Features added in the previous releases

Overview of the enhancements made in the previous releases of MCM and BigFix Mobile.

MCM and BigFix Mobile v3.1 updates

Mobile App Catalog
The Mobile App Catalog provides a central point for maintenance of all supported MCM Mobile Applications. When a macOS or Windows application is uploaded to the app catalog, it is automatically staged on the MDM servers. Previously it had to be uploaded and then staged from the Admin section of MCM WebUI. Settings can be defined globally where all the applications will inherit them. This can be overwritten at application level and only apply to individual applications. For more information, see App Catalog.
Mobile Application Configuration
App Config Support allows specific mobile Application configuration to be defined and pushed at the time the app is installed through MDM. This allows it to be installed with the correct internal configuration already in place. For more information, see App configuration.
Okta Device Trust​
The Device Trust feature from BigFix Mobile prevents unmanaged devices from accessing enterprise services. It provides an extra layer of security to your organization's application access and protects against potential threats from compromised devices. For more information, see Device trust.
Kiosk Mode Support for Phones and Tablets​
Kiosk Mode allows locking a device to only be able to run one, or a small set of applications. It turns an Android or Apple phone or tablet into a dedicated device that can only run the specified app(s). Kiosk devices are powerful and interactive self-service terminals designed to streamline and enhance user experiences in various settings. These dedicated devices provide a simplified and intuitive interface for users to access specific applications, information, or services. Kiosks are commonly found in retail stores, airports, hotels, healthcare facilities, educational institutions, and other public spaces. For more information, see Kiosk management.
BigFix 11 SHA-384 Signed Content Support
MCM v3.1 has been tested for BigFix 11. BESUEM and BESUEM Mobile sites are republished with SHA-384 signatures. Part of the MCM v3.1 publishing process will add the SHA-384 signing process to the site content.​

MCM and BigFix Mobile v3.0 updates

Windows Active Directory and Hybrid Domain Join
BigFix MCM supports Active Directory and Hybrid Domain Join through Offline Domain Join (ODJ) service. Hybrid Domain Join enables organizations to leverage existing on-premises Active Directory infrastructure while taking advantage of the benefits of cloud-based authentication and management. When enabled, users can sign in to their devices using their on-premises credentials, and then access cloud-based resources without having to enter additional credentials. For setup and configuration information, see Domain join installation and configuration.
Custom Templates
With MCM v3.0 release, WebUI provides a set of custom policy templates suitable for Windows, Apple, and Android that you can directly save or modify to create custom policies. For more information on how to create custom policies through available custom templates, see Custom from Template.
User-based endpoint targeting and enrollment
With MCM v3.0, you can target specific set of users and end-user devices to deploy specific MDM policies and actions. BigFix MCM integrates Active Directory Group Membership and Attributes to create Smart Groups. Smart Groups in association with Policy Groups evaluate applicable users and endpoints (based on group membership, attributes, device type, enrollment type and so on) to target and deploy policies and actions during enrollment or post enrollment. For information on how to create Smart Groups through WebUI, see Smart Groups.
Secure certificate deployment through Simple Certificate Enrollment Protocol (SCEP)
IT admins can now automate issuing certificates to the endpoints to provide access to corporate Wi-Fi, VPN, and secure e-mail through encryption by integrating SCEP with BigFix MCM. To understand the SCEP enrollment flow, see SCEP enrollment. To configure SCEP, see Simple Certificate Enrollment Protocol (SCEP) configuration.
Apple User Enrollment for BYOD
With MCM v3.0, device users can enroll their own Apple devices. This allows the organizations to securely manage the work profile on those devices while the device users can enjoy the privacy on their personal profile as organizations cannot wipe, lock, or otherwise impose control over their personal profile. For more information, see Apple BYOD enrollments.
Apple VPP Apps and Books Support
IT Admins can manage custom apps, Apple Appstore apps to User Enrolled devices, and company licensed-app store apps on all MCM enrolled Apple devices, as MCM is now integrated with the Apps and Books (VPP) capabilities in Apple Business Manager. For more information, see Apple VPP Apps.
SAML-authenticated enrollment
BigFix MCM and BigFix Mobile support Security Assertion Markup Language (SAML) authentication to enroll devices. The user's SAML credentials are used to authenticate their identity to complete the enrollment process. With MCM v3.0 release, Okta is tested and supported as a SAML identity provider with AD/Open LDAP and Azure AD as identity services. For more information, see SAML-authentication configuration.
Android - Additional features supported
Cross-profile management: BigFix Mobile supports Android crossprofile management through which organizations can protect and control data sharing from work profile to personal profile in the same device. For more information, see Cross-profile management.
Password Wipe: From MCM v3.0 onwards, Password Wipe support is extended for Android mobile devices. For instructions, see Passcode Wipe.
Other enhancements
  • Primary User Assignment: You can now assign or modify primary user for a device through User Assignment action. When a device has primary user info, it can be easily managed through Smart Groups. If you want to assign primary user for huge number of devices, contact HCL Support at BigFixServices@hcl.in
  • Enrollment UI Rebranding: You can change the appearance of the Enrollment UI and Android Server Configuration UI by changing the color, image, logo, brand name and so on. For instructions, see Rebranding user interfaces.

