BobK
Posted November 16, 2020 (edited)

EMC Server 7.2 - MS Server 2019 MDMCore 7.2.4206 Windows 10 v2004 HTTP Proxy 2.4.43

History

We recently upgraded from 6.5 to 7, 7.1 then 7.2. The Apache HTTP Proxy and Mobile Device Connector upgrades were particularly irksome due in part to the new certificates and CAs. Following the 7.2 upgrade we had to re-install the MDM Connector and Apache HTTPS Proxy. All seems well with ESET replication on external client agents that have their new agent certificates, and the proxy cache is also working correctly. The MDMCore status page entries are green with replications and certificates.

Android Profiles

We are trying out the Android Work Profile on several devices using ManageEngine's MDM solution, as this offers our users the ability to keep control of their own device's Personal Profiles while corporate Apps and Data are segregated on the Android Work Profile. My device has my own licensed version of ESET Mobile Security installed on my Personal Profile and we are trying ESET Endpoint Security for Android on the Work Profile, which is installing and activating fine, but I'm struggling with Enrolling to the SMC.

Q.1. Are Android Profiles supported?

Q.2. Are Multiple ESET products supported on a single device over different profiles?

If the answer to the above is yes, then I need help. The enrolment is failing with "Communication Failed" on the phone, trace log entry below; the AgentConnection appears to be sending out an unconnected EMII number but then fails with 1046 error.

If the answer is NO, do you plan to support Work Profiles?

Thank you in advance

Trace.log extract:

2020-11-16 14:33:42 D [17480] Started multiagent for 0002aeb5-a068-46a7-a02e-642bfe11002f as PID 29012
2020-11-16 14:33:43 D [13704] AgentConnector: AgentConnection(000003fd): SocketLayer.Accept: , local: (err)system:0, remote: (err)system:0.
2020-11-16 14:33:43 D [3968] AgentConnector: AgentConnection(000003fd): Received new message, message type = 'H', data: MDAwMmFlYjUtYTA2OC00NmE3LWEwMmUtNjQyYmZlMTEwMDJm
2020-11-16 14:33:43 D [3968] AgentConnector: AgentConnection(000003fd): Agent handshake request (0002aeb5-a068-46a7-a02e-642bfe11002f)
2020-11-16 14:33:43 D [3968] AgentConnector: AgentConnection(000003fd): Associated with device: 358651082974278
2020-11-16 14:33:43 D [14328] AgentConnector: AgentConnection(000003fd): Data push complete.
2020-11-16 14:33:44 E [1400] Uncaught exception: NodSslException, NodSSL error occurred in completeHandshake.RecvEncryptedData (Internal error in the underlying implementations). Local: [::ffff:192.168.xxx.xxx]:9980 Peer: [::ffff:94.xxx.xxx.xxx]:51518 TLS protocol: SSL: fatal:certificate unknown (read) SSL: error:14094416:lib(20):func(148):reason(1046)
2020-11-16 14:33:44 E [18048] Uncaught exception: NodSslException, NodSSL error occurred in completeHandshake.RecvEncryptedData (Internal error in the underlying implementations). Local: [::ffff:192.168.xxx.xxx]:9980 Peer: [::ffff:94.xxx.xxx.xxx]:51520 TLS protocol: SSL: fatal:certificate unknown (read) SSL: error:14094416:lib(20):func(148):reason(1046)
2020-11-16 14:33:44 D [17464] HTTP request for URL /ed4fqzqr9 , port 9980, from IP [::ffff:94.xxx.xxx.xxx]:51522
2020-11-16 14:33:44 D [17464] Sending enrollmentpage.html
2020-11-16 14:33:44 D [17464] HTTP request for URL /common.css , port 9980, from IP [::ffff:94.xxx.xxx.xxx]:51522
2020-11-16 14:33:44 D [17464] HTTP request for URL /eb.esmc.inline-white.svg , port 9980, from IP [::ffff:94.xxx.xxx.xxx]:51522
2020-11-16 14:33:44 D [17464] HTTP request for URL /bg-header-navigation-item.png , port 9980, from IP [::ffff:94.xxx.xxx.xxx]:51522
2020-11-16 14:33:45 E [1400] Uncaught exception: NodSslException, NodSSL error occurred in completeHandshake.RecvEncryptedData (Internal error in the underlying implementations). Local: [::ffff:192.168.xxx.xxx]:9980 Peer: [::ffff:94.xxx.xxx.xxx]:51526 TLS protocol: SSL: fatal:certificate unknown (read) SSL: error:14094416:lib(20):func(148):reason(1046)
2020-11-16 14:33:45 E [18048] Uncaught exception: NodSslException, NodSSL error occurred in completeHandshake.RecvEncryptedData (Internal error in the underlying implementations). Local: [::ffff:192.168.xxx.xxx]:9980 Peer: [::ffff:94.xxx.xxx.xxx]:51524 TLS protocol: SSL: fatal:certificate unknown (read) SSL: error:14094416:lib(20):func(148):reason(1046)
2020-11-16 14:33:45 D [17464] HTTP request for URL /flag.us-normal.svg , port 9980, from IP [::ffff:94.xxx.xxx.xxx]:51522
2020-11-16 14:33:45 E [17896] Uncaught exception: NodSslException, NodSSL error occurred in completeHandshake.RecvEncryptedData (Internal error in the underlying implementations). Local: [::ffff:192.168.xxx.xxx]:9980 Peer: [::ffff:94.xxx.xxx.xxx]:51528 TLS protocol: SSL: fatal:certificate unknown (read) SSL: error:14094416:lib(20):func(148):reason(1046)
2020-11-16 14:33:46 E [18048] Uncaught exception: NodSslException, NodSSL error occurred in completeHandshake.RecvEncryptedData (Internal error in the underlying implementations). Local: [::ffff:192.168.xxx.xxx]:9980 Peer: [::ffff:94.xxx.xxx.xxx]:51534 TLS protocol: SSL: fatal:certificate unknown (read) SSL: error:14094416:lib(20):func(148):reason(1046)
2020-11-16 14:33:52 D [14328] Scheduler.Push notification re-send.Run
2020-11-16 14:33:52 D [14328] Scheduler.Push notification re-send.Completed

Edited November 16, 2020 by BobK

Mirek S. (ESET Staff)
Posted November 18, 2020 (edited)

Hello,

We do not officially support user profiles.

As for MDM logs, I see only errors on the enrollment port (9980), which can be caused by the browser terminating traffic or other issues. What is important is the MDM communication after enrollment - port 9981 (enrollment is essentially just a file download over HTTPS). If enrollment doesn't work there might be another issue.

We might be able to help if we have all the logs required and you are OK with running a production server in a not officially supported scenario; please contact our customer care (with MDM trace severity and EESA application logs).

I'm unsure what you mean by EMII. IMEI is accessible only for Android devices enrolled in Device Owner mode (applications are restricted by Google and can't access real device identifiers).

HTH,
M.

Edited November 18, 2020 by Mirek S.
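
Added example (not part of either poster's message and not ESET tooling): a Python sketch that decodes the `error:14094416` string from the trace log above as an OpenSSL 1.x packed error code and tallies TLS failures per local port, so enrollment traffic (9980) can be separated from post-enrollment MDM traffic (9981). The sample lines are constructed in the layout of the quoted log, and treating NodSSL errors as OpenSSL-format codes is an assumption based on the error string.

```python
import re
from collections import Counter

# TLS alert numbers (RFC 5246) that concern the peer's view of a certificate.
TLS_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
              44: "certificate_revoked", 45: "certificate_expired",
              46: "certificate_unknown", 48: "unknown_ca"}

# Constructed sample lines in the layout of the trace.log quoted in the thread
# (exception text abridged, addresses masked as in the post).
SAMPLE = """\
2020-11-16 14:33:44 E [1400] Uncaught exception: NodSslException Local: [::ffff:192.168.xxx.xxx]:9980 Peer: [::ffff:94.xxx.xxx.xxx]:51518 TLS protocol: SSL: fatal:certificate unknown (read) SSL: error:14094416:lib(20):func(148):reason(1046)
2020-11-16 14:33:44 D [17464] HTTP request for URL /common.css , port 9980, from IP [::ffff:94.xxx.xxx.xxx]:51522
2020-11-16 14:33:45 E [18048] Uncaught exception: NodSslException Local: [::ffff:192.168.xxx.xxx]:9980 Peer: [::ffff:94.xxx.xxx.xxx]:51524 TLS protocol: SSL: fatal:certificate unknown (read) SSL: error:14094416:lib(20):func(148):reason(1046)
"""

TLS_ERROR = re.compile(
    r"Local: \[[^\]]*\]:(\d+) Peer: .*?\((read|write)\) SSL: error:([0-9A-Fa-f]{8}):")


def decode_openssl_error(hex_code):
    """Split an OpenSSL 1.x packed error code into (lib, func, reason)."""
    value = int(hex_code, 16)
    return (value >> 24) & 0xFF, (value >> 12) & 0xFFF, value & 0xFFF


def alert_name(lib, reason):
    """In OpenSSL's SSL library (lib 20), reason 1000+n reports TLS alert n."""
    if lib == 20 and reason >= 1000:
        return TLS_ALERTS.get(reason - 1000, f"alert_{reason - 1000}")
    return None


def triage(log_text):
    """Count TLS failures per (local port, alert, direction)."""
    counts = Counter()
    for line in log_text.splitlines():
        match = TLS_ERROR.search(line)
        if not match:
            continue
        port, direction, code = match.groups()
        lib, _func, reason = decode_openssl_error(code)
        counts[(int(port), alert_name(lib, reason) or f"reason_{reason}", direction)] += 1
    return counts


if __name__ == "__main__":
    for (port, alert, direction), n in sorted(triage(SAMPLE).items()):
        print(f"port {port}: {n} x {alert} ({direction})")
```

A `read` direction with alert 46 means the connecting client sent `certificate_unknown`, that is, it did not accept the certificate presented on that port. Run over a full trace log, entries on port 9981 rather than 9980 are the ones that bear on MDM communication after enrollment.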

BobK (Author)
Posted November 19, 2020

Hi,

Thanks for the reply. Already in contact with Support; slight change, uninstallation of ESET Mobile Security from the test client's Android Personal Profile may have had an impact.

I can now see that the client device is using an old certificate; the MDMCore.msi was reinstalled with the correct new certificate but seems to have rolled back to an old certificate. Could this be the recycled SQL database?

Current MDM Connector status has the alert "HTTPS certificate change still in progress. The old certificate is still being used" and the newly registered (but not properly enrolled yet) Android device "Device is connecting with invalid client certificate. Connection refused."

There does not seem to be any way to force a certificate change on the client, so I will suggest to support that we reinstall MDMCore again but delete the database when uninstalling it.

I will keep this thread updated as to progress, as I'm sure others would like to use Profiles.