BigFix and (Apple) MDM?

Short question, probably with a short answer, but wading through marketing materials to truly understand the answer is a little above my level of ability today. :slightly_smiling_face:

Does BigFix do Mobile Device Management (a la official Apple MDM, like Jamf Pro)? Not “Can BigFix work with mobile devices”, but “Does BigFix have a way to operate within the ‘official’ MDM paths for macOS and Windows devices”? I’ve seen Maas360 mentioned from time to time, but not often, and not recently. I would really like to have a BigFix method to do things like macOS configuration profiles, but I know of no way myself.

Educate me? :smile:

– John

1 Like

BigFix isn’t an MDM provider per se. Its “Profiles” feature works by slinging .mobileconfig files and installing them via the profiles command (on macOS).

We manage our macOS systems with Airwatch (for MDM policies) and BigFix (for patching and application deployment).

-Andrew

3 Likes

For reference to profile configurations that are available for macOS via BigFix as of today, please see the following: https://www.ibm.com/support/knowledgecenter/en/SS63NW_9.5.0/com.ibm.bigfix.lifecycle.doc/Lifecycle/Profiling_Users_Guide/c_mac_profile_props.html

2 Likes

Thanks, Andrew. This is what I figured.

Thanks, Aram. Unfortunately, my macOS is a little light, but we need (and Jamf Pro does) more than just configuration profiles. There’s a bunch of things that only either the User or an Apple MDM compliant management tool can put in place (.kext whitelisting is my biggest concern right now) that we can’t do through BigFix.

With Apple having gone in this direction, are there any plans from either IBM or HCL to move along with them, or will BigFix on macOS slowly turn into osquery (reporting info but making no changes)?
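As an added example (not part of the thread, and not BigFix or Jamf code): before pushing a `.mobileconfig` through a file-drop mechanism like the one described above, it helps to audit which payloads it carries and whether it includes the kext allow-list payload, which this thread notes only takes effect via the user or an MDM. The sample profile, its identifiers and its team ID are constructed; the payload type and key names are Apple's documented ones.

```python
import plistlib

# Payload type Apple uses for kext allow-listing; the thread notes this class
# of setting only takes effect through the user or an MDM, not a file drop.
KEXT_POLICY = "com.apple.syspolicy.kernel-extension-policy"

# Constructed sample profile (identifiers and team ID are made up).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.av-rollout</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.dock</string>
      <key>PayloadIdentifier</key><string>com.example.dock</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.syspolicy.kernel-extension-policy</string>
      <key>PayloadIdentifier</key><string>com.example.kext</string>
      <key>AllowUserOverrides</key><true/>
      <key>AllowedTeamIdentifiers</key><array><string>ABCDE12345</string></array>
      <key>AllowedKernelExtensions</key><dict>
        <key>ABCDE12345</key><array><string>com.example.av.kext</string></array>
      </dict>
    </dict>
  </array>
</dict></plist>"""


def audit_profile(data: bytes) -> dict:
    """Summarise an unsigned .mobileconfig: payload types and kext approvals."""
    profile = plistlib.loads(data)
    report = {"payload_types": [], "needs_mdm": False,
              "team_ids": [], "bundle_ids": [], "user_overrides": None}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "<missing>")
        report["payload_types"].append(ptype)
        if ptype != KEXT_POLICY:
            continue
        report["needs_mdm"] = True  # file-drop install will not apply this
        report["team_ids"] += payload.get("AllowedTeamIdentifiers", [])
        for team, bundles in payload.get("AllowedKernelExtensions", {}).items():
            report["bundle_ids"] += [f"{team}:{b}" for b in bundles]
        report["user_overrides"] = payload.get("AllowUserOverrides")
    return report


if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
```

A whole-team entry in `team_ids` approves every kext signed by that developer, so it deserves closer review than a per-bundle entry in `bundle_ids`.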

@straffin,

It’s important to note that most players in this space have a “pure MDM” component and a “heavy lifting with an agent” component. JAMF and Airwatch are examples of this; both have their pluses and minuses. Both are IMO weak in metadata and targeting, so they have “extension” attributes that are stdout from shell scripts, saved as data that is munged into various forms of groups and smart groups. BigFix doesn’t have an MDM component per se, but it excels at “heavy lifting” deployment and targeting, due to its relevance language.

IMO the whole “unified management” thing is where we see MDM vendors grafting on the heavy lifting bits for traditional OSes, vs traditional OS management grafting on MDM bits. Choose wisely. :smiley:

I recommend taking a good look at what you actually need. BigFix excels in being an OS-agnostic management platform, where your skills and approach scale to high numbers across multiple platforms. If you’re looking for a multi-platform MDM, Airwatch’s client-agnostic approach is valuable, but IMO their heavy-lifting side is weak. If you’re coming at this purely from an Apple point of view, I do think JAMF’s single-vendor focus is hard to ignore.

(Look for my talk submissions at .edu and MacIT conferences near you. :wink: )

-Andrew

2 Likes

Thanks again, Andrew! We’ve got both BigFix and Jamf Pro here and I’m regularly being asked “why both”? The “why Jamf Pro” answer is easy due to the Apple MDM functionality, but the “why BigFix” answer has been harder to come up with. Your response here will be very helpful in that regard. :smile:

It’s currently an “Apple-only” concern, but Intune is coming and it’s only a matter of time before folks are asking the same question about Windows.

This is true, but you can use any MDM to do this. But what kexts do you have in your environment? That is a question BigFix can answer that I don’t believe MDM can at all. BigFix can be leveraged to get state that MDM cannot. That said, BigFix is also generally going to be better at deploying software, especially larger software, as compared to MDM. I really think that long term a hybrid approach is needed in most cases on macOS.

1 Like

Deploying the kext approvals is the thing that’s holding us up right now. BigFix is great at deploying software, I agree 100%. But, huge “but” here, without the ability to automate these kext approvals I can no longer use BigFix to deploy key Mac software in my environment. For example, I need to deploy a new Mac antivirus app to my Mac population and I can’t do it centrally with BigFix. Groups here that use JAMF, and that number is growing quickly, are all set because that’s what JAMF does. The rest of us need to manually upgrade our endpoints. This is being felt at the highest levels in my IT organization and, TBH, I am having to answer for it.

1 Like

Worth watching our latest road-map session that has some insight on the above topics.

https://support.hcltechsw.com/csm?id=bigfix_events

Check out the Roadmap followup via the link above.

Worth bookmarking our new landing page: https://support.bigfix.com

2 Likes

Actually just sat in on a Customer Interaction Session on what’s coming in v10. Exciting things are coming. :slight_smile:

3 Likes