Set up BigFix 10 Modern Client Management (MCM) for agentless enrollment
More and more companies are using MDM capabilities for workstations and end users. This lets employees bring their own laptop or desktop (BYOD), or lets the company ship a device straight to a new employee's home. The new employee enrolls the device in BigFix, and policies are applied through the MDM APIs that Microsoft and Apple provide. From there we can deploy the BigFix agent, set it to provisioning mode on that machine, and keep managing the device with the agentless MDM policies alongside the agent, keeping the machine compliant and secure.
Below is a guide to setting up your MDM server. Some steps are only needed in a lab environment to get enrollment working; if you are using publicly trusted certificates, those steps are not needed. Also, not everyone has Red Hat experience, so I broke down how to set up a RHEL machine and install the BigFix agent on it.
https://help.hcltechsw.com/bigfix/10.0/mcm/index.html
Download the RHEL 7.8 ISO from Red Hat
Install it using the "Server with GUI" software selection
Set your user account and root password
Select Network and Host Name
Set the hostname
Select Not Listed
Login as root
Open Red Hat Subscription Manager and register the system so that it can receive the Docker packages
Run the following commands:
yum-config-manager --enable rhel-7-server-extras-rpms
yum install docker
curl -L "https://github.com/docker/compose/releases/download/1.25.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose && chmod 755 /usr/local/bin/docker-compose
service docker start
Before running the downloaded docker-compose binary, compare it against the checksum published on the GitHub release page; a curl straight into /usr/local/bin trusts whatever the download returned.
Enable the Docker service so that it starts when the OS boots
Point the machine's DNS at your local DNS server
If DNS does not resolve your BigFix server, edit /etc/hosts and add an entry for it
Copy the BigFix agent installer to the machine and run the command to install the agent
Create a new folder /etc/opt/BESClient (the name is case sensitive)
Copy the actionsite.afxm masthead into this folder
Run the command to start the BigFix agent
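The RHEL-side preparation above, written as re-runnable helpers. This is an added example, not code from the original post or from HCL: the hosts entry is only appended if the name is not already present, the masthead copy refuses an empty file, and a PREFIX argument lets you dry-run against a scratch directory before touching the real /etc. The rpm file name, the besclient service name and the sample IP/hostnames are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent helpers for the RHEL-side
# preparation. PREFIX is a scratch root ("" for the real system) so the steps can
# be dry-run and checked before touching /etc.
set -eu

# add_hosts_entry PREFIX IP FQDN
# Appends "IP FQDN" to PREFIX/etc/hosts unless FQDN is already listed on a
# non-comment line, so re-running never duplicates the BigFix server entry.
add_hosts_entry() {
    hosts="$1/etc/hosts"
    mkdir -p "$1/etc"
    touch "$hosts"
    if awk -v h="$3" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
                      END { exit found ? 0 : 1 }' "$hosts"; then
        return 0
    fi
    printf '%s %s\n' "$2" "$3" >> "$hosts"
}

# stage_masthead PREFIX MASTHEAD
# Copies the masthead to PREFIX/etc/opt/BESClient/actionsite.afxm (the directory
# name is case sensitive) and refuses an empty or unreadable file, because the
# agent cannot join the deployment without a valid masthead.
stage_masthead() {
    dest="$1/etc/opt/BESClient"
    [ -s "$2" ] || { echo "masthead missing or empty: $2" >&2; return 1; }
    mkdir -p "$dest"
    cp "$2" "$dest/actionsite.afxm"
    chmod 644 "$dest/actionsite.afxm"
}

# install_agent RPM
# Installs the agent package and starts its service. Package and service names
# are assumptions based on the standard Linux agent install; needs root.
install_agent() {
    rpm -ivh "$1"
    service besclient start
}

# Real run, as root, with the installer and masthead in the current directory
# (sample IP and hostname are assumptions):
#   add_hosts_entry "" 192.0.2.10 bigfixserver.lab.local
#   stage_masthead "" ./actionsite.afxm
#   install_agent ./BESAgent-*.rpm
```

Run the first two functions with a scratch PREFIX (for example a mktemp -d directory) to confirm what they would write, then run them again with an empty PREFIX as root.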
Once the machine is checking into BigFix, remote into your BigFix server
On the BigFix server run the following command, changing the path the certificates are exported to and the common name of your BigFix server (the /commonname parameter is optional):
BESAdmin.exe /generateplugincertificates /certificatespath:C:\Tools [/commonname:bigfixserver]
This writes the certificate files to the path specified
Make sure you have a DNS alias for your MDM server, or use its fully qualified name
We will create self-signed certificates since we do not have publicly trusted certificates for our lab. These will be the certificates used by the MDM server. For a production install you would use your publicly trusted certificates here instead.
On the RHEL 7 machine run the command below, replacing MDMSERVERNAMEHERE with the name of your MDM server
Note: this is only for generating a lab certificate. You will need to use a publicly trusted certificate for production.
(cat /etc/pki/tls/openssl.cnf; printf "\n[SAN]\nsubjectAltName=DNS:MDMSERVERNAMEHERE\n") | openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -sha256 -keyout mdmserver.key -out mdmserver.crt -subj "/CN=MDMSERVERNAMEHERE" -extensions SAN -config /dev/stdin
The DNS: prefix and the -extensions SAN switch are both required: without -extensions SAN, openssl silently ignores the appended [SAN] section and the certificate carries only the CN, which modern browsers no longer use for hostname matching. Check the result with openssl x509 -in mdmserver.crt -noout -text and confirm the Subject Alternative Name line lists your MDM hostname.
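The same lab certificate generated from a small self-contained openssl config, with a check that the SAN really came out, as an added example that is not part of the original post or of BigFix. The hostname and output directory are parameters; mdm.lab.local in the usage line is an assumed name.

```shell
#!/bin/sh
# Added example, not from the original post: a lab-only self-signed certificate
# whose subjectAltName really contains the MDM hostname, plus a check for it.
# Hostname and output directory are parameters; nothing here is production-grade.
set -eu

# gen_mdm_cert FQDN OUTDIR -> OUTDIR/mdmserver.key and OUTDIR/mdmserver.crt
# Writes a minimal openssl config inline instead of concatenating the distro's
# openssl.cnf, and references the SAN section from x509_extensions so it is
# actually emitted (a [san] section that is never referenced is ignored).
gen_mdm_cert() {
    host="$1"; out="$2"
    mkdir -p "$out"
    cat > "$out/mdm.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = san
[dn]
CN = $host
[san]
subjectAltName = DNS:$host
EOF
    openssl req -new -newkey rsa:2048 -nodes -x509 -sha256 -days 365 \
        -keyout "$out/mdmserver.key" -out "$out/mdmserver.crt" \
        -config "$out/mdm.cnf" 2>/dev/null
    # The key is a secret; do not leave it world-readable.
    chmod 600 "$out/mdmserver.key"
}

# cert_san_matches CRT FQDN -> 0 if the certificate lists DNS:FQDN in its SAN.
# Browsers ignore the CN, so this is the check that decides whether
# https://FQDN will be accepted once the certificate is trusted.
cert_san_matches() {
    openssl x509 -in "$1" -noout -text | grep -qE "DNS:$2(,|$)"
}

# Usage (assumed hostname):
#   gen_mdm_cert mdm.lab.local ./certs
#   cert_san_matches ./certs/mdmserver.crt mdm.lab.local && echo "SAN ok"
```

The generated mdmserver.crt and mdmserver.key are the two files pasted into the Install BigFix Windows MDM Server action.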
Copy the two files to a secure location; you will open them in a text viewer and paste their contents into the BigFix action
In the BigFix console, run the action Install BigFix Windows MDM Server
Note: I did not use LDAPS since I do not have a CA with SSL enabled in my lab.
Set the password to BigFix (this is the password used to encrypt the private key; it is a lab value, so pick a strong one for production)
Open each file in Notepad and copy its contents into the matching field of the action:
mdmserver.crt (one of the two files from the RHEL machine)
mdmserver.key (one of the two files from the RHEL machine)
ca.cert.pem (from the certificates generated by the BESAdmin tool)
server.cert.pem (from the certificates generated by the BESAdmin tool)
server.key (from the certificates generated by the BESAdmin tool)
Run the action Install BigFix Plugin for MDM on Windows and paste in the following files:
ca.cert.pem (from the certificates generated by the BESAdmin tool)
client.cert.pem (from the certificates generated by the BESAdmin tool)
client.key (from the certificates generated by the BESAdmin tool)
On the MDM server (the RHEL 7 machine):
Open /var/opt/BESUEM/windows
Note: if you are on MCM 1.1, look in the /var/opt/BESUEM folder instead
Note: this next step is optional since I am not using LDAPS.
Run the command
Edit the file so that LDAP_AUTH=false, then save and close it
Run sh service-mdm.sh restart from /opt/BESUEM/ to restart the MDM server and make the change active
Note: these next steps are only required because we do not have a publicly trusted certificate; with one, the client already trusts the MDM server.
On the MDM server go to the /var/opt/BESUEM/certs folder and back up the mdmserver.pfx file to a secure location so it can be copied to your client machine. Keep in mind that the .pfx contains the server's private key; the client only needs the certificate to trust the server, so outside a throwaway lab copy just the certificate (the mdmserver.crt you generated, or the certificate exported from the .pfx) rather than the .pfx itself.
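Exporting only the certificate from mdmserver.pfx for the Windows client, and printing the thumbprint to compare after import, as an added example that is not part of the original post or of BigFix. The password is the one set in the install action (BigFix in this lab); file paths are parameters and the names in the usage lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: export only the certificate from
# the MDM server's .pfx for distribution to clients, and compute the thumbprint
# Windows displays so the import can be checked. Paths and password are parameters.
set -eu

# export_public_cert PFX PASSWORD OUTCRT -> writes just the certificate, PEM encoded.
# -nokeys drops the private key so the file is safe to copy to any client;
# -clcerts skips any CA certificates bundled in the container. The grep is a
# belt-and-braces check that no key material reached the output file.
export_public_cert() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3" 2>/dev/null
    if grep -q 'PRIVATE KEY' "$3"; then
        echo "refusing: $3 still contains a private key" >&2
        rm -f "$3"
        return 1
    fi
}

# cert_thumbprint CRT -> SHA-1 fingerprint as lowercase hex without colons, the
# value Windows shows as "Thumbprint" in the certificate details (compare it
# case-insensitively; older Windows versions insert spaces).
cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Usage on the MDM server (assumed paths):
#   export_public_cert /var/opt/BESUEM/certs/mdmserver.pfx BigFix ./mdmserver-public.crt
#   cert_thumbprint ./mdmserver-public.crt
```

Copy the resulting mdmserver-public.crt to the Windows test device and import that into Trusted Root Certification Authorities; after the import, open the certificate in mmc and confirm its Thumbprint matches the value printed here.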
Open mmc
Go to file add/remove snap-in
Select Certificates and hit add
Select Computer Account
Click Finish and Ok
Expand Trusted Root Certification Authorities and select Certificates
Right-click Certificates
Select All Tasks - Import
Browse to the mdmserver.pfx file you backed up from the RHEL machine (or to mdmserver.crt if you are importing only the certificate) and select it
Now is a good time to take a snapshot of your test device VM
Open your web browser and browse to your MDM server over HTTPS
Log in with your AD account
Now you can run an MDM action or install the BigFix agent
Troubleshooting
If enrollment or the web page stops responding, restart the MDM service on the MDM server using the service-mdm.sh restart step above