Home
Administrator Guide
Read this guide to learn about enrolling, administering, and troubleshooting endpoints through BigFix MCM and BigFix Mobile.
BigFix Mobile
BigFix Mobile enables you to enroll and manage Android, iOS, and iPadOS devices.
Android mobile management
BigFix Mobile, the Enterprise Mobility Management (EMM) solution, is integrated with Android Enterprise. With this solution, you can effortlessly enroll and manage Android devices.
Provisioning Android devices
During device provisioning, a device is enrolled to BigFix Mobile and deployed with the policies from the associated policy group.
Zero-touch enrollment
BigFix Mobile supports zero-touch enrollment of company-owned Android devices. Android zero-touch enrollment is a deployment method suitable for corporate-owned Android devices. Zero-touch enrollment is a simple, fast, and secure way to configure management settings online. Organizations can get the associated devices shipped with enforced management settings, so that employees can get started immediately on booting up the devices.
User-authenticated zero-touch enrollment configuration

Administrator Guide
Read this guide to learn about enrolling, administering, and troubleshooting endpoints through BigFix MCM and BigFix Mobile.
- Modern Client Management and BigFix Mobile
  This guide is intended for HCL BigFix Master Operators (MO) and those who administer BigFix deployments. If you are looking for information about using Modern Client Management (MCM) and BigFix Mobile, see the WebUI User's Guide.
- BigFix MCM
  Read this section to learn enrolling and managing Windows and macOS desktop and laptop devices.
- BigFix Mobile
  BigFix Mobile enables you to enroll and manage Android, iOS, and iPadOS devices.
  - Android mobile management
    BigFix Mobile, the Enterprise Mobility Management (EMM) solution, is integrated with Android Enterprise. With this solution, you can effortlessly enroll and manage Android devices.
    - Managed Google Play Accounts enterprise
      Learn how enrolling to Managed Google Play Accounts facilitates you to manage your Android devices through BigFix Mobile.
    - Provisioning Android devices
      During device provisioning, a device is enrolled to BigFix Mobile and deployed with the policies from the associated policy group.
      - BYOD Android devices - provisioning with the enrollment URL
        This page explains provisioning WebUI/Users_Guide/byod.html Android devices with the enrollment URL.
      - BYOD Android devices - QR code enrollment
        This page explains provisioning BYOD Android devices using a QR code. Mobile users can enroll their personally-owned Android devices to BigFix Mobile with a QR code.
      - Fully-managed Android devices - QR code enrollment
        This page explains provisioning fully-managed Android devices using a QR code.
      - Zero-touch enrollment
        BigFix Mobile supports zero-touch enrollment of company-owned Android devices. Android zero-touch enrollment is a deployment method suitable for corporate-owned Android devices. Zero-touch enrollment is a simple, fast, and secure way to configure management settings online. Organizations can get the associated devices shipped with enforced management settings, so that employees can get started immediately on booting up the devices.
        Manual zero-touch configuration
        Read this page to learn how to set up manual zero-touch configuration.
        Automatic zero-touch configuration
        User-authenticated zero-touch enrollment configuration
      - Dedicated Android devices - QR code enrollment
        Read this page to learn provisioning company-owned Android devices with dedicated device mode using a QR code.
      - Dedicated Android devices - Zero-touch enrollment
        This page explains provisioning dedicated Android devices through zero-touch enrollment.BigFix Mobile supports zero-touch enrollment of dedicated Android devices. Android zero-touch enrollment offers seamless deployment of dedicated devices.
    - Android policy management
      A policy represents a group of settings that govern the behavior of a managed device and the apps installed on it.
    - Android device management
      Learn how to configure managed Google Play application runtime permissions and how to push permission rules to the managed Android devices.
    - Android device security
      BigFix Mobile provides various device security management features through which you can protect corporate content and devices.
    - Android hardware security
      The hardware security features from Android helps the Admins to lock hardware elements of a company-owned device to secure company data and prevent data loss.
    - Cross-profile management
      With Android crossprofile restriction policy, organizations can protect and control data sharing from the work profile to personal profile in the same device.
    - Verify Apps enforcement
      Verify Apps enforcement feature enables Google Play Protect to scan all the apps installed on Android device for harmful software before and after they are installed to ensure that malicious apps cannot compromise corporate data. This setting is optional.
  - Apple mobile management
    With BigFix Mobile, you can seamlessly enroll iOS and iPadOS devices.
  - Device trust
    The Device Trust feature from BigFix Mobile prevents unmanaged devices from accessing enterprise services. It provides an extra layer of security to your organization's application access and protects against potential threats from compromised devices. This extra security helps ensure that your users access applications from a device that you know is trusted.
  - Application management
    With the application management capability in BigFix Mobile, you can administer, distribute, and control mobile applications on your enrolled Android and iOS mobile devices. You can add and assign apps to devices, protect company data in apps, force install work apps which do not require user permission, and do much more. smooth app distribution and effective management on Android and iOS devices.
  - Kiosk management
    In kiosk mode, you can lock a device, so that it can run only one or a small set of applications. This mode turns an Android or Apple phone or tablet into a dedicated device that can run only one or more specified apps. Kiosk mode provides effective control over the device use and helps ensure that the devices can be used only for intended purposes. Mobile devices can run tasks in kiosk mode by configuring the settings through a policy. This feature applies only for company owned devices. In a dedicated or supervised device, the device user can access only the apps that the kiosk policy allows.
  - OS update
    The OS update policy allows to configure rules and settings to manage the operating system updates on the enrolled devices. This policy ensures that devices receive the necessary updates for security, bug fixes, and feature enhancements, while also maintaining a consistent and secure environment for all devices within the organization. The system update policy impacts both the current and future updates for the device, including any pending system update.
- SCEP Certificate-based authentication
  BigFix MCM supports certificate-based authentication through Simple Certificate Enrollment Protocol (SCEP). SCEP is the fastest and most secure way to provision certificates to all your MCM-managed devices. With SCEP, IT Admins can automate issuing certificates to the endpoints to provide access to corporate Wi-Fi, VPN, and secure e-mail through encryption.
- SAML-authenticated enrolment flow
  When you configure SAML as the authentication method, when a user hits the enrollment URL and click Enroll, the user is first authenticated via the identity provider before proceeding with the enrollment process.
- Application management
  Application management in BigFix MCM enables IT admins to centrally control, distribute, and maintain Windows and macOS applications. It allows IT administrators to streamline the deployment, update, and security of apps on enrolled devices.
- Email configuration management
  With BigFix MCM and BigFix Mobile, you have the ability to install and set up email application that can connect to your email system. This allows users to easily connect, verify their identity, and synchronize their work email accounts on their devices.
- VPN management
  BigFix MCM and BigFix Mobile enable organizations to manage and configure Virtual Private Network (VPN) settings on enrolled Android, Apple, and Windows devices, ensuring secure remote access to corporate networks.
- Wi-Fi configuration management
  BigFix MCM and BigFix Mobile offer WiFi configuration management, where administrators can control and configure the wireless network settings on MCM-enrolled devices. This helps organizations to maintain a secure and reliable wireless network infrastructure while providing flexibility for users to connect to authorized networks.
- Known limitations
  Read this topic to get familiarized with MCM v3.0 known limitations.
- Troubleshooting
  This section is intended to help you solve problems that might occur when installing BigFix MCM and BigFix Mobile.
- Frequently Asked Questions
  Read this section for commonly asked questions and their answers to manage the MCM deployments better.

