If you use the offline installation package to install Symantec Management Agent on a client computer which is inside the corporate network, the Cloud-enabled Management (CEM) policy is not applied to that client computer.
Also, the CEM policy is not applied with an offline package.
This problem is related to agent registration when an agent is installed using a CEM package but can connect to the Notification Server (NS) server directly. In this case it tries to access GetClientCertificat.aspx on Default web site, this page can be accessed only with a temporary certificate available from the CEM package. The agent has this certificate but since the default web site is configured to "Ignore" certificates, the certificate is not accepted by the server and agent validation fails.
Change the IIS configuration for the Symantec Agent site, on the NS from, from "Ignore" to "Accept" certificates on the SSL Settings page.
As this issue is caused by IIS configuration settings, program changes are not planned to address the behavior.
ITMS 7.5 and later Hotfixes
(the problem can appear on any version of ITMS 7.5)