BigFix Reviews

For me, Inventory Services is heavily used in our environment. The patch management suite, I would say is the second, and very important for us to ensure that we are maintaining our PCI and SOX compliance for the company I work with. In addition to that, we have server automation that we use, security and compliance module, lifecycle management, and OSD. So all of those things are really important for us.

Clearly, with Inventory Services, the speed is really key. In retail, we need answers very, very quickly. Other competitor products (which we do have in house) just don't compare.

Web reports. The interface for web reports is still pretty basic, and really hasn't changed in the seven years that we've had the product, so that would be one thing that would be really nice.

I really don't know that there's really much more that can be added that's already not currently in the pipeline, or currently exists.

It's been stable. I've used the product for seven years and I haven't had an issue that has brought things down. So it's been very stable.

Scalability is also really great. We have a very small client base in comparison to what we could potentially do, so scalability is wonderful.

In the seven years, I think I've submitted maybe four to five problems. That's it. Response time has always been good.

When we're selecting a solution, we want a vendor that we can trust, that is on top of it, on point, and thorough.

I would say I would give it a nine. Only because as I stated earlier, web reports, if that were to improve, I'd give it a ten. There's always room for improvement.

Really understand what your environment is like. Make sure that your network team is engaged with all of that.

My primary use case of this solution is for information security-related functions, like patching and threat detection.

BigFix has enabled us to have a highly successful endpoint patching program for the past decade. It's been enormously successful there. It's also become a core part of many of our business processes, from compliance monitoring of endpoints, encryption management, key escrow, and local administrator password escrow. It's built into our inventory. It's very much everywhere.

We do use BigFix as a system of investigation in the instance of lost and stolen devices to get an idea of what sort of data was possibly on it. It is an integral part of our compliance management system. Using BigFix to report on our encryption stance has been extraordinarily impactful in terms of avoiding fines for HIPAA violations and in terms of lost and stolen devices. We're definitely talking millions of dollars per year. We've got two hospitals, and probably lose a laptop a day. The scale is such that it's a huge number of machines wandering off. Now that we have good encryption coverage and good reporting on that coverage, in a lot of instances, we can acknowledge and verify that the device was lost but that it was verifiably encrypted, there were no records released, and we can then close an investigation. That's huge.

The custom content flexibility is the most important feature. Its ubiquity is also valuable. We've got very good adoption and it helps that it's one of the few tools that we have everywhere.

Network traffic is one of our current pain points. BigFix's high performance and high availability in our environment easily overwhelms our high-performance firewalls. Every time we push out patches to our entire population, it makes the firewalls very unhappy for about an hour and slows down some of our core enterprise apps. We're working to identify ways to fix that. We think that BigFix provides mechanisms for spreading out that load over time. We're going to be deploying that soon which will hopefully take care of the problem. Bandwidth is never a problem for us, we have enormous bandwidth. The number of sessions gets overwhelming when you have tens of thousands of machines all getting patched simultaneously. We're just going to spread that out over time and BigFix does offer that capability.

Around the scalability concern, I would like to see the ability to run teamed, clustered, or hierarchical root servers in order to provide a more robust, high availability system. The single monolithic root server model does somewhat bother me.

Until our most recent information security system that we stood up, which is unrelated to BigFix, BigFix was our most solid system, in terms of how much engineering effort it requires to keep up and running, relative to the number of servers involved. It's a pretty solid system. We do run into bugs and interesting functional quirks, usually around how the endpoint agent reports into the relays. It mostly just takes care of itself, for the most part. We do have to do a little care and feeding, but it's mostly self-sufficient.

We manage about 75,000 systems, most of them in a single instance and we have not run into serious performance issues at that scale. I have some concerns around the root server and the number of relays checking into it. We may be running into some performance issues there, but they're not impacting the functionality at this time.

Technical support has gone through its ups and downs, especially under IBM. The IBM support mechanism is clunky and somewhat challenging. They have made improvements recently. One thing that I really value about this organization is that we have a dedicated customer advocate, who is on the development team, and who is able to escalate serious issues as necessary, when the standard channels aren't working well. They've maintained that personal touch that has really improved our confidence in the support.

