BigFix Configuration for Certificate Enrollment

This section describes how to configure BigFix MCM to integrate with the certificate enrollment infrastructure using NDES Proxy and LDAP Proxy.

1. Configure LDAP Proxy Connection in BigFix MCM

  1. Log in to the BigFix WebUI
  2. Navigate to: Devices > Modern Client Management (MCM) > Admin
  3. In the left panel, go to: MDM Servers > Manage Capability
  4. Select Target Device: In the Target Devices section, choose the required MDM Server
  5. Configure Identity Service: In the Select Capabilities section, enable Identity Service Configuration:
    1. Under Select ID Service, choose AD/Open LDAP
    2. Configure LDAP Proxy Details: Enter the following details:
      1. LDAP URL: Enter the LDAP Proxy endpoint:
        ldaps://<ldap-proxy-host>:<port>
        Example:
        ldaps://ldap-proxy.company.com:636
      2. LDAP Base DN: Specify the base DN for directory queries:
        dc=company,dc=com
      3. LDAP Bind User: Provide the bind user (service account):
        user@domain.com
        Or
        CN=svc_bind,OU=Service Accounts,DC=company,DC=com
      4. LDAP Bind Password: Enter the corresponding password.
  6. Deploy Configuration: Click Deploy
Note:
  • Ensure the LDAP Proxy endpoint is reachable from the BigFix server.
  • Use LDAPS (port 636) for secure communication.
  • The bind user must have read permissions on the directory.
  • Ensure the LDAP Proxy can communicate with Active Directory domain controllers.
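Before clicking Deploy, it is worth proving that the LDAP Proxy endpoint is reachable over LDAPS and that the bind user and password actually authenticate, since a mistyped DN or an untrusted proxy certificate only surfaces later as a failed enrollment. The script below is an added example, not part of this documentation or of BigFix; it performs one LDAP simple bind (RFC 4511) over TLS using only the Python standard library, encoding the BindRequest by hand and decoding the BindResponse. The host name, DN and CA file path are placeholders taken from the examples above; the TLS chain is verified against the system store unless `cafile` points at the internal root CA.

```python
"""Pre-deployment LDAPS bind check for the LDAP Proxy service account (stdlib only)."""
import socket
import ssl
from urllib.parse import urlparse


# Minimal BER/DER helpers for the few LDAP types a simple bind needs.
def _ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    """Tag-Length-Value wrapper."""
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _int(n: int) -> bytes:
    """Minimal two's-complement encoding of a non-negative INTEGER."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def build_bind_request(message_id: int, bind_user: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = _tlv(0x60,
                _tlv(0x02, _int(3))                          # version INTEGER 3
                + _tlv(0x04, bind_user.encode("utf-8"))      # name: DN, or a UPN against AD
                + _tlv(0x80, password.encode("utf-8")))      # [0] simple password
    return _tlv(0x30, _tlv(0x02, _int(message_id)) + bind)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> dict:
    """Decode LDAPMessage { messageID, BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage } }."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = _read_tlv(body, 0)
    tag, resp, _ = _read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("expected BindResponse (APPLICATION 1), got tag 0x%02x" % tag)
    _, code, pos = _read_tlv(resp, 0)
    _, matched, pos = _read_tlv(resp, pos)
    _, diag, _ = _read_tlv(resp, pos)
    result_code = int.from_bytes(code, "big")
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "result_code": result_code,          # 0 = success, 49 = invalidCredentials (RFC 4511)
        "ok": result_code == 0,
        "matched_dn": matched.decode("utf-8", "replace"),
        "diagnostic": diag.decode("utf-8", "replace"),
    }


def ldaps_bind_check(ldap_url: str, bind_user: str, password: str,
                     cafile: str = None, timeout: float = 5.0) -> dict:
    """Open a verified TLS session to the LDAP Proxy and perform one simple bind."""
    u = urlparse(ldap_url)
    if u.scheme != "ldaps":
        raise ValueError("refusing a plaintext bind: use an ldaps:// URL")
    ctx = ssl.create_default_context(cafile=cafile)   # chain and hostname verified by default
    with socket.create_connection((u.hostname, u.port or 636), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=u.hostname) as tls:
        tls.sendall(build_bind_request(1, bind_user, password))
        data = tls.recv(4096)                # a BindResponse fits comfortably in one read
    return parse_bind_response(data)


if __name__ == "__main__":
    import getpass
    # Placeholder values mirroring the examples in this section; replace with your own.
    print(ldaps_bind_check("ldaps://ldap-proxy.company.com:636",
                           "CN=svc_bind,OU=Service Accounts,DC=company,DC=com",
                           getpass.getpass("bind password: "),
                           cafile="/path/to/internal-root-ca.pem"))  # hypothetical path
```

A result code of 0 confirms both reachability and credentials; 49 (invalidCredentials) means the proxy and TLS are fine but the account or password is wrong, and an `ssl.SSLCertVerificationError` points at the trust-store work described in section 3.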

2. Configure NDES Proxy Settings on MDM Server (Fixlet-Based)

This section describes how to configure SCEP (NDES Proxy) settings on the MDM Server using the BigFix Console Fixlet.

  1. Open the BigFix Console.
  2. Navigate to: All Content → Fixlets and Tasks
  3. Search for the following Fixlet: 203 - Configure Settings for SCEP functionality on MDM Server
  4. Open the Fixlet and configure SCEP Settings
  5. In the Fixlet action parameters, provide the following details:
    1. SCEP URL: Enter the NDES Proxy SCEP endpoint:
      https://<ndes-proxy>/certsrv/mscep.dll/
      Example: https://ndes-proxy.example.com/certsrv/mscep.dll/
    2. SCEP ADMIN URL: Enter the NDES Admin endpoint (used for challenge password retrieval):
      http://<ndes-admin>:8080/certsrv/mscep_admin/
      Example: http://ndes-admin.example.com:8080/certsrv/mscep_admin/
    3. Server Type: Set NDES
    4. Server User: Enter the NDES service account user name: <domain>\svc_ndes
    5. Server Password: Enter the NDES service account password.
    6. SCEP Policy: Set PROXY
  6. Click Take Action
  7. Select the target
  8. Execute the action and monitor for completion
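The Fixlet accepts whatever is typed into its parameters, so a quick offline sanity check of the values, followed by a SCEP GetCACaps query against the NDES Proxy, catches the usual mistakes (wrong path, missing domain prefix, wrong policy value) before the action is deployed. The script below is an added example written for this page; it is not part of BigFix or of the NDES Proxy. The parameter names in the `settings` dictionary are my own, the endpoint values are the placeholders from the steps above, and the GetCACaps operation and capability names come from the SCEP specification (RFC 8894), which NDES also answers. The admin URL is reported as a warning only, because challenge passwords are fetched over it.

```python
"""Offline checks for the SCEP Fixlet parameters, plus a GetCACaps probe (stdlib only)."""
import urllib.request
from urllib.parse import urlparse, urlencode

# Capability names defined by SCEP (RFC 8894, GetCACaps). A CA that advertises none of the
# hash/cipher names leaves clients on the legacy algorithm defaults the RFC describes.
STRONG_HASHES = {"SHA-256", "SHA-512"}
STRONG_CIPHERS = {"AES"}


def validate_scep_settings(s: dict) -> list:
    """Return findings for the values typed into the Fixlet; an empty list means no concerns."""
    findings = []
    scep = urlparse(s.get("scep_url", ""))
    if scep.scheme != "https":
        findings.append("ERROR: SCEP URL must use https")
    if "mscep.dll" not in scep.path:
        findings.append("ERROR: SCEP URL path does not look like an NDES endpoint (/certsrv/mscep.dll/)")
    admin = urlparse(s.get("scep_admin_url", ""))
    if "mscep_admin" not in admin.path:
        findings.append("ERROR: SCEP ADMIN URL path does not look like the NDES admin endpoint (/certsrv/mscep_admin/)")
    if admin.scheme != "https":
        findings.append("WARN: SCEP ADMIN URL is not https; challenge passwords are retrieved over it")
    if s.get("server_type") != "NDES":
        findings.append("ERROR: Server Type must be NDES")
    user = s.get("server_user", "")
    if "\\" not in user or user.startswith("\\"):
        findings.append("ERROR: Server User should be in <domain>\\<account> form")
    if not s.get("server_password"):
        findings.append("ERROR: Server Password is empty")
    if s.get("scep_policy") != "PROXY":
        findings.append("ERROR: SCEP Policy must be PROXY")
    return findings


def ca_caps_url(scep_url: str) -> str:
    """Build the GetCACaps query for a SCEP endpoint (RFC 8894 section 3.5.1)."""
    return scep_url + "?" + urlencode({"operation": "GetCACaps"})


def parse_ca_caps(text: str) -> dict:
    """Interpret a GetCACaps body: one capability keyword per line."""
    caps = {line.strip() for line in text.splitlines() if line.strip()}
    return {
        "caps": sorted(caps),
        "post_pki_operation": "POSTPKIOperation" in caps,   # PKIOperation may be sent by POST
        "modern_hash": bool(caps & STRONG_HASHES),
        "modern_cipher": bool(caps & STRONG_CIPHERS),
        "renewal": "Renewal" in caps,
    }


def probe_ca_caps(scep_url: str, timeout: float = 5.0) -> dict:
    """Fetch and interpret GetCACaps from the NDES Proxy; TLS is verified by urllib by default."""
    with urllib.request.urlopen(ca_caps_url(scep_url), timeout=timeout) as resp:
        return parse_ca_caps(resp.read().decode("ascii", "replace"))


if __name__ == "__main__":
    # Placeholder values mirroring the Fixlet parameters in this section.
    settings = {
        "scep_url": "https://ndes-proxy.example.com/certsrv/mscep.dll/",
        "scep_admin_url": "http://ndes-admin.example.com:8080/certsrv/mscep_admin/",
        "server_type": "NDES",
        "server_user": "EXAMPLE\\svc_ndes",
        "server_password": "<redacted>",
        "scep_policy": "PROXY",
    }
    for finding in validate_scep_settings(settings):
        print(finding)
    print(probe_ca_caps(settings["scep_url"]))
```

If `modern_hash` or `modern_cipher` comes back False, check the CA and NDES configuration before enrolling devices, since clients negotiate down to what the CA advertises.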

3. Configure Trust and Certificates

Ensure that BigFix trusts the certificate chain used by:

  • NDES Proxy
  • LDAP Proxy
  • Internal Certificate Authority

If required:

  • Import the root CA certificate into the MDM CA trust store
  • Validate TLS connectivity without certificate warnings
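A concrete way to validate TLS connectivity against all three endpoints is to perform a real handshake with chain and hostname verification enabled and report the verification error instead of a stack trace. The script below is an added example and not part of BigFix; it uses only the Python standard library. The endpoint list and the root CA file path are placeholders; `cafile` should point at the same root CA certificate that was imported into the MDM CA trust store, so a failure here means the chain presented by the proxy does not validate against it.

```python
"""Handshake-based trust check for the NDES Proxy, LDAP Proxy and CA endpoints (stdlib only)."""
import socket
import ssl
import time


def cert_expiry_epoch(cert: dict) -> float:
    """Seconds since the epoch at which a getpeercert()-style dict's notAfter falls."""
    return ssl.cert_time_to_seconds(cert["notAfter"])


def summarize_cert(cert: dict, hostname: str, now: float = None) -> dict:
    """Summarize a getpeercert()-style dict: CNs, whether hostname appears in the SAN, days to expiry."""
    now = time.time() if now is None else now

    def cn(name):
        return next((v for rdn in name for k, v in rdn if k == "commonName"), None)

    host = hostname.lower()

    def san_match(pattern: str) -> bool:
        p = pattern.lower()
        if p.startswith("*."):          # one label only, as browsers enforce
            return host.count(".") == p.count(".") and host.endswith(p[1:])
        return p == host

    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {
        "subject_cn": cn(cert.get("subject", ())),
        "issuer_cn": cn(cert.get("issuer", ())),
        "hostname_in_san": any(san_match(s) for s in sans),
        "days_left": int((cert_expiry_epoch(cert) - now) // 86400),
    }


def check_tls_endpoint(host: str, port: int, cafile: str = None, timeout: float = 5.0) -> dict:
    """Verified handshake; on failure return the verification message rather than raising."""
    ctx = ssl.create_default_context(cafile=cafile)   # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            info = summarize_cert(tls.getpeercert(), host)
            info.update(trusted=True, protocol=tls.version(), error=None)
            return info
    except ssl.SSLCertVerificationError as e:          # subclass of SSLError, so catch it first
        return {"trusted": False, "error": e.verify_message}
    except (OSError, ssl.SSLError) as e:
        return {"trusted": False, "error": str(e)}


def check_all(endpoints, cafile: str = None) -> dict:
    """Run the check for every (host, port) pair and key the results by endpoint."""
    return {f"{h}:{p}": check_tls_endpoint(h, p, cafile) for h, p in endpoints}


if __name__ == "__main__":
    # Placeholder endpoints built from the examples earlier on this page; the CA host is hypothetical.
    ENDPOINTS = [("ndes-proxy.example.com", 443), ("ldap-proxy.company.com", 636), ("ca.company.com", 443)]
    for name, result in check_all(ENDPOINTS, cafile="/path/to/internal-root-ca.pem").items():
        print(name, result)
```

Anything other than `trusted: True` with `hostname_in_san: True` will show up as a certificate warning on the BigFix side; the `error` field names the missing link in the chain, and `days_left` gives early notice of proxy certificates about to expire.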