Mirek S.

ESET Staff
  • Posts: 143
  • Days Won: 2

Everything posted by Mirek S.

  1. Hello, We checked multiple browsers to identify which one produces this error (seems like you posted a Chrome error). However, for future reference (and potential improvement), can you please answer the following?
     • browser(s) (in case of IE ideally export security settings for the security zone the console is in) - you already said you tried multiple, however platform/browser still matters for reproduction.
     • webconsole behind reverse proxy/application firewall
     • ESET (or other) product with TLS filtering enabled installed on computer connecting to console
     • Any "uncommon" setup you can think of
     This issue can arise in case _some_ https requests on the same site (in this case, as Pavel said, seems like a js script) are blocked from download. Which in case of TLS (to my knowledge) requires MITM interception (product/WAF/RP/actual attack) or extremely restrictive browser rules. Thanks, M.
  2. Hello, Please create a support ticket for this. Currently this is not a well-handled issue, as installation after pressing cancel actually removes relevant log files (startup of Agent which fails due to which logs which should identify cause of failure are erased - too many witches). When the message box is open - i.e. don't cancel it until logs are collected (failed to start) - please run ESET Log Collector and provide those to support; it should help us to determine the cause of this issue in future. HTH
  3. "Error during policy application on device" means the device declined the configuration profile for some reason - there is sadly no standard way how this is reported in ESMC, nor does Apple tell us anything specific. What you posted actually points out there is an issue with UUID generation inside conversion between our and Apple format. We will have to check conversion into configuration profile - it's possible there were some changes which broke this functionality on newer iOS or with Your use-case. Please test this without using user attributes (just put in real values and apply on phone instead), to check if the issue persists. We will need iOS version, exported policy, used user attributes (if there are for example special characters...), MDM version and configuration module version on MDM. Please create a support ticket (and tell Your distributor to directly forward it to MDM team as there is most likely nothing they can do), or post here (secrets in attachment, only ESET staff can see those). Bad news is this is probably a bug, good news is we can probably fix it faster than standard ESMC release cycles as most code related to this functionality is in an updateable module. As a side note, we did not manage to reproduce the issue. So to check we will need the above specified.
  4. Hello, V4-V5 products are managed by the so-called Legacy Connector (component of Agent). This component does on-behalf-of licensing for these products - if activation succeeds, products are configured with license and/or update username/password, whichever is applicable for such product. I'm actually unsure if it's still possible to manually set update username/password without those being overwritten by Agent. (This really is on a per-product basis and what their product team decides - to expose update parameters in product policy or not.) Please upload Agent log (error line should contain "EcpCommunicator") in trace severity (or create a support ticket). It's possible something blocks communication with ESET licensing servers (edf.eset.com:443) or there is another issue. Offline license file is not supported for on-behalf-of activation as the format changed between V5 and V6 line. HTH
  5. Hello, The "Name" (in my example a0) is essentially just identification for You (so put there whatever makes sense to You). Assume You wanted multiple exchange or VPN (etc...) configurations, You would need to address them in policy editor somehow. I also think (unsure, would have to check code), iOS configuration profile is filled only if all attributes specified in policy editor are non-empty. Imagine user = set of attributes.

         user1 = {
           exchange {
             mydomain {
               email = "my@email.com"
               login = "me"
             }
             myshadowdomain {
               email = "othermy@email.com"
               login = "otherme"
             }
           }
         }

