Home
Administrator Guide
Read this guide to learn about enrolling, administering, and troubleshooting endpoints through BigFix MCM and BigFix Mobile.
BigFix Mobile
BigFix Mobile enables you to enroll and manage Android, iOS, and iPadOS devices.
Android mobile management
BigFix Mobile, the Enterprise Mobility Management (EMM) solution, is integrated with Android Enterprise. With this solution, you can effortlessly enroll and manage Android devices.
Android device security
BigFix Mobile provides various device security management features through which you can protect corporate content and devices.
Default security policy override
Learn how to override default security policies.

Administrator Guide
Read this guide to learn about enrolling, administering, and troubleshooting endpoints through BigFix MCM and BigFix Mobile.
- Modern Client Management and BigFix Mobile
  This guide is intended for HCL BigFix Master Operators (MO) and those who administer BigFix deployments. If you are looking for information about using Modern Client Management (MCM) and BigFix Mobile, see the WebUI User's Guide.
- BigFix MCM
  Read this section to learn enrolling and managing Windows and macOS desktop and laptop devices.
- BigFix Mobile
  BigFix Mobile enables you to enroll and manage Android, iOS, and iPadOS devices.
  - Android mobile management
    BigFix Mobile, the Enterprise Mobility Management (EMM) solution, is integrated with Android Enterprise. With this solution, you can effortlessly enroll and manage Android devices.
    - Managed Google Play Accounts enterprise
      Learn how enrolling to Managed Google Play Accounts facilitates you to manage your Android devices through BigFix Mobile.
    - Provisioning Android devices
      During device provisioning, a device is enrolled to BigFix Mobile and deployed with the policies from the associated policy group.
    - Android policy management
      A policy represents a group of settings that govern the behavior of a managed device and the apps installed on it.
    - Android device management
      Learn how to configure managed Google Play application runtime permissions and how to push permission rules to the managed Android devices.
    - Android device security
      BigFix Mobile provides various device security management features through which you can protect corporate content and devices.
      - Default security policy override
        Learn how to override default security policies.
      - Managing passcode in Android devices
        Read this section to learn how to enforce passcode policy, set and wipe passcode in an Android device. The device user can set passcode in the Android device when passcode policy is enforced.
    - Android hardware security
      The hardware security features from Android helps the Admins to lock hardware elements of a company-owned device to secure company data and prevent data loss.
    - Cross-profile management
      With Android crossprofile restriction policy, organizations can protect and control data sharing from the work profile to personal profile in the same device.
    - Verify Apps enforcement
      Verify Apps enforcement feature enables Google Play Protect to scan all the apps installed on Android device for harmful software before and after they are installed to ensure that malicious apps cannot compromise corporate data. This setting is optional.
  - Apple mobile management
    With BigFix Mobile, you can seamlessly enroll iOS and iPadOS devices.
  - Device trust
    The Device Trust feature from BigFix Mobile prevents unmanaged devices from accessing enterprise services. It provides an extra layer of security to your organization's application access and protects against potential threats from compromised devices. This extra security helps ensure that your users access applications from a device that you know is trusted.
  - Application management
    With the application management capability in BigFix Mobile, you can administer, distribute, and control mobile applications on your enrolled Android and iOS mobile devices. You can add and assign apps to devices, protect company data in apps, force install work apps which do not require user permission, and do much more. smooth app distribution and effective management on Android and iOS devices.
  - Kiosk management
    In kiosk mode, you can lock a device, so that it can run only one or a small set of applications. This mode turns an Android or Apple phone or tablet into a dedicated device that can run only one or more specified apps. Kiosk mode provides effective control over the device use and helps ensure that the devices can be used only for intended purposes. Mobile devices can run tasks in kiosk mode by configuring the settings through a policy. This feature applies only for company owned devices. In a dedicated or supervised device, the device user can access only the apps that the kiosk policy allows.
  - OS update
    The OS update policy allows to configure rules and settings to manage the operating system updates on the enrolled devices. This policy ensures that devices receive the necessary updates for security, bug fixes, and feature enhancements, while also maintaining a consistent and secure environment for all devices within the organization. The system update policy impacts both the current and future updates for the device, including any pending system update.
- SCEP Certificate-based authentication
  BigFix MCM supports certificate-based authentication through Simple Certificate Enrollment Protocol (SCEP). SCEP is the fastest and most secure way to provision certificates to all your MCM-managed devices. With SCEP, IT Admins can automate issuing certificates to the endpoints to provide access to corporate Wi-Fi, VPN, and secure e-mail through encryption.
- SAML-authenticated enrolment flow
  When you configure SAML as the authentication method, when a user hits the enrollment URL and click Enroll, the user is first authenticated via the identity provider before proceeding with the enrollment process.
- Application management
  Application management in BigFix MCM enables IT admins to centrally control, distribute, and maintain Windows and macOS applications. It allows IT administrators to streamline the deployment, update, and security of apps on enrolled devices.
- Email configuration management
  With BigFix MCM and BigFix Mobile, you have the ability to install and set up email application that can connect to your email system. This allows users to easily connect, verify their identity, and synchronize their work email accounts on their devices.
- VPN management
  BigFix MCM and BigFix Mobile enable organizations to manage and configure Virtual Private Network (VPN) settings on enrolled Android, Apple, and Windows devices, ensuring secure remote access to corporate networks.
- Wi-Fi configuration management
  BigFix MCM and BigFix Mobile offer WiFi configuration management, where administrators can control and configure the wireless network settings on MCM-enrolled devices. This helps organizations to maintain a secure and reliable wireless network infrastructure while providing flexibility for users to connect to authorized networks.
- Known limitations
  Read this topic to get familiarized with MCM v3.0 known limitations.
- Troubleshooting
  This section is intended to help you solve problems that might occur when installing BigFix MCM and BigFix Mobile.
- Frequently Asked Questions
  Read this section for commonly asked questions and their answers to manage the MCM deployments better.

Default security policy override

Learn how to override default security policies.

CAUTION: Though it is possible to override the default security policy, it is recommended that IT admins change it only when it is necessary.

IT admin can override security policies through custom policies. To do that:

Define the override settings in a custom JSON file and upload it through WebUI. For example:
- Code to allow users to boot into safe mode
```
{ "advancedSecurityOverrides": { "developerSettings": "DEVELOPER_SETTINGS_ALLOWED" } } 
```
- Code to allow downloading untrusted apps in the personal profile.
```
{ "advancedSecurityOverrides": { "untrustedAppsPolicy": "ALLOW_INSTALL_IN_PERSONAL_PROFILE_ONLY" } } 
```
Add the defined custom policy to a policy group with appropriate Assign To Group selected.
Deploy the policy group to MDM server or directly onto the selected devices.