Mirek S.
-
Posts
143 -
Joined
-
Last visited
-
Days Won
2
Posts posted by Mirek S.
-
-
ERA 6.5 AFAIK has the ability to create sha256 signed certificates. (but You will need to enable advanced security)
In the end safest bet when it comes to iOS devices is purchasing a trusted issuer certificate as trust is pre-installed on the device. 99% iOS enrollment issues are due to not established trust between MDM and device, then it's just about finding out which criterium was not met.
We'll be putting up KB with pre-requisites as there are more of them, I will post a link here when it's complete.
-
No, it's just one of the ways how to generate a valid certificate which will be trusted by iOS 12. (and based on your logs you meet other preconditions)
Your other options are
* create certificate manually (however it must be either self-signed or signed by ERA CA in MDC versions prior to 7)
* purchase a certificate from an official authority which is trusted by iOS implicitly. 1)
Please also ensure when You about to set this certificate to MDC it contains root CA. In version 7 we require this as we no longer use system dependant TLS layer (so You save yourself some work when upgrading)
-
Hello,
Apple changed security requirements for iOS 12.
However what would most customers be affected with is certificate signature algorithm requirements (server certificates with SHA1 signature are no longer accepted)
With ESMC (when advanced security is turned on) You can create such a certificate and then run a certificate change process on MDC.
HTH.
-
Please create support tickets as these issues usually require more information.
I'll note we will need log collector logs as we need to check certificate assigned to MDM HTTPS interface.
It's also possible we will need Wireshark logs, as devices may simply refuse communication due to TLS stack and on v6.5 we used windows implementation (switched to OpenSSL on v7). We already encountered some issues with windows TLS, namely security patches (or users) disabling some cipher suites or hash algorithms required for Apple devices (and services) to work correctly.
-
HTTPS certificate isn't changed immediately. In settings where You change certificate is also timeout to apply this certificate.
MDM does this delayed exchange because devices need to be applied new trust (essentially CA from the certificate is first distributed to devices then MDM switches to new certificate)
We'll look into how to communicate this more clearly.
-
C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs (note they may contain sensitive information, so PM them to me)
Thanks.
-
Not enough rights (access denied) is (usually) caused by Agent self-defense mechanism.
I meant Agent trace logs if we can pair them with installation logs we should know more about the issue.
-
2 hours ago, Michał Mielech said:
It still doesn't work. I thought that there was a success ...
Still cannot uninstall ESET Remote Management Agent from workstations. Now I see that there is something else in log.txt
Cannot get access to file because it is in use by other process ...
What now ?
ERROR: boost::filesystem::remove: (0x20), Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces: "C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Data\data.db"
MSI (s) (94!F0) [11:38:25:788]: Closing MSIHANDLE (55) of type 790531 for thread 10480
MSI (s) (94!F0) [11:38:25:788]: Creating MSIHANDLE (56) of type 790531 for thread 10480
ERROR: (DbCreate) boost::filesystem::remove: (0x20), Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces: "C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Data\data.db"
MSI (s) (94!F0) [11:38:25:789]: Closing MSIHANDLE (56) of type 790531 for thread 10480
MSI (s) (94!F0) [11:38:25:789]: Creating MSIHANDLE (57) of type 790531 for thread 10480
INFO: Successful GET property 'P_SILENT' with value -
MSI (s) (94!F0) [11:38:25:789]: Closing MSIHANDLE (57) of type 790531 for thread 10480
MSI (s) (94!F0) [11:38:25:789]: Creating MSIHANDLE (58) of type 790531 for thread 10480
Error 30000. A critical error occurred. Please see the installation log for more information. Enabling the log is described at the ESET knowledge base website:
support.eset.com/kb406/
MSI (s) (94!F0) [11:38:33:338]: Product: ESET Remote Administrator Agent -- Error 30000. A critical error occurred. Please see the installation log for more information. Enabling the log is described at the ESET knowledge base website:
support.eset.com/kb406/Can You also provide Agent logs from same time You tried uninstallation?
I assume Agent restarted somehow and enabled self-defense.
-
On 9/4/2018 at 6:05 AM, Ali Akbar said:
Hi
I had few Window 7 machines failed to install Agent v7.The error is
Services "ESET Managment Agent' (EraAgentSvc) failed to start.Verify that you have sufficient privileges to start system services
Please find attach file for the logs
Hello.
