Home
Installation and Configuration
Read this guide to learn about the requirements and available installation scenarios to ensure that the deployment of BigFix MCM and BigFix Mobile goes smoothly in your environment.
Domain join installation and configuration
Read this section to learn the prerequisites and the tasks to install ODJ service to set up your environment to enroll Windows devices and join Active Directory domain or both Active Directory and Azure AD domain.
ODJ and MDM SSL certificates and keys
SSL certificates and keys are required to authenticate the MDM Server to the Windows ODJ Server. These certificates and keys must be generated through the BESAdmin command. The generated SSL certificates/keys are stored in the directory that you specify in the BESAdmin command.

Installation and Configuration
Read this guide to learn about the requirements and available installation scenarios to ensure that the deployment of BigFix MCM and BigFix Mobile goes smoothly in your environment.
- MCM and BigFix Mobile server and components installation
- Identity service configuration
  Starting from UEM3.0, MCM extends the capability to identify and manage devices based on users. The users can be identified based on their associated attributes including names, roles, group memberships, distribution list memberships, or physical locations. The devices identified based on users can then be targeted and managed through various configurations to provide conditional access and ensure compliance, endpoint security, and App protection.
- Simple Certificate Enrollment Protocol (SCEP) configuration
  BigFix MCM supports certificate management and certificate-based authentication through Simple Certificate Enrollment Protocol (SCEP). SCEP is the fastest and most secure way to provision certificates to all your MCM-managed devices. With SCEP, IT Admins can automate issuing certificates to the endpoints to provide access to corporate Wi-Fi, VPN, and secure e-mail through encryption.
- Domain join installation and configuration
  Read this section to learn the prerequisites and the tasks to install ODJ service to set up your environment to enroll Windows devices and join Active Directory domain or both Active Directory and Azure AD domain.
  - Prerequisites for hybrid domain join
    Read this page to learn the prerequisites to set up ODJ service to support the Azure AD joined Windows devices to join on-premises AD on enrollment.
  - Prerequisites for AD domain join
    Read this page to learn the prerequisites to set up ODJ service to support Windows devices to join on-premises AD on enrollment.
  - ODJ and MDM SSL certificates and keys
    SSL certificates and keys are required to authenticate the MDM Server to the Windows ODJ Server. These certificates and keys must be generated through the BESAdmin command. The generated SSL certificates/keys are stored in the directory that you specify in the BESAdmin command.
  - Install and configure ODJ Service - BigFix WebUI
    ODJ service is an "Add-on" service and is installed through WebUI after completing the initial MDM server install. Log in to WebUI to install and configure ODJ Service.
  - Troubleshoot ODJ
    https://learn.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current
- SAML-authentication configuration
  MCM and BigFix Mobile supports Security Assertion Markup Language (SAML) authentication to enroll devices to protect sensitive data and ensure secure access to corporate resources.

ODJ and MDM SSL certificates and keys

SSL certificates and keys are required to authenticate the MDM Server to the Windows ODJ Server. These certificates and keys must be generated through the BESAdmin command. The generated SSL certificates/keys are stored in the directory that you specify in the BESAdmin command.

Note: You must have a reachable DNS host name to run the commands in the BESAdmin tool to generate certificates.

To generate SSL certificates on a Windows BigFix root server, run this command:

BESAdmin.exe /generateplugincertificates /certificatespath:<path-to-store-certs> [/commonname:<CN-for-server-and-client-cert>]

To generate SSL certificates on a Linux BigFix root server, run this command:

BESAdmin.sh -generateplugincertificates -certificatespath=<path-to-store-certs> [-commonname:<CN-for-server-and-client-cert>

Note:

For commonname, use the FQDN name of the Windows machine, where the ODJ service needs to be installed.
These commands work only if path-to-store-certs directory exists.

The following SSL certificates are generated in the folder that you have created.

Use these certificates and keys when you Install ODJ service.
- ca.cert.pem
- server.cert
- server.key
Use these certificates and keys when you Configure MDM Server for ODJ Service.
- ca.cert.pem
- client.cert.pem
- client.key