Amafito 0 Posted June 7, 2021 Share Posted June 7, 2021 Hi! I'm having certificate issues during the installation of ESET Endpoint Security on Android mobile devices. This question is related to both MDM and "customer care" issues with an ESET MSP. This forum is the most related one among the ones I can select for a new topic. Apologies if it is the wrong place, Let me know the right forum in such case. I'm looking for suggestions on how is a good way to proceed in a case like the one described below. Thanks in advance for any suggestion. Case description: I'm having certificate issues during the installation of ESET Endpoint Security on Android mobile devices. I have an MSP business license. The MSP provider emailed me a link (to open on the devices) that, via an intermediate page, leads to play store to download/install the ESET Endpoint Security app. The link's target page opens with a certificate error: firefox error is SEC_ERROR_UNKNOWN_ISSUER chrome error is NET::ERR_CERT_AUTHORITY_INVALID It seems to be some kind of certificate misconfiguration on the MSP side so I stopped and opened a ticket reporting it to the MSP along with the info about the invalid certificate. They replied and immediately marked the issue as resolved: "the installation can be completed even in case of expired certificates" This seemed strange to me. The error is not about "expired certificates", it is about invalid Certification Authority. Accepting their advice I used the link to download the product from the store but when the app starts another certificate error pops up, this time in a window with the options "proceed anyway" and "cancel" and the following message (*1): Your certificate is not setup properly You may have setup your certificate incorrectly or you might be under attack from third parties trying to steal your data I asked myself "Is it really ok to continue?". I reopened the ticket asking the MSP to confirm the legit of the certificate in previous communication. They replied and immediately marked the issue as resolved, again: You can proceed with the installation. ESET has no contraindications about the AV engine operations. Here again the MSP response seems to be vague. The ticket is about the legit of the certificate. I can't understand why they are talking about "contraindications about the ESET AV engine operations". There seems to be something wrong here but I'm not sure about it. I'm trying to figure out what is going on. Maybe I'm behaving with an excess of caution, or it could be a neglect on the MSP side. What could be a good way to proceed in such cases? Is it right to insist on fixing the certificate issue before continue with the installation? Or is it not a big deal and I'm just getting it in the wrong way. Thanks for any help. FOOTNOTE: (*1) The certificate info in both the link page and the app refers to the same certificate (both have the same SHA-256 fingerprint) Link to comment Share on other sites More sharing options...
ESET Staff MichalJ 434 Posted June 7, 2021 ESET Staff Share Posted June 7, 2021 Hello @Amafito It seems to me, that the MSP has incorrectly setup the certificate, which is untrusted by the device. I have forwarded it to the respective colleagues, which might suggest what needs to be done on the MSP side, so you will not get any errors. Regards, Michal Link to comment Share on other sites More sharing options...
ESET Staff Mirek S. 18 Posted June 7, 2021 ESET Staff Share Posted June 7, 2021 (edited) Hello, As @MichalJ noted, this is "issue" on MSP provider side, where he installed certificate which is not by default trusted by Android devices. Situation can be remedied by using 3rd party certificate (not ESMC/not self-signed) trusted by Android certificate store by default. Note this issue is related only to enrollment, after enrollment is complete (I.e. You manually choose to trust MSP generated certificate) connection is secure. There does not seem to be official list of trusted root CAs preinstalled with Android, so I'll at least point out same list for Apple devices. https://support.apple.com/en-us/HT205205 For our cMDM solution I believe we are using digicert signed certificate which works across large range of devices and versions. Whether You require Your MSP to fix that certificate depends on Your flow. If Your users (or users across Your company) are skilled enough to ensure it's actually the MSP certificate and not a DNS spoof which could enroll You to different MDM or not. Another option would be manually adding root CA of MSP used certificate into Android trusted root CA store with some secure delivery path prior to enrollment. My opinion would be to require this as certificates can be for free (Let's encrypt was successfully used with our users) and extra load of verification of where You're enrolling should not be Your business in MSP managed environment. HTH, M. Edited June 7, 2021 by Mirek S. Link to comment Share on other sites More sharing options...
Recommended Posts