If you experience issues with the connectivity between Client Security for Mac and Policy Manager where the host is not being registered, try using Safari to open the Policy Manager Server welcome page using exactly the same Policy Manager address that was used to export the mpkg package with the HTTPS protocol. If you get the certificate warning before loading the welcome page content, follow the steps given here to establish a proper trust relationship.
Starting with macOS 11.0 Big Sur, Client Security for Mac can no longer modify the system certificate trust settings, but it is still required to establish a trust relationship for secure communication with Policy Manager instances that are addressed by a DNS name. If you don't have the root CA certificate that is used by Policy Manager set as trusted in the macOS System keychain, Safari shows an error message in the certificate details when you open your Policy Manager address:
So starting with macOS 11.0, the Policy Manager root CA certificate has to be explicitly trusted in the system keychain (macOS accepts certificates with .cer or .pem extensions). If you do not have an intermediate CA trusted for use as the Policy Manager CA within your company, you can continue using an automatically generated one on Mac hosts within your company.
- To export a CA certificate, run this command on the computer where Policy Manager Server is installed:
- For Windows:
- For Policy Manager 16: "C:\Program Files\WithSecure\Policy Manager\jre\bin\keytool.exe" -keystore "C:\ProgramData\WithSecure\NS\Policy Manager\Policy Manager Server\data\fspms-ca.jks" -alias fspm-ca -exportcert -file fspms-ca.cer -rfc -protected
- For Policy Manager 15: "C:\Program Files (x86)\F-Secure\Management Server 5\jre\bin\keytool.exe" -keystore "C:\Program Files (x86)\F-Secure\Management Server 5\data\fspms-ca.jks" -alias fspm-ca -exportcert -file fspms-ca.cer -rfc -protected
- For Linux: "/opt/f-secure/fspmc/jre/bin/keytool" -keystore "/var/opt/f-secure/fspms/data/fspms-ca.jks" -alias fspm-ca -exportcert -file fspms-ca.cer -rfc -protected
- Transfer fspms-ca.cer to the Mac host and run the following command to trust it on the system level (you will be prompted for your admin password).
- Run the following command in the Terminal: sudo security add-trusted-cert -d -r trustRoot -p ssl -k /Library/Keychains/System.keychain "path/to/certificate/file/fspms-ca.cer"
Note: You can also use MDM solutions to deploy the CA certificate to all Mac hosts within the company.
Once all steps are complete, the newly added certificate should appear in "Keychain Access.app" like this:
The Policy Manager Server welcome page should now open in Safari, showing the site certificate as trusted.
To connect to Policy Manager Server or Policy Manager Proxy, Client Security for Mac also requires that they have properly created server certificates. The certificate is issued to the IP address or fully qualified DNS name that the managed client uses as the Policy Manager Server or Policy Manager Proxy connection address. If the name used by the client and the name provided by Policy Manager in the certificate do not match, Safari shows an error message in the certificate details when you open the Policy Manager address:
If Policy Manager Server or Policy Manager Proxy are not able to properly resolve their own DNS address automatically (i.e. external DNS records differ from hostnames), you can use the following additional_java_args to explicitly set custom certificate properties:
- certAdditionalDns to specify a comma-separated list of additional DNS values for the subject's alternative names
- certAdditionalIp to specify a comma-separated list of additional IP addresses for the subject's alternative names
- certForceSubject to override the TLS certificate subject; the value must contain a comma-separated list of all values required to generate the subject
Note: See the following article for more details on additional_java_args:
https://community.withsecure.com/en/kb/articles/5631-policy-manager-advanced-configuration-settings
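The two conditions Safari checks before showing the site as trusted (the server certificate chains to the root CA you imported, and its subject alternative names cover the exact address the client uses) can also be checked from a Terminal. The script below is an added example, not part of the WithSecure article; it assumes an OpenSSL 1.1.1 or newer `openssl` binary (for the `-verify_hostname`, `-verify_ip` and `-ext` options, which the LibreSSL bundled with macOS may not provide) and uses a constructed hostname and IP as placeholders.

```shell
#!/bin/sh
# Added example (not from the article): verify that a Policy Manager server
# certificate chains to the exported fspms-ca.cer and that its SANs cover the
# address the Mac client uses. Assumes an OpenSSL 1.1.1+ "openssl" binary.

# pm_cert_ok CA_FILE SERVER_CERT_PEM ADDRESS
# Returns 0 when chain and name both verify, 2 on a name (SAN) mismatch,
# 1 when the certificate is not issued by the CA in CA_FILE.
pm_cert_ok() {
    ca="$1"; cert="$2"; addr="$3"
    # An IP literal must match an IP: SAN, a DNS name a DNS: SAN, so pick the
    # matching openssl option (addresses made only of digits and dots are IPs).
    case "$addr" in
        *[!0-9.]*) nameopt="-verify_hostname" ;;
        *)         nameopt="-verify_ip" ;;
    esac
    if openssl verify -CAfile "$ca" "$nameopt" "$addr" "$cert" >/dev/null 2>&1; then
        echo "OK: $cert chains to $ca and matches $addr"
        return 0
    fi
    # Separate the two failure modes so the fix is obvious: if the chain alone
    # verifies, only the name is wrong (fix with certAdditionalDns/Ip and renew).
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "NAME MISMATCH: certificate does not cover $addr; its SANs are:"
        openssl x509 -in "$cert" -noout -ext subjectAltName
        return 2
    fi
    echo "CHAIN FAILURE: $cert is not issued by the CA in $ca (wrong or stale fspms-ca.cer)"
    return 1
}

# fetch_pm_cert ADDRESS PORT OUTFILE
# Saves the leaf certificate the server presents (needs network access to the
# Policy Manager Server or Proxy; use the address from the exported mpkg).
fetch_pm_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Constructed usage (placeholder address and the default HTTPS port of the
# welcome page are assumptions):
# fetch_pm_cert pm.example.internal 443 /tmp/pm-server.pem
# pm_cert_ok ~/fspms-ca.cer /tmp/pm-server.pem pm.example.internal
```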
To force certificate renewal:
For Policy Manager Server:
- Stop the Policy Manager service.
- Remove fspms.jks file from the following locations:
- On Windows:
- For Policy Manager 16: C:\ProgramData\WithSecure\NS\Policy Manager\Policy Manager Server\data\fspms.jks
- For Policy Manager 15: C:\Program Files (x86)\F-Secure\Management Server 5\data\fspms.jks
- On Linux: /var/opt/f-secure/fspms/data/fspms.jks
- Start the Policy Manager service. The certificate is created on service startup.
For Policy Manager Proxy:
- Stop the Policy Manager Proxy service.
- Run the fspmp-enroll-tls-certificate tool, located in one of the following locations, to request the new certificate from the Policy Manager Server.
- On Windows:
- For Policy Manager 16: C:\Program Files\WithSecure\Policy Manager\Policy Manager Server\bin\fspmp-enroll-tls-certificate.bat
- For Policy Manager 15: C:\Program Files (x86)\F-Secure\Management Server 5\bin\fspmp-enroll-tls-certificate.bat
- On Linux:
- /opt/f-secure/fspms/bin/fspmp-enroll-tls-certificate
- Start the Policy Manager Proxy service.