
Mirek S.

ESET Staff

Posts posted by Mirek S.

  1. Hello,

    MDM should register with EPNS on behalf of devices (devices themselves use FCM or APNS). The reason for this error is that EPNS tokens did not make it onto the ESMC server for some reason. Please verify that the MDM proxy can replicate to the ESMC server and can connect to EPNS (epns.eset.com:8883/443); otherwise we will need high-verbosity logs from MDM and MultiAgents - please create a customer care ticket.

    As a side note, this issue is "cosmetic", as communication between devices and MDM is triggered by new work for the device (task) or by EESA when it has logs; we added EPNS only for a "single pane of glass" feeling.


  2. I believe the easiest option would be to redeploy via SCCM (with a valid install_config). This will repair the installation on all endpoints.

    Now this might get tricky if you are on SCCM 2012+, as it lost the option to rerun; instead, detection based on time of installation could be used.

    As a side note, it seems to me that a quiet installation without a valid hostname should not succeed; at least I don't see any use case for it.

  3. Hello,

    As @Perry noted, 3rd-party certification authorities typically provide a PEM or PKCS#12 web certificate which does not contain the root CA, as that is not required for common web servers - this certificate is typically preinstalled on devices so that the chain of trust can be established. MDM does a "bit more" than a typical web server - during enrollment we also install the root CA on the enrolled device to establish trust (we can't guess whether the certificate is self-signed or signed by a CA already trusted by the device), so we have an extra requirement.

    I'll look into improving the documentation with regard to 3rd-party certificates, as an openssl command line showing how to convert between formats and append the root CA to existing certificates should help some users.


  4. To have "secure" as in trusted by the browser, you need to purchase a 3rd-party certificate from a common internet certification authority.

    One such certificate authority is Let's Encrypt, which provides certificates for free.

    ESMC creates self-signed certificates which are not trusted unless their root CA is imported into device certificate store.

    @Command IT What you probably meant was certificate chain installation, which was required until 6.5 due to the TLS layer we used. In 7.0+ we use a different TLS layer on Windows (OpenSSL), and the PKCS#12 is newly required to contain the entire certificate chain including the root CA - the system certificate store is not used anymore.
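
The requirement described in the last two posts, that the PKCS#12 must carry the whole chain including the root CA, can be checked before the file is uploaded. The script below is an added example, not part of the posts and not ESET tooling; it assumes the `openssl` CLI is installed, and the function names, subjects, file names and password are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: all names, subjects and the password are constructed.
set -eu

# Return 0 if the PKCS#12 file $1 (password $2) holds a certificate whose
# subject equals its issuer, i.e. a root CA is inside the bundle.
# A name comparison only; it does not verify signatures.
p12_has_root() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
        awk '/^subject=/ { s = substr($0, 9) }
             /^issuer=/  { if (substr($0, 8) == s) found = 1 }
             END         { exit !found }'
}

# Create a constructed root CA, a leaf signed by it, and two bundles in
# directory $1: leaf-only.p12 (no root) and full.p12 (root appended).
make_demo() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mdm.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -set_serial 1 -days 1 \
        -out "$d/leaf.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" \
        -passout pass:demo-pass -out "$d/leaf-only.p12"
    # -certfile adds the extra CA certificates to the bundle.
    openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" \
        -certfile "$d/root.pem" -passout pass:demo-pass -out "$d/full.p12"
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir"
for f in leaf-only.p12 full.p12; do
    if p12_has_root "$demo_dir/$f" demo-pass; then
        echo "$f: root CA present"
    else
        echo "$f: root CA missing"
    fi
done
```

A wrong password also reports the root as missing, because `openssl` then prints no certificates for the check to read.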
