Home
Installation and Configuration
Read this guide to learn about the requirements and available installation scenarios to ensure that the deployment of BigFix MCM and BigFix Mobile goes smoothly in your environment.
MCM and BigFix Mobile server and components installation
Reference Information
This section contains more detailed information about some of the essential installation aspects.
Troubleshooting
This section is intended to help you solve problems that might occur when installing BigFix MCM and BigFix Mobile.
Ignore MDM server vulnerability due to TLS 1.0
Read this section to address MDM Server security exposure.

Installation and Configuration
Read this guide to learn about the requirements and available installation scenarios to ensure that the deployment of BigFix MCM and BigFix Mobile goes smoothly in your environment.
- MCM and BigFix Mobile server and components installation
  - Audience
    This guide is for administrators and IT managers who want to install and configure BigFix MCM and BigFix Mobile. It details prerequisites for each of the scenario and provides installation instructions that allow you to deploy the program in your environment. It also includes information about configuring and maintaining BigFix MCM and BigFix Mobile components.
  - Planning the installation
    Read this section before you begin to install or update any of the BigFix MCM or BigFix Mobile product features. Effective planning and an understanding of the key aspects of the installation process can help ensure a successful installation.
  - On-premises deployment setup
    Understand the prerequisites and preparation required to install the BigFix MDM server and BigFix PlugIn Portal on-premise.
  - On-premises Upgrade
    If you already have BigFix MCM and/or BigFix Mobile 2.x deployment, and if you want to upgrade to version 3.x, you can find the instructions here.
  - Configuring BigFix MCM and BigFix Mobile
    After the MCM components are set up, there are additional configuration options available to enable features like Bulk Enrollment for Windows, DEP policies for macOS, or prestage installers for Windows and MacOS MDM endpoints.
  - Reference Information
    This section contains more detailed information about some of the essential installation aspects.
    - Generating WNS credentials
      This document describes how to get Windows Notification Service (WNS) credentials that you can upload during installing or upgrading Windows MDM server.
    - Generating APNs certificate
      To obtain a push certificate from Apple, complete these steps:
    - Renew APNs certificate and update Apple MDM service
      You can renew your APNs certificate within the validity period before expiration.
    - Update Apple Enrollment Certificate before expiration
      To continue to manage the enrolled Apple devices without interruption, you must set up the Fixlet "Update Apple Enrollment Profile before Expiration" as a policy action.
    - Update Settings for Windows MDM Server
      Learn how to update BigFix MDM Service for Windows for MCM 2.0 or later.
    - Bootstrap tokens for Apple devices
      In macOS 10.5 and above, bootstrap tokens are used for granting secure tokens to user accounts and performing certain operations. For example, on a Mac computer with Apple silicon, the bootstrap token, if available, can be used to authorize the installation of both kernel extensions and software updates when managed using MDM.
    - Update Enrollment Profile Parameters for Apple MDM Server
      You can update MDM enrollment profile parameters for Apple devices that was initially set up while installing the BigFix Apple MDM Server.
    - Enroll to Managed Google Play Accounts enterprise
      Learn how to enroll to Managed Google Play Accounts enterprise to manage applications on Android devices.
    - Uninstall MDM components
      Learn how to uninstall MDM components.
    - BigFix MDM Server TLS Certificate Content
      Understand the required format of the BigFix MDM Server TLS certificate for MDM Server installation.
    - Wildcard certificates
      You can use wildcard TLS certificates for your MDM Server in several scenarios.
    - Supported system environments
      This section provides information about the supported system environments for MCM.
    - Troubleshooting
      This section is intended to help you solve problems that might occur when installing BigFix MCM and BigFix Mobile.
      - Logging
        The MCM component generates log files which can provide extra information when you troubleshoot an issue.
      - Windows error codes
        The following includes commonly encountered error messages and related information.
      - Installing Docker CE and Docker compose on RHEL8 or RHEL9
        Learn how to install Docker CE and Docker compose on Red Hat Enterprise Linux (RHEL) 8 using dnf or yum commands. You can also find information about resolving Docker CE container connectivity issue in this section.
      - Troubleshooting Azure connection
      - DEP troubleshooting
        You can find DEP enrollment troubleshooting information in this section.
      - MDM debug tool
        This command-line tool can be used to set log levels for individual/group/all MDM modules, execute commands and update policy settings on the MDM enrolled devices using REST APIs. This will be helpful to quickly debug production issues when there is a communication failure at different MDM layers and to trace the execution work flows, requests, responses from/to end points.
      - Ignore MDM server vulnerability due to TLS 1.0
        Read this section to address MDM Server security exposure.
      - Error while reinstalling MDM server
        Read this page to troubleshoot the error while reinstalling an MDM server after uninstalling the same.
    - Installing BigFix
      To install the BigFix Platform, obtain a license, and run the installation wizard that guides you through the installation of the BigFix root server, console, client, and WebUI.
- Identity service configuration
  Starting from UEM3.0, MCM extends the capability to identify and manage devices based on users. The users can be identified based on their associated attributes including names, roles, group memberships, distribution list memberships, or physical locations. The devices identified based on users can then be targeted and managed through various configurations to provide conditional access and ensure compliance, endpoint security, and App protection.
- Simple Certificate Enrollment Protocol (SCEP) configuration
  BigFix MCM supports certificate management and certificate-based authentication through Simple Certificate Enrollment Protocol (SCEP). SCEP is the fastest and most secure way to provision certificates to all your MCM-managed devices. With SCEP, IT Admins can automate issuing certificates to the endpoints to provide access to corporate Wi-Fi, VPN, and secure e-mail through encryption.
- Domain join installation and configuration
  Read this section to learn the prerequisites and the tasks to install ODJ service to set up your environment to enroll Windows devices and join Active Directory domain or both Active Directory and Azure AD domain.
- SAML-authentication configuration
  MCM and BigFix Mobile supports Security Assertion Markup Language (SAML) authentication to enroll devices to protect sensitive data and ensure secure access to corporate resources.

Ignore MDM server vulnerability due to TLS 1.0

Read this section to address MDM Server security exposure.

Problem

For versions up to MCM 2.1, vulnerability scan on the MDM Server detects exposure due to MDM Server accepting connections using TLS 1.0 and TLS 1.1.

Cause

This vulnerability exposure is specific to the port 5671 only. Up to MCM 2.1, port 5671 uses TLS 1.0 for internal communication.

The encryptions through TLS 1.0 was formally deprecated in March 2021 due to security issues. Websites using TLS 1.0 are considered non-compliant by PCI since 30 June 2018. PCI Data Security Standard (PCI DSS) does not consider TLS 1.0 to be strong enough to protect sensitive information transferred to or from web sites.

Therefore, the vulnerability scan detects the exposure.

It does not impact the ports 443 or 8443 as TLS V1.2 or higher is forced for communications through these ports.

Solution

You can safely ignore the vulnerability alert regarding the use of TLS 1.0.

This is because this vulnerability impacts only port 5671, which is used only for communication between RabbitMQ and the MDM Plugins internally. This port is not exposed to the Internet. This connection is controlled by client/server certificates, and therefore, only the MDM Plugins with those specific client/server certificates can establish a connection to initiate internal communication. Without appropriate client certificates, even the internal communication cannot be established.

This will not be an issue in versions later than MCM 2.1, as TLS V1.2 or higher is forced for communications through all the ports, and hence will be completely TLS requirement compliant even for internal communication.