If you use the offline installation package to install Symantec Management Agent on a client computer which is inside the corporate network, the Cloud-enabled Management (CEM) policy is not applied to that client computer.

Also, the CEM policy is not applied with an offline package and the following error is found in the logs:

Unable to get the client certificate response XML associated with the specified request (Request: , Exception: Altiris.NS.Exceptions.NSComException (0x00000005): The caller is unauthorized to request a new client certificate.
at Altiris.Web.NS.Agent.GetClientCertificateBase.GetClientCertificateXml())

ITMS 8.x

This problem is related to agent registration when an agent is installed using a CEM package but can connect to the Notification Server (NS) server directly. In this case it tries to access GetClientCertificate.aspx on Default web site, this page can be accessed only with a temporary certificate available from the CEM package. The agent has this certificate but since the default web site is configured to "Ignore" certificates, the certificate is not accepted by the server and the agent validation fails.

Change the IIS configuration for the Symantec Agent site, on the Notification Server, from "Ignore" to "Accept" certificates on the SSL Settings page.

As this issue is caused by IIS configuration settings, changes in ITMS are not planned to address this behavior.