Home
Administrator Guide
Read this guide to learn about enrolling, administering, and troubleshooting endpoints through BigFix MCM and BigFix Mobile.
BigFix MCM
Read this section to learn enrolling and managing Windows and macOS desktop and laptop devices.
Full Disk Encryption
With BigFix MCM, you can centrally manage the native full-disk encryption technologies from Windows (BitLocker) and macOS (FileVault2) to secure data at rest.
Recovery Key Escrow Configuration
Key escrow is a method of storing important cryptographic keys. By using key escrow, organizations can ensure that in the case of crisis, such as security breach, lost or forgotten keys, natural disaster, or otherwise, their critical keys are safe and can be recovered.

Administrator Guide
Read this guide to learn about enrolling, administering, and troubleshooting endpoints through BigFix MCM and BigFix Mobile.
- Modern Client Management and BigFix Mobile
  This guide is intended for HCL BigFix Master Operators (MO) and those who administer BigFix deployments. If you are looking for information about using Modern Client Management (MCM) and BigFix Mobile, see the WebUI User's Guide.
- BigFix MCM
  Read this section to learn enrolling and managing Windows and macOS desktop and laptop devices.
  - Enrolling Windows devices
    You can get Windows 10 and Windows 11 devices enrolled in BigFix MCM in many ways.
  - Enrolling Apple devices
    You can get Apple devices enrolled in BigFix MCM in the following ways.
  - Full Disk Encryption
    With BigFix MCM, you can centrally manage the native full-disk encryption technologies from Windows (BitLocker) and macOS (FileVault2) to secure data at rest.
    - Windows BitLocker
      BitLocker is the Windows encryption technology that protects your data from unauthorized access by encrypting your drive.
    - MacOS FileVault
      For information about macOS FileVault, see https://developer.apple.com/documentation/devicemanagement/fdefilevault
    - Set up the BES Server Plugin Service (Fixlet 708 in BES Support)
      To enable the Full Disk Encryption feature, you must install the BES Server plug-in in BigFix. To install the BES Server plug-in, run the installation Fixlet and target the BigFix server.
    - Recovery Key Escrow Configuration
      Key escrow is a method of storing important cryptographic keys. By using key escrow, organizations can ensure that in the case of crisis, such as security breach, lost or forgotten keys, natural disaster, or otherwise, their critical keys are safe and can be recovered.
      - Set up Vault
        Vault is the open source secret engine that BigFix uses to secure, store and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.
  - OS update
    MDM administrators can remotely manage software updates such as software patches, minor or major versions. This can help secure or enhance the current operating system.
- BigFix Mobile
  BigFix Mobile enables you to enroll and manage Android, iOS, and iPadOS devices.
- SCEP Certificate-based authentication
  BigFix MCM supports certificate-based authentication through Simple Certificate Enrollment Protocol (SCEP). SCEP is the fastest and most secure way to provision certificates to all your MCM-managed devices. With SCEP, IT Admins can automate issuing certificates to the endpoints to provide access to corporate Wi-Fi, VPN, and secure e-mail through encryption.
- SAML-authenticated enrolment flow
  When you configure SAML as the authentication method, when a user hits the enrollment URL and click Enroll, the user is first authenticated via the identity provider before proceeding with the enrollment process.
- Application management
  Application management in BigFix MCM enables IT admins to centrally control, distribute, and maintain Windows and macOS applications. It allows IT administrators to streamline the deployment, update, and security of apps on enrolled devices.
- Email configuration management
  With BigFix MCM and BigFix Mobile, you have the ability to install and set up email application that can connect to your email system. This allows users to easily connect, verify their identity, and synchronize their work email accounts on their devices.
- VPN management
  BigFix MCM and BigFix Mobile enable organizations to manage and configure Virtual Private Network (VPN) settings on enrolled Android, Apple, and Windows devices, ensuring secure remote access to corporate networks.
- Wi-Fi configuration management
  BigFix MCM and BigFix Mobile offer WiFi configuration management, where administrators can control and configure the wireless network settings on MCM-enrolled devices. This helps organizations to maintain a secure and reliable wireless network infrastructure while providing flexibility for users to connect to authorized networks.
- Known limitations
  Read this topic to get familiarized with MCM v3.0 known limitations.
- Troubleshooting
  This section is intended to help you solve problems that might occur when installing BigFix MCM and BigFix Mobile.
- Frequently Asked Questions
  Read this section for commonly asked questions and their answers to manage the MCM deployments better.

Recovery Key Escrow Configuration

Key escrow is a method of storing important cryptographic keys. By using key escrow, organizations can ensure that in the case of crisis, such as security breach, lost or forgotten keys, natural disaster, or otherwise, their critical keys are safe and can be recovered.

Recovery Key Escrow Configuration involves the following steps:

Certificate creation – You must create a certificate and key pair for encrypting the recovery key through WebUI MDM app. This certificate is used in Windows actions and in macOS escrow payload. The key is placed in BES Server Plugin folder for decrypting.
Set up Vault – You must specify an existing Vault server (URL, access keys), or you can also deploy Vault with self-signed certificates. You can access the Vault directory to get the unseal keys and access keys that were generated, and configure Vault settings in WebUI.
Escrow server plugin setup – Set up the Escrow server plugin through WebUI by configuring with details of the key and Vault details, so that the private key is stored in the 'Applications' directory of the BES server.

Troubleshooting: Manual device task to escrow recovery key – If recovery key is missing or out of date, you can retrieve it through Regenerate Encryption Recovery Key.