SCCM is not particularly effective as a cross-platform solution, so that alone makes it less of a contender. Also, BigFix is a lot more flexible, in terms of the types of content you can deploy, the types of reporting you can do, and the types of customizations you can do. We used to do a lot with the integration of the data from BigFix into many other systems, and so the customization is critical and SCCM doesn't offer anything like that.

I would rate it a solid eight out of ten. It's definitely not better than that, because it has a lot of Legacy code, a lot of early design decisions that it's still limping along with. On the other hand, I haven't found anything better out there. There are other competing products in this space, but nothing has convinced me that there is any compelling reason to switch. A lot of the value that we've gotten comes from the people that we're involved with, and the relationships that we've built with the community and vendor over time. I haven't found something that has a better security design. I'm a security guy, and a lot of the decisions that were made very early on in the BigFix product translate to enforcing good security practice, which I have not seen in other vendor solutions.

I would advise organizations looking at BigFix to not try to do everything all at once, but to get one process in place really solidly, and then move on to the next, all the while working on increasing coverage, and getting it on all of the systems. Both of those things take a long time. Don't try to build everything all simultaneously, because you will fail and it will probably take several iterations to get it right so make sure to take a very measured approach.

We help our customers and ourselves do vulnerability and compliance implementations, licensing compliance, and patch management solutions.

I've worked with the product a very long time, almost eight and a half years now, and for my own company, we're able to make sure that our endpoints are secure, regardless of the location on or off network. Also, for a lot of our customers, a big benefit is being able to give with accuracy, the reporting of compliancies based on NIST or STIGs, compliance reporting tools and being able to know that what they're doing.

It has also helped to reduce network traffic when it comes to downloading patches. By only having to download the patch once to the central location and then utilizing the relay structure to then download the patch to a specific site and then everything gathering at local, it greatly reduces the bandwidth of multiple endpoints.

We use it to compare current and old patches. I don't necessarily want to deploy a roll-up patch, but we have to because that's how the vendors are producing them. By being able to evaluate whether the new patching is as successful as the old way, we're able to compare the different content of the patches and not just that the patch has been delivered, but that the vulnerability that the patch is supposed to fix no longer exists.

Before we started using this solution, patching was done per endpoint. What we're able to do now is, we can test the patches, deploy them, with certainty that they're not breaking anything else, and then large scale deploy the amount. I've seen customers reduce their patch cycle times from a 60-day turnaround window to a 15-day turnaround window.

Finally, it has helped reduce software spend. By having to look at the licensed tools and what's being utilized and not utilized, we're able to make informed decisions about software license levels. This product falls a little short as far as the licensing compliance capabilities. I would like to see some development surrounding that so that I could input ELA agreements, regardless of vendor, and be able to pull those compliance-based reports.

The ease of use is the most valuable feature. Underlying that is the truth that the information that's being derived from the endpoints is accurate. There's no gray matter, and we don't have to interpret the results.

I would like to see file consistency and sizing, and I would like to see more robust reporting in the power management features. Energy use and consumption has become a cry within IT development. It's an underserved piece of the product that has implications that could allow security and green IT and sustainability to be married better.

The stability is paramount. It has definitely reduced the need for multiple products down at the endpoint, it's reduced the number of agents needed at the endpoint, and overall because the product was created so many years ago when networks were not nearly as robust as they are now, the improvement of the product over time along with the improvement of the stability of large networks, has coincided. It is as stable today as when you could only transfer 15 bits across the line.

We're a partner, so we deliver technical support to customers. When we need to talk to the product support, traditionally, with the product over the last five years, I would not say support has been supportive. I hope that changes.

Our initial setup was very complex because we not only have it set up for our internal use, but we also have a managed service platform in which we service multiple clients. We have a cloud-based solution with it as well. We're called in for a lot of the crazy deployments that are out there in the customer world where they have massive amounts of endpoints and really complex network systems.

If you utilize the tool to the maximum capacity available to you, your ROI is significantly five to seven-fold over cost.

SCCM was a product that was originally designed to deploy Microsoft Office and to patch some of the underlying structures of the Microsoft operating system. It was never designed to be a large-scale security compliance or endpoint management tool. So when you look at it from those foundations, it doesn't compare. SCCM is a free product that's offered as part of an ELA agreement that can do those functions and features, but it's not designed to do it.

I would rate BigFix a nine out of ten. It is a world leader in the patch management, vulnerability management, and security compliance space. Not a ten because the product still has room for growth and maturity to be a full-scale platform for agnostic management.

