Home
Installation and Configuration
Read this guide to learn about the requirements and available installation scenarios to ensure that the deployment of BigFix MCM and BigFix Mobile goes smoothly in your environment.
Domain join installation and configuration
Read this section to learn the prerequisites and the tasks to install ODJ service to set up your environment to enroll Windows devices and join Active Directory domain or both Active Directory and Azure AD domain.

Installation and Configuration
Read this guide to learn about the requirements and available installation scenarios to ensure that the deployment of BigFix MCM and BigFix Mobile goes smoothly in your environment.
- MCM and BigFix Mobile server and components installation
- Identity service configuration
  Starting from UEM3.0, MCM extends the capability to identify and manage devices based on users. The users can be identified based on their associated attributes including names, roles, group memberships, distribution list memberships, or physical locations. The devices identified based on users can then be targeted and managed through various configurations to provide conditional access and ensure compliance, endpoint security, and App protection.
- Simple Certificate Enrollment Protocol (SCEP) configuration
  BigFix MCM supports certificate management and certificate-based authentication through Simple Certificate Enrollment Protocol (SCEP). SCEP is the fastest and most secure way to provision certificates to all your MCM-managed devices. With SCEP, IT Admins can automate issuing certificates to the endpoints to provide access to corporate Wi-Fi, VPN, and secure e-mail through encryption.
- Domain join installation and configuration
  Read this section to learn the prerequisites and the tasks to install ODJ service to set up your environment to enroll Windows devices and join Active Directory domain or both Active Directory and Azure AD domain.
  - Prerequisites for hybrid domain join
    Read this page to learn the prerequisites to set up ODJ service to support the Azure AD joined Windows devices to join on-premises AD on enrollment.
  - Prerequisites for AD domain join
    Read this page to learn the prerequisites to set up ODJ service to support Windows devices to join on-premises AD on enrollment.
  - ODJ and MDM SSL certificates and keys
    SSL certificates and keys are required to authenticate the MDM Server to the Windows ODJ Server. These certificates and keys must be generated through the BESAdmin command. The generated SSL certificates/keys are stored in the directory that you specify in the BESAdmin command.
  - Install and configure ODJ Service - BigFix WebUI
    ODJ service is an "Add-on" service and is installed through WebUI after completing the initial MDM server install. Log in to WebUI to install and configure ODJ Service.
  - Troubleshoot ODJ
    https://learn.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current
- SAML-authentication configuration
  MCM and BigFix Mobile supports Security Assertion Markup Language (SAML) authentication to enroll devices to protect sensitive data and ensure secure access to corporate resources.

Domain join installation and configuration

Read this section to learn the prerequisites and the tasks to install ODJ service to set up your environment to enroll Windows devices and join Active Directory domain or both Active Directory and Azure AD domain.

BigFix MCM supports Active Directory (AD) Domain Join and Hybrid Domain Join through Offline Domain Join (ODJ) service. This facilitates you to manage your Windows 10 and Windows 11 endpoints through both on-premises AD and Azure AD.

A domain join establishes a trust relationship between a computer running a Windows operating system and an Active Directory domain.

BigFix MCM provides the device management capabilities necessary for managing and securing the device. Azure Active Directory provides the identity management and authentication services.

ODJ service facilitates you to manage your Windows endpoints in the following ways:

To automatically deploy a huge number of Windows endpoints seamlessly without user intervention
To enable an Autopilot endpoint to connect with AD even when the endpoint is offline and there is no VPN connectivity while enrolling.
To enable users to join a Windows laptop to an AD domain without requiring any special privileges in AD.
To join computers to the domain when they first start up after an operating system installation without requiring additional restart to complete the domain join.
To manage Autopilot enrolled laptops to inherit existing policies through AD, including the certificate policy. This makes it possible for you to domain join Windows laptops as part of a policy group configuration.

Hybrid Domain Join

If you want to join your Azure AD joined Windows laptops to your AD DS domain, you can accomplish this by using the Offline Domain Join service. This is especially useful to perform Autopilot enrollments.

AD Domain Join

If you have an on-premises Active Directory Domain Services (AD DS) environment, and if you want your Windows laptops to join your AD DS domain on enrollment, you can do this by using the Offline Domain Join service. When you configure the environment for this, the Windows devices enrolled through the following enrollment methods automatically join the AD DS domain.