Features added in the previous releases
Overview of the enhancements made in the previous releases of MCM and BigFix Mobile.
MCM and BigFix Mobile v3.1 updates
- Mobile App Catalog
- The Mobile App Catalog provides a central point for maintenance of all supported MCM Mobile Applications. When a macOS or Windows application is uploaded to the app catalog, it is automatically staged on the MDM servers. Previously it had to be uploaded and then staged from the Admin section of MCM WebUI. Settings can be defined globally so that all applications inherit them. They can be overridden at the application level, in which case the override applies only to that individual application. For more information, see App Catalog.
- Mobile Application Configuration
- App Config Support allows specific mobile Application configuration to be defined and pushed at the time the app is installed through MDM. This allows it to be installed with the correct internal configuration already in place. For more information, see App configuration.
- Okta Device Trust
- The Device Trust feature from BigFix Mobile prevents unmanaged devices from accessing enterprise services. It provides an extra layer of security to your organization's application access and protects against potential threats from compromised devices. For more information, see Device trust.
- Kiosk Mode Support for Phones and Tablets
- Kiosk Mode allows locking a device to only be able to run one, or a small set of applications. It turns an Android or Apple phone or tablet into a dedicated device that can only run the specified app(s). Kiosk devices are powerful and interactive self-service terminals designed to streamline and enhance user experiences in various settings. These dedicated devices provide a simplified and intuitive interface for users to access specific applications, information, or services. Kiosks are commonly found in retail stores, airports, hotels, healthcare facilities, educational institutions, and other public spaces. For more information, see Kiosk management.
- BigFix 11 SHA-384 Signed Content Support
- MCM v3.1 has been tested for BigFix 11. BESUEM and BESUEM Mobile sites are republished with SHA-384 signatures. Part of the MCM v3.1 publishing process will add the SHA-384 signing process to the site content.
MCM and BigFix Mobile v3.0 updates
- Windows Active Directory and Hybrid Domain Join
- BigFix MCM supports Active Directory and Hybrid Domain Join through Offline Domain Join (ODJ) service. Hybrid Domain Join enables organizations to leverage existing on-premises Active Directory infrastructure while taking advantage of the benefits of cloud-based authentication and management. When enabled, users can sign in to their devices using their on-premises credentials, and then access cloud-based resources without having to enter additional credentials. For setup and configuration information, see Domain join installation and configuration.
- Custom Templates
- With MCM v3.0 release, WebUI provides a set of custom policy templates suitable for Windows, Apple, and Android that you can directly save or modify to create custom policies. For more information on how to create custom policies through available custom templates, see Custom from Template.
- User-based endpoint targeting and enrollment
- With MCM v3.0, you can target a specific set of users and end-user devices to deploy specific MDM policies and actions. BigFix MCM integrates Active Directory Group Membership and Attributes to create Smart Groups. Smart Groups in association with Policy Groups evaluate applicable users and endpoints (based on group membership, attributes, device type, enrollment type and so on) to target and deploy policies and actions during enrollment or post enrollment. For information on how to create Smart Groups through WebUI, see Smart Groups.
- Secure certificate deployment through Simple Certificate Enrollment Protocol (SCEP)
- IT admins can now automate issuing certificates to the endpoints to provide access to corporate Wi-Fi, VPN, and secure e-mail through encryption by integrating SCEP with BigFix MCM. To understand the SCEP enrollment flow, see SCEP enrollment. To configure SCEP, see Simple Certificate Enrollment Protocol (SCEP) configuration.
- Apple User Enrollment for BYOD
- With MCM v3.0, device users can enroll their own Apple devices. This allows the organizations to securely manage the work profile on those devices while the device users can enjoy the privacy on their personal profile as organizations cannot wipe, lock, or otherwise impose control over their personal profile. For more information, see Apple BYOD enrollments.
- Apple VPP Apps and Books Support
- IT Admins can manage custom apps, Apple Appstore apps to User Enrolled devices, and company licensed-app store apps on all MCM enrolled Apple devices, as MCM is now integrated with the Apps and Books (VPP) capabilities in Apple Business Manager. For more information, see Apple VPP Apps.
