The customer recently reinstalled the Symantec Management Agent (SMA) on one of his Mac machines.
After the agent loads, the Mac machine receives the initial settings policy, but after that it is unable to receive new configuration.
The Agent logs (under /opt/altiris/notification/nsagent/var/) show the following messages:
INFO 2023-03-27 10:57:17.564 38115 123145421242368 PolicyManager > Final results of the policy refresh:
Return = 2214592525, Failed to update policies from the Notification Server
PolicyStatus = 2164916228, The agent is not registered
DownloadStatus = 0, Success
PolicyError = The agent is not registered
INFO 2023-03-27 10:57:17.623 38115 123145420419072 ClientEvent > ULM Agent was registered on NS, start the event queue.
INFO 2023-03-27 10:57:17.625 38115 123145420419072 PolicyManager > ULM Agent was registered on NS, send basic inventory and perform policy refresh.
....
INFO 2023-03-27 10:57:43.726 38115 123145422614528 PolicyManager > RefreshPoliciesImpl(): Initial settings policy received.
WARN 2023-03-27 20:59:30.832 38115 123145422876672 MachineIDObject_i > Can't send data to server, Error is :2147549190,Could not resolve host
WARN 2023-03-27 20:59:33.273 38115 123145422602240 CT-download > Transfer failed ('38115_123145422602240_1679975972_2998817726'): Attempt for url https://ns2018.example.net:443/Altiris/NS/Agent/PostEvent.aspx?source={55158E99-1616-43D2-BE78-EBE22A01B056}&encrypted=1 returned 2164588563, Could not resolve host: ns2018.example.net
WARN 2023-03-27 20:59:33.280 38115 123145422602240 EventQueue > TrySendEvent(): Unable to send queued event /opt/altiris/notification/nsagent/var/queue/200.000000000167997597200000.nse: 2164588563, Failed connect to gateway.
INFO 2023-03-27 20:59:35.015 38115 123145423151104 PolicyManager > UpdatePolicies(): Getting URL: https://ns2018.example.net:443/Altiris/NS/Agent/GetClientPolicies.aspx
WARN 2023-03-27 21:02:00.132 38115 123145418248192 CT-download > Transfer failed ('38115_123145418248192_1679976055_1403007887'): Attempt for url https://ns2018.example.net:443/Altiris/NS/Agent/CreateResource.aspx?nsversion=1 returned 2147549212, Operation timed out after 60073 milliseconds with 0 out of 0 bytes received
INFO 2023-03-27 21:02:00.138 38115 123145418248192 NetworkMonitor > NS is unavailable, basic inventory and agent health will not be sent.
ITMS 8.6, 8.7
All these connectivity issues were caused by improper configuration of the (Initial Settings) policy.
We noticed that under Targeted Agent Settings > (Initial Settings) > UNIX/Linux/Mac tab, he had the option "Use system CA store for certificate checks" turned on.
Note:
To uninstall the whole agent with all plug-ins in the correct order, it is more convenient to use the utility which ships with the SMA code installation:
"/opt/altiris/notification/nsagent/bin/aex-uninstall -f"
It is also possible to remove the "/opt/altiris/notification/" directory after uninstalling, in case some wrong configurations or binaries are left behind and the uninstallation was unable to delete some user-created data.
After the customer disabled the "Use system CA store for certificate checks" setting, the Mac machine could register and get the proper Agent policy. The Mac machines that were having issues now seem to be working.
Note that this checkbox is OFF by default, and it cannot simply be checked: the name of the certificate must also be entered by hand. This means the checkbox was configured by admins previously.
When the checkbox is checked, the entry field should contain the name of the file containing the certificates that will be used to verify the certificates used in the negotiation process. If this is not specified, only the certificate that the agent has received from servers or from the offline package is used.
This option is meant for setting up the HTTPS transport with its own custom certificates and should be used with care, since it requires a lot of manual set-up work from the admin (it has existed since 2015).
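To triage an agent log like the excerpt above, the following added example (not part of the original article and not Symantec code) extracts the policy refresh status lines and counts failed transfers per Notification Server endpoint. The function name `triage` and the regular expressions are assumptions derived only from the line layout visible in the excerpt.

```python
import re
from collections import Counter

# Record header: LEVEL, timestamp, pid, thread id, component, then the message.
RECORD = re.compile(r"^(?P<level>[A-Z]+) (?P<ts>\d{4}-\d{2}-\d{2} [\d:.]+) \d+ \d+ "
                    r"(?P<component>\S+) > (?P<msg>.*)$")
# Continuation lines of the refresh summary, e.g. "PolicyStatus = 2164916228, ...".
STATUS = re.compile(r"^(?P<key>\w+) = (?:(?P<code>\d+), )?(?P<text>.*)$")
# Failed transfers: host, endpoint path (query string dropped), code, reason.
TRANSFER = re.compile(r"Attempt for url https?://(?P<host>[^/:]+)(?::\d+)?"
                      r"(?P<path>/[^? ]*)\S* returned (?P<code>\d+), (?P<reason>.*)$")

def triage(log_text):
    """Summarise refresh status and per-endpoint transfer failures in an agent log."""
    out = {"refresh": {}, "failures": Counter(), "initial_policy_at": None}
    for line in map(str.strip, log_text.splitlines()):
        rec = RECORD.match(line)
        if rec is None:
            st = STATUS.match(line)  # not a record header: maybe a status line
            if st:
                code = int(st["code"]) if st["code"] else None
                out["refresh"][st["key"]] = (code, st["text"])
            continue
        if "Initial settings policy received" in rec["msg"]:
            out["initial_policy_at"] = rec["ts"]
        tf = TRANSFER.search(rec["msg"])
        if rec["level"] == "WARN" and tf:
            out["failures"][(tf["host"], tf["path"], int(tf["code"]))] += 1
    return out

# Sample input: lines copied from the log excerpt on this page.
SAMPLE = """\
INFO 2023-03-27 10:57:17.564 38115 123145421242368 PolicyManager > Final results of the policy refresh:
Return = 2214592525, Failed to update policies from the Notification Server
PolicyStatus = 2164916228, The agent is not registered
DownloadStatus = 0, Success
PolicyError = The agent is not registered
INFO 2023-03-27 10:57:43.726 38115 123145422614528 PolicyManager > RefreshPoliciesImpl(): Initial settings policy received.
WARN 2023-03-27 20:59:33.273 38115 123145422602240 CT-download > Transfer failed ('38115_123145422602240_1679975972_2998817726'): Attempt for url https://ns2018.example.net:443/Altiris/NS/Agent/PostEvent.aspx?source={55158E99-1616-43D2-BE78-EBE22A01B056}&encrypted=1 returned 2164588563, Could not resolve host: ns2018.example.net
WARN 2023-03-27 21:02:00.132 38115 123145418248192 CT-download > Transfer failed ('38115_123145418248192_1679976055_1403007887'): Attempt for url https://ns2018.example.net:443/Altiris/NS/Agent/CreateResource.aspx?nsversion=1 returned 2147549212, Operation timed out after 60073 milliseconds with 0 out of 0 bytes received
"""

if __name__ == "__main__":
    summary = triage(SAMPLE)
    for key, (code, text) in summary["refresh"].items():
        print(f"{key}: {code} {text}")
    print("initial settings policy received at", summary["initial_policy_at"])
    for (host, path, code), n in summary["failures"].items():
        print(f"{n}x {host}{path} -> {code}")
```

Failures that all begin after the "Initial settings policy received" timestamp point at a setting delivered by that policy, which matches the cause described in this article.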