Home
Installation and Configuration
Read this guide to learn about the requirements and available installation scenarios to ensure that the deployment of BigFix MCM and BigFix Mobile goes smoothly in your environment.
Simple Certificate Enrollment Protocol (SCEP) configuration
BigFix MCM supports certificate management and certificate-based authentication through Simple Certificate Enrollment Protocol (SCEP). SCEP is the fastest and most secure way to provision certificates to all your MCM-managed devices. With SCEP, IT Admins can automate issuing certificates to the endpoints to provide access to corporate Wi-Fi, VPN, and secure e-mail through encryption.
Configure SCEP infrastructure
To configure the infrastructure to support SCEP feature, complete the following steps:

Installation and Configuration
Read this guide to learn about the requirements and available installation scenarios to ensure that the deployment of BigFix MCM and BigFix Mobile goes smoothly in your environment.
- MCM and BigFix Mobile server and components installation
- Identity service configuration
  Starting from UEM3.0, MCM extends the capability to identify and manage devices based on users. The users can be identified based on their associated attributes including names, roles, group memberships, distribution list memberships, or physical locations. The devices identified based on users can then be targeted and managed through various configurations to provide conditional access and ensure compliance, endpoint security, and App protection.
- Simple Certificate Enrollment Protocol (SCEP) configuration
  BigFix MCM supports certificate management and certificate-based authentication through Simple Certificate Enrollment Protocol (SCEP). SCEP is the fastest and most secure way to provision certificates to all your MCM-managed devices. With SCEP, IT Admins can automate issuing certificates to the endpoints to provide access to corporate Wi-Fi, VPN, and secure e-mail through encryption.
  - Configure SCEP infrastructure
    To configure the infrastructure to support SCEP feature, complete the following steps:
  - Configure settings for SCEP functionality on MDM server
    To configure SCEP, deploy the Fixlet ID 203: Configure Settings for SCEP functionality on MDM Server.
- Domain join installation and configuration
  Read this section to learn the prerequisites and the tasks to install ODJ service to set up your environment to enroll Windows devices and join Active Directory domain or both Active Directory and Azure AD domain.
- SAML-authentication configuration
  MCM and BigFix Mobile supports Security Assertion Markup Language (SAML) authentication to enroll devices to protect sensitive data and ensure secure access to corporate resources.

Configure SCEP infrastructure

To configure the infrastructure to support SCEP feature, complete the following steps:

Step 1: Configure NDES server - You must configure a Network Device Enrollment Service (NDES) server role on Windows Server 2012 R2 or later. For instructions on installing and troubleshooting NDES, see BigFix Wiki page Configure NDES server.
- The server that hosts NDES must be domain-joined and in the same forest as your Enterprise CA.
- You cannot use NDES that is installed on the server that hosts the Enterprise CA.
- You must install the Certificate connector on the same server that hosts NDES.
Step 2: Configure the Fixlet Configure settings for SCEP functionality on MDM server
Step 3: Trusted certificate profile: SCEP profile must be pushed as the pre-enrollment policy and must be included in the Policy Group. Ensure you have trusted certificate profile to devices that use SCEP certificate profiles. SCEP certificate profiles directly reference the trusted certificate profile that you use to provision devices with a Trusted Root CA certificate.
- User certificate - to provide certificate to authenticate logged in user (supported in Windows and Apple).
- Device certificate - to provide certificate to authenticate the managed device (supported in Windows only).

For information on how to create a default SCEP policy, see the following pages.

Windows SCEP DeviceID template
Windows SCEP Username template
Apple SCEP Template
Note: You must upgrade to MCM v3.0 to create custom SCEP policy from custom template.