MCM and BigFix Mobile v2.1.3 updates

MCM Admin UI password must be set with high complexity
MCM Admin UI password must be set with high complexity. This enables the application to restrict the user to log in if the user enters wrong credentials five times consecutively. If the password is not set with high complexity, then the user can make unlimited failed attempts to log on to Admin UI.
Improved unenrollment behavior

With BigFix Platform versions earlier than 10.0.8, when a device is unenrolled and then re-enrolled, WebUI and Console displayed multiple devices with unique computer IDs creating confusions.

With BigFix Platform 10.0.8 release, when you unenroll an MDM device, it deletes the device from the root server, Console, and WebUI. To enable this feature, upgrade BigFix Platform to 10.0.8 or later; no MCM upgrade is required to enable this.

For the steps to unenroll an MDM device, refer to Unenroll devices.

MCM and BigFix Mobile v2.1.1 updates

This section lists updates on features that are applicable for both MCM and BigFix Mobile in this release.

Create PPKG with Expiration Time
PPKG creation is made simpler and more secure with this release. Admins can configure expiration time for their PPKG, which stops enrolling Windows devices through that PPKG beyond the specified expiration time. Also, WebUI internally creates a unique token for every PPKG that gives more control to prevent unwanted usages of the PPKG. For information about how to create a timestamped PPKG, see Bulk enrollment - Windows
Upgrade Considerations:
  • If you want to deploy timestamped PPKG on to an MDM server, ensure the MDM server is upgraded to v2.1.1 or later.
  • PPKG files created without expiration time (created through older version of BigFix MCM) do not work as expected in MDM server v2.1.1 or later. Therefore, you need to create PPKG again and deploy.

MCM and BigFix Mobile v2.1 updates

This section lists updates on features that are applicable for both MCM and BigFix Mobile in this release.

Added operating systems Support
This version additionally supports the following operating systems:
  • Android 12
  • iOS/iPadOS 15
  • Windows 11
  • macOS Monterey 12

MCM 2.1 Updates

This section lists updates on features that are applicable for MCM in this release.
OS update for MacOS
BigFix MCM 2.1 includes an action to update the system software in macOS devices. For instructions and more information, see OS Update section of Deploy MCM actions of WebUI User Guide.
System Extension Whitelist for MacOS
With BigFix MCM 2.1, you can create system extension policy. System extensions allow software like network extensions and endpoint security solutions to extend the functionality of macOS without requiring kernel-level access. For instructions, see System Extension Whitelists.

BigFix Mobile 2.1 Updates

This section lists updates on features that are applicable for BigFix Mobile in this release.

Android dedicated device support
From UEM 2.1 release, BigFix Mobile supports Android dedicated devices. Now, you can enroll and manage company-owned devices in Kiosk mode. For more information, see Dedicated device management section in Android mobile management.

Android Advanced feature set support
This release supports the following Android features:
  • Verify Apps enforcement - Scans all the apps installed on Android device for harmful software before and after they are installed to ensure that malicious apps can not compromise corporate data. For more information, see Verify Apps enforcement.
  • VPN Management: Allows IT admins to ensure that data from certain apps always goes through the VPN specified. They can also apply a setting such that device is connected to the network only when VPN is connected. For more information, see VPN management
  • WiFi Configuration management:
    • Allows IT admins to silently provision enterprise WiFi configuration on managed devices.
    • Allows IT admins to lock down WiFi configurations on managed devices, restricting the users from creating new configurations or modifying the existing corporate configurations.
    For more information, see WiFi configuration management.
  • Private app management: IT Admins can add and manage private apps for Android Enterprise devices via Managed Google Play. For more information see, Private and custom app deployment.

