigned Devices tab of a patch job.
Enhancements and New Features in the Web Console
- More direct actions: registry, processes, windows events, file system.
- View topology.
- Run an existing operational rule on a device.
- Start a patch scan.
- Start WebStart.
- Update the search index with the new or modified devices.
- Store the recording for the remote control on request session.
What does this mean to you? A technician can now use a web browser to launch the management console in order to support a customer, use Direct Access to modify the registry or edit a file on the remote system, or assign a software deployment to fulfill the customer’s request. The technician can also see missing patches, see which patches were just installed, or check whether the customer’s PC is running low on hard drive space, to name just a few options. It is FAST and EFFICIENT!
- A new password policy is introduced in this release for security reasons. You can set the minimum password length and other password rules while defining the security settings. Blank passwords are no longer allowed.
When you log in to or upgrade to the BMC Client Management version 20.08, and if your password does not adhere to the password rules or if you log in with a blank password, then a warning message is displayed. We recommend you define a new password as per the password rules. For more information on the password rules, see Security settings.
Administrators using the Windows installer or the Linux script for installations must enter a password with minimum 8 characters.
- For customizing the SSL certificates, we have added 5 new parameters to the mtxagent.ini file. These parameters define the default certificate attributes for organization, organizational unit, locality, state, and country.
These parameters can be configured during installation (for more information, see Installing on-premises on Windows and installation options and Installing on-premises on Linux and installation options) and can be modified later when using direct access agent configuration, when defining the parameter settings of the BCM agent using the operational rules, or when defining security parameters before rolling out the agent.
- For enhanced security, a rollout of any type can have a secured executable. You can encrypt the executable by setting a password to execute it. This enhancement introduces an optional new parameter that users can enter when manually running the executable. If no password or a wrong password is supplied, the installation fails. For more information about managing the secured executable, see Downloading and installing a rollout from a server, and for more information on the new Rollout Password parameter, see The Agent Rollout wizard 2 – Defining general parameters before rolling out the agent.
- Additional compiler flags are enabled on all platforms to cope with buffer overflow vulnerabilities. As a consequence, the binaries are now bigger than before, and this may cause agent crashes.
- For new installations, TLS 1.2 is the new default parameter defined in the agent configuration file. This change is implemented on client and server side. If you want to use the TLS 1.0 or TLS 1.1 parameter, you can still do that using the (mtxagent.ini) file.
The old installations (if you already have BMC Client Management installed) remain unaffected by this change.
- Fixed various HTTP based vulnerabilities related to the XML processing, synchronization of console authentication token etc.
- Enhanced the security of the administrator’s password hashing technique. We now use a very strong technique to hash the administrator’s password so that it’s not easily used.
BMC Client Management 20.08 adds the following capabilities to the Java console
- In earlier versions of BMC Client Management, setting up a proxy on each BMC Client Management agent was possible only by editing the mtxagent.ini file. Now it is possible to configure the proxy parameters through the Java console and/or the Agent Proxy Parameter Setup operational rule step. For more information on this topic, see Proxy Options parameters and Agent Configuration steps.
- The database SQL log file is available in the Java console. The logging parameters include Enable SQL Log, SQL output Log File, Maximum SQL Log File Size, Maximum SQL Log File Count, and Maximum SQL Execution Time. For more information on this topic, see Setting the Logging Parameters and Accessing log files available via console.
- A new parameter, DHCP Response Timeout, is added to the Relay module to define the timeout value before waiting for a response from the DHCP server on port 68. The default value is 15 seconds.
- A new alert preference, BCM Agents licenses count is reached, is added which is generated when the BMC Client Management agents license reaches its limit and an agent may not be created with it in the database.
- A new parameter, Recorder, is added to the remote control on request rollout configuration. This parameter defines the device on which the recording should be stored during capture. For more information about this parameter, see Advanced parameters.
An instant direct communication channel is implemented in the Java console and web console. When you log in to the product, you will see a What’s New? section on the home page. This section has important links, messages, or alerts.
|Product behavior in versions earlier than 20.08||Product behavior in version 20.08|
|No indication if a patch needs to be downloaded from vendor.||Indication if a patch needs to be downloaded from vendor.|
|No column showing superseded patches information.||The Superseded By column is added to the Patches tab of patch groups.|
|If installation of a patch job fails, same patch is reinstalled at the next retry.||If installation of a patch job fails, another patch is installed instead of reinstalling the same patch at the next retry.|
|No error message displayed if patch installation fails.||Upload and display error message detected during patch installation.|
|No information displayed on the currently downloading patch.||Patch job and patch group logs show which patch is currently downloading.|
|Patch GUID is not mandatory.||Master list building fails if the patch GUID is empty.|
|Default value of the Synchronize at Startup parameter is set to False.||Default value of the Synchronize at Startup parameter is set to True.|
|Patch Synchronization at startup must be activated per default in the rollout configuration.|
|Asset discovery scan results do not include details of printer, switch and router, chassis type, and OS.||Asset discovery improvements include more OIDs for printer, switch and router, more chassis type, and improved OS detection on the devices with macOS and Linux.|
|For devices and BCM agents with macOS and Linux, hardware inventory collects less information than the devices with Windows.||Hardware inventory, for devices and BCM agents with macOS and Linux, is improved. It includes information on computer system, physical memory, processor, and so on.|
|If you are using WMI (Windows Management Instrumentation) for a remote inventory scan to collect the device information and the remote connection fails, the log file does not have any information on the failure.||If you are using WMI (Windows Management Instrumentation) for a remote inventory scan to collect the device information and the remote connection fails, #_wmi_credentials_chl.log contains the information on the failure.|
|Log files need better organization structure.||Scan results and logs are reorganized. Main logs are at the root level. A folder contains all nmap logs, and each single scanned IP has a dedicated folder containing all logs related to it.|
|Log files do not include information on the chassis detection.||Log of nmap package installation is renamed installNmap.log and is now located under log/AssetDiscovery/.|
|An archive folder is added to store the last five scans.|
|Log files include information on the chassis detection.|
|Nmap version is updated to 7.80.|
|Nmap package creation and publication processes are rewritten.|
|In the Nmap package, WinPcap is replaced with Npcap.|
|The Linux Master installation and upgrade scripts do not support systemd.||The Linux Master installation and upgrade scripts (master-header.sh and linux-master-upgrade.sh) support systemd.|
|The installation or upgrade scripts don’t check if the operating system and the current BMC Client Management version is supported or not.||The installation or upgrade scripts check if the operating system and the current BMC Client Management version is supported by the 20.08 version. So upgrading to the 20.08 version from the unsupported versions of BMC Client Management or unsupported operating systems is no longer possible. For supported upgrade path, see Upgrading and for a list of the supported operating systems, see Software requirements.|
|Windows XP, 2003, and Vista are removed from the ‘Check Operating System’ Tools step from the operational rule.|
|No check on number of identities uploaded to the master.||A checksum is implemented to limit number of identities uploaded to the master and to free up the resources on master.|
|The identity checksum is based on the core attributes including Device GUID, IP address, User name (if UploadUserRelated is true), Primary user name (if UploadUserRelated is true), Relay GUID (unless Master or unconnected device). If this checksum is different from the previous uploaded one, the upload is forced. Otherwise, the sending delay is taken into account.|
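The upload decision described in the row above, as an added example that is not BMC's code. The page does not name the hash, the field encoding or how the sending delay is applied, so SHA-256, the length-prefixed encoding, the dictionary keys and the "upload again once the delay has elapsed" rule are all assumptions.

```python
import hashlib


def identity_checksum(identity, upload_user_related, has_relay):
    """Hash only the core attributes the page lists, in a fixed order.

    has_relay is False for the master or an unconnected device, which
    contribute no Relay GUID. Key names are hypothetical.
    """
    fields = [
        ("device_guid", identity["device_guid"]),
        ("ip_address", identity["ip_address"]),
    ]
    if upload_user_related:  # mirrors the UploadUserRelated condition
        fields.append(("user_name", identity.get("user_name", "")))
        fields.append(("primary_user_name", identity.get("primary_user_name", "")))
    if has_relay:
        fields.append(("relay_guid", identity.get("relay_guid", "")))

    digest = hashlib.sha256()  # assumed algorithm
    for name, value in fields:
        data = value.encode("utf-8")
        # Name and length prefixes keep ("ab", "c") distinct from ("a", "bc"),
        # so two different identities cannot share one byte stream.
        digest.update(f"{name}:{len(data)}:".encode("ascii"))
        digest.update(data)
    return digest.hexdigest()


def should_upload(current, previous, seconds_since_upload, sending_delay):
    """A changed checksum forces the upload; an unchanged one waits for the delay."""
    if previous is None or current != previous:
        return True
    return seconds_since_upload >= sending_delay


# Constructed sample identity (not real product data).
SAMPLE = {
    "device_guid": "00000000-0000-0000-0000-000000000001",
    "ip_address": "10.0.0.15",
    "user_name": "alice",
    "primary_user_name": "alice",
    "relay_guid": "00000000-0000-0000-0000-0000000000aa",
}
```

Attributes outside the checksum never force an upload on their own, which is what keeps load off the master.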
Mobile Device Management
|The iOS notification mechanism uses the Apple binary protocol.||The iOS notification mechanism is upgraded to use the HTTP/2 mechanism.|
|The Apple Push Notification service (APNs) will no longer support the legacy binary protocol as of November 2020. To continue using the BMC Client Management mobile device management features, you must upgrade to version 20.08 or install 12.9 patch 3.|
Steven R. Gibbs
Sr. Systems Consultant
BMC Certified in Client Management