TEM Clients listen for UDP notifications sent by their parent Relay or Server. Those UDP packets often do not arrive, for example when UDP is blocked by a firewall or the network is congested, so the TEM Client is also configured to poll its parent Relay or Server periodically and ask whether any command is waiting for it.
If the TEM agent service is stopped, the machine is grayed out in the TEM console once it misses its client poll (by default every 4 hours). For secure endpoint management we therefore need to prevent users from disabling the TEM (BigFix) agent.
On Windows we can prevent the TEM Client service from being stopped or disabled.
We can also configure the service to restart automatically in case it is killed or stopped.
Deny Administrators the right to start or stop the BESClient service. This replaces the service DACL with one that has no entry for Builtin Administrators (BA); SYSTEM (SY), Authenticated Users (AU) and Power Users (PU) keep their usual entries. In the SDDL rights field, RP is SERVICE_START and WP is SERVICE_STOP:
cmd.exe /c sc sdset besclient D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
Note the limits of this: the SY entry still carries RP and WP, so anything running as SYSTEM can stop the service, and a local administrator can still get into that context, take ownership of the service object with SeTakeOwnershipPrivilege, or simply kill the BESClient process. This blocks casual tampering through the Services console or net stop; it is not a security boundary against a determined administrator.
Allow Administrators to start/stop the BESClient service again (the default descriptor, with the BA entry restored):
cmd.exe /C sc sdset BESClient D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
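To see exactly what those two sc sdset strings grant, here is an added example in Python (it is not from this page and not part of the TEM/BigFix product). It parses the DACL part of a service SDDL string, expands the two-letter rights codes to the service access rights defined in winsvc.h, and answers the questions a reviewer asks of the hardened descriptor: what an administrator's token loses, and who can still stop the service. The ADMIN_TOKEN set is a constructed approximation of the group SIDs in an interactive administrator's token, the function names are mine, and the access check is the simplified canonical-order model (allow minus deny) that ignores owner-implied rights and privileges such as SeTakeOwnershipPrivilege.

```python
"""Analyse the DACL of a service SDDL string as used with sc sdset / sc sdshow."""
import re
from typing import Dict, FrozenSet, Iterable, List, NamedTuple, Tuple

# Service-object access rights keyed by the two-letter SDDL code that
# sc sdshow prints for them; names and bit values are those of winsvc.h / winnt.h.
RIGHTS: Dict[str, Tuple[str, int]] = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001),
    "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004),
    "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010),
    "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040),
    "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100),
    "SD": ("DELETE", 0x10000),
    "RC": ("READ_CONTROL", 0x20000),
    "WD": ("WRITE_DAC", 0x40000),
    "WO": ("WRITE_OWNER", 0x80000),
}

# The two descriptors from the page: the default BESClient DACL and the
# hardened one that drops the Builtin Administrators (BA) entry.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")
HARDENED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;AU)"
                 "(A;;CCLCSWRPWPDTLOCRRC;;;PU)")
# Constructed approximation of the group SIDs in an interactive administrator's
# token: Builtin Administrators, Authenticated Users, Interactive, Everyone.
ADMIN_TOKEN = frozenset({"BA", "AU", "IU", "WD"})


class Ace(NamedTuple):
    ace_type: str        # "A" = access allowed, "D" = access denied
    trustee: str         # SID string or well-known alias such as BA, SY, AU
    rights: FrozenSet[str]


def _expand_rights(field: str) -> FrozenSet[str]:
    """Turn an ACE rights field (letter pairs or a hex mask) into right names."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return frozenset(name for name, bit in RIGHTS.values() if mask & bit)
    if len(field) % 2:
        raise ValueError(f"odd-length rights field: {field!r}")
    codes = [field[i:i + 2] for i in range(0, len(field), 2)]
    unknown = [c for c in codes if c not in RIGHTS]
    if unknown:  # generic rights (GA/GR/GW/GX) are not handled here
        raise ValueError(f"unknown access right(s) {unknown}")
    return frozenset(RIGHTS[c][0] for c in codes)


def parse_dacl(sddl: str) -> List[Ace]:
    """Return the DACL ACEs of an SDDL string; O:, G: and S: parts are ignored."""
    match = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not match:
        raise ValueError("no DACL (D:) section in SDDL")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", match.group(1)):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, _flags, rights, _object_guid, _inherit_guid, trustee = parts
        if ace_type not in ("A", "D"):
            raise ValueError(f"unsupported ACE type {ace_type!r}")
        aces.append(Ace(ace_type, trustee, _expand_rights(rights)))
    return aces


def effective_rights(sddl: str, token_sids: Iterable[str]) -> FrozenSet[str]:
    """Rights a token holding token_sids gets from the DACL.

    Simplified check over a canonically ordered DACL: a right is held if an
    allow ACE for one of the token's SIDs grants it and no deny ACE for any of
    them revokes it. Owner-implied rights and privileges are not modelled.
    """
    sids = set(token_sids)
    allowed, denied = set(), set()
    for ace in parse_dacl(sddl):
        if ace.trustee in sids:
            (allowed if ace.ace_type == "A" else denied).update(ace.rights)
    return frozenset(allowed - denied)


def can_stop(sddl: str, token_sids: Iterable[str]) -> bool:
    return "SERVICE_STOP" in effective_rights(sddl, token_sids)


def lost_rights(before: str, after: str, token_sids: Iterable[str]) -> FrozenSet[str]:
    return effective_rights(before, token_sids) - effective_rights(after, token_sids)


if __name__ == "__main__":
    for label, sddl in (("default", DEFAULT_SDDL), ("hardened", HARDENED_SDDL)):
        print(f"{label}: administrator can stop BESClient = {can_stop(sddl, ADMIN_TOKEN)}")
    print("removed from administrators:",
          sorted(lost_rights(DEFAULT_SDDL, HARDENED_SDDL, ADMIN_TOKEN)))
    print("SYSTEM can still stop:", can_stop(HARDENED_SDDL, {"SY"}),
          "| Power Users can still stop:", can_stop(HARDENED_SDDL, {"PU", "AU"}))
```

Run against the page's two strings, the hardened descriptor leaves an administrator's token with only the read-style rights inherited from the AU entry (query config/status, enumerate dependents, interrogate, user-defined control, READ_CONTROL) and removes SERVICE_START, SERVICE_STOP, SERVICE_PAUSE_CONTINUE, SERVICE_CHANGE_CONFIG, DELETE, WRITE_DAC and WRITE_OWNER. It also makes visible what the prose does not: the PU entry keeps RP/WP, so a member of Power Users can still stop the service, and SY keeps them too. Paste the output of sc sdshow BESClient from a real host into parse_dacl to audit what is actually deployed.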
Restoring the security descriptor afterwards is a little harder, because the hardened DACL grants Administrators no WRITE_DAC on the service object and sc sdset needs WRITE_DAC to rewrite it. The best way is to use a third-party CLI tool called SCAcl.
Recovery actions for the service are set with sc failure. The command below puts them in the default state: reset= 0 resets the failure count immediately and actions= none leaves the Service Control Manager doing nothing when the service dies. To have it restart BESClient after the process is killed, replace none with one or more restart/<delay in milliseconds> entries. Keep in mind that recovery actions fire only when the service terminates without reporting a clean stop (a crash or a killed process), not on a normal stop request; blocking the normal stop is what the DACL change above is for.
sc failure besclient reset= 0 actions= none
Related Fixlets in the BES Support site:
| Fixlet ID | Title | Site |
|---|---|---|
| 251 | Hide BES Clients from the Add/Remove Programs List - BES Client < 8.0 | BES Support |
| 325 | Hide BES Clients from the Add/Remove Programs List - MSI | BES Support |
| 713 | Hide BES Clients from the Add/Remove Programs List - BES Client >= 8.0 | BES Support |
| 591 | Install BES Client Helper Service | BES Support |
You should also apply Fixlet 591, Install BES Client Helper Service, which installs a watchdog service that starts the BESClient even if it has been stopped or disabled. The helper is a Windows service itself, so it deserves the same protection against being stopped as the BESClient service.