There are three levels of encryption that can be enabled per client through BigFix Client Settings:
REQUIRED: Client requires encryption of reports and uploads. The client will not report or upload files if it cannot find an encryption certificate or if its parent relay does not support receipt of encrypted documents (in other words running BES/TEM version less than 18.104.22.1685).
Note: This encryption level setting should only be used if necessary as incorrect configuration can lead to significant reporting issues and orphaned clients. For example, if encryption is disabled in BigFix Admin, any clients configured to require MLE would no longer be able to report.
OPTIONAL: Client prefers but does not require encryption of reports and uploads. If encryption cannot be performed, reports and uploads are sent in clear-text. This setting will improve security while encryption is enabled, but will allow clients to continue to report should encryption be unavailable for any reason.
NONE: Client does not encrypt reports or uploads, even if an encryption certificate is present.
To enable MLE, the BigFix infrastructure components (BigFix Server, BigFix Relay, and BigFix Clients) must be running at least version 22.214.171.1245. The BigFix Server will require additional CPU resources to process the encrypted client. BigFix Server hardware recommendations (for CPU) are as follows:
2-3 GHz - 2 Cores
2-3 GHz - 2-4 Cores
2-3 GHz - 4 Cores
2-3 GHz - 4-8 Cores
2-3 GHz - 8-16 Cores
2-3+ GHz - 16 Cores
If your deployment is over 50,000 seats, or you are using an encryption key strength of 2048 or 4096 bits, BigFix highly recommends also configuring one or more decrypting top level BigFix Relays (with 2-4 CPU cores each) to help distribute the additional processing load.
To enable Message Level Encryption:
Note: If you plan on leveraging top-level relays to decrypt incoming client data, make sure to uncheck "begin encrypting with this key" before clicking OK.
To enable a MLE in a DSA Server Setup:
You can enable a BigFix Relay to decrypt data and pass the decrypted date to the BigFix Server. This is a useful way to offload CPU load from the main BigFix Server to a relay, but it complicates the MLE setup (which is otherwise very simple). Additionally, information between the decrypting relay and the main server will not be encrypted (which is usually not a significant problem).
Generally you will not need to use a decrypting relay unless you have many tens of thousands of agents or if your main BigFix Server CPU load is too high.
To enable a decrypting relay: