Deploy MCM actions

With MCM and BigFix Mobile, you can perform the following MDM-specific actions:

  • Lock
  • Wipe
  • Passcode Wipe
  • Restart
  • Shutdown
  • Remove Policy
  • Deploy BigFix Agent
  • Deploy MDM Application
  • Windows Enrollment
  • Regenerate Encryption Recovery Key
  • Unenroll
  • OS Update
  • User Assignment


Note:
  • You can deploy MDM actions only to the MCM and BigFix Mobile managed devices.
  • You can also deploy MDM actions to correlated devices that have MCM and BigFix Mobile representation.
  • Certain actions are operating system specific, and each action has an operating system logo on it to indicate which operating system it applies to. If an action shows more than one logo, the action can be applied to each operating system depicted.
  • Deploying the Deploy BigFix Agent action requires installer packages to be pre-staged to work properly. For macOS, see Prestage macOS BigFix installer. For Windows, see Prestage Windows BigFix Installer.
To perform different MDM actions, follow these steps:
  1. Log in to the WebUI.
  2. Click Apps and select MCM.
  3. From the Modern Client Management page, click Actions.
  4. The MDM Actions page displays all the possible actions along with the supported operating system for every action. You can also filter applicable actions by using the Supported Operating Systems filter. Click the specific MDM action you want to deploy to MDM endpoints.

Lock Device

Use this action to remotely lock devices that are lost or stolen. Locking helps protect the data stored on those devices. If the device is recovered after a lock action has been initiated, it can be unlocked using the recovery PIN that was set when the action was launched from the WebUI.

Note:
  • Lock action is applicable for macOS, iOS, iPadOS, and Android devices.
  • Lock action is not applicable to Windows devices. The lock action deployed on Windows MDM devices does not lock those Windows devices, and this action reports as failed.
  1. From the list of available actions, select Lock.
  2. On the following screen, click Edit Devices to add or remove the devices.

  3. Click Send Command to deploy the action to the targeted devices.
    Result: The targeted devices are locked.
    Note: Different operating systems prompt users for different options during the lock operation. For Android devices, users can enter the Android Command duration (in seconds). The command expires if not executed within the time specified.

Wipe

Use this action to erase the data on the remote device, even if the device is locked. The Wipe action lets you completely erase the data on the targeted devices from BigFix, without warning the end user.

Note:
  • The recovery code applies only to macOS devices. Windows devices will execute the Wipe action while ignoring the recovery pin.
  • Users can wipe only one device at a time and cannot execute wipe on device groups.
  • When targeting Android devices, the following options are available to specify the level of wipe on the Android device:
    • WIPE DATA UNSPECIFIED: This value is ignored.
    • PRESERVE RESET PROTECTION DATA: Preserve the factory reset protection data on the device.
    • WIPE EXTERNAL STORAGE: Additionally wipe the external storage of the device.

  1. From the list of available actions, select Wipe.
  2. On the following screen, click Edit Devices to select target devices to wipe.
    • macOS: If you select macOS devices to wipe, set a six-digit recovery PIN. This PIN is required to reinstall the operating system on the device. Make sure to record it and share it with the device owner.
    • Windows: When you select Windows devices to perform wipe action, the following options are displayed:
      • Complete Wipe: Completely wipes the device remotely, removing all user data, applications, and settings. This restores the device to its factory state and erases all traces of personal or sensitive information. It is a thorough measure often used in scenarios where data security is crucial, such as when a device is lost, stolen, or being prepared for disposal. This setting is equivalent to selecting Reset this PC > Remove everything from the Settings app, with Clean Data set to "No" and Delete Files set to "Yes".

      • Persist User Data: Resets the device remotely and persists user accounts and data. It provides a balance between wiping sensitive information and retaining user-specific configurations, enhancing data security while minimizing user disruption. This setting is equivalent to selecting Reset this PC > Keep my files when manually starting a reset from the Settings app.
        Note: After the wipe action is completed, the user has to re-enroll the device.
      • Persist Provisioned Data: Completely wipes the device remotely.

      • Protected Wipe: Performs a remote wipe and cleans the protected data and partitions on the device, ensuring thorough erasure of sensitive information stored in secure areas. It facilitates persistent resetting attempts until the wiping process is successfully completed, enhancing the security and reliability of the operation, particularly in scenarios involving lost or stolen devices.
        Note: In some device configurations, this command may leave the device unable to boot. Contact IT admin to fix this issue.
      Note: If the deployment status of the wipe action on the device shows Not Reported, the user needs to sync the target device manually to complete the wipe action on that device.
  3. Click Send Command to deploy the action to the targeted devices.

    Result: Once the deployment is complete, the targeted devices are wiped from MDM.

Passcode Wipe

Use this action to remove the passcode from the targeted iOS and iPadOS devices.

Note:
  • The target iOS or iPadOS device must be a supervised device for this action to be successful.
  • All iOS 15 or later devices are supervised.
If an iOS or iPadOS device user forgets the passcode, an IT Admin can remotely remove the passcode from the device so that the user can regain access to it.

To wipe passcode on selected devices, complete the following steps.

  1. From the list of available actions, select Passcode Wipe.
  2. On the following screen, click Edit Devices to add or remove devices.
  3. Click Send Command to deploy the action to the targeted devices.

When the action is completed, the passcode, PIN, and patterns are removed from the targeted iOS and iPadOS devices.

Restart

Use this action to restart the targeted devices.
Note: Mac, iOS, iPadOS: This action works only for the devices enrolled as a supervised device (institutionally owned).
  1. From the list of available actions, select Restart.
  2. On the following screen, click Edit Devices to add or remove devices.
  3. Click Send Command to deploy the action to the targeted device.

Shutdown

Use this action to shut down the targeted devices.
Note:
  • The device is shut down and no longer reports back to BigFix.
  • Shutdown action is available only for macOS/iOS/iPadOS and not for Windows.
  • Windows: Shutdown actions targeted at Windows MDM devices report back as "Fixed", but the devices are not actually shut down.
  • Mac, iOS, iPadOS: This action works only for the devices enrolled as a supervised device (institutionally owned). Devices do not report "Fixed" status, but are shut down properly.
  1. From the list of available actions, select Shutdown.
  2. From the following screen, click Edit Devices to add or remove devices.

  3. Click Send Command to deploy the action to the targeted devices.
    Note: The restart action is only available for Apple DEP devices. Non-supervised Apple devices targeted with the restart action will ignore the restart command.

Remove Policy

You can remove policies from selected devices using this action. You can only remove policies on devices that are enrolled in MCM and BigFix Mobile.

Note:
  • If the Remove Policy action is sent to macOS devices that do not have the selected policy, the action fails.
  • You cannot remove an Android policy. You can only overwrite an Android policy by deploying another policy through Policy Groups.
  1. From the list of available actions, select Remove Policy.
  2. From the following screen, click Edit Devices to add or remove devices.

  3. Click Edit Policies to select the policy that needs to be removed from the targeted devices.
  4. Click Send Command to deploy the action to the targeted devices.

Deploy BigFix Agent

See Deploy BigFix Agent.

Deploy MDM Application

See Deploy BigFix Agent.

Windows Enrollment

If a PPKG file is present on your MDM server, you can also initiate Windows bulk enrollment from this page. To do that:
  1. From the list of available actions, select Windows Enrollment.
  2. From the following screen, click Edit Devices to select devices in your environment that have BigFix agent installed.
  3. Action Staggering Settings: Select Enable Action Staggering and enter Stagger Action Over Duration in minutes. Use this setting to spread the load on the MDM server and network so that the targeted endpoints do not all attempt to enroll at the same time. Staggering enrollment spreads the traffic generated by newly enrolled devices over a broader, more manageable period of time. When this is set, each endpoint selects a random time within the specified time interval to enroll.
  4. For Select Your Provisioning Package, select the MDM server to which you want to enroll the selected devices.
    Note: This dropdown lists the MDM servers in which the PPKG is deployed as per Create Windows Provisioning Package.
  5. Click Send Command.
    • A BigFix deployment is generated that initiates MDM enrollment on the selected devices.
    • The deployment document with information on devices targeted and device results is displayed.
    • The targeted devices start the enrollment processes.
    • At any point, to stop the deployment, click Stop Deployment.
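
The effect of the Action Staggering setting on enrollment load can be estimated before sending the command. The following Python sketch is an added example, not part of BigFix or its documentation: it assumes each endpoint picks its start minute uniformly at random inside the window, and the fleet size and the per-minute capacity of the MDM server are constructed, hypothetical values.

```python
import random
from collections import Counter


def peak_enrollments(endpoints, stagger_minutes, seed=0):
    """Busiest one-minute bucket when every endpoint picks a random minute
    inside the stagger window (uniform choice is an assumption)."""
    if endpoints <= 0:
        return 0
    if stagger_minutes <= 0:
        return endpoints  # staggering disabled: everything starts together
    rng = random.Random(seed)
    buckets = Counter(rng.randrange(stagger_minutes) for _ in range(endpoints))
    return max(buckets.values())


def smallest_window(endpoints, capacity_per_minute, trials=20, max_minutes=1440):
    """Shortest Stagger Action Over Duration (minutes) whose worst simulated
    peak stays within capacity_per_minute, or None if none is found."""
    for window in range(1, max_minutes + 1):
        worst = max(peak_enrollments(endpoints, window, seed=s)
                    for s in range(trials))
        if worst <= capacity_per_minute:
            return window
    return None


if __name__ == "__main__":
    fleet = 2000    # constructed fleet size
    capacity = 60   # hypothetical enrollments per minute the server tolerates
    print("no staggering, peak:", peak_enrollments(fleet, 0))
    for minutes in (15, 30, 60, 120):
        print(f"{minutes:>4} min window, peak/min:",
              peak_enrollments(fleet, minutes))
    print("shortest window within capacity:", smallest_window(fleet, capacity))
```

Because the start times are random, the busiest minute is always above the average of endpoints divided by minutes, so the window has to be longer than that simple division suggests.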


Regenerate Encryption Recovery Key

See Regenerate Encryption Recovery Key.

Unenroll

See Unenroll devices.

OS Update

Use this action to update the system software on macOS devices. You can also configure software update settings through OS Update Policy.

To update system software on macOS devices, complete the following steps:

  1. From the list of available actions for macOS, select OS Update.
  2. On the OS Update page, under Target Devices, click Edit Devices and select the applicable target devices or group.
  3. Under macOS System Update, select a macOS Version to update. This drop-down dynamically lists the security patches, minor and major versions, and all other software updates applicable to the macOS devices in your environment.
    Important:
    • Supported: Only Big Sur and Monterey are supported for macOS updates.
    • Not supported: Catalina OS upgrades (10.15.X) are not supported.
  4. Select the Install Action. According to the action selected, WebUI displays appropriate messages to consider.
  5. Click Send Command.
Note:
  • This action is relevant to, and runs on, only those endpoints that have the specified update listed as available.
  • A successful action indicates only that the update was sent to the MDM server and that the operating system was notified to schedule the update according to its own rules. It does not indicate that the update was actually installed on the OS.
  • If the update was applicable before but becomes unavailable after the OS update command is sent successfully, this indicates that the update was installed on the OS. This is reflected in the analysis only after a refresh.

User Assignment

Use this action to assign a user to an MCM enrolled device. You can set or change the primary user that was assigned to a device during enrollment. If a user is already assigned to a device, this action overrides and assigns the specified user as the primary device user. If a user is not assigned previously, this action assigns the primary device user afresh.
Note: With MCM v3.0, this action allows you to assign a primary user for one device at a time. If you want to assign primary users for a large number of devices, contact HCL Support at BigFixServices@hcl.in.

To assign a user to a device, complete the following steps:

  1. From the list of available actions, select User Assignment.
  2. On the User Assignment page, under Target Devices, click Edit Devices and select a device.
  3. Under User Info, enter the Email ID of the user to whom you want to assign the target device.
  4. Click Send Command.
Note: When the action is successful, WebUI registers the primary user with the entered email ID.

Send Client Refresh

Use this action to send a client refresh to devices.

This action is available for all BigFix managed devices, regardless of whether the device is managed by MDM, by BigFix Native agent, or through cloud plugins.

The Send Client Refresh action becomes available under the Administration menu when you select one or more devices from the Device List.
By deploying the Send Client Refresh action, you can send a full client refresh request to devices. It is equivalent to performing Send Refresh on the BigFix Console.
In BigFix 9.5, Send Client Refresh creates an action against targeted devices with the ActionScript notify client ForceRefresh.

In MCM and BigFix Mobile, WebUI sends a direct API call to force clients to perform a full refresh.