Welcome
Installing and Configuring BigFix Mobile and MCM
Read this guide to learn about the requirements and available installation scenarios to ensure that the deployment of BigFix MCM and BigFix Mobile goes smoothly in your environment.
MCM and BigFix Mobile server and components installation
This guide provides instructions for installing the MCM and BigFix Mobile server along with its components, ensuring proper setup and configuration.
Reference Information
This section contains more detailed information about some of the essential installation aspects.
Prepare Google Admin console for ChromeOS
Enable Chrome Enterprise Management

BigFix Documentation Homepage
Modern Client Management and BigFix Mobile
Welcome to the Modern Client Management and BigFix Mobile documentation, where you can find information about how to install, maintain, and use Modern Client Management and BigFix Mobile.
BigFix Mobile and MCM Overview
Discover how BigFix Mobile and Modern Client Management (MCM) extend unified endpoint management to mobile devices and modern OS platforms like iOS, Android, and Windows 10+, all from a single console.
Guides in PDF format
This section contains links to PDF versions of all the MCM and BigFix Mobile manuals.
Installing and Configuring BigFix Mobile and MCM
Read this guide to learn about the requirements and available installation scenarios to ensure that the deployment of BigFix MCM and BigFix Mobile goes smoothly in your environment.
- MCM and BigFix Mobile server and components installation
  This guide provides instructions for installing the MCM and BigFix Mobile server along with its components, ensuring proper setup and configuration.
  - Audience
    This guide is for administrators and IT managers who want to install and configure BigFix MCM and BigFix Mobile. It details prerequisites for each of the scenario and provides installation instructions that allow you to deploy the program in your environment. It also includes information about configuring and maintaining BigFix MCM and BigFix Mobile components.
  - Planning the installation
    Read this section before you begin to install or update any of the BigFix MCM or BigFix Mobile product features. Effective planning and an understanding of the key aspects of the installation process can help ensure a successful installation.
  - On-premises deployment setup
    Understand the prerequisites and preparation required to install the BigFix MDM server and BigFix PlugIn Portal on-premise.
  - On-Premises Upgrade
    Upgrade your on-prem BigFix Mobile and MCM setup to the latest version for improved security, new features, and better support for Apple, Android, and Windows devices. Learn how to update the MDM Server and Plugin, meet key prerequisites like Plugin Portal and Podman, and complete the upgrade with minimal disruption.
  - Configuring BigFix MCM and BigFix Mobile
    After the MCM components are set up, there are additional configuration options available to enable features like Bulk Enrollment for Windows, DEP policies for macOS, or prestage installers for Windows and MacOS MDM endpoints.
  - Reference Information
    This section contains more detailed information about some of the essential installation aspects.
    - Apple MDM Plugin inspectors
      Use Apple MDM plugin inspectors in BigFix MCM and BigFix Mobile to retrieve device-specific data from managed macOS, iOS, and iPadOS devices.
    - Bootstrap tokens for Apple devices
      In macOS 10.5 and above, bootstrap tokens are used for granting secure tokens to user accounts and performing certain operations. For example, on a Mac computer with Apple silicon, the bootstrap token, if available, can be used to authorize the installation of both kernel extensions and software updates when managed using MDM.
    - BigFix MDM Server TLS Certificate Content
      Understand the required format of the BigFix MDM Server TLS certificate for MDM Server installation.
    - Configure Windows MDM Notification Type to Use Polling
      In restricted or offline environments, skip WNS setup by using polling-based notifications. This lets Windows devices check in with the MDM server on a schedule—no push credentials needed.
    - Enroll to Managed Google Play Accounts Enterprise
      Learn how to enroll to Managed Google Play Accounts enterprise to manage applications on Android devices.
    - Generating WNS credentials
      This document describes how to get Windows Notification Service (WNS) credentials that you can upload during installing or upgrading Windows MDM server.
    - Generating APNs certificate
      To obtain a push certificate from Apple, complete these steps:
    - Installing BigFix
      To install the BigFix Platform, obtain a license, and run the installation wizard that guides you through the installation of the BigFix root server, console, client, and WebUI.
    - Migrating from Docker to Podman
      Migrating from Docker to Podman enables a daemonless, rootless container management approach, improving security and compatibility with RHEL 8+. The migration process includes verifying system compatibility, transferring container images and volumes, updating scripts, and ensuring smooth operation with BigFix MCM and BigFix Mobile.
    - Prepare Google Admin console for ChromeOS
      - Prepare Google Admin Console
        Once you have a Google Workspace (GWS) Admin user account, follow these steps to set up the environment for Chrome OS device and policy management using a custom EMM/MDM solution:
      - Enable Chrome Enterprise Management
      - Disable force-reenrolment
      - Create Rules at Google Admin console
    - Preparing the Container Runtime Environment
      Setting up the correct container runtime environment is essential for running containerized applications efficiently. This guide provides detailed instructions for preparing a container runtime environment on RHEL 8 and RHEL 9, including prerequisites, installation steps, considerations, and troubleshooting tips.
    - Renew APNs certificate and update Apple MDM service
      You must renew your APNs certificate within the validity period before expiration.
    - Supported system environments
      This section provides information about the supported system environments for MCM.
    - Update Apple Enrollment Certificate before expiration
      To continue to manage the enrolled Apple devices without interruption, you must set up the Fixlet "Update Apple Enrollment Profile before Expiration" as a policy action.
    - Update Enrollment Profile Parameters for Apple MDM Server
      You can update MDM enrollment profile parameters for Apple devices that was initially set up while installing the BigFix Apple MDM Server.
    - Uninstall MDM components
      Learn how to uninstall MDM components.
    - Update Settings for Windows MDM Server
      Learn how to update BigFix MDM Service for Windows for MCM 2.0 or later.
    - Update TLS certificates
      You can update the TLS certificate that was initially installed with the MDM Server. Additionally, you can easily rectify errors by replacing incorrect certificates, keys, and passwords uploaded during installation. To perform this action, use Fixlet 702: BigFix MDM Server - Stage External TrustedCA TLS Certificates.
    - Wildcard certificates
      You can use wildcard TLS certificates for your MDM Server in several scenarios.
  - Troubleshooting
    This section is intended to help you solve problems that might occur when installing BigFix MCM and BigFix Mobile.
- Identity Service Configuration
  Configure identity services for BigFix Mobile and MCM to enable secure authentication and seamless user access. Learn how to integrate with identity providers and streamline user management across Apple, Android, and Windows devices.
- Simple Certificate Enrollment Protocol (SCEP) configuration
  BigFix MCM supports certificate management and certificate-based authentication through Simple Certificate Enrollment Protocol (SCEP). SCEP is the fastest and most secure way to provision certificates to all your MCM-managed devices. With SCEP, IT Admins can automate issuing certificates to the endpoints to provide access to corporate Wi-Fi, VPN, and secure e-mail through encryption.
- Domain join installation and configuration
  Read this section to learn the prerequisites and the tasks to install ODJ service to set up your environment to enroll Windows devices and join Active Directory domain or both Active Directory and Azure AD domain.
- SAML-authentication configuration
  MCM and BigFix Mobile supports Security Assertion Markup Language (SAML) authentication to enroll devices to protect sensitive data and ensure secure access to corporate resources.
Quick Start
This quick start guide gets you up and running with your BigFix MCM and BigFix Mobile solution. It helps you secure, configure, and manage your mobile devices quickly and efficiently.
User Guide
Administrator Guide
Read this guide to learn about enrolling, administering, and troubleshooting endpoints through BigFix MCM and BigFix Mobile.
Glossary
This glossary provides terms and definitions for the BigFix software and products.

Enable Chrome Enterprise Management

Log in to Google Admin Console →https://admin.google.com
Login as Admin user.
Navigate to Devices → Chrome → Settings.
Under Enrollment & Access, enable Chrome Enterprise Enrollment.
Now, click on Settings from the dropdown menu. Under User & Browser settings navigate to Chrome Management - Partner Access. Select Enable Chrome Management - Partner Access and agree to the given Terms and Conditions.
Now, click on Device Settings and navigate to Chrome Management - Partner Access. Select Enable Chrome Management - Partner Access and agree to the given terms and conditions.
In the left navigation tree, select Security > Access and data control > API controls.
On the API controls page, scroll to the bottom, and then click MANAGE DOMAIN WIDE DELEGATION.
On the Domain-wide Delegation page, click Add new.
In the Add new client ID pop-up, enter the Unique Client ID value you recorded earlier, add the OAuth scopes listed below, then click AUTHORIZE. In the Add new client ID pop-up, enter the Unique Client ID recorded earlier (this can be found in the ChromeOS service account credentials JSON file). Add the OAuth scopes listed below, and then click Authorize. OAuth scopes to add:https://www.googleapis.com/auth/admin.directory.orgunit.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/admin.directory.device.chromeos,https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly,https://www.googleapis.com/auth/apps.alerts ,https://www.googleapis.com/auth/admin.directory.orgunit,https://www.googleapis.com/auth/admin.directory.group,https://www.googleapis.com/auth/admin.directory.group.member,https://www.googleapis.com/auth/chrome.management.policy,https://www.googleapis.com/auth/chrome.management.telemetry.readonly

11. Go to Account -> Admin Roles -> Create new role

Create a new role

Assign Chrome Management Privileges

Assign the Role to Service Accounts

Here is the admin configured