I would advise someone considering this solution to start with the simplest thing that you need to be fixed, whether that's patch management or that's software-inventory, and learn how the product works. If you can conceptually understand that it's an agnostic platform, then what I would do for patching is the same thing that I would do for inventory, which is the same thing that I would do for compliance management. Then converting over those features until into a holistic environment is easy. If you're trying to eat the elephant all at once, it gets very overwhelming very quickly.

We use this solution to import management across all of our stores, desktops and server infrastructures.

Having higher visibility on patching level, on patching successful, and non-successful has been a way that BigFix has improved my organization. Also, the ability to customize the content to do what we need it to do is very powerful and very flexible for us. Finally, in the area of custom interfaces, like REST API, really gives us the ability to provide for our external customers.

It has immensely helped to reduce network traffic when it comes to downloading patches. Downloading once and distributing to all endpoints applicable greatly reduces bandwidth.

The most valuable feature is the ability to make the platform do almost anything you want it to do. Out-of-the-box features are very powerful, but with creativity you can make the platform do almost anything you want it to do.

I would like to see more flexibility on how queries are run through the API. We've got some of our desktop customers that use the API to query a lot, and that actually impacts our server automation plan sometimes. On a day when they might be heavily querying and it hits a web report server, that messes with our server automation plans and the reporting for it. The server automation should be hitting the actual BigFix database versus the web reports.

I would also like to see improvement on configuring where the logs go. It's been annoying for both of our desktop teams. Even on the Linux side, we should be able to set the property to have the logs go to a different location. It's annoying because sometimes if you need to clear out the best data you end up losing all the logs. You can try to save it off but it's an extra step. If you try to move those logs ahead of time with the client property it shouldn't be an issue, install the BigFix agent into a nonstandard location. It's important for some of our UNIX endpoints who don't give enough space. It should be supported from the install, out of the box.

It'll scale almost as big as you need it. You just throw hardware at it.

In regards to technical support, level 2 is very helpful, but when things need to get more visibility you can get their core developers to help which is really helpful.

The initial setup was complex. There are a lot of steps to set it up, at least on the Linux side.

License management isn't quite as easy as it should be to deal with the licensing. You need to take the server down to import the new licenses which I find to be annoying. 

I would rate it a nine out of ten. It's incredibly flexible. I've managed and worked with several endpoint management solutions like ITMS, or ZENworks. I haven't worked with SCCM, but it's like if SCCM was a Ferrari, BixFix is an incredibly tweak-able, tunable, indie car. It can do a lot of cool stuff but you have to tweak it, and you have to know how to use it. 

I would advise someone considering this solution to throw out all of your expectation on how you think things need to work. Throw out how you did things before. Don't try to shoehorn what you did before into a product you might move to because it's probably going to do things better than you did before. 

Primarily my clients use it for being able to not only patch but also to be able to detect and remediate vulnerabilities in their environment. In addition, to be able to provide an accurate inventory of both the hardware and software of what they currently have deployed.

Some of my clients have gone from it taking months to be able to get through a patch cycle or to discover what's out there, down to days. A lot of it's been over a 90% improvement.

BigFix is incredibly fast and accurate in patching, reporting, and remediation.

• More integration with external data
• Extending the reporting capabilities
• Integration with some of the service ticket providers

The solution is extremely stable and it communicates very well.

Their support is very good. 

We had one of our clients with over 30,000 endpoints, and within two days all of those 30,000 endpoints were installed and reporting back, and they were ready to patch. Installation is fairly simple.

We always were able to get our client the best cost from the vendor, so pricing was not really an issue.

We also evaluated Microsoft. BigFix was more accurate in the reporting, the patching, and overall functionality.

I would rate it ten out of ten for reliability, dependability, and being able to get the job done the first time around. 

Try it in a test run, you'll be really satisfied with the results.

I believe that the agent on the endpoint is very powerful. It can do a lot. It can patch, it can get information on the asset, and it's just a very powerful tool.

It helps maintain our environment, so all of our systems are patched and up to date. It also helps provide security settings to the endpoints as well. We can also push out applications and different settings.

