How to Distribute Broker Certificates to Clients

Version 6

    Verified Product Versions

    Endpoint Manager 9.5, Endpoint Manager 9.6, Endpoint Manager 2016.x


    Leveraging the LANDESK Cloud Services Appliance (CSA) is integral to many LDMS administrators' use of the product. Once configured properly, the CSA allows clients on laptops or workstations located off the core server's network to securely relay vital information from the LDMS client to the core server. This can help administrators keep track of their devices and their location, ensure they are being patched, remotely controlled, and much more. Once the CSA has been configured properly (for help with this, see How to Configure a Gateway (Cloud Service Appliance) - Quick Guide), the broker certificate has to be distributed to the client machines so that the clients can communicate with the core through the CSA.


    This document is meant to help LANDESK administrators understand the three supported methods for distributing these broker certificates and when they may consider using each. Each summary includes a link to a detailed how-to document explaining how to implement that method.



    This document outlines these three supported methods to distribute the broker certificates to client machines:

    1. Manual Request using BrokerConfig.exe

    2. Deploying a Script through LDMS

    3. Unattended Configuration



    Method 1: Manual Request using BrokerConfig.exe

    After the agent is successfully installed on the client, a BrokerConfig.exe file is created on the client machine in the C:\Program Files (x86)\LANDesk\LDClient folder. This file can be used to manually pull down a broker certificate from the core, or from the CSA if off network.



    Advantages:

    -Can be used on both on-network and off-network clients without additional configuration

    -This executable is on every client machine

    -Can also be used to troubleshoot issues involving the CSA/broker request process



    Disadvantages:

    -Requires manual intervention

    -Not an ideal solution for many machines due to lack of automation

    -Requires entering credentials when off-network


    Given these advantages and disadvantages, this method is recommended for a small number of machines and for CSA troubleshooting and testing purposes.


    For detailed instructions see the following document:

    How to Manually Request a Broker Certificate with BrokerConfig.exe


    Method 2: Deploying a Script through LDMS

    LANDESK Management Suite includes a script that can be used to request the broker certificate. The script executes the broker configuration request on targeted machines. This script can be found in Tools > Distribution > Manage Scripts > All Scripts.



    Advantages:

    -Comes packaged with LDMS by default

    -Automated: can be deployed to large numbers of machines with little configuration required

    -Easy to set up

    -Process is largely invulnerable to configuration issues



    Disadvantages:

    -Only works with devices that are on the network


    Overall, the scripting process is straightforward and simple and works very well. Unfortunately, because the scripts are distributed through the clients and require direct connectivity with the core, this will only work with on-network devices. This process is recommended for most scenarios and works well for individual machines and large numbers of machines on your network.


    For detailed instructions see the following document:

    How to Distribute Broker Certificates via Script to On-Network Client Machines


    Method 3: Unattended Configuration

    The last supported method for distributing the broker certificate is the unattended configuration, which uses a utility, configurebroker.exe, that is attached to the associated how-to document below. Configurebroker.exe creates an LNG file which can then be used to automatically authenticate through the Cloud Services Appliance. After proper configuration, this method allows agents to request the broker certificate as part of the installation process.



    Advantages:

    -Works for both off-network and on-network clients

    -Once configured, the process is fully automated and requires no intervention

    -Incorporates the broker certificate request process with the install



    Disadvantages:

    -Initial configuration is complex and may require some time to set up

    -Because the configuration process is complex, configuration issues are somewhat common

    -Requires creation of a Windows account on the core for this specific purpose


    As this method works for all clients and is automated, we recommend this for users who want this process to be more integrated with their client deployment/configuration and are willing to dedicate some time to setting up this solution.


    For detailed instructions see the following document:

    How to Perform an Unattended configuration of the client for the Cloud Services Appliance



    Given the advantages and limitations of each method, there is likely no one method that is good for every application. Accordingly, we recommend administrators carefully consider which method best suits the needs of their environment in any given situation.


    Troubleshooting Resources

    If any issues are encountered in requesting this certificate, please see the following article:

    How to Troubleshoot the Cloud Services Appliance (CSA)/Gateway


    Related Articles

    Best Known Method for Configuring LANDESK Cloud Service Appliance (former Management Gateway) version 4.2 and newer

    Quick Guide - Gateway (Cloud Service Appliance) Configuration