     Such attributes are then available in policy editor in a slightly different format of exchange_email/mydomain or exchange_email/myshadowdomain. (Where mydomain and myshadowdomain are Name). This is not only for multiple configurations, but also as MSP support where multiple companies are managed in one ESMC. TBH seeing this I'm unsure why we did it this way as both hierarchical "exchange/mydomain/email" or flat list makes more sense. HTH
  6. Hello, The attributes are configured in the synchronization task. Then each device needs to have a user assigned. Such variables are then replaced in configuration delivered into the phone. If a user is not assigned or attribute synchronized (or defined manually) block of configuration (exchange mailbox etc...) is actually removed from the device configuration profile. Meaning that attributes synchronized as Are available in policy as Which synchronized attribute should map to what really depends on Your AD schema. HTH
  7. Hello, Perchance, is the device supervised? (This is not officially supported, but can be done even without ABM/DEP.) You may attempt to run Antitheft task "Turn off lost mode"; it should work (that is, reset internal flags which cause lost mode reported). However, IIRC there was an issue with this task in the official release (which is fixed in upcoming service release). You might want to contact support for an unofficial hotfix. HTH
  8. Hello, This setting is currently not available. AFAIK PM is currently checking which new settings for iOS we should deliver, and this one seems like omitted one (according to docs since iOS version 6.0) HTH
  9. Hello, "No APNS certificate has been provided to Mobile Device Connector" For iOS devices to be able to communicate with MDM You need to acquire APNS certificate. 1)
     For iOS 12 devices it is recommended to have HTTPS certificate from 3rd party issuers due to Apple enforcing ATS (set of requirements on certificate and transport encryption) on MDM. If that's not possible You can create ESMC signed certificate in webconsole when server is in Advanced Security mode. HTH
     1) https://support.eset.com/kb6368/?locale=en_US&viewlocale=en_US
  10. Hello, Part of information is sent via management Agent which must be installed on same device as MDM. I assume you did not install it as AdminConnector has pending messages. HTH
  11. Hello, --https-cert-path is not the Agent certificate but the certificate used to communicate with devices. Agent certificate does not have valid properties for this interface. You can create a valid https interface certificate in ESMC certificates when You select MDM product. HTH
  12. Hello, As far as I know this is currently not possible, we only support OU in user and computer synchronization tasks. (That is OU have one to many relation while Security Groups have many to many relation to users) May I ask why you want to sync security group? HTH
  13. Hello, On v7 we don't use default OpenSSL verification, but an ESET custom one. This depends on a directory (OpenSSL CAPath) and certificates stored in it. We are aware we don't support some "styles" of how trusted certificates are stored. (AFAIK bundles) Please check OpenSSL default CAPath in the account MDM is run under. If that matches system wide configuration (where s_client verified ok), then root CAs are most likely stored in an unsupported way. You should be able to work around this by adding Entrust root CAs as PEM encoded files (our verification implementation enumerates all files and folders and attempts to read them) into OpenSSL CAPath directory. HTH
  14. Hello, I would have to see /etc/letsencrypt/live/my.domain/fullchain.pem, however I assume it doesn't really contain the CA certificate. I think it would be enough to append the CA certificate to the above mentioned file and run the same command. CA certificate in this case would be at 1) HTH.
      1) https://letsencrypt.org/certs/isrgrootx1.pem.txt
  15. Hello, Currently, the option to install applications is not implemented in EESA (Android), only for iOS devices. Also, the requirement for this to work would be placing of such APK on HTTP(s) server, SMB (file:// protocol) will never be supported for mobile applications. We will add this as an improvement into the backlog.
  16. Currently, there are no other options (other than per-device activation). In the future, we might consider volume licensing which in my opinion would be more appropriate for iOS devices. You may also drop an improvement request here. HTH
  17. Hello, Licenses for ESET Endpoint Security for Android should work with iOS devices. MDM does something we call on-behalf-of licensing in this case, where it keeps licenses on MDM instead of on the devices themselves, as we don't provide an application for iOS. Please note that iOS does not support offline licenses (Android now does) https://support.eset.com/kb3598/ HTH
  18. Hello, iOS related protection states start to be reported when iOS device browser connects to enrollment endpoint (9980) with valid authorization. Currently there is no UI way to dismiss those I'm aware of, however, you may rewrite to 0 (or delete) "configuration.IosConnected" from "keyvalue" table in MDM database (while MDM is down, as these values are cached). If this persists or returns even with no attempted iOS enrollments please raise a support ticket, as the way described above is how it was designed, not necessarily how it was implemented. HTH
  19. Hello, HTTPS certificate can be changed via MDM policy and the process is for 7.X the same in Windows and Linux installations. You probably refer to certificate chain installation into Windows certificate store; this is not required on Linux or 7.X Windows as we changed TLS implementation from native to ours. Please be aware of
      • certificate requirements for iOS (ensure that the issuer you buy the certificate from has required attributes)
          • https://help.eset.com/esmc_install/70/en-US/mobile.html specifically, SHA-256 signature is required, other requirements are met by MDM 7.X
          • https://help.eset.com/era_install/65/en-US/certificate_mdm_https_requirements.html specifically, hostname properties
          • Apple devices are picky about certificates and it's better to ensure hostname is present as DNS name in Subject Alternative Names extension _and_ as Common Name
      • certificate requirements for MDM 7.X
          • from 7.X we require root CA certificate inside configured pkcs12 (pfx file), we use CA certificate to install trust onto devices.
          • you can import issuer root CA certificate into pkcs12 via OpenSSL or other tools, issuers typically don't include root CA certificate in pkcs12 they provide.
      HTH
  20. Yes. APNS certificate is MDM configuration and thus must be assigned to device MDM is installed. HTH
  21. Hello, Recommended is to leave registry as they are for now. Upcoming service release should correct issues caused by the previous version. Specifically installations affected with
      • 7.0 version being installed while being reported as 6.X from installer point of view - upgrade will update installer registry to match what is really installed.
      • both 6.X and 7.0 version being reported as installed - upgrade will remove both previous versions
      For upgrade to succeed previous version(s) installation package file is required. We backup installation package within Agent. Windows backs up currently installed applications' packages in Windows specific directories. Original location (from where installation was run) is also used to find msi package if previous lookups failed. For GPO deploys it's therefore recommended to keep previous package(s) on distribution point and only add new versions instead of replacing them. For those potentially affected by missing installation package, it's possible to select those in installation UI mode. HTH
  22. Sorry, I forgot users are not allowed to download attachments. For the time being please PM me for the tool (it will be part of next hotfix release) Thanks in advance.
  23. Hello, EsetCloudAdministrator is limited to 250 devices so it's not an option You can use now. Best migration scenario depends on your requirements.
      • Do You have ERAv5 servers connected in a hierarchy?
      • Is downtime in monitoring acceptable?
      • Is appliance preferable deployment?
      • Are you using parametric groups? - You will need to re-define those as we don't support migration. You might want to play with v7 a little before migrating.
      • Do you require historical logs migrated?
      • Do you require policies migrated?
  24. Hello, We are currently investigating the issue to determine the best solution and cause of this issue. We would appreciate the output of diagnostic tool (dumps installer registry related to Agent). In attachment is a new version of the diagnostic tool and .bat file which runs the diagnostic tool with required parameters. Please PM me resulting registry dumps (preferably from several computers so we have greater statistics). Thanks in advance
      Diagnostic.Agent.7.1.91.0_x64.zip
  25. Can You PM me your MDM site if it's visible to the world? There are other pre-requisites (PFS cipher suites in 6.X this depends on OS/openssl version, etc...)