WSS Agent is not fully loaded error after install via MDM
Article ID: 232403
Updated On:
Products
Cloud Secure Web Gateway - Cloud SWG
Issue/Introduction
WSS Agent is not fully loaded after installing via an MDM. The command systemextensionsctl list shows that the WSS Agent network extension is being loaded and activated.
% systemextensionsctl list
* * Y2CCP3S9W7 com.symantec.wssa.wssax (7.5.1.16390/7.5.1) WSSA Network Extension [activated enabled]
Environment
- Web Security Service
- WSS Agent 7.2.1+
- macOS Big Sur 11+
Cause
The problem is caused by VPN profiles being set up incorrectly.
The error message found in the macOS system console logs indicated that the Provider Designated Requirement did not match, therefore it failed to create it from the anchor. The error shows "/ exists /" without the asterisks.
error 20:56:34.918236-0600 nesessionmanager Failed to create a designated requirement from anchor apple generic and identifier
"com.symantec.wssa.wssax" and (certificate leaf[field.1.2.840.113635.100.6.1.9] / exists / or
certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists / and
certificate leaf[subject.OU] = Y2CCP3S9W7)
Resolution
To resolve the problem, make sure that the VPN profiles were configured correctly and are identical to those instructions provided in the article: Install WSS Agent on macOS Big Sur under MDM—New Installations on Big Sur.
The Provider Designated Requirement should be as shown below. It SHOULD be /* exists */.
anchor apple generic and identifier "com.symantec.wssa.wssax" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */
or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */
and certificate leaf[subject.OU] = Y2CCP3S9W7)
Feedback
Yes
No
Powered by