- SAML-authenticated enrollment
- BigFix MCM and BigFix Mobile support Security Assertion Markup Language (SAML) authentication to enroll devices. The user's SAML credentials are used to authenticate their identity to complete the enrollment process. With MCM v3.0 release, Okta is tested and supported as a SAML identity provider with AD/Open LDAP and Azure AD as identity services. For more information, see SAML-authentication configuration.
- Android - Additional features supported
- Cross-profile management: BigFix Mobile supports Android cross-profile management, through which organizations can protect and control data sharing from the work profile to the personal profile on the same device. For more information, see Cross-profile management.
- Other enhancements
- Primary User Assignment: You can now assign or modify the primary user for a device through the User Assignment action. When a device has primary user info, it can be easily managed through Smart Groups. If you want to assign a primary user for a huge number of devices, contact HCL Support at BigFixServices@hcl.in
- Enrollment UI Rebranding: You can change the appearance of the Enrollment UI and Android Server Configuration UI by changing the color, image, logo, brand name and so on. For instructions, see Rebranding user interfaces.
MCM and BigFix Mobile v2.1.3 updates
- MCM Admin UI password must be set with high complexity
- The MCM Admin UI password must be set with high complexity. This enables the application to block the user from logging in after the user enters wrong credentials five times consecutively. If the password is not set with high complexity, the user can make unlimited failed attempts to log on to the Admin UI.
- Improved unenrollment behavior
- With BigFix Platform versions earlier than 10.0.8, when a device was unenrolled and then re-enrolled, WebUI and Console displayed multiple devices with unique computer IDs, which caused confusion.
With BigFix Platform 10.0.8 release, when you unenroll an MDM device, it deletes the device from the root server, Console, and WebUI. To enable this feature, upgrade BigFix Platform to 10.0.8 or later; no MCM upgrade is required to enable this.
For the steps to unenroll an MDM device, refer to Unenroll devices.
MCM and BigFix Mobile v2.1.1 updates
This section lists updates on features that are applicable for both MCM and BigFix Mobile in this release.
- Create PPKG with Expiration Time
- PPKG creation is made simpler and more secure with this release. Admins can configure an expiration time for their PPKG, which stops Windows devices from enrolling through that PPKG beyond the specified expiration time. Also, WebUI internally creates a unique token for every PPKG, which gives more control to prevent unwanted use of the PPKG. For information about how to create a timestamped PPKG, see Bulk enrollment - Windows.
MCM and BigFix Mobile v2.1 updates
This section lists updates on features that are applicable for both MCM and BigFix Mobile in this release.
- Added operating system support
- This version additionally supports the following operating systems:
- Android 12
- iOS/iPadOS 15
- Windows 11
- macOS Monterey 12
MCM 2.1 Updates
- OS update for macOS
- BigFix MCM 2.1 includes an action to update the system software on macOS devices. For instructions and more information, see the OS Update section of Deploy MCM actions in the WebUI User Guide.
- System Extension Whitelist for macOS
- With BigFix MCM 2.1, you can create a system extension policy. System extensions allow software like network extensions and endpoint security solutions to extend the functionality of macOS without requiring kernel-level access. For instructions, see System Extension Whitelists.
BigFix Mobile 2.1 Updates
This section lists updates on features that are applicable for BigFix Mobile in this release.
- Android dedicated device support
- From UEM 2.1 release, BigFix Mobile supports Android dedicated devices. Now, you can enroll and manage company-owned devices in Kiosk mode. For more information, see Dedicated device management section in Android mobile management.
- Android Advanced feature set support
- This release supports the following Android features:
- Verify Apps enforcement: Scans all the apps installed on an Android device for harmful software before and after they are installed to ensure that malicious apps cannot compromise corporate data. For more information, see Verify Apps enforcement.
- VPN Management: Allows IT admins to ensure that data from certain apps always goes through the specified VPN. They can also apply a setting such that the device is connected to the network only when the VPN is connected. For more information, see VPN management.
- WiFi Configuration management:
- Allows IT admins to silently provision enterprise WiFi configuration on managed devices.
- Allows IT admins to lock down WiFi configurations on managed devices, restricting the users from creating new configurations or modifying the existing corporate configurations.