They're actually adding some of the features that I wanted, such as detecting, which allows us to fix things remotely. If there's a security issue, we could actually stop the security issue in its tracks. I think they need to polish up a little bit, and it seems like IBM is now finally starting to invest money into the solution. I think that's going to help its brand name.

The product is very scalable, but it can also be very complex. If you don't set things up right then you could have problems. You just need to know what you're doing.

Technical support has sometimes been very good, and sometimes it's been not so good. It just depends. I would say that in tier one sometimes they know, sometimes they don't, but then once you go up to tier two or tier three they're definitely experts in their field.

Previously we were using the Microsoft solution, Windows Software Update Services. That's a very all or none solution which is not as granular. Regarding BigFix, I like that I can push out updates to systems within their patch window and make sure that they're complete and done within that patch window.

The setup could be simple or it could be complex. It depends on your environment.

Patch management: We've gone from hideous to amazing.

The most valuable feature is the extensibility of the tool. We're able to implement solutions through available APIs and custom solutions. We're able to provide services quickly. We're able to provide services completely.

A lot of my suggestions have already been submitted through RFEs; some of them involve inspector enhancements in the end point. We've got enhancement requests on the BigFix Inventory side. I know that it's not quite as mature a product as BigFix is.

I think the current tool is fairly robust. We have ways of breaking it, though.

We're pushing the limits of the tool. We've got over 250,000 devices in our environment; probably one of the larger customers. There are a few that are larger. But we're also doing a lot with the tool that I think other customers aren't. We're doing software distribution as well as patch management. We're also doing inventory and software usage analysis. I don't know of too many other customers that are doing that.

Technical support depends on who you get. I deal with some amazing support folks, and then I've dealt with some less-than-amazing support folks.

Our previous tool was the predecessor to BigFix, Tivoli Configuration Manager. We were entitled to migrate from TCM to BigFix, so it was kind of a no-brainer.

I was involved in the initial setup. It was very straightforward. The implementation was pretty easy.

BigFix was on our short list before they were IBM. We decided against them because they were a small company, even though their solution was better than some of their competitors. Management knew it was too much of a risk to go with BigFix. When they finally became IBM, again, it was a no-brainer because they were on the top of our list of vendors satisfying the feature requirements and now they had the backing of IBM, so it made sense.

We looked at Alteryx. We looked at Microsoft SCCM. SCCM was a big competitor.

I don’t have that many criteria when selecting a vendor.

The advice that I would give depends on the problem that you are trying to solve. I spoke with a number of people at an IBM conference (users looking for a high-end endpoint security software who were potentially going to install BigFix), and they had nothing but good things to say about the tool and the people supporting it.

It's a well-developed tool, supported by people who are passionate about it.

I support multiple customers who use BixFix for many uses including for security compliance, server automation, remote control, software distribution, patching, etc. 

One of the biggest benefits BigFix has had for our organization is the ease and efficiency to perform many different tasks, across pillars and platforms, all from one pane of glass.

It has immensely reduced network traffic when it comes to downloading patches. Across the board, I've had a number of customers who've had platform tools that I'm able to combine into one tool.

We've set up and started using BigFix to patch and have had much higher patch saturation rates than in the past. We do historical tracking with BigFix, and we can see that the success rate's gone way up.

It has also helped to reduce help desk calls because of the success rate that we have with the patching. As the success rate goes up, we get fewer calls. 

The power is all in the platform. It's great to be able to patch. It's great to have a bunch of stuff for security compliance, etc but the power truly is in the platform or the tool.

I would like to see SDK for Web UI included in the next release. 

Overall it's a very stable solution.

I've worked with customers that have a couple thousand endpoints to a couple hundred thousand endpoints. I've also looked at other competing technologies out there, and it is definitely one of the leading tools on the marketplace in terms of the scalability performance.

The initial setup is very straight forward. Depending on the customer, it can be complex as far as doing the necessary planning. Some customers can miss the point of doing a lot of that planning up front. If done right, it's not complex at all. You get really fast ROI from the tool.

My customers definitely do see ROI from using BigFix but it varies from customer to customer. 

BigFix has faster ROI than SCCM. It's more scalable, requires a lot less hardware, has faster reporting, quicker data to get out of it; it's better.

I would rate it a nine out of ten. Not a ten because there's always room for improvement. I've been working with tools like BigFix for quite a while and it's one of the best tools on the market.