The BigFix team is very pleased to announce the release of BigFix Modern Client Management (MCM) 10! The main features in this release are as follows:
BigFix Modern Client Management can be added to any BigFix module to extend BigFix capabilities and future-proof management of your Windows 10 and macOS endpoints. Key use cases supported with this release include:
- Over-the-Air Enrollment - Enroll your devices over-the-air and optionally install the BigFix Agent to extend device management capabilities such as software installation, patching, and compliance.
- Policy Enforcement - Create, edit, and manage MDM policies such as kernel extensions, inactivity timeouts, and passcode settings.
- Deep Visibility - Gain deeper visibility of your modern endpoints (Windows 10 and macOS) alongside traditional endpoints to save time and reduce infrastructure sprawl.
- Automated Actions - Deploy modern endpoint management actions such as locking and wiping devices, restarting, shutting down, and removing policies.
BigFix MCM Infrastructure - OS and Database Support
BigFix MCM 10 is an add-on to BigFix 10 Patch, Lifecycle, or Compliance. MCM is composed of two main components with the following prerequisites:
BigFix MDM server:
- RedHat Enterprise Linux 7
- Docker 1.13
BigFix MDM Plugin Portal:
- Windows Server 2012 R2 (and above) or RedHat Enterprise Linux 7.4 (and above)
- MongoDB 4.2 or higher (any edition)
The BigFix MCM management interface is built into the BigFix 10 WebUI.
Product documentation can be found here:
• https://help.hcltechsw.com/bigfix/10.0/webui/index.html (see the chapter titled “Getting Started with MCM”)
A note on BigFix MCM certificates:
The BigFix MCM components communicate with each other and with the endpoints using a set of cryptographic certificates and keys. For testing and pre-production purposes, a BigFix utility is provided to generate a set of self-signed certificates. Certificates issued by a trusted commercial CA are required for production.
If the MDM server component is configured to support macOS, an Apple push notification certificate is required. Information on initiating the steps required to generate this certificate is included in the order validation email sent to the customer contact on the order.
The certificates referenced above are a prerequisite to installing the BigFix components using the provided Fixlets.
A Note on Security Hardening BigFix MCM Infrastructure:
Security is a primary mandate of BigFix. A challenge for modern large-scale systems is to ensure security across the whole infrastructure; the axiom that “you are only as strong as your weakest link” applies. A general best practice is to apply the principle of least privilege to all BigFix resources. What does this mean in practical terms? Limit administrative access. Ensure administrative access is used only when required. Monitor and manage access lists, and prune access as appropriate. The following white paper provides an excellent summary and an associated set of resources: https://www.sans.org/reading-room/whitepapers/bestprac/paper/1188
Special mention should also be made of the MongoDB instance associated with the Plugin Portal instance for Modern Client Management and Cloud. The MongoDB instance is installed by the user and, by default, is only reachable as a service on the local host. This should not be altered: keeping it bound to the local host ensures that only direct, local access is possible. In addition, because this component is not installed by BigFix directly, it is recommended to review the MongoDB security checklist: https://docs.mongodb.com/manual/administration/security-checklist/
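As an added illustration of the local-host rule above (this is example code, not part of the BigFix release or product), a small Python check that reads a mongod.conf and flags a bindIp that reaches beyond loopback or an authorization setting that is not enabled. It assumes the flat "section: / key: value" layout mongod.conf normally uses; YAML lists and quoted strings are not handled.

```python
"""Added check (not BigFix code): audit a mongod.conf for the settings that
keep the Plugin Portal's MongoDB local and authenticated."""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_mongod_conf(text):
    """Minimal parser for mongod.conf's 'section:' / '  key: value' layout.
    Assumption: no YAML lists, anchors or quoted strings are used."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:                            # top-level section
            section = key
            conf[section] = value if value else {}
        elif isinstance(conf.get(section), dict):  # nested key under section
            conf[section][key] = value
    return conf


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks pass."""
    conf = parse_mongod_conf(text)
    net = conf.get("net") if isinstance(conf.get("net"), dict) else {}
    sec = conf.get("security") if isinstance(conf.get("security"), dict) else {}
    findings = []
    if net.get("bindIpAll", "").lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    # mongod defaults to localhost when bindIp is absent
    addrs = {a.strip() for a in net.get("bindIp", "127.0.0.1").split(",")}
    exposed = sorted(a for a in addrs if a and a not in LOOPBACK)
    if exposed:
        findings.append("net.bindIp exposes mongod beyond localhost: " + ", ".join(exposed))
    if sec.get("authorization", "disabled") != "enabled":
        findings.append("security.authorization is not enabled")
    return findings


# Constructed sample configs: one weakened, one matching the guidance above.
WEAK_CONF = "net:\n  port: 27017\n  bindIp: 0.0.0.0\nsecurity:\n  authorization: disabled\n"
HARDENED_CONF = "net:\n  port: 27017\n  bindIp: 127.0.0.1\nsecurity:\n  authorization: enabled\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(cfg) or ["OK"])
```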
Known Limitations and Workarounds
• Multiple MDM servers can be deployed in an environment in parallel for scalability, but they cannot yet be configured behind a load balancer. You should direct separate groups of devices to each server to enroll until load balancer support is available.
• The enrollment process needs to be able to authenticate your users via LDAP. Network connectivity from the MDM Server to LDAP is required.
BigFix 10 documentation: