Home
Administrator Guide
Read this guide to learn about enrolling, administering, and troubleshooting endpoints through BigFix MCM and BigFix Mobile.
BigFix MCM
Read this section to learn enrolling and managing Windows and macOS desktop and laptop devices.
Enrolling Windows devices
You can get Windows 10 and Windows 11 devices enrolled in BigFix MCM in many ways.
Enrollment by non-admin device users
BigFix MCM facilitates non-admin device users to enroll the domain-joined devices to MDM and manage them.
Grant and Revoke admin rights through Domain Controller
Admin can provide one-time admin access to multiple domain-joined devices from the Domain controller. With the admin rights, devices can be enrolled over-the-air via .ppkg file. Once the devices are enrolled, domain Admin can revoke the device user’s admin access and trigger a restart for all the devices from MDM.

Administrator Guide
Read this guide to learn about enrolling, administering, and troubleshooting endpoints through BigFix MCM and BigFix Mobile.
- Modern Client Management and BigFix Mobile
  This guide is intended for HCL BigFix Master Operators (MO) and those who administer BigFix deployments. If you are looking for information about using Modern Client Management (MCM) and BigFix Mobile, see the WebUI User's Guide.
- BigFix MCM
  Read this section to learn enrolling and managing Windows and macOS desktop and laptop devices.
  - Enrolling Windows devices
    You can get Windows 10 and Windows 11 devices enrolled in BigFix MCM in many ways.
    - Enrolling through enrollment URL - Windows
      Read this section to understand how the users can enroll Windows 10 and Windows 11 devices to MDM when the admin shares the enrollment URL.
    - Bulk enrollment - Windows
      Bulk enrollment is an efficient way to set up and enroll a huge number of Windows devices to BigFix MCM.
    - Autopilot enrollment - Windows
      BigFix MCM supports Windows Autopilot enrollment.
    - Autopilot enrollment with Offline Domain Join service
      Read this page to learn the ODJ architecture in MCM and the high-level process flow for enrolling Autopilot enabled Windows devices with ODJ service.
    - Enrollment by non-admin device users
      BigFix MCM facilitates non-admin device users to enroll the domain-joined devices to MDM and manage them.
      - Grant and Revoke admin rights through Domain Controller
        Admin can provide one-time admin access to multiple domain-joined devices from the Domain controller. With the admin rights, devices can be enrolled over-the-air via .ppkg file. Once the devices are enrolled, domain Admin can revoke the device user’s admin access and trigger a restart for all the devices from MDM.
      - Automatic enrollment of Hybrid Azure AD joined devices using Group Policy Object
        You can configure to automatically mass-enroll a large number of Hybrid Azure AD joined corporate devices into BigFix MCM without any user intervention or Admin user credentials. The enrollment into MDM is triggered by a group policy created on the local Active Directory.
    - SCEP enrollment
      BigFix MCM supports certificate management and certificate-based authentication through Simple Certificate Enrollment Protocol (SCEP). SCEP is the fastest and most secure way to provision certificates to all your MCM-managed devices. With SCEP, IT Admins can automate issuing certificates to the endpoints to provide access to corporate Wi-Fi, VPN, and secure e-mail through encryption.
  - Enrolling Apple devices
    You can get Apple devices enrolled in BigFix MCM in the following ways.
  - Full Disk Encryption
    With BigFix MCM, you can centrally manage the native full-disk encryption technologies from Windows (BitLocker) and macOS (FileVault2) to secure data at rest.
  - OS update
    MDM administrators can remotely manage software updates such as software patches, minor or major versions. This can help secure or enhance the current operating system.
- BigFix Mobile
  BigFix Mobile enables you to enroll and manage Android, iOS, and iPadOS devices.
- SCEP Certificate-based authentication
  BigFix MCM supports certificate-based authentication through Simple Certificate Enrollment Protocol (SCEP). SCEP is the fastest and most secure way to provision certificates to all your MCM-managed devices. With SCEP, IT Admins can automate issuing certificates to the endpoints to provide access to corporate Wi-Fi, VPN, and secure e-mail through encryption.
- SAML-authenticated enrolment flow
  When you configure SAML as the authentication method, when a user hits the enrollment URL and click Enroll, the user is first authenticated via the identity provider before proceeding with the enrollment process.
- Application management
  Application management in BigFix MCM enables IT admins to centrally control, distribute, and maintain Windows and macOS applications. It allows IT administrators to streamline the deployment, update, and security of apps on enrolled devices.
- Email configuration management
  With BigFix MCM and BigFix Mobile, you have the ability to install and set up email application that can connect to your email system. This allows users to easily connect, verify their identity, and synchronize their work email accounts on their devices.
- VPN management
  BigFix MCM and BigFix Mobile enable organizations to manage and configure Virtual Private Network (VPN) settings on enrolled Android, Apple, and Windows devices, ensuring secure remote access to corporate networks.
- Wi-Fi configuration management
  BigFix MCM and BigFix Mobile offer WiFi configuration management, where administrators can control and configure the wireless network settings on MCM-enrolled devices. This helps organizations to maintain a secure and reliable wireless network infrastructure while providing flexibility for users to connect to authorized networks.
- Known limitations
  Read this topic to get familiarized with MCM v3.0 known limitations.
- Troubleshooting
  This section is intended to help you solve problems that might occur when installing BigFix MCM and BigFix Mobile.
- Frequently Asked Questions
  Read this section for commonly asked questions and their answers to manage the MCM deployments better.

Grant and Revoke admin rights through Domain Controller

Admin can provide one-time admin access to multiple domain-joined devices from the Domain controller. With the admin rights, devices can be enrolled over-the-air via .ppkg file. Once the devices are enrolled, domain Admin can revoke the device user’s admin access and trigger a restart for all the devices from MDM.

A. Grant Admin rights to the device users from Domain Controller

Log in to Domain controller as a Domain Administrator.
From the start menu go to Windows Administrative Tools > Active Directory Users and Computers.
To grant Admin permissions to non-admin users:
1. Navigate to Users, select Domain Users, right click and select Add to a group…
2. In the Select Groups popup, in the Enter the object names to select text box, enter Domain Admins.
3. Click Check Names to verify and click OK.

Now, all the users under Domain Users group get Admin rights. For the changes to take effect, restart the user’s device. From the user’s device, you can verify if the user got Admin right by navigating to Access Work or School > Your Info.

B. Perform user-initiated enrollment

Open Firefox or any other supported browser, and in the address bar, enter enrollment URL. For example, https://mdmserver.demo.com.
Enter valid AD credentials to authenticate.
Once the authentication is successful, the user can download .ppkg file by clicking OK > Yes > Yes, add it in the subsequent screens.

C. Revoke Admin rights of the user from the Domain Controller

Log in to Domain controller as a Domain Administrator
From the start menu go to Windows Administrative Tools > Active Directory Users and Computers.
To revoke Admin permissions from the domain user:
1. Navigate to Users, double click Domain Admins.
2. Go to Members tab, select Domain Users, click Remove, and click Yes to confirm.
3. Click Apply > OK.
  Now, Admin rights are revoked from all the users under Domain Users group. For the changes to take effect, restart the user’s device from MDM. From the user’s device, you can verify if the user got Admin right by navigating to Access Work or School > Your Info.
  Now, the user can manage the device through MDM without Admin rights. Work or school account will still be present, for non-admin user. However, only Admin can unenroll the device from MDM.