- Private app management: IT Admins can add and manage private apps for Android Enterprise devices via Managed Google Play. For more information, see Private and custom app deployment.
- Hardware Security management: IT Admins can lock down hardware elements of a company-owned device to ensure data and device security. For more information, see Android hardware security.
- Advanced Android Zero Touch enrollments
- Android Zero Touch enrollments are made much easier with Zero Touch Automatic configurations. Also, IT admins can automate much of the device enrollment process. See Automatic zero-touch configuration.
- With Sign-in URLs, IT admins can limit enrollments to specific accounts or domains. See User-authenticated zero-touch enrollment configuration.
- EMM Managed Android Enterprise account
- Creating an Android Enterprise account is simpler than before, as organizations do not need a Google account. For more information, see Managed Google Play Accounts enterprise.
- Clear passcode for iOS/iPadOS
- UEM 2.1 release includes a WebUI action that lets system admins remotely wipe the passcode on iOS and iPadOS devices. If device users forget their Apple device password, this feature helps them get back into and use their devices. For instructions, see Deploy MCM actions of the WebUI User Guide.
BigFix Mobile and MCM v2.0 updates
BigFix Mobile
- BigFix Mobile is a separate offering for managing mobile phones and tablets that comes with its own license. You need to buy the BigFix Mobile license to enroll or manage mobile devices. If you do not have the BigFix Mobile license, the WebUI will not show any references to Android, iOS or iPadOS workflows, and will only support Windows (Windows 10 and Windows 11) and macOS workflows.
- The BigFix Mobile license is only for Mobile Device Support, which does not include Windows or macOS MDM Management. However, due to some dependencies, MDM control of these platforms will technically work for BigFix Mobile-only customers until the end of 2021.
MCM and BigFix Mobile v2.0 updates
This section lists updates on features that are applicable for both MCM and BigFix Mobile in this release.
- WebUI user experience updates
- Mobile support: If you have the BigFix Mobile license, you can manage mobile devices with WebUI. WebUI dynamically displays UI according to your license.
- MCM Dashboard: The Modern Client Management dashboard provides insights into every aspect of device management, device security, and device encryption.
- Jump To: This drop down provides quick links to navigate to different pages within the MCM application.
- Admin section: You can now Install MDM servers, Plugins, and do operational tasks from Admin section.
- Policy Group: Create a default policy that gets deployed to MDM endpoints at enrollment time by combining MDM policies, custom policies, apps, and BigFix Agents. For more details, see Policy Groups.
- Health Check: Extended health check to monitor the BigFix Mobile environment and disk encryption. For more details, see Health Check.
- Apple Bootstrap token support
MCM now supports MDM operations that require use of the bootstrap tokens. For more information, see Bootstrap tokens for Apple devices.
- New Fixlet - Update Apple Enrollment Certificate before expiration
This release introduces a Fixlet to renew Apple Device Identity Certs that are assigned to an Apple device at the time of MDM enrollment. For more details, see Update Apple Enrollment Certificate before expiration.
- MDM-debug tool
This tool can be used to set log levels for individual/group/all MDM modules, execute commands and update policy settings on the MDM enrolled devices using REST APIs. This will be helpful to quickly debug production issues when there is a communication failure at different MDM layers and to trace the execution work flows, requests, and endpoint responses. For instructions on how to use it, refer to MDM debug tool.
- Autopilot cli for enrollment of Windows 10 devices
This release introduces a command line utility to set up and trigger Autopilot enrollment of Windows 10 devices. For a complete step-by-step procedure and instructions, see Autopilot enrollment.
- Enrollment by non-admin Windows 10 device users
Windows 10 device users without admin credentials can now enroll devices to BigFix MCM. They can enroll a single device over-the-air or automatically bulk enroll multiple devices without admin rights and manage them through BigFix MCM. For more details, see Enrollment by non-admin device users.
- Full Disk Encryption
MCM v2.0 introduces the Full Disk Encryption feature to centrally manage the native full-disk encryption technologies of Windows (BitLocker) and macOS (FileVault2) to secure data at rest.
