MSP certificate issues in installation of ESET Endpoint Security on Android


Hi!

I'm having certificate issues during the installation of ESET Endpoint Security on Android mobile devices.

This question is related to both MDM and "customer care" issues with an ESET MSP.

This forum is the most related one among the ones I can select for a new topic.
Apologies if it is the wrong place; let me know the right forum in such a case.

I'm looking for suggestions on a good way to proceed in a case like the one described below.

Thanks in advance for any suggestion.

Case description:

I'm having certificate issues during the installation of ESET Endpoint Security on Android mobile devices.
I have an MSP business license. The MSP provider emailed me a link (to open on the devices) that, via an intermediate page, leads to play store to download/install the ESET Endpoint Security app.

The link's target page opens with a certificate error:
Firefox error is SEC_ERROR_UNKNOWN_ISSUER
Chrome error is NET::ERR_CERT_AUTHORITY_INVALID

It seems to be some kind of certificate misconfiguration on the MSP side so I stopped and opened a ticket reporting it to the MSP along with the info about the invalid certificate.
They replied and immediately marked the issue as resolved:
    "the installation can be completed even in case of expired certificates"

This seemed strange to me.
The error is not about "expired certificates", it is about invalid Certification Authority.
Accepting their advice I used the link to download the product from the store but when the app starts another certificate error pops up, this time in a window with the options "proceed anyway" and "cancel" and the following message (*1):

    Your certificate is not setup properly
    You may have setup your certificate incorrectly or you might be under attack from third parties trying to steal your data

I asked myself "Is it really ok to continue?".
I reopened the ticket asking the MSP to confirm the legitimacy of the certificate in the previous communication.
They replied and immediately marked the issue as resolved, again:
    You can proceed with the installation.
    ESET has no contraindications about the AV engine operations.

Here again the MSP response seems to be vague.
The ticket is about the legitimacy of the certificate. I can't understand why they are talking about "contraindications about the ESET AV engine operations".
There seems to be something wrong here but I'm not sure about it.

I'm trying to figure out what is going on. Maybe I'm behaving with an excess of caution, or it could be neglect on the MSP side.

What could be a good way to proceed in such cases?

Is it right to insist on fixing the certificate issue before continuing with the installation?
Or is it not a big deal and I'm just getting it the wrong way?

Thanks for any help.

FOOTNOTE:
(*1) The certificate info in both the link page and the app refers to the same certificate (both have the same SHA-256 fingerprint)


  • ESET Staff

Hello @Amafito

It seems to me that the MSP has incorrectly set up the certificate, which is untrusted by the device. I have forwarded it to the respective colleagues, who might suggest what needs to be done on the MSP side, so you will not get any errors.

Regards,

Michal 

 


  • ESET Staff
Posted (edited)

Hello,

As @MichalJ noted, this is an "issue" on the MSP provider's side, where he installed a certificate which is not trusted by Android devices by default.

The situation can be remedied by using a 3rd-party certificate (not ESMC/not self-signed) trusted by the Android certificate store by default.

Note this issue is related only to enrollment; after enrollment is complete (i.e. you manually choose to trust the MSP-generated certificate), the connection is secure.

There does not seem to be an official list of trusted root CAs preinstalled with Android, so I'll at least point out the same list for Apple devices.

https://support.apple.com/en-us/HT205205

For our cMDM solution I believe we are using a DigiCert-signed certificate, which works across a large range of devices and versions.

Whether you require your MSP to fix that certificate depends on your flow: whether your users (or users across your company) are skilled enough to ensure it's actually the MSP certificate and not a DNS spoof which could enroll you to a different MDM, or not. Another option would be manually adding the root CA of the certificate used by the MSP into the Android trusted root CA store, with some secure delivery path, prior to enrollment.

My opinion would be to require this, as certificates can be free (Let's Encrypt was successfully used with our users) and the extra load of verifying where you're enrolling should not be your business in an MSP-managed environment.

HTH,

M.

Edited by Mirek S.
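
The manual check discussed in this thread (confirming that an untrusted enrollment certificate really is the MSP's before choosing to trust it) can be done by comparing SHA-256 fingerprints. This is an added example, not part of the original posts or ESET's tooling; the host name `mdm.msp.example` and both certificates are constructed for the demo, and the fingerprint is assumed to reach you from the MSP over a separate channel.

```bash
#!/usr/bin/env bash
# Added example. Host name and certificates are constructed for the demo.
set -eu
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Create a self-signed certificate, as an MSP might for its enrollment host.
make_selfsigned() {   # $1 = output prefix, $2 = common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# SHA-256 fingerprint as lowercase hex without separators.
sha256_fp() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 |
    cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# True when issuer and subject are identical, i.e. no CA vouches for it.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')" = \
    "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')" ]
}

# Compare a certificate with the fingerprint the MSP supplied out of band
# (phone, signed mail); accepts "AB:CD:.." or plain hex in either case.
check_pin() {         # $1 = certificate file, $2 = expected fingerprint
  want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
  if [ "$(sha256_fp "$1")" = "$want" ]; then echo match; else echo MISMATCH; fi
}

make_selfsigned "$workdir/msp" "mdm.msp.example"     # the MSP's certificate
make_selfsigned "$workdir/other" "mdm.msp.example"   # same name, different key

# Value the MSP would read out, in the colon-separated form browsers display.
pin=$(openssl x509 -in "$workdir/msp.pem" -noout -fingerprint -sha256 | cut -d= -f2)

is_self_signed "$workdir/msp.pem" && echo "self-signed: no preinstalled CA vouches for it"
echo "MSP certificate:      $(check_pin "$workdir/msp.pem" "$pin")"
echo "same name, other key: $(check_pin "$workdir/other.pem" "$pin")"
```

A matching host name proves nothing here, since both certificates carry the same name; only the fingerprint distinguishes them, which is why it has to come from the MSP through a path other than the enrollment link itself.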