Configure settings for SCEP functionality on MDM server

To configure SCEP, deploy the Fixlet ID 203: Configure Settings for SCEP functionality on MDM Server.

About this task

To deploy Fixlet ID 203: Configure Settings for SCEP functionality on MDM Server from the BigFix Modern Client Management site, complete the following steps.

Procedure

  1. Log in to the BigFix console.
  2. Open the Fixlets and Tasks icon in the Domain Panel.
  3. In the search bar, enter "Configure Settings for SCEP".
  4. Select the Fixlet named Configure Settings for SCEP functionality on MDM Server.
  5. In the Description tab, enter the required information.
    • SCEP URL: Enter a URL that Windows clients can reach to download certificates from the corresponding SCEP server. Example: http://scep.example.com:8080/certsrv/mscep.dll/
      Note: BigFix MCM currently supports NDES as the SCEP server. For information on configuring NDES, see the BigFix Wiki document at Configure NDES server.
    • SCEP Admin URL: The URL used to fetch the challenge password and CA thumbprint for making SCEP calls. Example: http://scep.example.com:8080/certsrv/mscep_admin/
    • Challenge Validity: The validity of the challenge, which is a one-time password. In the Fixlet, set the value for Challenge Validity according to how it is configured in the NDES service.
      • If NDES is configured with default settings, then in the Fixlet, configure the 'Challenge Validity' as 0. In this case, the challenge password is available for one-time use within 60 minutes. MDM requests a new password every time.
      • If NDES is configured as "Never expire" to reuse the password, then in the Fixlet, configure the 'Challenge Validity' as -1. In this case, the password never expires. MDM requests the password once and caches it for further use.
      • If NDES is configured with a Challenge Validity time in minutes, then in the Fixlet, configure the 'Challenge Validity' as the same integer value in minutes as set in NDES. In this case, MDM caches the password for the configured time period before requesting a new password.

    • Server Type: Enter "NDES".
    • Server User: Enter the email address of the SCEP Admin user. Example: ndesadmin@mcm.bigfix.com
    • Server Password: Enter the password of the SCEP Admin user.
    • SCEP Policy:
      • NA - Not applicable. Use this option to disable SCEP. If you do not want to use SCEP for distributing certificates, choose this option and leave all the other parameters empty. When SCEP Policy Type is NA, none of the other parameters are checked.
      • PROXY - When this is configured, SCEP certificate requests from endpoints go through the proxy.
      • DIRECT - When this is configured, SCEP is Internet-facing and all endpoints reach out directly to the SCEP URL for certificate requests.
      Note: When SCEP Policy Type is PROXY or DIRECT, you must enter a value for all the parameters to proceed with deploying the Fixlet.
  6. Click Take Action.
  7. On the Target tab, select the MDM Server.
  8. Click OK.
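
The following pre-check applies the parameter rules from step 5 to a set of values before they are typed into the Fixlet. It is an added example, not part of BigFix or the Fixlet; the dictionary key names are hypothetical, and the plain-HTTP warning on the SCEP Admin URL is an extra check that the Fixlet is not stated to perform.

```python
from urllib.parse import urlparse

REQUIRED = ("scep_url", "scep_admin_url", "challenge_validity",
            "server_type", "server_user", "server_password")

def challenge_behavior(validity):
    """Describe how MDM handles the challenge password for a given value."""
    if validity == 0:
        return "new password requested every time (NDES default, one use within 60 minutes)"
    if validity == -1:
        return "password requested once and cached; it never expires"
    if validity > 0:
        return f"password cached for {validity} minutes before a new one is requested"
    raise ValueError("Challenge Validity must be -1, 0 or a positive number of minutes")

def check_settings(s):
    """Return (errors, warnings) for a dict of values; key names are hypothetical."""
    policy = str(s.get("scep_policy", "")).upper()
    if policy in ("NA", "N/A"):
        return [], []  # SCEP disabled: the other parameters are not checked
    if policy not in ("PROXY", "DIRECT"):
        return [f"SCEP Policy must be NA, PROXY or DIRECT, got {policy!r}"], []
    errors, warnings = [], []
    for key in REQUIRED:
        if s.get(key) in (None, ""):
            errors.append(f"{key} is required when SCEP Policy is {policy}")
    for key in ("scep_url", "scep_admin_url"):
        url = urlparse(str(s.get(key) or ""))
        if s.get(key) and (url.scheme not in ("http", "https") or not url.hostname):
            errors.append(f"{key} is not a valid http(s) URL")
        elif key == "scep_admin_url" and url.scheme == "http":
            warnings.append("scep_admin_url uses plain HTTP; challenge password is sent unencrypted")
    if s.get("server_type") not in (None, "", "NDES"):
        errors.append("server_type must be NDES")
    if s.get("challenge_validity") not in (None, ""):
        try:
            challenge_behavior(int(s["challenge_validity"]))
        except ValueError as exc:
            errors.append(f"challenge_validity: {exc}")
    return errors, warnings

# Constructed sample built from the example values shown on this page.
SAMPLE = {"scep_policy": "DIRECT", "challenge_validity": 0, "server_type": "NDES",
          "scep_url": "http://scep.example.com:8080/certsrv/mscep.dll/",
          "scep_admin_url": "http://scep.example.com:8080/certsrv/mscep_admin/",
          "server_user": "ndesadmin@mcm.bigfix.com", "server_password": "<placeholder>"}

if __name__ == "__main__":
    print(check_settings(SAMPLE))
```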