Short question, probably with a short answer, but wading through marketing materials to truly understand the answer is a little above my level of ability today.
Does BigFix do Mobile Device Management (a la official Apple MDM, like Jamf Pro)? Not "Can BigFix work with mobile devices", but "Does BigFix have a way to operate within the 'official' MDM paths for macOS and Windows devices"? I've seen Maas360 mentioned from time to time, but not often, and not recently. I would really like to have a BigFix method to do things like macOS configuration profiles, but I know of no way myself.
BigFix isn't an MDM provider per se. Its "Profiles" feature works by slinging .mobileconfig files and installing them via the profiles command (on macOS).
We manage our macOS systems with Airwatch (for MDM policies) and BigFix (for patching and application deployment).
Thanks, Aram. Unfortunately, my macOS is a little light, but we need (and Jamf Pro does) more than just configuration profiles. There's a bunch of things that only either the User or an Apple MDM compliant management tool can put in place (.kext whitelisting is my biggest concern right now) that we can't do through BigFix.
With Apple having gone in this direction, are there any plans from either IBM or HCL to move along with them, or will BigFix on macOS slowly turn into osquery (reporting info but making no changes)?
It's important to note that most players in this space have a "pure MDM" component and a "heavy lifting with an agent" component. JAMF and Airwatch are examples of this; both have their pluses and minuses. Both are IMO weak in metadata and targeting, so they have "extension" attributes that are stdout from shell scripts, saved as data that is munged into various forms of groups and smart groups. BigFix doesn't have an MDM component per se, but it excels at "heavy lifting" deployment and targeting, due to its relevance language.
IMO the whole "unified management" thing is where we see MDM vendors grafting on the heavy lifting bits for traditional OSes, vs traditional OS management grafting on MDM bits. Choose wisely.
I recommend taking a good look at what you actually need. BigFix excels in being an OS-agnostic management platform, where your skills and approach scale to high numbers across multiple platforms. If you're looking for a multi-platform MDM, Airwatch's client-agnostic approach is valuable, but IMO their heavy-lifting side is weak. If you're coming at this purely from an Apple point of view, I do think JAMF's single-vendor focus is hard to ignore.
(Look for my talk submissions at .edu and MacIT conferences near you.)
Thanks again, Andrew! We've got both BigFix and Jamf Pro here and I'm regularly being asked "why both"? The "why Jamf Pro" answer is easy due to the Apple MDM functionality, but the "why BigFix" answer has been harder to come up with. Your response here will be very helpful in that regard.
It's currently an "Apple-only" concern, but Intune is coming and it's only a matter of time before folks are asking the same question about Windows.
This is true, but you can use any MDM to do this, but what kexts do you have in your environment? That is a question BigFix can answer that I don't believe MDM can at all. BigFix can be leveraged to get state that MDM cannot. That said, BigFix is also generally going to be better at deploying software, especially larger software, as compared to MDM. I really think that long term a hybrid approach is needed in most cases on macOS.
Deploying the kext approvals is the thing that's holding us up right now. BigFix is great at deploying software, I agree 100%. But, huge "but" here, without the ability to automate these kext approvals I can no longer use BigFix to deploy key Mac software in my environment. For example, I need to deploy a new Mac antivirus app to my Mac population and I can't do it centrally with BigFix. Groups here that use JAMF, and that number is growing quickly, are all set because that's what JAMF does. The rest of us need to manually upgrade our endpoints. This is being felt at the highest levels in my IT organization and, TBH, I am having to answer for it.