Client Authentication

Client Authentication (introduced in version 9) extends the security model used by IBM Endpoint Manager to encompass trusted client reports and private messages. This feature is not backward-compatible, and clients prior to version 9.0 will not be able to communicate with an authenticating relay or server.

Starting from Endpoint Manager version 9.1.11, you can use the minimumSupportedClient setting to specify the minimum version of BigFix Agents that are used in your Endpoint Manager environment. If the minimum version required is 9.0 or above, the client authentication is required for all the clients to register and operate. For more information about this configuration, see Additional administration commands for Windows system, or Running the Endpoint Manager Administration Tool for Linux systems.

The original security model has two central capabilities:

• Clients trust content from server. All commands and questions that clients receive are signed by a key that is verified against a public key installed on the client.
• Clients can submit private reports to server. The client can choose to encrypt reports that it sends up to the server, so that no attacker can interpret what is contained in the report. This feature is disabled by default, and is switched on with a setting.

Client Authentication extends the security model to provide the mirror image of these two capabilities:

• Server can trust reports from clients (non-repudiation). Clients sign every report that they submit to the server, which is able to verify that the report does not come from an attacker.
• Server can send private data to clients (mailboxing). The server can encrypt data that it sends to an individual client, so that no attacker can interpret the data.

Communication using an authenticated relay is a two-way trusted and private communication channel that uses SSL to encrypt all communications. However, communication between a non-authenticating relay and its children is not encrypted unless it is an encrypted report or a mailboxed action or file.

This level of security is useful for many purposes. Your company may have security policies that require authenticating relays on your internet-facing nodes, in your DMZ, or any network connection that you don’t totally trust. With authentication, you can prevent clients that haven’t yet joined your deployment from getting any information about the deployment.