Welcome
Installing and Configuring BigFix Mobile and MCM
Read this guide to learn about the requirements and available installation scenarios to ensure that the deployment of BigFix MCM and BigFix Mobile goes smoothly in your environment.
MCM and BigFix Mobile server and components installation
This guide provides instructions for installing the MCM and BigFix Mobile server along with its components, ensuring proper setup and configuration.
Reference Information
This section contains more detailed information about some of the essential installation aspects.
BigFix MDM Server TLS Certificate Content
Understand the required format of the BigFix MDM Server TLS certificate for MDM Server installation.

BigFix Documentation Homepage
Modern Client Management and BigFix Mobile
Welcome to the Modern Client Management and BigFix Mobile documentation, where you can find information about how to install, maintain, and use Modern Client Management and BigFix Mobile.
BigFix Mobile and MCM Overview
Discover how BigFix Mobile and Modern Client Management (MCM) extend unified endpoint management to mobile devices and modern OS platforms like iOS, Android, and Windows 10+, all from a single console.
Guides in PDF format
This section contains links to PDF versions of all the MCM and BigFix Mobile manuals.
Installing and Configuring BigFix Mobile and MCM
Read this guide to learn about the requirements and available installation scenarios to ensure that the deployment of BigFix MCM and BigFix Mobile goes smoothly in your environment.
- MCM and BigFix Mobile server and components installation
  This guide provides instructions for installing the MCM and BigFix Mobile server along with its components, ensuring proper setup and configuration.
  - Audience
    This guide is for administrators and IT managers who want to install and configure BigFix MCM and BigFix Mobile. It details prerequisites for each of the scenario and provides installation instructions that allow you to deploy the program in your environment. It also includes information about configuring and maintaining BigFix MCM and BigFix Mobile components.
  - Planning the installation
    Read this section before you begin to install or update any of the BigFix MCM or BigFix Mobile product features. Effective planning and an understanding of the key aspects of the installation process can help ensure a successful installation.
  - On-premises deployment setup
    Understand the prerequisites and preparation required to install the BigFix MDM server and BigFix PlugIn Portal on-premise.
  - On-Premises Upgrade
    Upgrade your on-prem BigFix Mobile and MCM setup to the latest version for improved security, new features, and better support for Apple, Android, and Windows devices. Learn how to update the MDM Server and Plugin, meet key prerequisites like Plugin Portal and Podman, and complete the upgrade with minimal disruption.
  - Configuring BigFix MCM and BigFix Mobile
    After the MCM components are set up, there are additional configuration options available to enable features like Bulk Enrollment for Windows, DEP policies for macOS, or prestage installers for Windows and MacOS MDM endpoints.
  - Reference Information
    This section contains more detailed information about some of the essential installation aspects.
    - Apple MDM Plugin inspectors
      Use Apple MDM plugin inspectors in BigFix MCM and BigFix Mobile to retrieve device-specific data from managed macOS, iOS, and iPadOS devices.
    - Bootstrap tokens for Apple devices
      In macOS 10.5 and above, bootstrap tokens are used for granting secure tokens to user accounts and performing certain operations. For example, on a Mac computer with Apple silicon, the bootstrap token, if available, can be used to authorize the installation of both kernel extensions and software updates when managed using MDM.
    - BigFix MDM Server TLS Certificate Content
      Understand the required format of the BigFix MDM Server TLS certificate for MDM Server installation.
    - Configure Windows MDM Notification Type to Use Polling
      In restricted or offline environments, skip WNS setup by using polling-based notifications. This lets Windows devices check in with the MDM server on a schedule—no push credentials needed.
    - Enroll to Managed Google Play Accounts Enterprise
      Learn how to enroll to Managed Google Play Accounts enterprise to manage applications on Android devices.
    - Generating WNS credentials
      This document describes how to get Windows Notification Service (WNS) credentials that you can upload during installing or upgrading Windows MDM server.
    - Generating APNs certificate
      To obtain a push certificate from Apple, complete these steps:
    - Installing BigFix
      To install the BigFix Platform, obtain a license, and run the installation wizard that guides you through the installation of the BigFix root server, console, client, and WebUI.
    - Migrating from Docker to Podman
      Migrating from Docker to Podman enables a daemonless, rootless container management approach, improving security and compatibility with RHEL 8+. The migration process includes verifying system compatibility, transferring container images and volumes, updating scripts, and ensuring smooth operation with BigFix MCM and BigFix Mobile.
    - Preparing the Container Runtime Environment
      Setting up the correct container runtime environment is essential for running containerized applications efficiently. This guide provides detailed instructions for preparing a container runtime environment on RHEL 8 and RHEL 9, including prerequisites, installation steps, considerations, and troubleshooting tips.
    - Renew APNs certificate and update Apple MDM service
      You must renew your APNs certificate within the validity period before expiration.
    - Supported system environments
      This section provides information about the supported system environments for MCM.
    - Update Apple Enrollment Certificate before expiration
      To continue to manage the enrolled Apple devices without interruption, you must set up the Fixlet "Update Apple Enrollment Profile before Expiration" as a policy action.
    - Update Enrollment Profile Parameters for Apple MDM Server
      You can update MDM enrollment profile parameters for Apple devices that was initially set up while installing the BigFix Apple MDM Server.
    - Uninstall MDM components
      Learn how to uninstall MDM components.
    - Update Settings for Windows MDM Server
      Learn how to update BigFix MDM Service for Windows for MCM 2.0 or later.
    - Update TLS certificates
      You can update the TLS certificate that was initially installed with the MDM Server. Additionally, you can easily rectify errors by replacing incorrect certificates, keys, and passwords uploaded during installation. To perform this action, use Fixlet 702: BigFix MDM Server - Stage External TrustedCA TLS Certificates.
    - Wildcard certificates
      You can use wildcard TLS certificates for your MDM Server in several scenarios.
  - Troubleshooting
    This section is intended to help you solve problems that might occur when installing BigFix MCM and BigFix Mobile.
- Identity Service Configuration
  Configure identity services for BigFix Mobile and MCM to enable secure authentication and seamless user access. Learn how to integrate with identity providers and streamline user management across Apple, Android, and Windows devices.
- Simple Certificate Enrollment Protocol (SCEP) configuration
  BigFix MCM supports certificate management and certificate-based authentication through Simple Certificate Enrollment Protocol (SCEP). SCEP is the fastest and most secure way to provision certificates to all your MCM-managed devices. With SCEP, IT Admins can automate issuing certificates to the endpoints to provide access to corporate Wi-Fi, VPN, and secure e-mail through encryption.
- Domain join installation and configuration
  Read this section to learn the prerequisites and the tasks to install ODJ service to set up your environment to enroll Windows devices and join Active Directory domain or both Active Directory and Azure AD domain.
- SAML-authentication configuration
  MCM and BigFix Mobile supports Security Assertion Markup Language (SAML) authentication to enroll devices to protect sensitive data and ensure secure access to corporate resources.
Quick Start
This quick start guide gets you up and running with your BigFix MCM and BigFix Mobile solution. It helps you secure, configure, and manage your mobile devices quickly and efficiently.
User Guide
Administrator Guide
Read this guide to learn about enrolling, administering, and troubleshooting endpoints through BigFix MCM and BigFix Mobile.
Glossary
This glossary provides terms and definitions for the BigFix software and products.

