SCEP policy deployment failing for IOS only

Copper Contributor

We have configured an internal NDES (intune connector installed) server connected to the client's internal PKI. Intune has been configured with Trusted Root/Intermediate policies to deploy to users/devices as well as an SCEP policy to issue the device a client certificate.

Android devices are working fine, they receive the Trusted Root and Intermediate certs as well as their client authentication certificate.


IOS devices don't work, they receive the Trusted certificates correctly, are compliant against Intune and all other features work fine, only the SCEP policy fails. Under the IOS SCEP policy properties | Device status, the 'deployment status' shows "Pending".  When on the IOS SCEP policy Overview page, clicking on the pie graph of 'status for checked in devices (or users)' the device 'Deployment Status' shows "Error" but I cannot see any error detail. I've tried IOS device with 11.x.x as well as an older IOS device.


This isn't the first Intune/NDES deployment we've done, but it's the first time we've struck this error. Is there any assistance please?



14 Replies

Hello Mark,


It looks like it has something to do with the customers PKI infrastructure. In the past I've had a similar issue. After contact with MS Support this was the answer:


As we discussed, we discovered that the Signature Algorithm RSASSA-PSS may not be supported by iOS, and that is why iOS devices could not verify the whole chain.


You may need to change the PKI infrastructure from RSASSA-PSS to sha256 or sha512.


Here is  a few documentation: – apple forum.



I hope this helps.


Best regards,

Ruud Gijsbers

Thanks Ruud, we're already using SHA256 though.

Hi Mark,


What do the log files say on the server where the Certificate Connector is installed? You can have a look at the eventlog and the log files in the installation directory for the Certificate Connector. And also the NDES/SCEP log files.


Best regards,

Ruud Gijsbers

Yeah we've checked every log file possible including *.svclogs but they don't even show an attempt, failed request or anything. I've recreated the SCEP policy today but it has not helped. Can also confirm I can connect to the ndes URL from the test devices and receive the correct 403 error on the site as per the documentation.

Does it make any difference if you assign the SCEP profile to a device group or a user group?


Otherwise I suggest you open a support ticket with Microsoft. My experience with Microsoft Support is very good, they usually respond the same day.


Best regards,

Ruud Gijsbers

Hey Mark,


Did you all ever figure out the root cause of the issue?  Experiencing the same problem with ios devices.



i had the same issue and after struggling with support for sometime, they found out that SCEP profile will be delivered to devices only if Trusted root and SCEP are targeted to exactly the same group.

In my case i was deploying root to all users, but SCEP was deployed to corporate devices only.

After I deployed both to the same group, issue gone away.

We have both assigned the same group...

In Company portal logs, do you see if device received profile and even tried to connect to SCEP server?

We can see that is has the profile and the Trusted Root certificate is on the device but the SCEP Cert is failed and there is nothing in the portal about why it failed and nothing logged on the SCEP Server...

Funny story... turned out to be a typo thanks to copy/paste...


On a somewhat related note, the way Intune pushes MAM policies out is a real pain. I like the idea of only pushing polices for work related data, but trying to get that to trigger can be difficult!!

Hi Mark,

May I asked what your typo was? I am having the same issue and can't seem to pin-point where this is failing.


Old thread, necro I know, but hoping to give this very good solution a boost.


I can confirm that Intune is very finicky when it comes to targeting the same (it seems types of) groups for *both* the trusted root certificate *and* the SCEP certificate.


In our case, our trusted root certificate was assigned to a device group that contained "All iOS devices". Yep, just all of them. SCEP user certificate (a client certificate with user's UPN as subject) deployed to same group, and all worked fine. Wifi profile deployed to a big group of AD users also came in and worked.


Then we realise that it's maybe not smart to give all devices a client certificate based on UPN of an AD account - maybe one day we want to set up devices not associated with an AD account. So I changed targetting for SCEP to be a user group full of domain users. SCEP profile stopped deploying, WiFi profile also wasn't coming in - they just sat at "pending". (WiFi not coming in makes sense - it depends on the SCEP cert. SCEP cert not coming in was annoying, and contrary to MS documentation, which states you can target a device *or* user group:


Changed SCEP targetting to a test group of one device, left WiFi targetting at all the AD users, left trusted root targetting at all iOS devices, and what do you know? SCEP cert came in.


By also deploying our trusted root to a group of users, we can now target SCEP certs at any group of users.


So to precisify @Alexander Vanyurikhin's solution, if you target the trusted root deployment at a group of devices, then you *must* target the SCEP deployment also at a group of devices, even if it's a user certificate you are deploying! (stupid!). If you want to target SCEP deployment at a group of users, then you *also* must target the trusted root deployment at a group of users.


(Our setup now deploys the trusted root to all devices, but also to AD users so that SCEP targetting at AD users works as intended)



haha just realised that a bit further down in the documentation in the same section, it states that "Although you create and assign the trusted certificate profile and the SCEP certificate profile separately, both must be assigned. Without both installed on a device, the SCEP certificate policy fails. Ensure that any trusted root certificate profiles are also deployed to the same groups as the SCEP profile"