Welcome
Installing and Configuring BigFix Mobile and MCM
Read this guide to learn about the requirements and available installation scenarios to ensure that the deployment of BigFix MCM and BigFix Mobile goes smoothly in your environment.
SAML-authentication configuration
MCM and BigFix Mobile supports Security Assertion Markup Language (SAML) authentication to enroll devices to protect sensitive data and ensure secure access to corporate resources.
Using PingFederate
This document explains how to configure SAML Authentication for MCM using PingFederate through the MCM WebUI.
Step 2: Configure the SP Connection in PingFederate
Configure PingFederate by registering MCM as a Service Provider (SP) and setting the Assertion Consumer Service (ACS) URL. This allows PingFederate to securely send SAML assertions to the MCM server after user authentication.

BigFix Documentation Homepage
Modern Client Management and BigFix Mobile
Welcome to the Modern Client Management and BigFix Mobile documentation, where you can find information about how to install, maintain, and use Modern Client Management and BigFix Mobile.
BigFix Mobile and MCM Overview
Discover how BigFix Mobile and Modern Client Management (MCM) extend unified endpoint management to mobile devices and modern OS platforms like iOS, Android, and Windows 10+, all from a single console.
Guides in PDF format
This section contains links to PDF versions of all the MCM and BigFix Mobile manuals.
Installing and Configuring BigFix Mobile and MCM
Read this guide to learn about the requirements and available installation scenarios to ensure that the deployment of BigFix MCM and BigFix Mobile goes smoothly in your environment.
- MCM and BigFix Mobile server and components installation
  This guide provides instructions for installing the MCM and BigFix Mobile server along with its components, ensuring proper setup and configuration.
- Identity Service Configuration
  Configure identity services for BigFix Mobile and MCM to enable secure authentication and seamless user access. Learn how to integrate with identity providers and streamline user management across Apple, Android, and Windows devices.
- Simple Certificate Enrollment Protocol (SCEP) configuration
  BigFix MCM supports certificate management and certificate-based authentication through Simple Certificate Enrollment Protocol (SCEP). SCEP is the fastest and most secure way to provision certificates to all your MCM-managed devices. With SCEP, IT Admins can automate issuing certificates to the endpoints to provide access to corporate Wi-Fi, VPN, and secure e-mail through encryption.
- Domain join installation and configuration
  Read this section to learn the prerequisites and the tasks to install ODJ service to set up your environment to enroll Windows devices and join Active Directory domain or both Active Directory and Azure AD domain.
- SAML-authentication configuration
  MCM and BigFix Mobile supports Security Assertion Markup Language (SAML) authentication to enroll devices to protect sensitive data and ensure secure access to corporate resources.
  - Key terms
    Read this section to get familiarized with the terms used in SAML-authenticated enrollment.
  - Using Okta
  - Using PingFederate
    This document explains how to configure SAML Authentication for MCM using PingFederate through the MCM WebUI.
    - Step 1. Configure SAML from the MCM WebUI
      To configure SAML Authentication for MCM using PingFederate, follow these steps:
    - Step 2: Configure the SP Connection in PingFederate
      Configure PingFederate by registering MCM as a Service Provider (SP) and setting the Assertion Consumer Service (ACS) URL. This allows PingFederate to securely send SAML assertions to the MCM server after user authentication.
    - Step 3. Create saml_credentials.json
      Create a saml_credentials.json file with properties for SAML authentication.
    - Step 4. Get signOnUrl from PingFederate Server
      This section outlines the steps required to retrieve the SignOn URL from the PingFederate server.
    - Step 5. Get issuer from PingFederate Server
      This section describes how to obtain the Issuer value from the PingFederate server. The Issuer uniquely identifies the PingFederate instance in SAML or OIDC transactions and is required when configuring trust relationships and validating authentication responses between integrated systems.
    - Step 6. Download IDP_CERT.cert from PingFederate Server
      This section explains how to download the IdP signing certificate (IDP_CERT.cert) from the PingFederate server. The certificate is used to verify digital signatures on authentication responses and establish a trusted connection between PingFederate and integrated applications or services.
    - Step 7. Verification Steps
      This section outlines the steps to validate the integration and ensure the configuration is functioning correctly.
    - Troubleshooting
Deployment Guide
This document provides guidance for deploying the certificate enrollment infrastructure required for BigFix Mobile Configuration Management (MCM). It describes how to integrate BigFix MCM with Microsoft certificate services to enable device certificate enrollment using the Simple Certificate Enrollment Protocol (SCEP).
Quick Start
This quick start guide gets you up and running with your BigFix MCM and BigFix Mobile solution. It helps you secure, configure, and manage your mobile devices quickly and efficiently.
User Guide
Administrator Guide
Read this guide to learn about enrolling, administering, and troubleshooting endpoints through BigFix MCM and BigFix Mobile.
Glossary
This glossary provides terms and definitions for the BigFix software and products.

Step 2: Configure the SP Connection in PingFederate

Configure PingFederate by registering MCM as a Service Provider (SP) and setting the Assertion Consumer Service (ACS) URL. This allows PingFederate to securely send SAML assertions to the MCM server after user authentication.

Before you begin

You must have administrator access to the PingFederate Admin Console.
The MCM server must be accessible from the PingFederate server over HTTPS.

About this task

Before MCM can receive SAML assertions from PingFederate, you must register MCM as a Service Provider (SP) in PingFederate and configure the Assertion Consumer Service (ACS) URL. This URL is the endpoint on the MCM server where PingFederate will POST the SAML assertion after the user authenticates.

Procedure

Log in to the PingFederate Admin Console.
Create or open the SP Connection for MCM.
Navigate to Applications > SP Connections. Click Create New to create a new SP connection, or click an existing MCM SP connection to edit it.

Configure the Assertion Consumer Service URL. Click Add a new row and configure the following:

Option	Description
Field	Value
Binding	POST
Endpoint UR	https://<MCM_SERVER_FQDN>/enrollment/saml/callback
Default	Check this box

Replace <MCM_SERVER_FQDN> with the fully qualified domain name of your MCM server.

Example: https://mcm.bigfix.com/enrollment/saml/callback

Important: The binding must be set to POST. MCM does not support the Redirect binding for the ACS endpoint.
Click Save to apply the SP connection settings.

Results

PingFederate is now configured to POST SAML assertions to the MCM callback endpoint after successful authentication. Proceed to Step 3 to retrieve the signOnUrl from this SP connection.

Note: If MCM is deployed behind a load balancer or reverse proxy, use the public-facing FQDN of the proxy — not the internal MCM host — as the MCM_SERVER_FQDN.