Modern Client Management and BigFix Mobile
Welcome to the Modern Client Management and BigFix Mobile documentation, where you can find information about how to install, maintain, and use Modern Client Management and BigFix Mobile.
BigFix Mobile and MCM Overview
Discover how BigFix Mobile and Modern Client Management (MCM) extend unified endpoint management to mobile devices and modern OS platforms like iOS, Android, and Windows 10+, all from a single console.
BigFix Mobile and MCM On-premises Deployment
BigFix Mobile and MCM is available as an On-premises solution. Learn how to deploy BigFix Mobile and MCM in an on-premises environment for secure, centralized mobile device management within your organization's infrastructure.
BigFix Mobile and MCM Key Concepts
Read this section to understand the key concepts of MCM.
User roles
Read this section to understand the various users involved in MCM and BigFix Mobile management and their tasks.
Guides in PDF format
This section contains links to PDF versions of all the MCM and BigFix Mobile manuals.
Installing and Configuring BigFix Mobile and MCM
Read this guide to learn about the requirements and available installation scenarios to ensure that the deployment of BigFix MCM and BigFix Mobile goes smoothly in your environment.
MCM and BigFix Mobile server and components installation
This guide provides instructions for installing the MCM and BigFix Mobile server along with its components, ensuring proper setup and configuration.
Identity Service Configuration
Configure identity services for BigFix Mobile and MCM to enable secure authentication and seamless user access. Learn how to integrate with identity providers and streamline user management across Apple, Android, and Windows devices.
Simple Certificate Enrollment Protocol (SCEP) configuration
BigFix MCM supports certificate management and certificate-based authentication through Simple Certificate Enrollment Protocol (SCEP). SCEP is the fastest and most secure way to provision certificates to all your MCM-managed devices. With SCEP, IT Admins can automate issuing certificates to the endpoints to provide access to corporate Wi-Fi, VPN, and secure e-mail through encryption.
Domain join installation and configuration
Read this section to learn the prerequisites and the tasks to install the ODJ service and set up your environment to enroll Windows devices and join them to an Active Directory domain, or to both Active Directory and Azure AD domains.
SAML-authentication configuration
MCM and BigFix Mobile support Security Assertion Markup Language (SAML) authentication for device enrollment, to protect sensitive data and ensure secure access to corporate resources.
Remote Access
The Remote Access feature in BigFix Modern Client Management (MCM) allows administrators to view the screen of managed mobile devices through the BigFix WebUI for troubleshooting and support purposes.
Deployment Guide
This document provides guidance for deploying the certificate enrollment infrastructure required for BigFix Mobile Configuration Management (MCM). It describes how to integrate BigFix MCM with Microsoft certificate services to enable device certificate enrollment using the Simple Certificate Enrollment Protocol (SCEP).
Deployment architecture
The following diagram illustrates the deployment architecture for integrating BigFix MCM with the certificate enrollment infrastructure. It shows the key components involved in the certificate enrollment workflow, including Active Directory, Microsoft Certificate Authority (CA), Network Device Enrollment Service (NDES), NDES Proxy, LDAP Proxy, and BigFix components.
Infrastructure prerequisites
Before configuring certificate enrollment for BigFix MCM, ensure that the required infrastructure components and access permissions are available. The certificate enrollment workflow relies on integration between Active Directory, Microsoft Certificate Services, NDES, and BigFix components. The following prerequisites should be verified before proceeding with the configuration steps described in this guide.
Active Directory setup
Active Directory provides the directory services required for integrating Microsoft Certificate Authority (CA) and Network Device Enrollment Service (NDES). The following steps ensure that the Active Directory environment is properly prepared before configuring the certificate enrollment infrastructure.
Certificate Authority (CA) Configuration
The Microsoft Certificate Authority (CA) is responsible for issuing certificates requested through Network Device Enrollment Service (NDES) using the Simple Certificate Enrollment Protocol (SCEP). This section describes the required configuration on an existing Enterprise Certificate Authority to support certificate enrollment.
SCEP Certificate Template Configuration
A custom certificate template must be created to support SCEP-based certificate enrollment with required security and key configurations.
