Symantec Privileged Access Management

Tech Tip: Newly installed endpoints cannot connect to DS and as a result they do not have any policies deployed.

Jun 16, 2017 12:30 PM

After you perform a fresh installation of a PIM 12.x endpoint on a host, you may find that there are no policies deployed. Here are some things to check.

 

1. Check the policyfetcher log in /opt/CA/AccessControl/log for errors. You may find failures similar to the following:

10:05:10@May 10 2017 - trying to connect to host "DH__WRITER@***.***.***"
10:05:31@May 10 2017 - failed to connect to host "DH__WRITER@***.***.***" (10071), retrying...
10:05:31@May 10 2017 - Going to sleep 60 seconds ... (non abortable)

 

This indicates that policyfetcher is unable to connect in order to fetch policies.

 

2. Check the connection from the endpoint to the DH in selang and see whether you get a "Socket creation failed" message:

 

AC> host ***.***.***
(***.***.***)
ERROR: Connection failed

Socket creation failed

 

Both of these indicate that port 8891 may be blocked between these hosts. Use telnet to verify that port 8891 is not being blocked. Distributing AC policies to endpoints through Advanced Policy Management requires port 8891 to be open for communication.

 

Here is a link to the documentation on port usage:

 

https://docops.ca.com/ca-privileged-identity-manager/12-9/EN/reference/used-ports/ca-controlminder-unix-endpoint-used-ports
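
The two checks above can be combined into one triage script. The following is an added example, not code from the original tip or from the product: it counts failed policyfetcher connections per DH in the log format quoted above, then probes TCP port 8891 using bash's /dev/tcp in place of telnet. The function names, the sample hostnames and the log file argument are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not CA/Symantec code): triage for the two checks in the tip.
AC_PORT=8891   # port the tech tip says must be open to the DH

# Constructed sample in the log format quoted in the tip; hostnames are made up.
sample_log() {
cat <<'EOF'
10:05:10@May 10 2017 - trying to connect to host "DH__WRITER@dh1.example.invalid"
10:05:31@May 10 2017 - failed to connect to host "DH__WRITER@dh1.example.invalid" (10071), retrying...
10:05:31@May 10 2017 - Going to sleep 60 seconds ... (non abortable)
10:06:52@May 10 2017 - failed to connect to host "DH__WRITER@dh1.example.invalid" (10071), retrying...
10:08:13@May 10 2017 - failed to connect to host "DH__WRITER@dh2.example.invalid" (10071), retrying...
EOF
}

# Print "<failures> <target> <error code>" per distinct failed target.
# Reads the log file(s) given as arguments, or stdin when none are given.
failed_targets() {
    awk -F'"' '/failed to connect to host "/ {
        code = $3                       # e.g. " (10071), retrying..."
        sub(/^[^(]*\(/, "", code)       # drop everything up to "("
        sub(/\).*$/, "", code)          # drop ")" and the rest
        n[$2 " " code]++
    }
    END { for (k in n) print n[k], k }' "$@" | sort -k2
}

# "DH__WRITER@host" -> "host"
dh_host() { printf '%s\n' "${1#*@}"; }

# Succeeds only if a TCP connection to host:port completes within 5 seconds.
port_open() {
    timeout 5 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "${2:-$AC_PORT}" 2>/dev/null
}

# Usage: ./script <policyfetcher log file>
if [ "$#" -ge 1 ]; then
    failed_targets "$1" | while read -r count target code; do
        if port_open "$(dh_host "$target")"; then
            state="reachable"
        else
            state="blocked or unreachable"
        fi
        echo "$target: $count failed attempts (code $code), TCP $AC_PORT $state"
    done
fi
```

Run it on the endpoint with the policyfetcher log file as its only argument; a DH reported as "blocked or unreachable" points to the firewall path for port 8891 rather than to the endpoint installation.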
