Welcome
Deployment Guide
This document provides guidance for deploying the certificate enrollment infrastructure required for BigFix Mobile Configuration Management (MCM). It describes how to integrate BigFix MCM with Microsoft certificate services to enable device certificate enrollment using the Simple Certificate Enrollment Protocol (SCEP).
Communication Ports and Network Flow
This section describes the network communication paths and required ports between components involved in the certificate enrollment workflow for BigFix MCM.

BigFix Documentation Homepage
Modern Client Management and BigFix Mobile
Welcome to the Modern Client Management and BigFix Mobile documentation, where you can find information about how to install, maintain, and use Modern Client Management and BigFix Mobile.
BigFix Mobile and MCM Overview
Discover how BigFix Mobile and Modern Client Management (MCM) extend unified endpoint management to mobile devices and modern OS platforms like iOS, Android, and Windows 10+, all from a single console.
Guides in PDF format
This section contains links to PDF versions of all the MCM and BigFix Mobile manuals.
Installing and Configuring BigFix Mobile and MCM
Read this guide to learn about the requirements and available installation scenarios to ensure that the deployment of BigFix MCM and BigFix Mobile goes smoothly in your environment.
Deployment Guide
This document provides guidance for deploying the certificate enrollment infrastructure required for BigFix Mobile Configuration Management (MCM). It describes how to integrate BigFix MCM with Microsoft certificate services to enable device certificate enrollment using the Simple Certificate Enrollment Protocol (SCEP).
- Deployment architecture
  The following diagram illustrates the deployment architecture for integrating BigFix MCM with the certificate enrollment infrastructure. It shows the key components involved in the certificate enrollment workflow, including Active Directory, Microsoft Certificate Authority (CA), Network Device Enrollment Service (NDES), NDES Proxy, LDAP Proxy, and BigFix components.
- Infrastructure prerequisites
  Before configuring certificate enrollment for BigFix MCM, ensure that the required infrastructure components and access permissions are available. The certificate enrollment workflow relies on integration between Active Directory, Microsoft Certificate Services, NDES, and BigFix components.The following prerequisites should be verified before proceeding with the configuration steps described in this guide.
- Active Directory setup
  Active Directory provides the directory services required for integrating Microsoft Certificate Authority (CA) and Network Device Enrollment Service (NDES). The following steps ensure that the Active Directory environment is properly prepared before configuring the certificate enrollment infrastructure.
- Certificate Authority (CA) Configuration
  The Microsoft Certificate Authority (CA) is responsible for issuing certificates requested through Network Device Enrollment Service (NDES) using the Simple Certificate Enrollment Protocol (SCEP).This section describes the required configuration on an existing Enterprise Certificate Authority to support certificate enrollment.
- SCEP Certificate Template Configuration
  A custom certificate template must be created to support SCEP-based certificate enrollment with required security and key configurations.
- NDES Installation and Configuration
  The Network Device Enrollment Service (NDES) provides the SCEP interface that allows devices managed by BigFix MCM to request certificates from the Microsoft Certificate Authority. This section describes how to install and configure NDES and verify that it is ready to process certificate enrollment requests.
- NDES Proxy Configuration
  This document provides step-by-step instructions for installing and configuring HAProxy as a proxy for the Network Device Enrollment Service (NDES), covering both challenge and certificate enrollment requests.
- LDAP Proxy Configuration
  This section provides step-by-step instructions to install and configure OpenLDAP as an LDAP proxy on RHEL 8.
- BigFix Configuration for Certificate Enrollment
  This section describes how to configure BigFix MCM to integrate with the certificate enrollment infrastructure using NDES Proxy and LDAP Proxy.
- SCEP Profile Configuration in BigFix
  This section describes how to create and configure a SCEP profile in BigFix MCM to enable device certificate enrollment using the configured NDES Proxy infrastructure.
- Communication Ports and Network Flow
  This section describes the network communication paths and required ports between components involved in the certificate enrollment workflow for BigFix MCM.
- Certificate Enrollment Flow
  This section describes the end-to-end certificate enrollment flow for devices managed by BigFix MCM, using MCM Proxy, NDES Proxy, and Microsoft Certificate Authority.
How-to guide
This section provides step-by-step instructions for setting up a BigFix environment, focusing on integration with third-party prerequisites such as Apple Business Manager and Google Play. It guides users through the necessary configuration steps to ensure seamless interoperability with these external services.
Quick Start
This quick start guide gets you up and running with your BigFix MCM and BigFix Mobile solution. It helps you secure, configure, and manage your mobile devices quickly and efficiently.
User Guide
Administrator Guide
Read this guide to learn about enrolling, administering, and troubleshooting endpoints through BigFix MCM and BigFix Mobile.
Glossary
This glossary provides terms and definitions for the BigFix software and products.

Communication Ports and Network Flow

This section describes the network communication paths and required ports between components involved in the certificate enrollment workflow for BigFix MCM.

Ensure that all required ports are open and accessible between the respective components.

Communication Flow Overview

The certificate enrollment process involves communication between:

Managed devices
BigFix MCM server
NDES Proxy
NDES server
LDAP Proxy
Active Directory
Certificate Authority

Port and Communication Matrix


Source	Destination	Port	Protocol	Purpose
Device	BigFix MCM Server	443	HTTPS	Device management, policy delivery and SCEP certificate enrollment
BigFix MCM Server	NDES Proxy	443	HTTPS	SCEP certificate requests and challenge password flow
BigFix MCM Server	LDAP Proxy	636 (or 389)	LDAPS / LDAP	Directory queries
NDES Proxy	NDES Server	443	HTTPS	Forward SCEP requests and Challenge Password Requests
LDAP Proxy	Active Directory	636 (or 389)	LDAPS / LDAP	Directory lookup
NDES Server	Certificate Authority	Dynamic RPC / 135	RPC	Certificate issuance

Network Flow Summary

MDM Server receives SCEP profile from BigFix to deliver to the target device.
MDM Server sends a request for a challenge password to the NDES Proxy.
NDES Proxy forwards request to NDES server.
NDES generates a challenge password and returns it to the MDMServer.
MDM Server injects the challenge password and other parameters into the SCEP Profile and delivers the profile to the device through MDM.
Device processes the SCEP policy and as a result sends a certificate request to MCM Proxy service.
MCM Proxy service forwards request to NDES Proxy
NDES Proxy forwards request to NDES server
NDES communicates with Certificate Authority
CA issues certificate
Certificate is returned to device