
BYOD ESET SMC Mobile Connector and Android Work Profile



EMC Server 7.2 - MS Server 2019
MDMCore 7.2.4206 Windows 10 v2004 
HTTP Proxy 2.4.43

History
We recently upgraded from 6.5 to 7, 7.1 then 7.2.

The Apache HTTP Proxy and Mobile Device Connector upgrades were particularly irksome due in part to the new certificates and CAs. Following the 7.2 upgrade we had to re-install the MDM Connector and Apache HTTPS Proxy.

All seems well with ESET replication on external client agents that have their new agent certificates, and the proxy cache is also working correctly. The MDMCore status page entries are green with replications and certificates.

Android Profiles
We are trying out the Android Work Profile on several devices using ManageEngine's MDM solution, as this offers our users the ability to keep control of their own device's Personal Profiles but corporate Apps and Data are segregated on the Android Work Profile. My device has my own licensed version of ESET Mobile Security installed on my Personal Profile, and we are trying ESET Endpoint Security for Android on the Work Profile, which is installing and activating fine, but I'm struggling with enrolling to the SMC.

Q.1. Are Android Profiles supported?
Q.2. Are Multiple ESET products supported on a single device over different profiles?

If the answer to the above is yes, then I need help.
The enrolment is failing with "Communication Failed" on the phone (trace log entry below); the AgentConnection appears to be sending out an unconnected EMII number but then fails with a 1046 error.

If the answer is NO, do you plan to support Work Profiles? 

Thank you in advance
 

Trace.log extract:
2020-11-16 14:33:42 D [17480] Started multiagent for 0002aeb5-a068-46a7-a02e-642bfe11002f as PID 29012
2020-11-16 14:33:43 D [13704] AgentConnector: AgentConnection(000003fd): SocketLayer.Accept: , local: (err)system:0, remote: (err)system:0.
2020-11-16 14:33:43 D [3968] AgentConnector: AgentConnection(000003fd): Received new message, message type = 'H', data: MDAwMmFlYjUtYTA2OC00NmE3LWEwMmUtNjQyYmZlMTEwMDJm
2020-11-16 14:33:43 D [3968] AgentConnector: AgentConnection(000003fd): Agent handshake request (0002aeb5-a068-46a7-a02e-642bfe11002f)
2020-11-16 14:33:43 D [3968] AgentConnector: AgentConnection(000003fd): Associated with device: 358651082974278
2020-11-16 14:33:43 D [14328] AgentConnector: AgentConnection(000003fd): Data push complete.
2020-11-16 14:33:44 E [1400] Uncaught exception: NodSslException, NodSSL error occurred in completeHandshake.RecvEncryptedData (Internal error in the underlying implementations).
    Local: [::ffff:192.168.xxx.xxx]:9980
    Peer: [::ffff:94.xxx.xxx.xxx]:51518
    TLS protocol:
        SSL: fatal:certificate unknown (read)
        SSL: error:14094416:lib(20):func(148):reason(1046)
2020-11-16 14:33:44 E [18048] Uncaught exception: NodSslException, NodSSL error occurred in completeHandshake.RecvEncryptedData (Internal error in the underlying implementations).
    Local: [::ffff:192.168.xxx.xxx]:9980
    Peer: [::ffff:94.xxx.xxx.xxx]:51520
    TLS protocol:
        SSL: fatal:certificate unknown (read)
        SSL: error:14094416:lib(20):func(148):reason(1046)
2020-11-16 14:33:44 D [17464] HTTP request for URL /ed4fqzqr9 , port 9980, from IP [::ffff:94.xxx.xxx.xxx]:51522
2020-11-16 14:33:44 D [17464] Sending enrollmentpage.html
2020-11-16 14:33:44 D [17464] HTTP request for URL /common.css , port 9980, from IP [::ffff:94.xxx.xxx.xxx]:51522
2020-11-16 14:33:44 D [17464] HTTP request for URL /eb.esmc.inline-white.svg , port 9980, from IP [::ffff:94.xxx.xxx.xxx]:51522
2020-11-16 14:33:44 D [17464] HTTP request for URL /bg-header-navigation-item.png , port 9980, from IP [::ffff:94.xxx.xxx.xxx]:51522
2020-11-16 14:33:45 E [1400] Uncaught exception: NodSslException, NodSSL error occurred in completeHandshake.RecvEncryptedData (Internal error in the underlying implementations).
    Local: [::ffff:192.168.xxx.xxx]:9980
    Peer: [::ffff:94.xxx.xxx.xxx]:51526
    TLS protocol:
        SSL: fatal:certificate unknown (read)
        SSL: error:14094416:lib(20):func(148):reason(1046)
2020-11-16 14:33:45 E [18048] Uncaught exception: NodSslException, NodSSL error occurred in completeHandshake.RecvEncryptedData (Internal error in the underlying implementations).
    Local: [::ffff:192.168.xxx.xxx]:9980
    Peer: [::ffff:94.xxx.xxx.xxx]:51524
    TLS protocol:
        SSL: fatal:certificate unknown (read)
        SSL: error:14094416:lib(20):func(148):reason(1046)
2020-11-16 14:33:45 D [17464] HTTP request for URL /flag.us-normal.svg , port 9980, from IP [::ffff:94.xxx.xxx.xxx]:51522
2020-11-16 14:33:45 E [17896] Uncaught exception: NodSslException, NodSSL error occurred in completeHandshake.RecvEncryptedData (Internal error in the underlying implementations).
    Local: [::ffff:192.168.xxx.xxx]:9980
    Peer: [::ffff:94.xxx.xxx.xxx]:51528
    TLS protocol:
        SSL: fatal:certificate unknown (read)
        SSL: error:14094416:lib(20):func(148):reason(1046)
2020-11-16 14:33:46 E [18048] Uncaught exception: NodSslException, NodSSL error occurred in completeHandshake.RecvEncryptedData (Internal error in the underlying implementations).
    Local: [::ffff:192.168.xxx.xxx]:9980
    Peer: [::ffff:94.xxx.xxx.xxx]:51534
    TLS protocol:
        SSL: fatal:certificate unknown (read)
        SSL: error:14094416:lib(20):func(148):reason(1046)
2020-11-16 14:33:52 D [14328] Scheduler.Push notification re-send.Run
2020-11-16 14:33:52 D [14328] Scheduler.Push notification re-send.Completed

Edited by BobK

  • ESET Staff

Hello,

We do not officially support user profiles.

As for the MDM logs, I see only errors on the enrollment port (9980), which can be caused by the browser terminating traffic or by other issues. What is important is the MDM communication after enrollment, on port 9981 (enrollment is essentially just a file download over HTTPS). If enrollment doesn't work, there might be another issue.

We might be able to help if we have all the logs required and you are OK with running a production server in a scenario that is not officially supported; please contact our customer care (with MDM trace severity and EESA application logs).

I'm unsure what you mean by EMII. IMEI is accessible only for Android devices enrolled in Device Owner mode (applications are restricted by Google and can't access real device identifiers).

HTH,

M.

Edited by Mirek S.
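As an added example (not part of the original posts and not ESET code), the Python below triages a trace.log extract like the one above: it groups NodSslException entries by local port, so enrollment-port (9980) failures can be separated from port 9981 failures, and unpacks the error code into the TLS alert received from the peer. It assumes NodSSL reports OpenSSL 1.0/1.1 packed error codes, which the `lib(20):func(148):reason(1046)` breakdown in the log matches; the 9981 entry in the sample is constructed.

```python
import re
from collections import Counter

# TLS alert descriptions (RFC 5246, section 7.2) that concern certificate rejection.
TLS_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
              45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}
ENTRY = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [A-Z] \[\d+\] ")
LOCAL = re.compile(r"Local: \[[^\]]*\]:(\d+)")
ERROR = re.compile(r"SSL: error:([0-9A-Fa-f]{8}):")

def decode_openssl_error(hex_code):
    """Unpack an OpenSSL 1.0/1.1 packed error code into (lib, func, reason, alert name)."""
    code = int(hex_code, 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    # In the SSL library (lib 20), reason 1000+N means TLS alert N was received from the peer.
    if lib == 20 and reason >= 1000:
        return lib, func, reason, TLS_ALERTS.get(reason - 1000, f"alert_{reason - 1000}")
    return lib, func, reason, None

def summarize(log_text):
    """Count TLS failures per (local port, alert) across multi-line NodSslException entries."""
    counts, port = Counter(), None
    for line in log_text.splitlines():
        if ENTRY.match(line):
            port = None                      # new timestamped entry: forget the previous port
        elif (m := LOCAL.search(line)):
            port = int(m.group(1))
        elif (m := ERROR.search(line)):
            counts[(port, decode_openssl_error(m.group(1))[3])] += 1
    return counts

# Sample in the format of the extract above; the second exception (port 9981) is constructed.
SAMPLE = """\
2020-11-16 14:33:44 E [1400] Uncaught exception: NodSslException, NodSSL error occurred in completeHandshake.RecvEncryptedData (Internal error in the underlying implementations).
    Local: [::ffff:192.168.xxx.xxx]:9980
    Peer: [::ffff:94.xxx.xxx.xxx]:51518
    TLS protocol:
        SSL: fatal:certificate unknown (read)
        SSL: error:14094416:lib(20):func(148):reason(1046)
2020-11-16 14:33:44 D [17464] HTTP request for URL /common.css , port 9980, from IP [::ffff:94.xxx.xxx.xxx]:51522
2020-11-16 14:33:50 E [1400] Uncaught exception: NodSslException, NodSSL error occurred in completeHandshake.RecvEncryptedData (Internal error in the underlying implementations).
    Local: [::ffff:192.168.xxx.xxx]:9981
    Peer: [::ffff:94.xxx.xxx.xxx]:51600
    TLS protocol:
        SSL: error:14094418:lib(20):func(148):reason(1048)
"""
if __name__ == "__main__":
    for (port, alert), n in sorted(summarize(SAMPLE).items()):
        print(f"port {port}: {alert} x{n}")
```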

Hi,

Thanks for the reply.

Already in contact with Support. Slight change: uninstallation of ESET Mobile Security from the test client's Android Personal Profile may have had an impact. I can now see that the client device is using an old certificate; the MDMCore.msi was reinstalled with the correct new certificate but seems to have rolled back to an old certificate. Could this be the recycled SQL database?

Current MDM Connector status has the alert "HTTPS certificate change still in progress. The old certificate is still being used", and the newly registered (but not properly enrolled yet) Android device shows "Device is connecting with invalid client certificate. Connection refused."

There does not seem to be any way to force a certificate change on the client, so I will suggest to support that we reinstall MDMCore again but delete the database when uninstalling it.

I will keep this thread updated as to progress, as I'm sure others would like to use Profiles.


This topic is now closed to further replies.