  • Hardware Security management: IT Admins can lock down hardware elements of a company-owned device to ensure data and device security. For more information see, Android hardware security

Advanced Android Zero Touch enrollments
EMM Managed Android Enterprise account

Creating Android Enterprise account is simpler than before, as the organizations do not need a Google account. For more information, see Managed Google Play Accounts enterprise.

Clear passcode for iOS/iPadOS

UEM 2.1 release includes a WebUI action to facilitate system admins to remotely wipe passcode on iOS and iPadOS devices. If device users forget their Apple device password, this feature helps them to get back and use the devices, For instructions, see Deploy MCM actions of the WebUI User Guide.

BigFix Mobile and MCM v2.0 updates

BigFix Mobile

With this release, BigFix introduces BigFix Mobile. BigFix Mobile comes with a host of new features to enroll, manage, secure, service and retire iOS/iPadOS and Android devices. With BigFix Mobile, you can automate enrollment, configuration, remediation, compliance, and advanced analytics. To learn more about this solution and the supported features, see BigFix Mobile.
Important:
  • BigFix Mobile is a separate offering for managing mobile phones and tablets that comes with its own license. You need to buy the BigFix Mobile license to enroll or manage mobile devices. If you do not have the BigFix Mobile license, the WebUI will not show any references to Android, iOS or iPadOS workflows, and will only support Windows (Windows 10 and Windows 11) and macOS workflows.
  • The BigFix Mobile license is only for Mobile Device Support, which does not include Windows or macOS MDM Management. However, due to some dependencies, MDM control of these platforms will technically work for BigFix Mobile - only customers until the end of 2021.

MCM and BigFix Mobile v2.0 updates

This section lists updates on features that are applicable for both MCM and BigFix Mobile in this release.

  • WebUI user experience updates
    • Mobile support: If you have the BigFix Mobile license, you can manage mobile devices with WebUI. WebUI dynamically displays UI according to your license.
    • MCM Dashboard: Modern Client Management dashboard dashboard provides insights into every aspect of device management, device security, and device encryption.
    • Jump To: This drop down provides quick links to navigate to different pages within the MCM application.
    • Admin section: You can now Install MDM servers, Plugins, and do operational tasks from Admin section.
    • Policy Group: Create a default policy that gets deployed to MDM endpoints at enrollment time by combining MDM policies, custom policies, apps, and BigFix Agents. For more details, see Policy Groups
    • Health Check: Extended health check to monitor the BigFix Mobile environment and disk encryption. For more details, see Health Check.
  • Apple Bootstrap token support

    MCM now supports MDM operations that require use of the bootstrap tokens. For more information, see Bootstrap tokens for Apple devices.

  • New Fixlet - Update Apple Enrollment Certificate before expiration

    This release introduces a Fixlet to renew Apple Device Identity Certs that are assigned to an Apple device at the time of MDM enrollment. For more details, see Update Apple Enrollment Certificate before expiration.

  • MDM-debug tool

    This tool can be used to set log levels for individual/group/all MDM modules, execute commands and update policy settings on the MDM enrolled devices using REST APIs. This will be helpful to quickly debug production issues when there is a communication failure at different MDM layers and to trace the execution work flows, requests, and endpoint responses.​ For instructions on how to use it, refer to MDM debug tool.

  • Autopilot cli for enrollment of Windows 10 devices

    This release introduces a command line utility to set up and trigger Autopilot enrollment of Windows 10 devices. For a complete step-by-step procedure and instructions, see Autopilot enrollment.

  • Enrollment by non-admin Windows 10 device users

    Windows 10 device users without admin credentials can now enroll devices to BigFix MCM. They can enroll a single device over-the-air or automatically bulk enroll multiple devices without admin rights and manage them through BigFix MCM. For more details, see Enrollment by non-admin device users.

  • Full Disk Encryption

    MCM v2.0 introduces the Full Disk Encryption feature to centrally manage the native full-disk encryption technologies of Windows (BitLocker) and macOS (FileVault2) to secure data at rest.

