Installing BigFix MDM Server for Apple endpoints

Learn how to install the BigFix MDM Server for Apple endpoints.

About this task

For instructions on how to install the BigFix MDM Server for Apple endpoints through WebUI, see Install BigFix MDM Service for Apple.

This section describes how to install the BigFix MDM Server for Apple endpoints by using the BESUEM Fixlet Install BigFix Apple MDM Server.

Before you begin: These prerequisites must be met to install the BigFix MDM Server for Apple endpoints:
  • You must have the required certificates and keys. See MDM SSL Certificates.
  • You must have the BigFix Agent running on the MDM Server target.
  • You must have the following certificate files:
    • The Apple Push Notification certificate PEM file, obtained through the HCL vendor signing process and issued by Apple for this MDM Server deployment.
    • The Apple Push Notification private key and its password.
    • The TLS certificate for the MDM Server, issued by a trusted CA.

In the Install BigFix Apple MDM Server Fixlet, provide this information:
  1. Enter the user-facing hostname. This is the hostname of the server that enrolling devices point to. The value must be the hostname from a valid URL. For example, enter mdmserver.deploy.bigfix.com.
  2. Enter the MDM API password that you want to use. It can be any string, and it is not visible externally anywhere after it is configured.
  3. Enter the LDAP parameters. These are used to authorize users who enroll in MDM over the air, which limits enrollment to your MDM server to authorized users only. Omitting all LDAP parameters disables the need for LDAP authentication to enroll for MDM.
    1. LDAP URL: Valid format is ldap://<server>:<port>. For more information on LDAP URL formats, see https://ldap.com/ldap-urls/
    2. LDAP Base DN: Valid format is "ou=Users,dc=example,dc=org".
    3. LDAP Bind User: The account used to bind to the server, given either as a distinguished name or in user@domain form. For example, "CN=domain join,OU=Users,OU=demo,DC=demo,DC=bigfix,DC=com" or "user@example.org".
    4. LDAP Bind Password: The password entered here is encrypted and stored in the MDM_PARAM_4.enc file in the /var/opt/BESUEM/certs directory.
      Note: LDAP authentication is turned on by default.
  4. Enter the Apple Push certificate and key contents.
    1. Enter the Apple Push key password.
    2. In the Apple Push Certificate PEM content section, enter the entire text contents of the Push PEM file.
    3. In the Apple Push Key content section, enter the entire text contents of the Push key file.
  5. Upload the MDM Server TLS certificate and key files.
    1. TLS key password: Enter the TLS key password.
    2. In the MDM Server TLS Certificate section, click Upload File and browse to the TLS .crt file to be used.
    3. In the MDM Server TLS Key section, click Upload File and browse to the TLS .key file to be used.
  6. Upload the MDM Server authentication certificate and key files.
    1. In the MDM Server Certificate Authority section, click Upload File and browse to the ca.cert.pem file.
    2. In the MDM Server Certificate content section, click Upload File and browse to the server.cert.pem file.
    3. In the MDM Server Key section, click Upload File and browse to the server.key file.
      Tip: For more information on how to generate .pem and .key files, see MDM SSL Certificates.
  7. Enter the message text for an end user agreement. This field is optional. The message entered here is displayed to end users, who must accept it to proceed with enrollment of their Apple devices. This allows the organization to notify or warn device users of the terms of enrolling their devices, for example a warning about allowing remote management of the device or helpdesk contact information.
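As a pre-flight check for the values entered in the Fixlet above, the following added Python script (not part of BigFix or of this page) validates the user-facing hostname, LDAP URL, Base DN and Bind User formats the steps describe, and flags a partially filled LDAP section, since only leaving all four LDAP fields empty disables LDAP authentication. Accepting ldaps:// and the exact hostname and DN rules are the script's own assumptions.

```python
import re
from urllib.parse import urlsplit

# RFC 1123 hostname label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# One RFC 4514 RDN such as "ou=Users" or "CN=domain join" (escaped commas allowed).
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=(?:[^,\\]|\\.)+$")


def valid_hostname(name: str) -> bool:
    """User-facing hostname must be a bare FQDN: no scheme, port or path."""
    if not name or len(name) > 253 or "/" in name or ":" in name:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def valid_ldap_url(url: str) -> bool:
    """Fixlet format is ldap://<server>:<port>; ldaps:// is also accepted here (assumption)."""
    parts = urlsplit(url)
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    return (parts.scheme in ("ldap", "ldaps") and parts.hostname is not None
            and port is not None and parts.path in ("", "/"))


def valid_dn(dn: str) -> bool:
    """Base DN or bind DN: comma-separated attr=value RDNs, e.g. ou=Users,dc=example,dc=org."""
    return all(_RDN.match(rdn.strip()) for rdn in re.split(r"(?<!\\),", dn))


def valid_bind_user(user: str) -> bool:
    """The bind user is either a DN or a user@domain name such as user@example.org."""
    if "=" in user:
        return valid_dn(user)
    local, at, domain = user.partition("@")
    return bool(local) and at == "@" and valid_hostname(domain)


def check_fixlet_inputs(hostname, ldap_url="", base_dn="", bind_user="", bind_password=""):
    """Return the names of inputs that are malformed or inconsistent (empty list means OK)."""
    problems = [] if valid_hostname(hostname) else ["hostname"]
    # LDAP is all-or-nothing: every field empty disables LDAP authentication,
    # but a partially filled set is a misconfiguration, not a disabled feature.
    if any((ldap_url, base_dn, bind_user, bind_password)):
        checks = {"ldap_url": valid_ldap_url(ldap_url), "base_dn": valid_dn(base_dn),
                  "bind_user": valid_bind_user(bind_user), "bind_password": bool(bind_password)}
        problems += [name for name, ok in checks.items() if not ok]
    return problems
```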