Home
Installation and Configuration
Read this guide to learn about the requirements and available installation scenarios to ensure that the deployment of BigFix MCM and BigFix Mobile goes smoothly in your environment.
MCM and BigFix Mobile server and components installation
Reference Information
This section contains more detailed information about some of the essential installation aspects.
Update TLS certificates
You can update the TLS certificate that was initially installed with the MDM Server. Additionally, you can easily rectify errors by replacing incorrect certificates, keys, and passwords uploaded during installation. To perform this action, use Fixlet 702: BigFix MDM Server - Stage External TrustedCA TLS Certificates.

Installation and Configuration
Read this guide to learn about the requirements and available installation scenarios to ensure that the deployment of BigFix MCM and BigFix Mobile goes smoothly in your environment.
- MCM and BigFix Mobile server and components installation
  - Audience
    This guide is for administrators and IT managers who want to install and configure BigFix MCM and BigFix Mobile. It details prerequisites for each of the scenario and provides installation instructions that allow you to deploy the program in your environment. It also includes information about configuring and maintaining BigFix MCM and BigFix Mobile components.
  - Planning the installation
    Read this section before you begin to install or update any of the BigFix MCM or BigFix Mobile product features. Effective planning and an understanding of the key aspects of the installation process can help ensure a successful installation.
  - On-premises deployment setup
    Understand the prerequisites and preparation required to install the BigFix MDM server and BigFix PlugIn Portal on-premise.
  - On-premises Upgrade
    If you already have BigFix MCM and/or BigFix Mobile 2.x deployment, and if you want to upgrade to version 3.x, you can find the instructions here.
  - Configuring BigFix MCM and BigFix Mobile
    After the MCM components are set up, there are additional configuration options available to enable features like Bulk Enrollment for Windows, DEP policies for macOS, or prestage installers for Windows and MacOS MDM endpoints.
  - Reference Information
    This section contains more detailed information about some of the essential installation aspects.
    - Generating WNS credentials
      This document describes how to get Windows Notification Service (WNS) credentials that you can upload during installing or upgrading Windows MDM server.
    - Generating APNs certificate
      To obtain a push certificate from Apple, complete these steps:
    - Renew APNs certificate and update Apple MDM service
      You can renew your APNs certificate within the validity period before expiration.
    - Update Apple Enrollment Certificate before expiration
      To continue to manage the enrolled Apple devices without interruption, you must set up the Fixlet "Update Apple Enrollment Profile before Expiration" as a policy action.
    - Update Settings for Windows MDM Server
      Learn how to update BigFix MDM Service for Windows for MCM 2.0 or later.
    - Bootstrap tokens for Apple devices
      In macOS 10.5 and above, bootstrap tokens are used for granting secure tokens to user accounts and performing certain operations. For example, on a Mac computer with Apple silicon, the bootstrap token, if available, can be used to authorize the installation of both kernel extensions and software updates when managed using MDM.
    - Update Enrollment Profile Parameters for Apple MDM Server
      You can update MDM enrollment profile parameters for Apple devices that was initially set up while installing the BigFix Apple MDM Server.
    - Enroll to Managed Google Play Accounts enterprise
      Learn how to enroll to Managed Google Play Accounts enterprise to manage applications on Android devices.
    - Uninstall MDM components
      Learn how to uninstall MDM components.
    - BigFix MDM Server TLS Certificate Content
      Understand the required format of the BigFix MDM Server TLS certificate for MDM Server installation.
    - Wildcard certificates
      You can use wildcard TLS certificates for your MDM Server in several scenarios.
    - Update TLS certificates
      You can update the TLS certificate that was initially installed with the MDM Server. Additionally, you can easily rectify errors by replacing incorrect certificates, keys, and passwords uploaded during installation. To perform this action, use Fixlet 702: BigFix MDM Server - Stage External TrustedCA TLS Certificates.
    - Supported system environments
      This section provides information about the supported system environments for MCM.
    - Troubleshooting
      This section is intended to help you solve problems that might occur when installing BigFix MCM and BigFix Mobile.
    - Installing BigFix
      To install the BigFix Platform, obtain a license, and run the installation wizard that guides you through the installation of the BigFix root server, console, client, and WebUI.
- Identity service configuration
  Starting from UEM3.0, MCM extends the capability to identify and manage devices based on users. The users can be identified based on their associated attributes including names, roles, group memberships, distribution list memberships, or physical locations. The devices identified based on users can then be targeted and managed through various configurations to provide conditional access and ensure compliance, endpoint security, and App protection.
- Simple Certificate Enrollment Protocol (SCEP) configuration
  BigFix MCM supports certificate management and certificate-based authentication through Simple Certificate Enrollment Protocol (SCEP). SCEP is the fastest and most secure way to provision certificates to all your MCM-managed devices. With SCEP, IT Admins can automate issuing certificates to the endpoints to provide access to corporate Wi-Fi, VPN, and secure e-mail through encryption.
- Domain join installation and configuration
  Read this section to learn the prerequisites and the tasks to install ODJ service to set up your environment to enroll Windows devices and join Active Directory domain or both Active Directory and Azure AD domain.
- SAML-authentication configuration
  MCM and BigFix Mobile supports Security Assertion Markup Language (SAML) authentication to enroll devices to protect sensitive data and ensure secure access to corporate resources.

Update TLS certificates

You can update the TLS certificate that was initially installed with the MDM Server. Additionally, you can easily rectify errors by replacing incorrect certificates, keys, and passwords uploaded during installation. To perform this action, use Fixlet 702: BigFix MDM Server - Stage External TrustedCA TLS Certificates.

About this task

To renew the expired TLS certificates or re-upload the correct TLS certificates that were installed previously, complete the following steps.

Procedure

From BigFix Console under the BESUEM site, open Fixlet 702: BigFix MDM Server - Stage External TrustedCA TLS Certificates.
Provide the following information:
- MDM Server TLS Key Password: Enter the password.
- MDM Server TLS CERT content : Copy and paste the latest certificate mdmserver.crt data.
- MDM Server TLS KEY content : Copy and paste the mdmserver.key.pem content.
Select an option to deploy certificate.
- Deploy: The new certificate is immediately implemented; requires an instant restart of the MDM server.
- Stage: Creates the updated configuration, but does not actually apply it and perform the associated MDM server restart until the Fixlet 701: BigFix MDM Server CA certificate for the targeted server is subsequently run (ideally scheduled in non-peak times to minimize service disruption).

Results

TLS certificates get updated in the locations /var/opt/BESUEM/certs and /var/opt/BESUEM/certs/server.