BigFix MDM Server TLS Certificate Content

Understand the required format of the BigFix MDM Server TLS certificate for MDM Server installation.

BigFix MDM server TLS Certificate Content

The MDM Server certificate must be available in a .crt or .pem format, and must take the form of a certificate chain containing the following:

The actual MDM TLS certificate provided by the trusted CA
Any intermediate certificates provided by the trusted CA
The trusted CA root certificate

If your trusted Certificate Authority (CA) does not provide a complete certificate chain directly, you must manually create one by combining the server certificate, intermediate CA, and root CA certificates in the correct order and provide it as the MDM Server’s TLS certificate during MDM Server installation.

The following command is an example for concatenating certificates on Linux:

cat <server TLS .crt> [intermediate .crt] <CA root .crt> > <mdmserver.crt>

<server-TLS.crt> – The server's TLS certificate
[intermediate.crt] – The intermediate certificate (if applicable)
<CA-root.crt> – The root CA certificate
<mdmserver.crt> – The final concatenated certificate file to be used for the MDM server

This may require additional action on one or more files provided by a trusted CA to extract the various certificates and keys needed to build the required chain.

If your certificates are in a different format such as .pfx or .p12, you need to extract the individual certificates. These formats often bundle the private key and certificate chain into a single file.

You can refer to resources like the OpenSSL documentation for help extracting certificates from .pfx or .p12 files.

Encrypt TLS private key

To securely store the private key used while creating the CSR for the Trusted CA TLS certificate, you must encrypt it. Do the following to encrypt the TLS private key.

Run the following command:
When using RHEL8
```
openssl rsa -des3 -in <TLSKEY>.key -out mdmserver.key
```
When using RHEL9
```
openssl rsa -des3 -in <PUSHCERTNAME>_temp.key -out <PUSHCERTNAME>.key -traditional
```
where TLSKEY is the name of the key used when originally creating the TLS Certificate CSR.
When prompted, enter the encrypted private key pass phrase of your choice.
Verify it.

Important: Before uploading the private key to install the MDM server, you must decrypt it.