Policy Groups
Policy Groups enable you to combine policies, apps, and a BigFix Agent in a single group and deploy it onto the MDM server or onto enrolled devices.
You can assign an enrollment type specific to an operating system and deploy the policy group onto the MDM server; the policies in the deployed policy group then become the default enrollment policy for those specific devices.
You can assign an enrollment type specific to an operating system and deploy onto eligible devices to override the default enrollment policy.
- MDM Policies (Passcode policy, Restrictions Policy, Certificates Policy, Appstore App Policy, Kernel Extension Whitelists, Full Disk Access, Custom policy)
Note: OS Update Policy for iOS and Disk Encryption Policy for Windows are not supported in policy groups.
Before you Begin: You must be a master operator to perform policy group related tasks such as creating, adding policies and applications, deleting, deploying and so on. As a non-master operator, you can only create policies to be included in the policy group.
Working with Policy Groups
- Create Policy Group
- Deploy Policy Group
- Associate Policy Group to Smart Group
- Edit a Policy Group
- Delete a Policy Group
Create Policy Group
- From BigFix WebUI main page, click
- From the Modern Client Management home page, click
- On the Policy Groups page, click Create Policy Group.
- On the Create Policy Group page, do the following:
- Enter Policy Group Name and Description
- Select OS.
- Assign To Group. If this policy group is deployed on to MDM servers, assign to group specifies what types of enrolling devices are eligible to get the policies and applications defined within this policy group.
Note: If you do not assign any group here, you can only deploy this policy group to one or more already enrolled devices or BigFix Device Groups. On enrollment, devices do not get the policies and applications from any unassigned policy group.
These are the available Enrollment Groups:
Operating System: Android
- Work profile enrollment: Assigns this policy group to BYOD Android devices. On fresh enrollment, BYOD Android devices receive the policies added in this group.
- Fully managed enrollment: Assigns this policy group to fully-managed Android devices. On fresh enrollment, fully-managed Android devices receive the policies added in this group.
- Dedicated device enrollment: Assigns this policy group to Dedicated Android devices. On fresh enrollment, Dedicated Android devices receive the policies added in this group.
Note: For Android, you can provision policies only through the policy groups feature; you cannot provision an individual policy that is not added to any policy group directly onto the MDM server or enrolled devices.
Operating System: iOS
- Over the Air Enrollment: Assigns this policy group to the iOS devices that are enrolled over the air. On fresh enrollment, iOS devices that are enrolled over the air receive the policies added in this group.
- User Enrollment (BYOD): Assigns this policy group to BYOD iOS devices. On fresh enrollment, BYOD iOS devices receive the policies added in this group.
- Automated Device Enrollment: Assigns this policy group to the iOS devices that are enrolled through Automated Device Enrollment.
Operating System: iPadOS
- Over the Air Enrollment: Deploys the policies in the policy group to all iPadOS devices that are enrolled over the air. On fresh enrollment, iPadOS devices that are enrolled over the air receive the policies added in this group.
- User Enrollment (BYOD): Assigns this policy group to BYOD iPadOS devices. On fresh enrollment, BYOD iPadOS devices receive the policies added in this group.
- Automated Device Enrollment: Deploys the policies in the policy group to all iPadOS devices that are enrolled through Automated Device Enrollment.
Operating System: macOS
- Over the Air Enrollment: Deploys the policies in the policy group to all macOS devices that are enrolled over the air. On fresh enrollment, macOS devices that are enrolled over the air receive the policies added in this group.
- User Enrollment (BYOD): Assigns this policy group to BYOD macOS devices. On fresh enrollment, BYOD macOS devices receive the policies added in this group.
- Automated Device Enrollment: Deploys the policies in the policy group to all macOS devices that are enrolled through Automated Device Enrollment.
Operating System: Windows
- Over the Air Enrollment: Deploys the policies in the policy group to all Windows devices that are enrolled over the air.
- Bulk Enrollment: Deploys the policies in the policy group to all Windows devices that are enrolled through bulk enrollment.
- Autopilot Enrollment: Deploys the policies in the policy group to all Windows devices that are enrolled through Autopilot Enrollment.
- To add an application or a policy, on the left navigation pane, click the + sign next to the desired item. Then select the desired policies and/or applications. Then click Save to save your changes and close the module.
- Add Policy: This option allows users to add policies to their policy group. The policies listed are prefiltered by the selected operating system of the policy group. Select a policy from the list and click OK to add that policy to the policy group. You can add multiple policies of different types. Ensure that you do not add any contradicting policies. In case of certain policies (like passcode and restrictions policies), you can add only one policy of its type in a policy group.
Note: Before saving the policy group, if you want to remove a policy that you have added, go back to the policy list and deselect the policies you want to remove.
Important: For Android dedicated devices, ensure that you add a policy with the kiosk mode setting to the policy group. Otherwise, the dedicated device works as just a fully-managed device.
- Add Application (macOS and Windows only): This option allows users to add prestaged applications to their policy group. The applications listed are prefiltered by the selected operating system of the policy group. Select one or more applications and click OK to add them to the policy group.
Important: Only Mac and Windows Policy Groups can add applications from this page. To add applications on Android, iOS, or iPadOS devices, you must create an Appstore App Policy and add it to the policy group via Add Policy.
- Add BigFix Agent (MCM only): This lists all the available pre-staged BigFix Agent versions for the selected OS (Windows and macOS only).
- To save the current selection of policies to your policy group, click the Save button in the bottom right.
Note: Ensure you have added at least one policy and one application to your policy group. If you attempt to save a policy group without any application or policy selected, WebUI will prompt you to add at least one policy or application.
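A pre-save check for the composition rules described in the steps above, as an added example that is not part of the BigFix product or its documentation. The Policy and PolicyGroup classes, the policy type labels, the kiosk_mode flag and the finding codes are all hypothetical and do not correspond to any BigFix API or export format.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of a policy group; not a BigFix API or export format.
APP_OS = {"macOS", "Windows"}                   # only these accept Add Application
ONE_PER_GROUP = {"passcode", "restrictions"}    # one policy of each type per group
UNSUPPORTED = {("iOS", "os_update"), ("Windows", "disk_encryption")}

@dataclass
class Policy:
    name: str
    type: str                 # assumed labels: "passcode", "restrictions", "custom", ...
    kiosk_mode: bool = False  # assumed flag: policy carries the kiosk mode setting

@dataclass
class PolicyGroup:
    name: str
    os: str
    enrollment_group: Optional[str] = None      # None = not assigned to any group
    policies: list = field(default_factory=list)
    applications: list = field(default_factory=list)

def lint(group):
    """Return finding codes for the content rules the page states."""
    findings = []
    if not group.policies and not group.applications:
        findings.append("EMPTY_GROUP")
    if group.applications and group.os not in APP_OS:
        findings.append("APPS_NEED_APPSTORE_POLICY")
    seen = set()
    for p in group.policies:
        if (group.os, p.type) in UNSUPPORTED:
            findings.append(f"UNSUPPORTED_POLICY:{p.name}")
        if p.type in ONE_PER_GROUP and p.type in seen:
            findings.append(f"DUPLICATE_TYPE:{p.type}")
        seen.add(p.type)
    if (group.os, group.enrollment_group) == ("Android", "Dedicated device enrollment") \
            and not any(p.kiosk_mode for p in group.policies):
        findings.append("KIOSK_MODE_MISSING")   # device would act as fully managed
    if group.enrollment_group is None:
        findings.append("NOT_APPLIED_AT_ENROLLMENT")  # enrolled devices only
    return findings

# Constructed sample groups.
KIOSK = PolicyGroup("lobby-tablets", "Android", "Dedicated device enrollment",
                    [Policy("pin-6", "passcode"), Policy("pin-8", "passcode")])
MAC = PolicyGroup("mac-baseline", "macOS", "Automated Device Enrollment",
                  [Policy("fde-access", "full_disk_access")], ["agent-installer"])

if __name__ == "__main__":
    for g in (KIOSK, MAC):
        print(g.name, lint(g) or "ok")
```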
Deploy Policy Group
You can deploy a Policy Group to the MDM server to push the contents of the policy group to eligible devices at the time of enrollment. You can also directly deploy the contents of the policy group onto already enrolled devices.
- Default policies - Deploy Policy Group on MDM Server
- Policy groups can be deployed on to MDM servers, so that enrolling devices automatically get the contents of the policy group. A policy group can target a specific operating system (Android, iOS, iPadOS, macOS, Windows) and a specific MDM enrollment type (such as OTA, DEP, Bulk enrollment, Autopilot enrollment, BYOD enrollment, and fully-managed enrollment).
- Update policies on enrolled devices - Policy Group Action
- You can update the policies on enrolled MDM devices by deploying a Policy Group to the selected devices or device groups.
Note: When you do not select an enrollment type while creating a Policy Group, you can deploy that policy group onto selected eligible devices or device groups.
To deploy a Policy Group onto selected eligible devices or device groups:
- From the Policy Groups page, select a policy group. The blue action bar appears.
- Click Policy Group Action.
- In the Deploy Policy Group page, click Edit Devices to select the devices or device groups.
- Review the selected policy and the devices and click Deploy.
Result: This deploys the policy group onto all the MDM servers in your environment.
Important: Dedicated Android devices: After the enrollment, when a policy group is deployed, the policies in the deployed policy group overwrite previous policies, if any.
Smart Group and Policy Group Association
Edit a Policy Group
To edit a policy group, click on the name of a policy group. From here, you can change the selected policies and applications, change the name, description and other details. Saving the policy group with changes overwrites the old policy group, so be sure about the changes you want to make. You can click the save button once you are done with your changes to save and go back to the display page. You can also select the cancel button to return without saving your changes.
Delete a Policy Group
- From the Policy Group page, select a policy group that you want to delete.
- Use the horizontal scroll bar to move towards the right end of the page and click the delete icon present for the selected policy group.
Result: The selected policy group is deleted. The policies previously deployed on the devices through this policy group are not affected.