How to debug in MacOS environment ?

SecurMander
SecurMander W/ Member Posts: 15 Security Scout
edited June 2023 in WithSecure Business Suite

Hi,

Have a communication problem with some MacOS clients: they don't appear in PMS.

What I did is to check :

1- /usr/local/f-secure/fsmac/sysconfig/pm_address

2- /usr/local/f-secure/fsmac/sysconfig/pm_fingerprint

3- the PMS certificate in the system's keychains and trust it

I'd like to know if there is a guide line to follow about debugging to solve this problem.

Thank you !

Best Answer

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 498 Moderator
    Answer ✓

    Hi,

    Firstly, can the MacOS host reach the Policy Manager via http browser ?

    There are several reasons why F-Secure Client Security for Mac host is unable to connect to the Policy Manager Server after the installation as below:

    • The Policy Manager Address and ports were misconfigured during the exporting process
    • The .mpkg filename was modified after exporting the installer from the Policy Manager Console
    • Certificate issue 

    Before you start troubleshooting, make sure that you have tried the installation with the latest Client Security for Mac installer. You can find the latest installers on the Downloads page.


    1. Make sure that you have used the correct Policy Manager Address when exporting the .mpkg installer.


    2. Make sure that you have not modified the .mpkg filename:


    When you export the .mpkg installation package from the Policy Manager Server, the Policy Manager address and activation key is embedded in the filename. If the filename is modified, the client is unable to read the correct Policy Manager address and activation key during installation.


    Check these files, if they exist and license is active to determine that the product is installed correctly.

    • /usr/local/f-secure/fsmac/sysconfig/pm_fingerprint
    • /usr/local/f-secure/fsmac/sysconfig/pm_address

    3. Check for any certificate issue by using Safari browser to open the Policy Manager Server welcome page.

    . If there is a certificate issue, you could perform the following steps in order to solve it.

     1. Run this command on Policy Manager Server to export CA certificate

       

    In case of Windows:


    "c:\Program Files (x86)\F-Secure\Management Server 5\jre\bin\keytool.exe" -keystore "c:\Program Files (x86)\F-Secure\Management Server 5\data\fspms-ca.jks" -alias fspm-ca -exportcert -file fspms-ca.cer -rfc -protected


    In case of Linux:


    /opt/f-secure/fspms/jre/bin/keytool -keystore /var/opt/f-secure/fspms/data/fspms-ca.jks -alias fspm-ca -exportcert -file fspms-ca.cer -rfc -protected


    2. Transfer the exported certificate of "fspms-ca.cer" to the Big Sur clients


    3. Run the following command to trust it on the system level (you will be prompted to enter a password for admin credentials)


    sudo security add-trusted-cert -d -r trustRoot -p ssl -k "/Library/Keychains/System.keychain" "path/to/certificate/file/fspms-ca.cer"


    Note: You can also use MDM solutions to deploy the CA certificate to all Mac hosts within the company.


    For more detailed information, you could refer to the following community article.


    https://community.f-secure.com/business-suite-en/kb/articles/8933-resolving-connectivity-issues-between-client-security-for-mac-and-policy-manager 


    In case of existing client installation with the connectivity status update issue, you could consider to increase the maximum uploaded package size (maxUploadedPackageSize) to 10 MB as recommended in the community article below and check if there is any improvement after that.


    https://community.f-secure.com/en/discussion/72281/policy-managers-package-upload-limitation-may-cause-status-updates-issues


    You may refer to the following article for more details on how to configure the "maxUploadedPackageSize" setting in Policy Manager server.


    https://community.f-secure.com/business-suite-en/kb/articles/5631-policy-manager-advanced-configuration-settings

Answers

  • SecurMander
    SecurMander W/ Member Posts: 15 Security Scout

    I forgot to add the syslog.

    This is what I found:

    /usr/local/bin/fsav[18212]: Subscription check: Failed to initialize connection to AUA: FSAUA_NOT_AVAILABLE

    /usr/local/bin/fsav[18212]: Subscription check: Failed to get value of channel variable VUser: FSAUA_NOT_INITIALIZE

    /com.f-secure.SECL-SECL[18212]: Subscription check: Failed to get value of channel variable User: FSAUA_NOT_INITIALIZED

    com.f-secure.SECL-SECL[18212]: Subscription check: Failed to initialize connection to AUA: FSAUA_NOT_AVAILABLE

  • SecurMander
    SecurMander W/ Member Posts: 15 Security Scout

    Hi,

    A big thank you for your detailed answer that will be really useful for debug.

    Just some question about the certificate: if I use a F-Secure Manager Proxy with a company-trusted certificate, do I need to export both certificates (fspms and fspmp) on Macbook's client and validate them with both root and client account ? Or do I only have to export a new .mpkg with the fspmp information (which should embedded the company-trusted certificate) ?

    Thank you!

  • Sethu Laks
    Sethu Laks W/ Partner, W/ Staff, W/ Moderator Posts: 205 Moderator

    Hi @SecurMander

    You should export the CA certificate from FSPMS and transfer it to the Mac client to be trusted. 

    Thanks

    Sethu

  • jaynwatson
    jaynwatson W/ Alumni Posts: 1 Security Scout

    Thanks for this guide

This discussion has been closed.