- WNS credentials
The communication between Windows Notification Services (WNS) and the MDM server is securely established using WNS credentials. Windows now requires customer specific WNS credentials to be procured and provided at the time of all installs and upgrades that include a Windows MDM server. For more information about how to generate WNS credentials, see Generating WNS credentials. Users can upload WNS credentials through BESUEM Fixlets or through WebUI.
- Performance enhancements
This release includes a number of stability and performance enhancements and fixes. For capacity planning and configuration recommendations, see BigFix Capacity Planning documentation at BigFix Performance & Capacity Planning Resources.
- Addressed security vulnerabilities
Product security vulnerability issues from MCM v1.1 are addressed in this release.
Update considerations
MCM v1.1 updates
- Apple Automated Device Enrollment
MCM v1.1 introduces a feature that helps you to set up and pre-configure new or factory reset macOS devices automatically. For complete information and setup instructions, see Apple Automated Device Enrollment.
- Autopilot enrollment of Windows 10 devices
This release introduces the Autopilot feature that helps you to set up and pre-configure new or factory reset Windows 10 devices automatically. For complete information and setup instructions, see Autopilot enrollment.
- Bulk enrollment of Windows 10 devices
The Bulk enrollment feature in MCM v1.1 lets you enroll a large number of BigFix managed Windows 10 devices to the MDM server within minutes. For more information, see Bulk enrollment - Windows.
- Certificate management
MCM v1.1 introduces the ability to deploy certificate policies on MDM endpoints for both macOS and Windows to make it much easier for you to manage certificates. For instructions, see Certificates Policy.
- Configure and Manage BigFix MCM through WebUI
This release includes the ability to configure and manage BigFix MCM through WebUI. You can easily install MCM components, upgrade, and uninstall through WebUI. For detailed instructions, see MCM User Guide.
- Deploy software to MDM endpoints
With this release, you can deploy software applications to MDM endpoints via MDM APIs through WebUI quickly. For instructions, see Prestage an Application.
- Restriction profiles
With MCM v1.1, you can create restriction profiles for both Windows and macOS. Configuring many settings like privacy and user experience on MDM endpoints is straightforward and simple.
- LDAPS utility
MCM v1.1 introduces a command line utility through which you can quickly troubleshoot LDAPS issues.
- Unenroll
From this release, if you want to unenroll your devices from MCM, you can do it through WebUI. For instructions, see Unenroll devices.
- Fixlets to upgrade MCM components
With MCM v1.1 release, you can update MDM Enrollment Profile for Apple devices. Take a look at the BESUEM site for the relevant Fixlets.
- Performance enhancements
This release includes a number of stability and performance enhancements and fixes. For capacity planning and configuration recommendations, see BigFix Capacity Planning documentation at BigFix Performance & Capacity Planning Resources.
- Addressed security vulnerabilities
Product security vulnerability issues from MCM v1.0.1 are addressed in this release.
MCM v1.0.1 updates
- Support for the BigFix Work from Home Solution
MCM v1.0.1 supports the BigFix Work from Home Solution. For complete information about the BigFix Work from Home Solution, read The BigFix Work from Home Solution Guide.
- Performance enhancements
This release includes a number of stability and performance enhancements and fixes. For capacity planning and configuration recommendations, see BigFix Capacity Planning documentation at BigFix Performance & Capacity Planning Resources.
- Extended operating system support
- The MCM solution supports RHEL 8 on MDM Server and Plugin Portal servers with a workaround to install Docker CE. For more information, see Installing Docker CE and Docker compose on RHEL8 or RHEL9.
- The MCM solution supports Windows 10 (Pro, Enterprise, and Home) running on MCM endpoints.
Note: Only certain Windows editions support all available operating system features that are configured through MDM. For complete information, see the Windows Configuration service provider (CSP) reference document. Each CSP highlights which Windows editions are supported.
- Fixlets to upgrade MCM components
With MCM v1.0.1 release, you can upgrade the MCM components by using Fixlets that are available through the BigFix Console. Take a look at the BESUEM site for the relevant Fixlets.
- WebUI Health Checks dashboard for MCM serviceability
The WebUI Health Checks dashboard is available to monitor the health of your BigFix MCM deployments. For more information, see Health Checks.
- Addressed security vulnerabilities
Product security vulnerability issues from MCM v1.0.0 are addressed in this release.