Forum Discussion
SCEP policy deployment failing for iOS only
We have configured an internal NDES (intune connector installed) server connected to the client's internal PKI. Intune has been configured with Trusted Root/Intermediate policies to deploy to users/devices as well as an SCEP policy to issue the device a client certificate.
Android devices are working fine, they receive the Trusted Root and Intermediate certs as well as their client authentication certificate.
iOS devices don't work: they receive the Trusted certificates correctly, are compliant against Intune and all other features work fine, only the SCEP policy fails. Under the iOS SCEP policy properties | Device status, the 'deployment status' shows "Pending". When on the iOS SCEP policy Overview page, clicking on the pie graph of 'status for checked in devices (or users)', the device 'Deployment Status' shows "Error" but I cannot see any error detail. I've tried an iOS device with 11.x.x as well as an older iOS device.
This isn't the first Intune/NDES deployment we've done, but it's the first time we've struck this error. Is there any assistance please?
Thanks,
Mark
- RuudGijsbers (Iron Contributor)
Hello Mark,
It looks like it has something to do with the customer's PKI infrastructure. In the past I've had a similar issue. After contact with MS Support this was the answer:
As we discussed, we discovered that the Signature Algorithm RSASSA-PSS may not be supported by iOS, and that is why iOS devices could not verify the whole chain.
You may need to change the PKI infrastructure from RSASSA-PSS to sha256 or sha512.
Here is some documentation:
https://discussions.apple.com/thread/6534865?start=0&tstart=0 (Apple forum)
I hope this helps.
Best regards,
Ruud Gijsbers
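One way to check whether anything in the issuing chain is signed with RSASSA-PSS, as an added example that is not part of this thread or of Intune/NDES: run it on the NDES server (or any Windows machine that trusts the CA) against a certificate issued by that PKI. The certificate path is a placeholder you replace with your own file.

```powershell
# Added example (not from the thread). Walks the chain of a certificate issued by the
# PKI and reports each certificate's signature algorithm, flagging RSASSA-PSS, which the
# MS Support answer above names as unsupported on iOS.
param(
    # Placeholder path: any leaf certificate issued by the customer's CA (CER/PEM).
    [string]$CertPath = 'C:\temp\issued-by-customer-ca.cer'
)

$pssOid = '1.2.840.113549.1.1.10'   # id-RSASSA-PSS (PKCS#1 v2.1)

$leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the signature algorithms matter here
$null = $chain.Build($leaf)                     # ChainElements is populated even on a partial chain

$findings = foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    [pscustomobject]@{
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        SigAlgorithm    = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA or RSASSA-PSS
        SigAlgorithmOid = $cert.SignatureAlgorithm.Value
        UsesPss         = ($cert.SignatureAlgorithm.Value -eq $pssOid)
    }
}

$findings | Format-Table -AutoSize

$pssCerts = @($findings | Where-Object { $_.UsesPss })
if ($pssCerts.Count -gt 0) {
    Write-Warning ("{0} certificate(s) in the chain are signed with RSASSA-PSS; " +
                   "iOS devices may fail to verify this chain.") -f $pssCerts.Count
} else {
    Write-Host 'No RSASSA-PSS signatures found in the chain.'
}
```

Note that the hash name alone (sha256) does not tell you the padding scheme; the OID 1.2.840.113549.1.1.10 identifies PSS regardless of which hash it wraps, which is why a chain that is "already SHA256" can still be PSS-signed.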
- Mark Palmer (Copper Contributor)
Thanks Ruud, we're already using SHA256 though.
- RuudGijsbers (Iron Contributor)
Hi Mark,
What do the log files say on the server where the Certificate Connector is installed? You can have a look at the event log and the log files in the installation directory of the Certificate Connector, and also the NDES/SCEP log files.
Best regards,
Ruud Gijsbers