The logs sadly do not contain Agent logs (that is we can't determine why it failed to start). If this issue is reproducible please do following at the time You get this error (before You press cancel) please zip entire folder C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData and PM it to me.
Thanks and sorry for the inconvenience.
-
Hello,
We use iOS built-in MDM which is backward compatible. So it should.
However, I don't recall we had tested this (as it was released recently), so to ensure please raise a support ticket, so our QA engineers can check.
We'll be releasing configuration updates later if there are any notable changes, these will be delivered to existing installations via module updates.
-
This is "feature". You can change the timeout interval when new certificate is applied. Otherwise, MDM waits till all devices exchanged their current trust with new one. As You changed hostname the devices must be re-enrolled anyway (as by hostname change they lost connectivity).
You can find this timeout in policy in https certificate.
As a side note, You're getting the protection state because protection states are evaluated on a certificate which is currently in use. We will think how to make this clearer for a future version.
-
Hello,
You can ensure certificate You created has valid (same) hostname via GetConfiguration task. (hostname is still visible in configuration)
The reason for removal from policy was that changing this option is essentially equal to reinstallation. (all devices lose connectivity)
If configured hostname matches the certificate, please PM me ESET log collector logs.
Thanks and sorry for the inconvenience.
-
17 hours ago, Pinni3 said:
If its not a problem I would like to send You logs tomorrow as Im on 10% of my Global objects when it comes to upgrade. This problems is currently my number 1 reason I didnt deployed upgrade global
No problem at all. We will be glad to have those anytime.
If the issue does not just apper randomly but is repeatable it would be great to have process monitor logs from the time of upgrade as well as MSI logs are usually not verbose enough.
16 hours ago, Igor Kramarsich said:LegacyConnectorSupport, do you mean this file?
I mistakenly understood You had the same problem as @Pinni3, however that does not seem to be the case (You had Agent reported as installed applications). @MichalJ solution should work for you.
-
Can You please PM me installation/upgrade logs?
If this was the component upgrade task ESET log collector logs from affected machine should contain the last upgrade logs.
Otherwise, where logs are (or if they're available at all) depends on the method of deployment You used.
Thanks in advance and sorry for the inconvenience.
-
The protection state means "Windows updates available".
The issue is not the same the other you mention and as Marcos noted this string should be in "Translation support module", not ESMC localization files. (and it's been in there a long time, version 1704 is definitely sufficient)
-
Yes, policies are forward compatible.
-
That seems to be unfortunate effect of application of v7 policy to product with not up-to-date configuration module.
As products now have (or should have) up to date configuration module (1685.14 on EES v6.5) this issue should not happen again and in case it already happened and product has invalid configuration this should auto-correct with next policy application. (Agent restart or new policy)
Your case with GetConfiguration was most likely caused this way (policy was applied incorrectly on product and You actually saw in requested configuration what product though was correct result of policy application)
Sorry for issues caused.
-
In that case, assign it to the computer where ERA server and MDC is. (sorry MDM is previous product name I'm used to)
-
Almost there
Yes create a policy for 'ESET Mobile Device Connector' however You'll have to assign it to the computer where MDM is installed (not where ERA server is)
-
Yes you can do re-install as well, however configuring server connection via policy would work as well.
If You have mobile devices enrolled you can select option to keep database and use it during re-installation. (not recommended scenario however)
> I tried a 'Repair' install same as I ran for the ERA Agent to reset the port but there was no option for the Host or port number
Will create improvement for this.
-
If Agent which is on same computer as MDM is connecting to ESMC you can create policy which will be applied to MDM. We transfer MDM policy via managing Agent.
If Agent which is on same computer as MDM is not connecting you may need to reinstall it and continue with policy.
HTH
-
Port is configurable in server settings.
Connection => Security Management Center port (require restart!)
However please read kb first, Otherwise you may loose conectivity permanently (and have to reinstall).
https://support.eset.com/kb3701/?locale=en_US&viewlocale=en_US
-
Hello,
MySQL ODBC v8 driver is unsupported as we identified multiple issues with it.
https://support.eset.com/kb6760/?locale=en_US&viewlocale=en_US
HTH
-
Hello,
In MDC policy there is a server list where You can specify port as well. (Connection => Edit server list)
Linux File security and how to manage in ERA
in ESET PROTECT On-prem (Remote Management)
Posted
Hello,
Activation via ESMC/ERA should work. More information on why it failed should be present in Agent logs. That is please create a support ticket (or PM me Agent logs in trace severity from the time of attempted activation)