One of the most popular comparisons on IT Central Station is IBM BigFix vs SCCM
Which of these two solutions would you recommend and why?
SCCM is good for managing windows endpoints but it uses WMI which is a headache and has slower reporting. it also has limited support(in most cases none) for Unix/Linux based OS, and third-party vendor applications.
if you're a very large environment, SCCM becomes a headache when you try to scale over 10,000 endpoints
The upside is that if you're a heavy windows environment, SCCM can be the ideal way to go, but if you plan on introducing different OS, you should consider BigFix.
SCCM can be free with the enterprise version of windows,
With IBM BigFix, you have support for over 90 different Operating systems, and over 9000 application vendors and over 250,000 third-party applications. and can roll out patches and achieve compliance in minutes and hours.
BigFix uses an intelligent agent(with local inspectors) and a relevance language for making sure that only the correct patches are applied to an endpoint and complete granular visibility into an endpoint (e.g applications installed, processes running, hardware information, etc)
With BigFix setting up distribution points has become much simpler and it can be done simply from the console. no extensive configuration is necessary.
When it comes to scalability, a single BgFix server can manage up to 250,000 endpoints.
The downside to IBM BigFix is the learning curve to it, its a bit high.
I am going to talk about IBM BigFix and Microsoft SCCM.
SCCM is a Windows dedicated platform for OS Confguration Management. It is powerful for managing Windows environments but very limited for managing UNIX environments (in particular OS provisioning, patch management, audit, compliance, remote control, etc.). It doesn’t integrate well with mixed Windows -Linux/ Unix setups and .
IBM BigFix, formerly Tivoli Endpoint Manager (TEM), is powerful for managing all OS (Windows, UNIX, VMware ESX, Linux, OSX) and for daily tasks and activities (remote control, patch management, software distribution, OS deployment, compliance, audit, reporting, network access and protection)
Both of them have their own inventory database and use Master-slave architecture (agent should be installed for both of SCCM and BigFix managed nodes).
If you are going to manage more Windows than UNIX systems, so it is better to use SCCM. If your main focus is to manage different OS using GUI and command line, I would recommend to use BigFix. It is flexible and offers many features and functionalities that help administrators automate and orchestrate infrastructure with few clicks rather than do it manually and lose more much time fixing and fixing issues.
Talking Licensing model, SCCM is more expensive than BigFix.
For those who are interested, there are also other tools that manage infrastructure and OS (Ansible, Puppet, OO, SA, etc.).
As a couple people have mentioned, understanding your requirements would help to point you in the right direction.
One person above made the comment "SCCM isn't just for patching like BigFix". Just to be very clear BigFix does all of the same stuff as SCCM, but the usual entry for BigFix is the Patch Management. BigFix does have inventory, software distribution, OS deployment for Windows and Linux, Compliance (very extensive).
If you were just interested in Windows OS deployment, I might point you to SCCM, but the OS deployment from BigFix has improved quite a bit, so it is a good product also.
For setup, I can 100% tell you that BigFix is way easier. Getting an infrastructure up and running with the BigFix server and say 200 clients is about a 4 hour job. By the end of the 4 hours, BigFix can show you the patch status for any systems checking in and this is not just Windows. With the client deploy tool, I can easily deploy hundreds of clients in a few minutes.
Adding infrastructure for scalability (relays) is also very easy and only takes a few minutes to add. If you want to service Internet connected devices, then you add a relay in the DMZ (and firewall rules) and you are able to connect to a device pretty much like they are on the LAN. This does not require a different infrastructure to make it work.
When I was first introduced to BigFix back when IBM bought them, I downloaded the trial version and attempted an installation without reading documentation. For my home lab, I was able to install the server and 5 clients in about 1 hour. I was also able to see the patch info and deploy patches to these systems. I mainly did this just to see how hard it would be to set up. Once set up, I started to read the documentation.
I know people that use SCCM, BigFix and Dell Kace that they really like the simplicity, scalability and power of BigFix over the others.
