Resolving connectivity issues between Client Security for Mac and Policy Manager - F-Secure Community
<main> <article class="userContent"> Resolving connectivity issues between Client Security for Mac and Policy Manager <p>If you experience connectivity issues between Client Security for Mac and Policy Manager where the host is not registered, use Safari to open the Policy Manager Server welcome page over HTTPS using exactly the same Policy Manager address that was used to export the mpkg package. If you get a certificate warning before the welcome page content loads, follow the steps below to establish a proper trust relationship. </p> <div>To connect to Policy Manager Server or Policy Manager Proxy, Client Security for Mac requires that they have properly created server certificates. The certificate is issued to the IP address or fully qualified DNS name that the managed client uses as the Policy Manager Server or Policy Manager Proxy connection address; a certificate issued to any other name is rejected by the client. If Policy Manager Server or Policy Manager Proxy cannot correctly determine their own DNS name automatically (for example, 
external DNS records differ from the hostnames), use the following <code class="code codeInline" spellcheck="false" tabindex="0">additional_java_args</code> properties to set the certificate names explicitly: <ul><li><code class="code codeInline" spellcheck="false" tabindex="0">certAdditionalDns</code> specifies a comma-separated list of additional DNS names for the certificate's subject alternative names. </li> <li><code class="code codeInline" spellcheck="false" tabindex="0">certAdditionalIp</code> specifies a comma-separated list of additional IP addresses for the certificate's subject alternative names. </li> <li><code class="code codeInline" spellcheck="false" tabindex="0">certForceSubject</code> overrides the subject of the TLS certificate; its value must be a comma-separated list of all the values required to generate the subject. </li> </ul></div> <p><strong>Note:</strong> See the following article for more details on <code class="code codeInline" spellcheck="false" tabindex="0">additional_java_args</code>: <a rel="nofollow" href="https://community.f-secure.com/business-suite-en/kb/articles/5631-policy-manager-advanced-configuration-settings">https://community.f-secure.com/business-suite-en/kb/articles/5631-policy-manager-advanced-configuration-settings</a>. </p> <div>Changing these properties does not replace a certificate that has already been generated. To force the certificate renewal: <ul><li>For Policy Manager Server: <ol><li>Stop the Policy Manager service. </li> <li>Remove <code class="code codeInline" spellcheck="false" tabindex="0">c:\Program Files (x86)\F-Secure\Management Server 5\data\fspms.jks</code> or <code class="code codeInline" spellcheck="false" tabindex="0">/var/opt/f-secure/fspms/data/fspms.jks</code> (depending on the operating system). </li> <li>Start the Policy Manager service. The certificate is created on service startup. </li> </ol></li> <li>For Policy Manager Proxy: <ol><li>Stop the Policy Manager Proxy service. 
</li> <li>Run the <code class="code codeInline" spellcheck="false" tabindex="0">fspmp-enroll-tls-certificate</code> tool located at <code class="code codeInline" spellcheck="false" tabindex="0">c:\Program Files (x86)\F-Secure\Management Server 5\bin\</code> or <code class="code codeInline" spellcheck="false" tabindex="0">/opt/f-secure/fspms/bin</code> (depending on the operating system) to request a new certificate from Policy Manager Server. </li> <li>Start the Policy Manager Proxy service. </li> </ol></li> </ul></div> <p>If your company does not have a trusted intermediate CA that can be used as the Policy Manager CA, you can continue using the automatically generated one on your Mac hosts. Starting with macOS 11.0 Big Sur, Client Security for Mac can no longer modify the system certificate trust settings itself, but a trust relationship is still required for secure communication with Policy Manager instances that are addressed by a DNS name. So starting with macOS 11.0, the Policy Manager root CA certificate has to be explicitly trusted in the system keychain (macOS accepts certificate files with <code class="code codeInline" spellcheck="false" tabindex="0">.cer</code> or <code class="code codeInline" spellcheck="false" tabindex="0">.pem</code> extensions). 
</p> <ol><li> To export the CA certificate, run this command on the computer where Policy Manager Server is installed: <ul><li>For Windows: <pre class="code codeBlock" spellcheck="false" tabindex="0">"c:\Program Files (x86)\F-Secure\Management Server 5\jre\bin\keytool.exe" -keystore "c:\Program Files (x86)\F-Secure\Management Server 5\data\fspms-ca.jks" -alias fspm-ca -exportcert -file fspms-ca.cer -rfc -protected</pre> </li> <li>For Linux: <pre class="code codeBlock" spellcheck="false" tabindex="0">/opt/f-secure/fspms/jre/bin/keytool -keystore /var/opt/f-secure/fspms/data/fspms-ca.jks -alias fspm-ca -exportcert -file fspms-ca.cer -rfc -protected</pre> </li> </ul> The <code class="code codeInline" spellcheck="false" tabindex="0">-rfc</code> option writes the certificate in PEM encoding; the <code class="code codeInline" spellcheck="false" tabindex="0">.cer</code> extension is accepted by macOS either way. </li> <li> Transfer <code class="code codeInline" spellcheck="false" tabindex="0">fspms-ca.cer</code> to the Mac host and run the following command to trust it at the system level (you will be prompted for an administrator password): <pre class="code codeBlock" spellcheck="false" tabindex="0">sudo security add-trusted-cert -d -r trustRoot -p ssl -k "/Library/Keychains/System.keychain" "path/to/certificate/file/fspms-ca.cer"</pre> <p><strong>Note:</strong> You can also use an MDM solution to deploy the CA certificate to all Mac hosts within the company. </p> Once all steps are complete, the newly added certificate should appear in "Keychain Access.app" like this:<br><img src="https://us.v-cdn.net/6032052/uploads/L9WD3IMKNT7V/cs-mac-pm-connectivity-issue.png" alt="The Policy Manager CA certificate listed as trusted in Keychain Access" class="embedImage-img importedEmbed-img"><br> The Policy Manager Server welcome page should now open in Safari, with the site certificate shown as trusted. </li> </ol> </article> </main>
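<p>The following Python script is an added example written for this article; it is not F-Secure's code and is not part of Client Security for Mac or Policy Manager. It checks, from a Mac (or any host with Python 3), the two conditions the procedure above establishes: that the server's certificate chain validates against the exported <code class="code codeInline" spellcheck="false" tabindex="0">fspms-ca.cer</code>, and that the exact connection address used when the mpkg was exported (DNS name or IP) appears in the certificate's subject alternative names, so that a "CA not trusted" failure can be told apart from a "name not in certificate" failure. It also builds the comma-separated <code class="code codeInline" spellcheck="false" tabindex="0">certAdditionalDns</code> / <code class="code codeInline" spellcheck="false" tabindex="0">certAdditionalIp</code> values from a list of client-facing addresses. The hostnames, IP addresses and the sample certificate dictionary are constructed for illustration; the default port 443, the file name <code class="code codeInline" spellcheck="false" tabindex="0">fspms-ca.cer</code> in the working directory and the result labels are this example's own assumptions, not something the article specifies.</p>

```python
"""Added example (not F-Secure code): check a Mac's trust relationship
with Policy Manager Server or Policy Manager Proxy.

  1. The server's chain must validate against the Policy Manager CA
     exported with keytool (fspms-ca.cer in the steps above).
  2. The exact connection address used when the mpkg was exported must
     appear in the certificate's subjectAltName.
Failure of 1 means the CA is not trusted on the host; failure of 2 means
the server certificate needs certAdditionalDns / certAdditionalIp and a
forced renewal. Port 443, the CA file name and the result labels are
assumptions made for this example.
"""
import ipaddress
import socket
import ssl
import sys


def is_ip_address(address: str) -> bool:
    """True for an IPv4/IPv6 literal, False for a DNS name."""
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        return False


def address_in_san(cert: dict, address: str) -> bool:
    """Check a getpeercert()-style dict for the connection address.

    DNS names are compared case-insensitively and without a trailing dot;
    wildcards are deliberately not honoured, because Policy Manager issues
    certificates for explicit names. IP literals are compared as parsed
    addresses, so '2001:db8::1' matches its fully expanded form.
    """
    san = cert.get("subjectAltName", ())
    if is_ip_address(address):
        want = ipaddress.ip_address(address)
        for kind, value in san:
            if kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == want:
                        return True
                except ValueError:
                    continue
        return False
    want_name = address.rstrip(".").lower()
    return any(kind == "DNS" and value.rstrip(".").lower() == want_name
               for kind, value in san)


def san_properties(addresses) -> dict:
    """Split every address clients use into the two comma-separated lists
    that certAdditionalDns and certAdditionalIp take. Duplicates are folded
    (DNS case-insensitively, IPs after normalisation); empty lists are
    left out."""
    dns, ips = [], []
    for address in addresses:
        if is_ip_address(address):
            value = str(ipaddress.ip_address(address))
            if value not in ips:
                ips.append(value)
        else:
            value = address.rstrip(".").lower()
            if value not in dns:
                dns.append(value)
    props = {}
    if dns:
        props["certAdditionalDns"] = ",".join(dns)
    if ips:
        props["certAdditionalIp"] = ",".join(ips)
    return props


def diagnose(address: str, port: int = 443, ca_file: str = "fspms-ca.cer") -> str:
    """Connect the way the client does and classify the outcome as 'ok',
    'untrusted-ca', 'name-mismatch' or 'unreachable'. Only the exported
    Policy Manager CA is loaded as trust anchor, so the answer reflects the
    relationship the managed Mac needs, not whatever else the host trusts.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    # Chain validation only here; the name check is done by address_in_san
    # so that the two failure modes can be reported separately.
    ctx.check_hostname = False
    try:
        with socket.create_connection((address, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=address) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return "untrusted-ca"
    except (OSError, ssl.SSLError):
        return "unreachable"
    return "ok" if address_in_san(cert, address) else "name-mismatch"


# Constructed sample in getpeercert() layout, standing in for a live server.
SAMPLE_CERT = {
    "subject": ((("commonName", "pm.example.com"),),),
    "subjectAltName": (("DNS", "pm.example.com"),
                       ("IP Address", "10.0.0.5"),
                       ("IP Address", "2001:db8::1")),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(diagnose(sys.argv[1], port))
    else:
        for addr in ("pm.example.com", "10.0.0.5", "pm-proxy.example.com"):
            print(addr, address_in_san(SAMPLE_CERT, addr))
```

<p>Run it on the Mac after installing the CA, giving the same address that was used when exporting the mpkg (for example <code class="code codeInline" spellcheck="false" tabindex="0">python3 pm_trust_check.py pm.example.com 443</code>; the script name is an assumption). An <code class="code codeInline" spellcheck="false" tabindex="0">untrusted-ca</code> result points to the keychain step, a <code class="code codeInline" spellcheck="false" tabindex="0">name-mismatch</code> result to the <code class="code codeInline" spellcheck="false" tabindex="0">additional_java_args</code> properties and a forced renewal, and <code class="code codeInline" spellcheck="false" tabindex="0">san_properties()</code> gives the values to put in those properties for every address clients actually use.</p>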