Policy Groups

Policy Groups enable you to combine policies, apps, and a BigFix Agent in a single group and deploy it onto the MDM server or onto enrolled devices.

When you assign an enrollment type specific to an operating system and deploy the policy group onto the MDM server, the policies in the deployed policy group become the default enrollment policy for those specific devices.

You can also assign an enrollment type specific to an operating system and deploy the policy group onto eligible devices to override the default enrollment policy.

A policy group can contain the following:

Before you Begin: You must be a master operator to perform policy group-related tasks such as creating policy groups, adding policies and applications, deleting, deploying, and so on. As a non-master operator, you can only create policies to be included in the policy group.

Working with Policy Groups

Create Policy Group

To create a policy group:
  1. From the BigFix WebUI main page, click Apps > MCM.
  2. From the Modern Client Management home page, click Policy Group.
  3. On the Policy Groups page, click Create Policy Group.
  4. On the Create Policy Group page, do the following:
    1. Enter Policy Group Name and Description.
    2. Select OS.
    3. Assign To Group. If this policy group is deployed onto MDM servers, Assign To Group specifies which types of enrolling devices are eligible to get the policies and applications defined within this policy group.
      Note: If you do not assign any group here, you can only deploy this policy group to one or more already enrolled devices or BigFix Device Groups. On enrollment, devices do not get the policies and applications from any unassigned policy group.
      These are the available Enrollment Groups, by operating system:
      Android
      • Work profile enrollment: Assigns this policy group to BYOD Android devices. On fresh enrollment, BYOD Android devices receive the policies added in this group.
      • Fully managed enrollment: Assigns this policy group to fully-managed Android devices. On fresh enrollment, fully-managed Android devices receive the policies added in this group.
      • Dedicated device enrollment: Assigns this policy group to Dedicated Android devices. On fresh enrollment, Dedicated Android devices receive the policies added in this group.
        Note: For Android, you can provision policies only through the policy groups feature; you cannot provision an individual policy that is not added to any policy group directly onto the MDM server or enrolled devices.
      iOS
      • Over the Air Enrollment: Assigns this policy group to the iOS devices that are enrolled over the air. On fresh enrollment, iOS devices that are enrolled over the air receive the policies added in this group.
      • User Enrollment (BYOD): Assigns this policy group to BYOD iOS devices. On fresh enrollment, BYOD iOS devices receive the policies added in this group.
      • Automated Device Enrollment: Assigns this policy group to the iOS devices that are enrolled through Automated Device Enrollment.
      iPadOS
      • Over the Air Enrollment: Deploys the policies in the policy group to all iPadOS devices that are enrolled over the air. On fresh enrollment, iPadOS devices that are enrolled over the air receive the policies added in this group.
      • User Enrollment (BYOD): Assigns this policy group to BYOD iPadOS devices. On fresh enrollment, BYOD iPadOS devices receive the policies added in this group.
      • Automated Device Enrollment: Deploys the policies in the policy group to all iPadOS devices that are enrolled through Automated Device Enrollment.
      macOS
      • Over the Air Enrollment: Deploys the policies in the policy group to all macOS devices that are enrolled over the air. On fresh enrollment, macOS devices that are enrolled over the air receive the policies added in this group.
      • User Enrollment (BYOD): Assigns this policy group to BYOD macOS devices. On fresh enrollment, BYOD macOS devices receive the policies added in this group.
      • Automated Device Enrollment: Deploys the policies in the policy group to all macOS devices that are enrolled through Automated Device Enrollment.
      Windows
      • Over the Air Enrollment: Deploys the policies in the policy group to all Windows devices that are enrolled over the air.
      • Bulk Enrollment: Deploys the policies in the policy group to all Windows devices that are enrolled through bulk enrollment.
      • Autopilot Enrollment: Deploys the policies in the policy group to all Windows devices that are enrolled through Autopilot Enrollment.
  5. To add an application or a policy, on the left navigation pane, click the + sign next to the desired item. Then select the desired policies and/or applications. Then click Save to save your changes and close the module.
    • Add Policy: This option allows users to add policies to their policy group. The policies listed are prefiltered by the selected operating system of the policy group. Select a policy from the list and click OK to add that policy to the policy group. You can add multiple policies of different types. Ensure that you do not add any contradicting policies. In case of certain policies (like passcode and restrictions policies), you can add only one policy of its type in a policy group.
      Note: Before saving the policy group, if you want to remove a policy that you have added, go back to the policy list and deselect the policies you want to remove.
      Important: For Android dedicated devices, ensure that you add a policy with the kiosk mode setting to the policy group. Otherwise, the dedicated device works as just a fully-managed device.
    • Add Application (macOS and Windows only): This option allows users to add prestaged applications to their policy group. The applications listed are prefiltered by the selected operating system of the policy group. Select one or more applications and click OK to add them to the policy group.
      Important: Only Mac and Windows Policy Groups can add applications from this page. To add applications on Android, iOS, or iPadOS devices, you must create an Appstore App Policy and add it to the policy group via Add Policy.
    • Add BigFix Agent (MCM only): This lists all the available pre-staged BigFix Agent versions for the selected OS (Windows and macOS only).
  6. To save the current selection of policies and applications to your policy group, click the Save button in the bottom right.
    Note: Ensure you have added at least one policy and one application to your policy group. If you attempt to save a policy group without any application or policy selected, WebUI will prompt you to add at least one policy or application.
Result: A policy group is created and listed in the policy groups. The created policy group is displayed in a data grid. You can filter and sort as required to find a specific policy group.

Deploy Policy Group

You can deploy a Policy Group to the MDM server to push the contents of the policy group to eligible devices at the time of enrollment. You can also directly deploy the contents of the policy group onto already enrolled devices.

Default policies - Deploy Policy Group on MDM Server
Policy groups can be deployed onto MDM servers, so that enrolling devices automatically get the contents of the policy group. A policy group can target a specific operating system (Android, iOS, iPadOS, macOS, Windows) and a specific MDM enrollment type (such as OTA, DEP, Bulk enrollment, Autopilot enrollment, BYOD enrollment, and fully-managed enrollment).
To deploy a policy group to the MDM server:
  1. From the Policy Groups page, select a Policy group. The blue action bar appears.
  2. From the Deploy dropdown, select On MDM Server.
  3. If you want to associate Smart Groups to the Policy Group, on the next page, click Edit Smart Groups and select the Smart Groups.
  4. Review the selected Smart Groups and the Policy Group and click Deploy.
Result:
  • This deploys the policy group onto all the MDM servers in your BigFix environment.
  • If you selected Smart Groups when deploying the Policy Group on MDM servers, then on enrollment the contents of the Policy Group are deployed onto eligible devices as default policies, according to the specified operating system, enrollment type, and Smart Group definition.
Note:
  • You can only deploy one policy group at a time to devices or to the MDM server. However, you can run “Deploy Policy Group to MDM Server” multiple times to deploy policy groups that affect different operating systems and enrollment groups. The latest policy group of a specific operating system and enrollment group combination takes effect on enrollment. For example:
    • If you create a macOS Over The Air Enrollment Policy Group "First Policy Group" and deploy it to MDM servers, newly enrolled OTA macOS devices get the contents of "First Policy Group".
    • If you then create a macOS Over The Air Enrollment Policy Group "Second Policy Group" and deploy it to MDM servers, newly enrolled OTA macOS devices get the contents of "Second Policy Group".
    • You cannot select both “First Policy Group” and "Second Policy Group" at a time to deploy them onto the MDM server. You can only deploy them one at a time.
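
The rules above can be checked on paper before anything is deployed. The following Python model is an added example, not BigFix code or a BigFix API: the PolicyGroup record, the policy type labels ("passcode", "restrictions", "kiosk") and the sample groups are assumptions made for illustration. It replays a sequence of MDM-server deployments to show which policy group a newly enrolling device receives, and flags groups that break the one-per-type and kiosk mode rules stated on this page.

```python
from dataclasses import dataclass, field
from typing import Optional

# Policy types the page says may appear only once per policy group.
SINGLE_INSTANCE_TYPES = {"passcode", "restrictions"}

@dataclass
class PolicyGroup:
    # Hypothetical record for this example; not a BigFix data structure.
    name: str
    os: str
    enrollment_type: Optional[str] = None          # None = no enrollment group assigned
    policies: list = field(default_factory=list)   # (policy_type, policy_name) pairs

def lint(group):
    """Return rule violations to fix before the group is saved or deployed."""
    findings = []
    types = [ptype for ptype, _ in group.policies]
    for ptype in sorted(SINGLE_INSTANCE_TYPES):
        if types.count(ptype) > 1:
            findings.append(f"{group.name}: more than one {ptype} policy")
    dedicated = (group.os, group.enrollment_type) == ("Android", "Dedicated device enrollment")
    if dedicated and "kiosk" not in types:
        findings.append(f"{group.name}: dedicated device group has no kiosk mode policy")
    return findings

def effective_defaults(deployments):
    """Replay MDM-server deployments in order; the latest one per
    (OS, enrollment type) is what a newly enrolling device receives."""
    defaults, replaced = {}, []
    for group in deployments:
        if group.enrollment_type is None:
            continue  # unassigned groups are never applied on enrollment
        key = (group.os, group.enrollment_type)
        if key in defaults:
            replaced.append((key, defaults[key], group.name))
        defaults[key] = group.name
    return defaults, replaced

# Constructed sample data, reusing the page's "First/Second Policy Group" example.
first = PolicyGroup("First Policy Group", "macOS", "Over the Air Enrollment",
                    [("passcode", "mac-passcode"), ("restrictions", "mac-restrict")])
second = PolicyGroup("Second Policy Group", "macOS", "Over the Air Enrollment",
                     [("passcode", "pc-a"), ("passcode", "pc-b")])
kiosk_less = PolicyGroup("Lobby Tablets", "Android", "Dedicated device enrollment", [("restrictions", "r1")])
unassigned = PolicyGroup("Ad hoc", "Windows", None, [("passcode", "win-pc")])

if __name__ == "__main__":
    print(effective_defaults([first, unassigned, second, kiosk_less]))
```

The `replaced` list is the part worth reviewing: each entry is a default policy group that stops applying to new enrollments because a later deployment targeted the same operating system and enrollment type.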
Update policies on enrolled devices - Policy Group Action
You can update the policies on enrolled MDM devices by deploying a Policy Group to the selected devices or device groups.
Note: When you do not select an enrollment type while creating a Policy Group, you can deploy that policy group onto selected eligible devices or device groups.
To deploy a Policy Group onto selected eligible devices or device groups:
  1. From the Policy Groups page, select a policy group. The blue action bar appears.
  2. Click Policy Group Action.
  3. In the Deploy Policy Group page, click Edit Devices to select the devices or device groups.
  4. Review the selected policy and the devices and click Deploy.
Result: This deploys the policy group onto all the MDM servers in your environment.
Important: Dedicated Android devices: After enrollment, when a policy group is deployed, the policies in the deployed policy group overwrite any previous policies.

Smart Group and Policy Group Association

When you associate Smart Groups with a Policy Group, the policies are deployed based on the criteria defined in the Smart Group (such as primary user membership in the Active Directory group, Active Directory user attribute rules, and device attribute rules) along with the OS type and enrollment type.
Note: You can associate multiple Policy Groups with a Smart Group and vice versa.

Edit a Policy Group

To edit a policy group, click on the name of a policy group. From here, you can change the selected policies and applications, change the name, description and other details. Saving the policy group with changes overwrites the old policy group, so be sure about the changes you want to make. You can click the save button once you are done with your changes to save and go back to the display page. You can also select the cancel button to return without saving your changes.

Delete a Policy Group

To delete a policy group:
  1. From the Policy Group page, select a policy group that you want to delete.
  2. Use the horizontal scroll bar to move towards the right end of the page and click the delete icon present for the selected policy group.
Note: You can also delete a policy group from the edit policy group page by clicking the red Delete button in the bottom right of the page.

Result: The selected policy group is deleted. The policies previously deployed to devices through this policy group are not affected.