Forum Discussion
SCEP policy deployment failing for IOS only
Hey Mark,
Did you all ever figure out the root cause of the issue? Experiencing the same problem with ios devices.
Thanks
I had the same issue and, after struggling with support for some time, they found out that the SCEP profile will be delivered to devices only if Trusted root and SCEP are targeted to exactly the same group.
In my case I was deploying root to all users, but SCEP was deployed to corporate devices only.
After I deployed both to the same group, the issue went away.
- JamieLodberg, Oct 07, 2019, Copper Contributor
Old thread, necro I know, but hoping to give this very good solution a boost.
I can confirm that Intune is very finicky when it comes to targeting the same (it seems types of) groups for *both* the trusted root certificate *and* the SCEP certificate.
In our case, our trusted root certificate was assigned to a device group that contained "All iOS devices". Yep, just all of them. SCEP user certificate (a client certificate with user's UPN as subject) deployed to same group, and all worked fine. Wifi profile deployed to a big group of AD users also came in and worked.
Then we realised that it's maybe not smart to give all devices a client certificate based on the UPN of an AD account - maybe one day we want to set up devices not associated with an AD account. So I changed targeting for SCEP to be a user group full of domain users. SCEP profile stopped deploying, WiFi profile also wasn't coming in - they just sat at "pending". (WiFi not coming in makes sense - it depends on the SCEP cert. SCEP cert not coming in was annoying, and contrary to MS documentation, which states you can target a device *or* user group: https://docs.microsoft.com/en-us/intune/protect/certificates-profile-scep#assign-the-certificate-profile)
Changed SCEP targeting to a test group of one device, left WiFi targeting at all the AD users, left trusted root targeting at all iOS devices, and what do you know? SCEP cert came in.
By also deploying our trusted root to a group of users, we can now target SCEP certs at any group of users.
So to precisify Alexander Vanyurikhin's solution, if you target the trusted root deployment at a group of devices, then you *must* target the SCEP deployment also at a group of devices, even if it's a user certificate you are deploying! (stupid!). If you want to target SCEP deployment at a group of users, then you *also* must target the trusted root deployment at a group of users.
(Our setup now deploys the trusted root to all devices, but also to AD users so that SCEP targeting at AD users works as intended)
-Jamie
- JamieLodberg, Oct 07, 2019, Copper Contributor
haha just realised that a bit further down in the documentation in the same section, it states that "Although you create and assign the trusted certificate profile and the SCEP certificate profile separately, both must be assigned. Without both installed on a device, the SCEP certificate policy fails. Ensure that any trusted root certificate profiles are also deployed to the same groups as the SCEP profile"
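The rule quoted above (the trusted root profile must reach every group the SCEP profile reaches) is easy to verify mechanically before a rollout. The following is an added example, not code from the thread or from Microsoft: it takes the assignment lists of a trusted root profile and a SCEP profile and reports any SCEP target group that the root profile does not also target. The records mirror the `target` / `@odata.type` / `groupId` shape of Microsoft Graph device configuration assignments, but the group ids and names are constructed for the demonstration, and the `ALL_DEVICES` / `ALL_USERS` pseudo-ids are an assumption of this script, not Graph identifiers.

```python
"""Check that an Intune SCEP profile's target groups are covered by the trusted root profile.

Assignment records follow the shape of Graph deviceConfiguration assignments:
    {"target": {"@odata.type": "...", "groupId": "..."}}
The ids below are constructed sample values, not real tenant data.
"""

GROUP_TARGET = "#microsoft.graph.groupAssignmentTarget"
EXCLUSION_TARGET = "#microsoft.graph.exclusionGroupAssignmentTarget"
ALL_DEVICES_TARGET = "#microsoft.graph.allDevicesAssignmentTarget"
ALL_USERS_TARGET = "#microsoft.graph.allLicensedUsersAssignmentTarget"

# Pseudo-ids used by this script (assumption) for the built-in "all" targets.
ALL_DEVICES = "ALL_DEVICES"
ALL_USERS = "ALL_USERS"


def target_groups(assignments):
    """Return the set of groups that actually receive a profile.

    Exclusion targets remove delivery rather than grant it, so they are skipped.
    """
    groups = set()
    for assignment in assignments:
        target = assignment["target"]
        kind = target["@odata.type"]
        if kind == GROUP_TARGET:
            groups.add(target["groupId"])
        elif kind == ALL_DEVICES_TARGET:
            groups.add(ALL_DEVICES)
        elif kind == ALL_USERS_TARGET:
            groups.add(ALL_USERS)
        elif kind == EXCLUSION_TARGET:
            continue  # excluded groups never get the profile
        else:
            raise ValueError(f"unknown assignment target type: {kind}")
    return groups


def missing_root_groups(scep_assignments, root_assignments):
    """Groups that get the SCEP profile but not the trusted root profile.

    Any group in the result will show the SCEP certificate stuck at
    "pending"/failed on the device, because the root is never delivered there.
    """
    return sorted(target_groups(scep_assignments) - target_groups(root_assignments))


def group_assignment(group_id):
    """Build a group assignment record (helper for the constructed data below)."""
    return {"target": {"@odata.type": GROUP_TARGET, "groupId": group_id}}


# Constructed sample data modelled on the situation described in the thread.
ROOT_BEFORE = [group_assignment("grp-all-ios-devices")]
SCEP_BEFORE = [group_assignment("grp-domain-users")]

# The fix from the thread: also deploy the trusted root to the user group.
ROOT_AFTER = [group_assignment("grp-all-ios-devices"), group_assignment("grp-domain-users")]


if __name__ == "__main__":
    for label, root in (("before", ROOT_BEFORE), ("after", ROOT_AFTER)):
        gaps = missing_root_groups(SCEP_BEFORE, root)
        status = "OK" if not gaps else f"SCEP will fail for groups {gaps}"
        print(f"{label}: {status}")
```

In practice the two assignment lists would be fetched per profile (for example from the Graph `assignments` relationship of each device configuration) and fed to `missing_root_groups`; an empty result means the documented requirement is satisfied.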
- Patrick Genova, May 24, 2018, Copper Contributor
We have both assigned the same group...
- Alexander Vanyurikhin, May 24, 2018, Iron Contributor
In Company portal logs, do you see if device received profile and even tried to connect to SCEP server?
- Patrick Genova, May 24, 2018, Copper Contributor
We can see that it has the profile and the Trusted Root certificate is on the device, but the SCEP Cert is failed and there is nothing in the portal about why it failed and nothing logged on the SCEP Server...