
SCEP policy deployment failing for IOS only

Mark Palmer

We have configured an internal NDES (intune connector installed) server connected to the client's internal PKI. Intune has been configured with Trusted Root/Intermediate policies to deploy to users/devices as well as an SCEP policy to issue the device a client certificate.


Android devices are working fine, they receive the Trusted Root and Intermediate certs as well as their client authentication certificate.

 

IOS devices don't work, they receive the Trusted certificates correctly, are compliant against Intune and all other features work fine, only the SCEP policy fails. Under the IOS SCEP policy properties | Device status, the 'deployment status' shows "Pending".  When on the IOS SCEP policy Overview page, clicking on the pie graph of 'status for checked in devices (or users)' the device 'Deployment Status' shows "Error" but I cannot see any error detail. I've tried IOS device with 11.x.x as well as an older IOS device.

 

This isn't the first Intune/NDES deployment we've done, but it's the first time we've struck this error. Is there any assistance please?

 

Thanks,
Mark

12 Replies

Hello Mark,

 

It looks like it has something to do with the customer's PKI infrastructure. In the past I've had a similar issue. After contact with MS Support this was the answer:

 

As we discussed, we discovered that the Signature Algorithm RSASSA-PSS may not be supported by iOS, and that is why iOS devices could not verify the whole chain.

 

You may need to change the PKI infrastructure from RSASSA-PSS to sha256 or sha512.

 

Here is some documentation:

https://blogs.technet.microsoft.com/askpfeplat/2015/03/15/sha-1-deprecation-and-changing-the-root-ca...

https://discussions.apple.com/thread/6534865?start=0&tstart=0 – apple forum.

 

 

I hope this helps.

 

Best regards,

Ruud Gijsbers
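
A way to check a chain for the signature algorithm named in the reply above, as an added example that is not part of the original thread: it reads the outer `signatureAlgorithm` OID from each certificate (DER or PEM bytes) and reports which ones are signed with RSASSA-PSS. The function names and the certificate-shaped sample inputs are constructed for illustration; real use would pass the bytes of the exported root, intermediate and NDES-issued certificates.

```python
import base64

RSASSA_PSS_OID = "1.2.840.113549.1.1.10"  # id-RSASSA-PSS (RFC 4055)

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:  # base-128 arcs, high bit marks continuation
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def signature_algorithm_oid(cert):
    """Outer signatureAlgorithm OID of an X.509 certificate (DER or PEM bytes)."""
    if b"-----BEGIN" in cert:  # PEM: strip armor lines, decode base64 body
        lines = [l for l in cert.splitlines() if l and not l.startswith(b"-----")]
        cert = base64.b64decode(b"".join(lines))
    _, cert_start, _ = _read_tlv(cert, 0)        # Certificate SEQUENCE
    _, _, tbs_end = _read_tlv(cert, cert_start)  # skip tbsCertificate
    _, alg_start, _ = _read_tlv(cert, tbs_end)   # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = _read_tlv(cert, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    return _decode_oid(cert[oid_start:oid_end])

def pss_signed(chain):
    """Indexes of certificates in chain whose signature is RSASSA-PSS."""
    return [i for i, c in enumerate(chain)
            if signature_algorithm_oid(c) == RSASSA_PSS_OID]

def _der(tag, content):  # short-form lengths only, enough for the sample
    return bytes([tag, len(content)]) + content

def constructed_skeleton(oid_bytes):
    """Constructed test input: certificate-shaped DER, not a real cert."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, oid_bytes))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))

SHA256_RSA = constructed_skeleton(bytes.fromhex("2a864886f70d01010b"))
PSS = constructed_skeleton(bytes.fromhex("2a864886f70d01010a"))
```

A certificate flagged here was signed that way by its issuing CA, so the setting to review is on the CA one level up the chain.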

Thanks Ruud, we're already using SHA256 though.

Hi Mark,

 

What do the log files say on the server where the Certificate Connector is installed? You can have a look at the eventlog and the log files in the installation directory for the Certificate Connector. And also the NDES/SCEP log files.

 

Best regards,

Ruud Gijsbers

Yeah we've checked every log file possible including *.svclogs but they don't even show an attempt, failed request or anything. I've recreated the SCEP policy today but it has not helped. Can also confirm I can connect to the ndes URL from the test devices and receive the correct 403 error on the site as per the documentation.

Does it make any difference if you assign the SCEP profile to a device group or a user group?

 

Otherwise I suggest you open a support ticket with Microsoft. My experience with Microsoft Support is very good, they usually respond the same day.

 

Best regards,

Ruud Gijsbers

Hey Mark,

 

Did you all ever figure out the root cause of the issue? Experiencing the same problem with iOS devices.

 

Thanks

I had the same issue and after struggling with support for some time, they found out that the SCEP profile will be delivered to devices only if Trusted root and SCEP are targeted to exactly the same group.

In my case I was deploying root to all users, but SCEP was deployed to corporate devices only.

After I deployed both to the same group, the issue went away.

We have both assigned the same group...

In Company portal logs, do you see if device received profile and even tried to connect to SCEP server?

We can see that it has the profile and the Trusted Root certificate is on the device but the SCEP Cert has failed and there is nothing in the portal about why it failed and nothing logged on the SCEP Server...

Funny story... turned out to be a typo thanks to copy/paste...

 

On a somewhat related note, the way Intune pushes MAM policies out is a real pain. I like the idea of only pushing policies for work related data, but trying to get that to trigger can be difficult!!

Hi Mark,

May I ask what your typo was? I am having the same issue and can't seem to pin-point where this is failing.