Resolving connectivity issues between Client Security for Mac and Policy Manager
If Client Security for Mac cannot connect to Policy Manager and the host is not being registered, try opening the Policy Manager Server welcome page in Safari over HTTPS, using exactly the same Policy Manager address that was used to export the mpkg package. If you get a certificate warning before the welcome page content loads, follow the steps given here to establish a proper trust relationship.
To connect to Policy Manager Server or Policy Manager Proxy, Client Security for Mac requires that they have properly created server certificates. The certificate is issued to the IP address or fully qualified DNS name that the managed client uses as the Policy Manager Server or Policy Manager Proxy connection address. If Policy Manager Server or Policy Manager Proxy are not able to properly resolve their own DNS address automatically (i.e. external DNS records differ from hostnames), use the following to explicitly set custom certificate properties:
- certAdditionalDns to specify a comma-separated list of additional DNS values for the subject's alternative names
- certAdditionalIp to specify a comma-separated list of additional IP addresses for the subject's alternative names
- certForceSubject to override the TLS certificate, subject must contain a comma-separated list of all values required to generate the subject
Note: See the following article for more details on
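As an added example (not part of the original article and not vendor tooling), the shell functions below check whether the address handed to clients is actually covered by the subject alternative names of the certificate the server presents. The hostnames, IP addresses and port are constructed placeholders, and fetch_san assumes an openssl binary that supports "x509 -ext" (OpenSSL 1.1.1 or later).

```bash
#!/usr/bin/env bash
# Added example, not vendor code. Hostnames, IPs and ports are constructed placeholders.

# Print the subjectAltName extension of the certificate a server presents.
# Assumes an openssl binary that supports "x509 -ext" (OpenSSL 1.1.1 or later).
fetch_san() {  # usage: fetch_san <address> <port>
  openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
    openssl x509 -noout -ext subjectAltName 2>/dev/null
}

# Return 0 if <address> is covered by the SAN text, 1 otherwise.
# SAN text uses OpenSSL's format: "DNS:pm.example.com, IP Address:192.0.2.10".
# IPv4 addresses are matched only against "IP Address" entries and names only
# against "DNS" entries (case-insensitive, one-label wildcard supported).
san_covers() {  # usage: san_covers <address> <san-text>
  local addr want entry kind value rest
  addr=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$addr" in
    *[!0-9.]*) want="DNS" ;;
    *)         want="IP Address" ;;
  esac
  while IFS= read -r entry; do
    kind=${entry%%:*}
    value=$(printf '%s' "${entry#*:}" | tr '[:upper:]' '[:lower:]')
    [ "$kind" = "$want" ] || continue
    [ "$value" = "$addr" ] && return 0
    case "$value" in
      '*.'*)
        rest=${addr#*.}
        [ "$rest" != "$addr" ] && [ "*.$rest" = "$value" ] && return 0
        ;;
    esac
  done <<EOF
$(printf '%s\n' "$2" | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
EOF
  return 1
}

# Constructed sample: the server knows only its internal name, but clients
# were given pm.example.com in the exported package.
SAMPLE_SAN='DNS:pm-internal.corp.example, IP Address:192.0.2.10'
if ! san_covers "pm.example.com" "$SAMPLE_SAN"; then
  echo "pm.example.com is not in the certificate: add it with certAdditionalDns and force a renewal"
fi
```

Against a live server, pass the output of fetch_san as the second argument, using the same address and port that the clients use.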
To force the certificate renewal:
- For Policy Manager Server:
- Stop the Policy Manager service.
c:\Program Files (x86)\F-Secure\Management Server 5\data\fspms.jks or
/var/opt/f-secure/fspms/data/fspms.jks (depending on the operating system).
- Start the Policy Manager service. The certificate is created on service startup.
- For Policy Manager Proxy:
- Stop the Policy Manager Proxy service.
- Run the fspmp-enroll-tls-certificate tool located at c:\Program Files (x86)\F-Secure\Management Server 5\bin\ or /opt/f-secure/fspms/bin (depending on the operating system) to request the new certificate from Policy Manager Server.
- Start the Policy Manager Proxy service.
If you do not have an intermediate CA trusted within your company to be used as the Policy Manager CA, you can continue using an automatically generated one on Mac hosts within your company. Starting with macOS 11.0 Big Sur, Client Security for Mac can no longer modify the system certificate trust settings, but it is still required to establish a trust relationship for secure communication with Policy Manager instances that are addressed by a DNS name. So starting with macOS 11.0, the Policy Manager root CA certificate has to be explicitly trusted in the system keychain (macOS accepts certificates with
- To export a CA certificate, run this command on the computer where Policy Manager Server is installed:
- For Windows:
"c:\Program Files (x86)\F-Secure\Management Server 5\jre\bin\keytool.exe" -keystore "c:\Program Files (x86)\F-Secure\Management Server 5\data\fspms-ca.jks" -alias fspm-ca -exportcert -file fspms-ca.cer -rfc -protected
- For Linux:
/opt/f-secure/fspms/jre/bin/keytool -keystore /var/opt/f-secure/fspms/data/fspms-ca.jks -alias fspm-ca -exportcert -file fspms-ca.cer -rfc -protected
- Copy fspms-ca.cer to the Mac host and run the following command to trust it on the system level (you will be prompted to enter a password for admin credentials):
sudo security add-trusted-cert -d -r trustRoot -p ssl -k "/Library/Keychains/System.keychain" "path/to/certificate/file/fspms-ca.cer"
Note: You can also use MDM solutions to deploy the CA certificate to all Mac hosts within the company.
Once all steps are complete, the newly added certificate should appear in "Keychain Access.app".
The Policy Manager Server welcome page should now open in Safari, showing the site certificate as trusted.