Troubleshooting - Mac Agent
  • 2 Minutes to read
  • PDF

Troubleshooting - Mac Agent

  • PDF

About this document


This document lists down the possible errors and their solution you may encounter while installing and using Mac Agent.

Errors


Unable to install SAFE

Error: “safe_Vxxxx.pkg” can’t be opened because it was not downloaded from the App Store.

Solution

  1. Open System Preferences from the Apple menu, then click the Security & Privacy icon.
  2. Click the “Open Anyway” option.
  3. Click the Open button.

Unable to communicate with SAFE Server

Logfile location: “/Library/Application Support/com.safe.security“

Error: An SSL error has occurred and a secure connection to the server cannot be made.

Solution

Please make sure your server certificate is following below requirements:

All TLS server certificates must comply with these new security requirements in iOS 13 and macOS 10.15:

  • TLS server certificates and issuing CAs using RSA keys must use key sizes greater than or equal to 2048 bits. Certificates using RSA key sizes smaller than 2048 bits are no longer trusted for TLS.
  • TLS server certificates and issuing CAs must use a hash algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed certificates are no longer trusted for TLS.
  • TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.

Additionally, all TLS server certificates issued after July 1, 2019 (as indicated in the NotBefore field of the certificate) must follow these guidelines:

  • TLS server certificates must contain an ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.
  • TLS server certificates must have a validity period of 825 days or fewer (as expressed in the NotBefore and NotAfter fields of the certificate).

Connections to TLS servers violating these new requirements will fail and may cause network failures, apps to fail, and websites to not load in Safari in iOS 13 and macOS 10.15.

Unable to change SAFE Server URL

Solution

Execute the following command in the terminal after passing the new Activation Key and Safe Server URL.

sudo killall Safe
On macOS Agent 2.x.x.x or later, execute the following command to change the server.

sudo /Library/Application\ Support/com.safe.security/Safe --reset  
sudo /Library/Application\ Support/com.safe.security/Safe configuration -a <ACTIVATION_KEY_HERE> -s <SAFE_URL_HERE>

How to share installer logs?

Solution

  1. Select the installer window.
  2. Press command + L.
  3. Select Show All Logs from the drop-down menu (Top left corner).
  4. Click Save and select a location.
  5. Click Save and share the saved file with the support team.

Agent crashing with EXC_CRASH (Code Signature Invalid) error

Error: EXC_CRASH (Code Signature Invalid)

Solution

This type of crash is observed if the user installs macOS on unsupported hardware.

How to confirm If the installation was successful?

Solution

  • Confirm that agent is installed by checking log file created in location  /Library/Application\ Support/com.safe.security
  • Confirm that the provided activation key and safe URL are proper by executing the command sudo defaults read com.safe.security 
  • Confirm that the asset is shown in SAFE by checking in UI. Currently, supported applicabilities are macOS Mojave, macOS Catalina, and macOS Big Sur.

What are the debug options available in macOS Agent 2.x.x.x or later?

  1. --show-policy
  2. --run-agent 
  3. --reset

Execute the following command to display policy:

[email protected] ~ % sudo /Library/Application\ Support/com.safe.security/Safe --show-policy       
Password:
{
  "minimumLogLevel" : "INFO",
  "policyName" : "Global",
  "syslogConfiguration" : {
    "enabled" : "true",
    "minimumLogLevel" : "ERROR"
  },
  "communication" : {
    "servers" : {
      "primary" : "https:\/\/uat2.lucideus.tech\/",
      "relay" : "https:\/\/relay.safescore.io\/",
      "siteCoordinatorUrls" : [

      ]
    },
    "relayEnabled" : "false"
  },
  "scanSchedule" : {
    "endTime" : "2021-04-13 17:00:00",
    "startTime" : "2021-04-13 16:00:00"
  },
  "httpHeartbeatIntervalSecs" : 60,
  "detectService" : "false",
  "policyVersion" : 1618329711,
  "udpHeartbeatIntervalSecs" : 20
}

Execute the following command to run a scan:

[email protected] ~ % sudo /Library/Application\ Support/com.safe.security/Safe --run-agent         
Password:
Scanning...
Scan was successful

Execute the following command to reset the agent (Same as fresh installation):

sudo /Library/Application\ Support/com.safe.security/Safe --reset  

The user should pass the activation key and safe URL after running the reset command to activate the agent.


Was this article helpful?