User-authenticated zero-touch enrollment configuration

Before you begin

About this task

IT admin can configure a sign-in URL, to authenticate device user to proceed with zero-touch enrollment. Unauthorized users are restricted to proceed with device enrollment. This can be done through Manual or automatic zero-touch enrollment.

Log in to Admin Configuration and select Zero Touch Configuration.
From the Zero Touch Configuration window, do the following:
Select Automatic.
Select Enable user authentication during enroll.
Click Next.
On the next screen, select your zero-touch account. The selected zero-touch account is listed under Choose accounts to link (within Google iFrame). It displays the account ID and the number of associated devices.
To link your zero-touch account to BigFix Mobile, select the account and click Link. After successfully linking the account, the following screen is displayed. Click Configuration Info to verify the configuration details.
Click Next.
Enter the support information; company name, Email, Phone, and custom message. The information provided here is displayed on the device on enrollment.
Click Save.

Results

The associated devices are linked to the zero-touch account, mapped to the default enrollment profile, and are ready for advanced zero-touch provisioning.

Note: Click Unlink to unlink the devices. Once the account is unlinked, the zero-touch profile is removed. Click Link another account to link more accounts.

What to do next

The users can enroll the associated devices. Once an associated device is tuned on and connected to the internet:

The user is guided through initial enrollment setup.
The Support information and the custom message are displayed on the device screen while progressing with the enrollment process.
Google Chrome Terms and Conditions are displayed. Device user needs to accept them to open the Sign-in URL.
Device user needs to authenticate the sign-in URL with valid credentials and click Enroll.
Once authenticated successfully, the device user can proceed with the rest of the zero-touch enrollment process.
After the enrollment process is complete, a work profile in the device is created.
Overall, the enrollment experience is same as the normal zero-touch enrollment except that the user is authenticated via the sign-in URL.