Home
Installation and Configuration
Read this guide to learn about the requirements and available installation scenarios to ensure that the deployment of BigFix MCM and BigFix Mobile goes smoothly in your environment.
MCM and BigFix Mobile server and components installation
Reference Information
This section contains more detailed information about some of the essential installation aspects.
BigFix MDM Server TLS Certificate Content
Understand the required format of the BigFix MDM Server TLS certificate for MDM Server installation.

Installation and Configuration
Read this guide to learn about the requirements and available installation scenarios to ensure that the deployment of BigFix MCM and BigFix Mobile goes smoothly in your environment.
- MCM and BigFix Mobile server and components installation
  - Audience
    This guide is for administrators and IT managers who want to install and configure BigFix MCM and BigFix Mobile. It details prerequisites for each of the scenario and provides installation instructions that allow you to deploy the program in your environment. It also includes information about configuring and maintaining BigFix MCM and BigFix Mobile components.
  - Planning the installation
    Read this section before you begin to install or update any of the BigFix MCM or BigFix Mobile product features. Effective planning and an understanding of the key aspects of the installation process can help ensure a successful installation.
  - On-premises deployment setup
    Understand the prerequisites and preparation required to install the BigFix MDM server and BigFix PlugIn Portal on-premise.
  - On-premises Upgrade
    If you already have BigFix MCM and/or BigFix Mobile 2.x deployment, and if you want to upgrade to version 3.x, you can find the instructions here.
  - Configuring BigFix MCM and BigFix Mobile
    After the MCM components are set up, there are additional configuration options available to enable features like Bulk Enrollment for Windows, DEP policies for macOS, or prestage installers for Windows and MacOS MDM endpoints.
  - Reference Information
    This section contains more detailed information about some of the essential installation aspects.
    - Generating WNS credentials
      This document describes how to get Windows Notification Service (WNS) credentials that you can upload during installing or upgrading Windows MDM server.
    - Generating APNs certificate
      To obtain a push certificate from Apple, complete these steps:
    - Renew APNs certificate and update Apple MDM service
      You can renew your APNs certificate within the validity period before expiration.
    - Update Apple Enrollment Certificate before expiration
      To continue to manage the enrolled Apple devices without interruption, you must set up the Fixlet "Update Apple Enrollment Profile before Expiration" as a policy action.
    - Update Settings for Windows MDM Server
      Learn how to update BigFix MDM Service for Windows for MCM 2.0 or later.
    - Bootstrap tokens for Apple devices
      In macOS 10.5 and above, bootstrap tokens are used for granting secure tokens to user accounts and performing certain operations. For example, on a Mac computer with Apple silicon, the bootstrap token, if available, can be used to authorize the installation of both kernel extensions and software updates when managed using MDM.
    - Update Enrollment Profile Parameters for Apple MDM Server
      You can update MDM enrollment profile parameters for Apple devices that was initially set up while installing the BigFix Apple MDM Server.
    - Enroll to Managed Google Play Accounts enterprise
      Learn how to enroll to Managed Google Play Accounts enterprise to manage applications on Android devices.
    - Uninstall MDM components
      Learn how to uninstall MDM components.
    - BigFix MDM Server TLS Certificate Content
      Understand the required format of the BigFix MDM Server TLS certificate for MDM Server installation.
    - Wildcard certificates
      You can use wildcard TLS certificates for your MDM Server in several scenarios.
    - Supported system environments
      This section provides information about the supported system environments for MCM.
    - Troubleshooting
      This section is intended to help you solve problems that might occur when installing BigFix MCM and BigFix Mobile.
    - Installing BigFix
      To install the BigFix Platform, obtain a license, and run the installation wizard that guides you through the installation of the BigFix root server, console, client, and WebUI.
- Identity service configuration
  Starting from UEM3.0, MCM extends the capability to identify and manage devices based on users. The users can be identified based on their associated attributes including names, roles, group memberships, distribution list memberships, or physical locations. The devices identified based on users can then be targeted and managed through various configurations to provide conditional access and ensure compliance, endpoint security, and App protection.
- Simple Certificate Enrollment Protocol (SCEP) configuration
  BigFix MCM supports certificate management and certificate-based authentication through Simple Certificate Enrollment Protocol (SCEP). SCEP is the fastest and most secure way to provision certificates to all your MCM-managed devices. With SCEP, IT Admins can automate issuing certificates to the endpoints to provide access to corporate Wi-Fi, VPN, and secure e-mail through encryption.
- Domain join installation and configuration
  Read this section to learn the prerequisites and the tasks to install ODJ service to set up your environment to enroll Windows devices and join Active Directory domain or both Active Directory and Azure AD domain.
- SAML-authentication configuration
  MCM and BigFix Mobile supports Security Assertion Markup Language (SAML) authentication to enroll devices to protect sensitive data and ensure secure access to corporate resources.

BigFix MDM Server TLS Certificate Content

Understand the required format of the BigFix MDM Server TLS certificate for MDM Server installation.

BigFix MDM server TLS Certificate Content

The MDM Server certificate must be available in a .crt or .pem format, and must take the form of a certificate chain containing the following:

The actual MDM TLS certificate provided by the trusted CA
Any intermediate certificates provided by the trusted CA
The trusted CA root certificate

If the trusted CA does not provide such a chain directly, concatenate the individual .crt or .pem files into a single certificate chain and provide it as the MDM Server’s TLS certificate during MDM Server installation.

The following command is an example for concatenating certificates on Linux:

cat <server TLS .crt> [intermediate .crt] <CA root .crt> > mdmserver.crt

This may require additional action on one or more files provided by a trusted CA to extract the various certificates and keys needed to build the required chain.

Encrypt TLS private key

To securely store the private key used while creating the CSR for the Trusted CA TLS certificate, you must encrypt it. Do the following to encrypt the TLS private key.

Run the following command:
```
openssl rsa -des3 -in <TLSKEY>.key -out mdmserver.key
```
where TLSKEY is the name of the key used when originally creating the TLS Certificate CSR.
When prompted, enter the encrypted private key pass phrase of your choice.
Verify it.

Note: Before uploading the TLS key for MDM server installation, you must decrypt the encrypted file.