My current site that I am at, we have BigFix Patch only as we were mainly interested in the patch status for servers (Windows, AIX, RedHat, Oracle Linux and Solaris) as there was no simple way to get this information and consolidate it in a common view. Even though we only have Patch, we can still create custom content to deploy software like Symantec Endpoint Protection, SCOM agents and others. We can also use it to collect custom data like, currently logged on users, SCOM agent configuration, hardware information and a lot more. Some of this is in-house developed from scratch, others are built using samples from the BigFix community.
Hope that helps a bit.
BigFix is the obvious choice in these scenarios: Scale (e.g. 50K endpoints and well beyond), Heterogenous Endpoint Support via single pane of glass (e.g. *nix distros, Windows, macOS, etc), Requirement for Vulnerability Remediation with High First Pass Success Rate (e.g. you need to patch/remediate and see results quickly), Require to avoid binding to AD/LADP (e.g. no binding or mixed environment with some endpoints bound and some not). If these requirements are not present it would be important to list out the top requirements and evaluate capabilities between the solutions from there.
Concerning in a multi-tenant scenario, multi-OS, complex network environments, BigFix can fully attend all or most of your requirements. For specific situations, you can use SCCM since you do not have complex requirements.
BigFix will attend better on using Security Checklists like CIS, PCI-DSS, DISA; or when you need to reach large network organizations and want to have a centralized management configuring remote “caches”; when you have complex network topology and restricted network security policies and many network segments, you can manage it well using BigFix.
SCCM will take you much longer. If you have more than 1000 PCs to migrate you should consider BigFix.
There are automation tools along with Big Fix to help cut the cost by 1/4 an SCCM. Also, the time is cut by more than 1/4 the time.
The key problem: the sheer number of apps that you need to find, check and review for Windows 10. For each app, how many versions are being used?
You can deploy Big Fix to all the endpoints in a few days. Once done, you will have complete visibility into all the apps deployed on each PC and what version they are running.
You can then run some test prior to deployment using BigFix.
There are a lot f Desk Top engineers who will use SCCM only because they are unaware of a better way.
Concerning in a multi-tenant scenario, multi-OS, complex network environments, BigFix can fully attend all or most of your requirements. For specific situations, you can use SCCM since you do not have complex requirement.
BigFix will attend better on using Security Checklists like CIS, PCI-DSS, DISA; or when you need to reach large network organizations and want to have a centralized management configuring remote “caches”; when you have complex network topology and restricted network security policies and many network segments, you can manage it well using BigFix;
can anyone share me proper comparison sheet for me(BigFix Vs SCCM)
I am sorry to not have any concrete information to share on either SCCM or IBM BigFix. My agency attempted a proof of concept with BigFix. Our interest was mostly to have a single tool for updating both Windows and Linux OS environments. However, IBM dropped the ball during the POC period so we never satisfactorily tested what we needed to in order to make a purchasing decision. Needless to say, if the support we had during the POC period is what we could expect had we purchased, we would have been gravely disappointed.
For myself, I like SCCM which interfaces well with Microsoft products across the board. With DoD standardizing on Windows 10 for computers and mobile devices, SCCM is clearly the path to follow. SCCM and SCOM can provide a multitude of information. This is what the government is using in a big way. With defense spending getting a financial boost, I would clearly go with the product the government is going to be using, SCCM and SCOM.
I designed, configured and implemented both in the last company but found SCCM with more features and tools with integrations with other apps, like service now, than BigFix. SCCM isn't just for patching like BigFix, application deployment, compliance, patching and license management are a few that supersedes
I would recommend either Patch Manager Plus or Desktop Central.
I really didn't use these tools. However, I think SCCM has more focus working with all windows systems. IBM has some tools but they are not the core of their business.
Could you share with me your use cases in order to recommend maybe a better tool?
Maybe SCCM is my initial recommendation.
What do you like most about SCCM?
Thanks for sharing your thoughts with the community!