NDES Installation and Configuration
The Network Device Enrollment Service (NDES) provides the SCEP interface that allows devices managed by BigFix MCM to request certificates from the Microsoft Certificate Authority. This section describes how to install and configure NDES and verify that it is ready to process certificate enrollment requests.
NDES Proxy Configuration
This document provides step-by-step instructions for installing and configuring HAProxy as a proxy for the Network Device Enrollment Service (NDES), covering both challenge and certificate enrollment requests.
LDAP Proxy Configuration
This section provides step-by-step instructions to install and configure OpenLDAP as an LDAP proxy on RHEL 8.
BigFix Configuration for Certificate Enrollment
This section describes how to configure BigFix MCM to integrate with the certificate enrollment infrastructure using NDES Proxy and LDAP Proxy.
SCEP Profile Configuration in BigFix
This section describes how to create and configure a SCEP profile in BigFix MCM to enable device certificate enrollment using the configured NDES Proxy infrastructure.
Communication Ports and Network Flow
This section describes the network communication paths and required ports between components involved in the certificate enrollment workflow for BigFix MCM.
Certificate Enrollment Flow
This section describes the end-to-end certificate enrollment flow for devices managed by BigFix MCM, using MCM Proxy, NDES Proxy, and Microsoft Certificate Authority.
How-to guide
This section provides step-by-step instructions for setting up a BigFix environment, focusing on integration with third-party prerequisites such as Apple Business Manager and Google Play. It guides users through the necessary configuration steps to ensure seamless interoperability with these external services.
Apple Business Manager Quick Start Guide for DEP
The purpose of this document is to provide a quick start into the Apple Business Manager (ABM) portal steps required to get macOS devices enrolled into MCM and iOS and iPadOS devices enrolled to BigFix Mobile using Apple Device Enrollment Program (DEP).
How to create a Microsoft developer account
You need a Microsoft developer account to create WNS credentials. WNS credentials are needed to install or upgrade the Windows MDM server and use BigFix MCM features.
Windows Autopilot configuration guide
This guide provides step-by-step instructions for configuring Windows Autopilot, tailored for BigFix Admins and IT teams. It covers both manual setup in the Azure portal and automated configuration using the autopilotcli tool, ensuring a streamlined deployment process.
Windows Errors
This topic provides a list of common errors encountered when enrolling Windows endpoints using Windows MDM through BigFix MCM. It includes links to detailed information on Windows MDM errors, WinHTTP errors, XML parsing errors, and Windows BITS client errors.
Sample Android Custom Policies
This topic provides sample Android custom policies in JSON format for use with BigFix WebUI, covering configurations such as kiosk mode, Wi-Fi restrictions, app verification, and VPN setup. Each policy can be modified to meet organizational requirements and includes guidance for uploading and assigning policies. Reference links to official documentation are provided for further customization and policy details.
Configure NDES server for SCEP
Learn how to configure the Network Device Enrollment Service (NDES) on a Windows Server to enable Simple Certificate Enrollment Protocol (SCEP) infrastructure. This topic outlines installation prerequisites, provides a step-by-step guide, and offers troubleshooting resources for common NDES issues.
Okta integration with LDAP
Integrating Okta with an LDAP server allows users to authenticate to Okta using their LDAP credentials. This integration is required to enable SAML authentication for device enrollment.
Azure AD registration and configuration
MCM integrates with Azure Active Directory to enable identity and access management features, including conditional access, role-based access control, and identity governance. These capabilities help you manage and secure access to applications and resources. Refer to the linked documentation for detailed configuration steps.
Okta configuration for enabling Device Trust
BigFix Mobile enables Device Trust integration with Okta, allowing secure access from trusted devices. Configuration involves setting up Okta for domain and management hints, followed by managed app policies for deployment. Refer to the linked documentation for detailed setup instructions.
Windows custom policies
You can find sample Windows policies on this page. You can create a custom policy through the WebUI using these sample policies.