  • WNS credentials

    The communication between Windows Notification Services (WNS) and the MDM server is securely established using WNS credentials. Windows now requires customer specific WNS credentials to be procured and provided at the time of all installs and upgrades that include a Windows MDM server. For more information about how to generate WNS credentials, see Generating WNS credentials. Users can upload WNS credentials through BESUEM Fixlets or through WebUI.

  • Performance enhancements

    This release includes a number of stability and performance enhancements and fixes. For capacity planning and configuration recommendations, see BigFix Capacity Planning documentation at BigFix Performance & Capacity Planning Resources.

  • Addressed security vulnerabilities

    Product security vulnerability issues from MCM v1.1 are addressed in this release.

Update considerations

MCM v1.1 updates

  • Apple Automated Device Enrollment

    MCM v1.1 introduces a feature that helps you to set up and pre-configure new or factory reset macOS devices automatically. For complete information and setup instructions, see Apple Automated Device Enrollment.

  • Autopilot enrollment of Windows 10 devices

    This release introduces the Autopilot feature that helps you to set up and pre-configure new or factory reset Windows 10 devices automatically. For complete information and setup instructions, seeAutopilot enrollment.

  • Bulk enrollment of Windows 10 devices

    The Bulk enrollment feature in MCM v1.1 facilitates you to enroll a large number of BigFix managed Windows 10 devices to MDM server within minutes. For more information, see Bulk enrollment - Windows.

  • Certificate management

    MCM v1.1 introduces the ability to deploy certificate policies on MDM endpoints for both macOS and Windows to make it much easier for you to manage certificates. For instructions, see Certificates Policy.

  • Configure and Manage BigFix MCM through WebUI

    This release includes the ability to configure and manage BigFix MCM through WebUI. You can easily install MCM components, upgrade, and uninstall through WebUI. For detailed instructions, see MCM User Guide.

  • Deploy software to MDM endpoints

    With this release, you can deploy software applications to MDM endpoints via MDM APIs through WebUI quickly. For instructions, see Prestage an Application.

  • Restriction profiles

    With MCM v1.1, you can create restrictions profiles for both Windows and macOS. Configuring many settings like privacy and user experience on MDM endpoints is straightforward and simple.

  • LDAPS utility

    MCM v1.1 introduces a command line utility through which you can quickly troubleshoot LDAPS issues.

  • Unenroll

    From this release, if you want to unenroll your devices from MCM, you can do it through WebUI. For instructions, see Unenroll devices.

  • Fixlets to upgrade MCM components

    With MCM v1.1 release, you can update MDM Enrollment Profile for Apple devices. Take a look at the BESUEM site for the relevant Fixlets.

  • Performance enhancements

    This release includes a number of stability and performance enhancements and fixes. For capacity planning and configuration recommendations, see BigFix Capacity Planning documentation at BigFix Performance & Capacity Planning Resources.

  • Addressed security vulnerabilities

    Product security vulnerability issues from MCM v1.0.1 are addressed in this release.

MCM v1.0.1 updates

  • Support for the BigFix Work from Home Solution

    MCM v1.0.1 supports the BigFix Work from Home Solution. For complete information about the BigFix Work from Home Solution, read The BigFix Work from Home Solution Guide.

  • Performance enhancements

    This release includes a number of stability and performance enhancements and fixes. For capacity planning and configuration recommendations, see BigFix Capacity Planning documentation at BigFix Performance & Capacity Planning Resources.

  • Extended operating system support
    • The MCM solution supports RHEL 8 on MDM Server and Plugin Portal servers with a workaround to install Docker CE. For more information, see Installing Docker CE and Docker compose on RHEL8 or RHEL9.
    • The MCM solution supports Windows 10 (Pro, Enterprise, and Home) running on MCM endpoints.
      Note: Only certain Windows editions support all available operating system features that are configured through MDM. For complete information, see the Windows Configuration service provider (CSP) reference document. Each CSP highlights which Windows editions are supported.
  • Fixlets to upgrade MCM components

    With MCM v1.0.1 release, you can upgrade the MCM components by using Fixlets that are available through the BigFix Console. Take a look at the BESUEM site for the relevant Fixlets.

  • WebUI Health Checks dashboard for MCM serviceability

    The WebUI Health Checks dashboard is available to monitor the health of your BigFix MCM deployments. For more information, see Health Checks.

  • Addressed security vulnerabilities

    Product security vulnerability issues from MCM v1.0.0 are addressed in this release.