We use BigFix in a multi-tenant configuration. We have multiple customers with remote users who do not use a VPN or any other network connection to their employer but need to be patched to meet federal requirements concerning NPI and other data. We do have Internet-facing relays with authentication enabled, and we change the passwords often.
I am looking for a solution in which these remote users can install the agent and register with the Internet-facing relay without us having to provide those users with the registration password.
I am perfectly OK with giving the end users a new script every time we need to install the agent and have it connect, but I absolutely can't allow a password in clear text in such a script.
For a manual key exchange, the client is going to need a password to perform the first registration. You could obfuscate the password and decode it in a script on the client, but unless you already have an external crypto system with public/private keys, you won't be able to do anything "cryptographically secure".
You can create a list of possible passwords, even a unique password for each client. The passwords in the KeyExchangePasswords file are one-time use: once a client has registered with one of the passwords, that password cannot be reused by another client (or even by the same machine, if the BES Client is uninstalled and reinstalled later).
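As an added illustration of the per-client, one-time-use approach described in the reply above (example code written for this page, not BigFix's own tooling), the script below generates a distinct random password for each client, writes them out, and models the relay's consume-once rule so the reuse cases can be checked. The file layout (one password per line) and the `OneTimeRegistry` class are assumptions for the example; the real relay enforces this internally.

```python
import secrets
import string
import tempfile
from pathlib import Path

ALPHABET = string.ascii_letters + string.digits


def generate_passwords(count, length=24):
    """Return `count` distinct, CSPRNG-generated one-time passwords."""
    passwords = set()
    while len(passwords) < count:
        passwords.add("".join(secrets.choice(ALPHABET) for _ in range(length)))
    return sorted(passwords)


def write_key_exchange_file(passwords, directory=None):
    """Write the passwords one per line (assumed layout) and return the path.

    Defaults to a fresh temporary directory so the example runs anywhere.
    """
    directory = Path(directory or tempfile.mkdtemp())
    path = directory / "KeyExchangePasswords"
    path.write_text("\n".join(passwords) + "\n")
    return str(path)


def read_key_exchange_file(path):
    """Read the file back, ignoring blank lines."""
    return [line for line in Path(path).read_text().splitlines() if line.strip()]


class OneTimeRegistry:
    """Model of the relay rule: each password registers exactly one client."""

    def __init__(self, passwords):
        self.unused = set(passwords)   # still available for a first registration
        self.used_by = {}              # password -> client that consumed it

    def register(self, client_id, password):
        """Return True on a successful first use; False for any reuse."""
        if password not in self.unused:
            return False               # unknown, or already consumed
        self.unused.discard(password)
        self.used_by[password] = client_id
        return True
```

Because a consumed password fails even for the same machine, a reinstall needs a new entry issued to it, which is exactly why a per-client list is worth generating.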