Delegation of Control to enable Offline Domain Join
This document provides step-by-step instructions for delegating control to a domain user, enabling them to perform offline domain joins beyond the default limit of 10 computers without requiring domain admin privileges. The process involves configuring permissions in Active Directory Users and Computers for the relevant Organizational Units. For further details on domain join installation and configuration, refer to the BigFix MCM Help Center.
Quick Start
This quick start guide gets you up and running with your BigFix MCM and BigFix Mobile solution. It helps you secure, configure, and manage your mobile devices quickly and efficiently.
Administrator Guide
Read this guide to learn about enrolling, administering, and troubleshooting endpoints through BigFix MCM and BigFix Mobile.
Modern Client Management and BigFix Mobile
This guide is intended for HCL BigFix Master Operators (MO) and those who administer BigFix deployments. If you are looking for information about using Modern Client Management (MCM) and BigFix Mobile, see the WebUI User's Guide.
BigFix MCM
Read this section to learn about enrolling and managing Windows and macOS desktop and laptop devices.
BigFix Mobile
BigFix Mobile simplifies the management and security of Android, iOS, and iPadOS devices, enabling IT admins to seamlessly enroll, configure, and monitor mobile devices, ensuring compliance and protection of corporate data.
Feature configuration
The Feature Configuration page in BigFix WebUI enables you to target specific MDM servers and deploy advanced feature modules to managed endpoints. After upgrading to MCM v3.6 or later, use the Feature Configuration page to activate specialized management capabilities like Geofencing, Battery Health monitoring, Jailbreak detection, and Remote Access for your MDM servers.
SCEP Certificate-based authentication
BigFix MCM supports certificate-based authentication through Simple Certificate Enrollment Protocol (SCEP). SCEP is the fastest and most secure way to provision certificates to all your MCM-managed devices. With SCEP, IT Admins can automate issuing certificates to the endpoints to provide access to corporate Wi-Fi, VPN, and secure e-mail through encryption.
SAML-authenticated enrolment flow
When SAML is configured as the authentication method and a user opens the enrollment URL and clicks Enroll, the user is first authenticated via the identity provider before proceeding with the enrollment process.
Application management
App Management in BigFix Mobile and MCM provides a centralized way to distribute, update, and control applications across multiple device platforms. Administrators can deploy both public store apps and internal corporate apps, enforce policies, and secure company data while simplifying the app lifecycle for end users.
Battery health and level monitoring
The Battery Health feature provides visibility and proactive monitoring of mobile device battery performance to improve device reliability and minimize user productivity disruption. Monitoring is event-driven and avoids continuous polling mechanisms.
Email configuration management
With BigFix MCM and BigFix Mobile, you can install and set up an email application that connects to your email system. This allows users to easily connect, verify their identity, and synchronize their work email accounts on their devices.
VPN management
BigFix MCM and BigFix Mobile enable organizations to manage and configure Virtual Private Network (VPN) settings on enrolled Android, Apple, and Windows devices, ensuring secure remote access to corporate networks.
Wi-Fi configuration management
BigFix MCM and BigFix Mobile offer WiFi configuration management, where administrators can control and configure the wireless network settings on MCM-enrolled devices. This helps organizations to maintain a secure and reliable wireless network infrastructure while providing flexibility for users to connect to authorized networks.
Jailbreak Detection
Jailbreak Detection enables administrators to identify compromised mobile devices enrolled in the MDM platform.
Geofencing
Geofencing is a location-based technology that creates a virtual boundary (or “zone”) around a real-world area using GPS, Wi-Fi, cellular data, or RFID signals.
Remote Access
This procedure outlines the steps required to start a Remote Access session using Modern Client Management.
BigFix MCM and Mobile Known Limitations
This topic lists known limitations and restrictions in BigFix Modern Client Management (MCM) and BigFix Mobile for each version. Use this to understand feature gaps, known issues, or unsupported configurations relevant to your environment.
Troubleshooting
This section is intended to help you solve problems that might occur when installing BigFix MCM and BigFix Mobile.
Frequently Asked Questions
Read this section for commonly asked questions and their answers to manage the MCM deployments better.
Glossary
This glossary provides terms and definitions for the BigFix software and products.