Mac agent is unable to register back to the Symantec Management Platform Server


Article ID: 263156


Products

IT Management Suite Client Management Suite

Issue/Introduction

The customer recently reinstalled the Symantec Management Agent (SMA) on one of their Mac machines.

After the agent loads, the Mac machine receives the initial settings policy, but after that it is unable to receive any new configuration.

The Agent logs (under /opt/altiris/notification/nsagent/var/) show the following messages:

INFO 2023-03-27 10:57:17.564     38115  123145421242368  PolicyManager > Final results of the policy refresh:
  Return = 2214592525, Failed to update policies from the Notification Server
  PolicyStatus = 2164916228, The agent is not registered
  DownloadStatus = 0, Success
  PolicyError = The agent is not registered
INFO 2023-03-27 10:57:17.623     38115  123145420419072  ClientEvent > ULM Agent was registered on NS, start the event queue.
INFO 2023-03-27 10:57:17.625     38115  123145420419072  PolicyManager > ULM Agent was registered on NS, send basic inventory and perform policy refresh.

....

INFO 2023-03-27 10:57:43.726     38115  123145422614528  PolicyManager > RefreshPoliciesImpl(): Initial settings policy received.

WARN 2023-03-27 20:59:30.832     38115  123145422876672  MachineIDObject_i > Can't send data to server, Error is :2147549190,Could not resolve host 

WARN 2023-03-27 20:59:33.273     38115  123145422602240  CT-download > Transfer failed ('38115_123145422602240_1679975972_2998817726'): Attempt for url https://ns2018.example.net:443/Altiris/NS/Agent/PostEvent.aspx?source={55158E99-1616-43D2-BE78-EBE22A01B056}&encrypted=1 returned 2164588563, Could not resolve host: ns2018.example.net

WARN 2023-03-27 20:59:33.280     38115  123145422602240  EventQueue > TrySendEvent(): Unable to send queued event /opt/altiris/notification/nsagent/var/queue/200.000000000167997597200000.nse: 2164588563, Failed connect to gateway.
INFO 2023-03-27 20:59:35.015     38115  123145423151104  PolicyManager > UpdatePolicies(): Getting URL: https://ns2018.example.net:443/Altiris/NS/Agent/GetClientPolicies.aspx

WARN 2023-03-27 21:02:00.132     38115  123145418248192  CT-download > Transfer failed ('38115_123145418248192_1679976055_1403007887'): Attempt for url https://ns2018.example.net:443/Altiris/NS/Agent/CreateResource.aspx?nsversion=1 returned 2147549212, Operation timed out after 60073 milliseconds with 0 out of 0 bytes received

INFO 2023-03-27 21:02:00.138     38115  123145418248192  NetworkMonitor > NS is unavailable, basic inventory and agent health will not be sent.

Environment

ITMS 8.6, 8.7

Cause

  1. "Initial settings policy received."
    This means that the agent is not fully registered on the NS and does not fall into the collections, so it is unable to receive a proper policy.
  2. Later in the logs, the following appears:
    url https://ns2018.example.net:443/Altiris/NS/Agent/ConnectionTest.asp returned 2147549212, Operation timed out

    The SMA tries to receive policies and send events to the SMP Server and fails due to connectivity errors (Could not resolve host: ns2018.domain.net).

All these connectivity issues were caused by improper configuration of the (Initial Settings) policy.

We noticed that under Targeted Agent Settings>(Initial Settings)>UNIX/Linux/Mac tab, the customer had the option "Use system CA store for certificate checks" turned on.
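The log pattern described above can be checked mechanically. The following triage script is an added example, not Broadcom tooling: the symptom names, regular expressions and `triage` function are assumptions derived from the log lines quoted in this article, and the sample input is constructed from them.

```python
import re
from collections import Counter

# Header layout of the agent log lines quoted in this article:
# LEVEL DATE TIME PID THREAD COMPONENT > MESSAGE
LINE = re.compile(r"^[A-Z]+\s+(\S+ \S+)\s+\d+\s+\d+\s+\S+ > (.*)$")
HOST = re.compile(r"https://([^:/\s]+)")

# Symptom strings come from the log excerpt; the symptom names are this example's own.
SYMPTOMS = {
    "not_registered": re.compile(r"agent is not registered"),
    "initial_policy": re.compile(r"Initial settings policy received"),
    "dns_failure": re.compile(r"Could not resolve host"),
    "timeout": re.compile(r"Operation timed out"),
    "ns_unavailable": re.compile(r"NS is unavailable"),
}
CONNECTIVITY = {"dns_failure", "timeout", "ns_unavailable"}

def triage(log_text):
    """Flag an agent that got the initial settings policy and then lost the server."""
    hits, hosts, initial_at, failures_after = Counter(), set(), None, 0
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        # Continuation lines ("PolicyStatus = ...") carry no header or timestamp.
        stamp, msg = (m.group(1), m.group(2)) if m else (None, raw)
        for name, pat in SYMPTOMS.items():
            if not pat.search(msg):
                continue
            hits[name] += 1
            if name == "initial_policy":
                initial_at = initial_at or stamp
            elif name in CONNECTIVITY and initial_at and stamp and stamp > initial_at:
                # Fixed-width timestamps compare correctly as strings.
                failures_after += 1
                hosts.update(HOST.findall(msg))
    return {"hits": dict(hits), "hosts": sorted(hosts),
            "stuck_on_initial_settings": failures_after > 0}

# Constructed sample: lines abridged from the excerpt in this article.
SAMPLE = """\
INFO 2023-03-27 10:57:17.564     38115  123145421242368  PolicyManager > Final results of the policy refresh:
  PolicyStatus = 2164916228, The agent is not registered
INFO 2023-03-27 10:57:43.726     38115  123145422614528  PolicyManager > RefreshPoliciesImpl(): Initial settings policy received.
WARN 2023-03-27 20:59:33.273     38115  123145422602240  CT-download > Transfer failed: Attempt for url https://ns2018.example.net:443/Altiris/NS/Agent/PostEvent.aspx returned 2164588563, Could not resolve host: ns2018.example.net
WARN 2023-03-27 21:02:00.132     38115  123145418248192  CT-download > Transfer failed: Attempt for url https://ns2018.example.net:443/Altiris/NS/Agent/CreateResource.aspx?nsversion=1 returned 2147549212, Operation timed out after 60073 milliseconds
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `stuck_on_initial_settings` result of `True` means connectivity failures followed the initial settings policy, which is the point at which to review the (Initial Settings) policy options described in this article.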

 

Resolution

Note:

To uninstall the whole agent with all plug-ins in the correct order, it is more convenient to use the utility that ships with the SMA code installation:

"/opt/altiris/notification/nsagent/bin/aex-uninstall -f"
It is also possible to remove the "/opt/altiris/notification/" directory after uninstalling, in case some wrong configurations or binaries are left behind and the uninstallation was unable to delete some user-created data.

 

After the customer disabled the "Use system CA store for certificate checks" setting, the Mac machine could register and get the proper Agent policy. The Mac machines that were having issues now seem to be working.

Note that this checkbox is OFF by default, and it is not possible to simply check it: the name of the certificate must also be entered by hand. This means the checkbox was configured by admins previously.

When the checkbox is checked, the entry field should contain the name of the file containing the certificates that will be used to verify certificates used in the negotiation process. If you do not specify this, only the certificate that the agent has received from servers or from the offline package is used.

This option is meant for setting up the HTTPS transport with its own custom certificates and should be used with care, since it requires a lot of manual set-up work from the admin (it has existed since 2015).