iOS MDM Profile is unable to be installed - errors point to a SCEP Server invalid response

Article:TECH178368  |  Created: 2012-01-05  |  Updated: 2013-09-09  |  Article URL http://www.symantec.com/docs/TECH178368
Article Type
Technical Solution


Issue



When trying to enroll an iOS device to Mobile Management, enrollment reaches the Profile installation screen. When trying to install the profile, the device returns a message that the Profile failed to install. Checking the URL for the SCEP server, e.g. http://scepserver.domain/CertSrv/mscep/mscep.dll, shows that the server returns a valid response.


Error



Reviewing the console output in Xcode or the iPhone Configuration Utility, the following errors are displayed:

Jan 5 15:21:39 unknown profiled[562] <Notice>: (Note ) MC: Checking for MDM installation...
Jan 5 15:21:39 unknown profiled[562] <Notice>: (Note ) MC: ...finished checking for MDM installation.
Jan 5 15:21:39 unknown profiled[562] <Notice>: (Note ) MC: Beginning profile installation...
Jan 5 15:21:45 unknown profiled[562] <Notice>: (Note ) MC: Attempting to retrieve issued certificate...
Jan 5 15:21:46 unknown profiled[562] <Notice>: (Note ) MC: Could not retrieve issued certificate: NSError:
Desc : The SCEP server returned an invalid response.
US Desc: The SCEP server returned an invalid response.
Domain : MCSCEPErrorDomain
Code : 22013
Type : MCFatalError
Jan 5 15:21:46 unknown profiled[562] <Notice>: (Error) MC: Cannot retrieve SCEP identity: NSError:
Desc : The SCEP server returned an invalid response.
US Desc: The SCEP server returned an invalid response.
Domain : MCSCEPErrorDomain
Code : 22013
Type : MCFatalError
Jan 5 15:21:46 unknown profiled[562] <Notice>: (Error) MC: Rolling back installation of profile com.symantec.mdm.enrollment.{3FF5EA9C-1D20-4875-BF84-BCF4DACA7609}...
Jan 5 15:21:46 unknown profiled[562] <Notice>: (Error) MC: Installation of profile com.symantec.mdm.enrollment.{3FF5EA9C-1D20-4875-BF84-BCF4DACA7609} failed with error: NSError:
Desc : The profile MDM Enrollment could not be installed.
Sugg : The SCEP server returned an invalid response.
US Desc: The profile MDM Enrollment could not be installed.
US Sugg: The SCEP server returned an invalid response.
Domain : MCProfileErrorDomain
Code : 1009
Type : MCFatalError
Params : (
"MDM Enrollment"
)
...Underlying error:
NSError:
Desc : The SCEP server returned an invalid response.
US Desc: The SCEP server returned an invalid response.
Domain : MCSCEPErrorDomain
Code : 22013
Type : MCFatalError
Extra info:
{
isPrimary = 1;
}
Jan 5 15:21:46 unknown profiled[562] <Notice>: (Error) MC: Profile com.symantec.mdm.enrollment.{3FF5EA9C-1D20-4875-BF84-BCF4DACA7609} failed to install with error: NSError:
Desc : Profile Failed to Install
Sugg : The SCEP server returned an invalid response.
US Desc: Profile Failed to Install
US Sugg: The SCEP server returned an invalid response.
Domain : MCInstallationErrorDomain
Code: 4001
Type : MCFatalError
...Underlying error:
NSError:
Desc : The profile MDM Enrollment could not be installed.
Sugg : The SCEP server returned an invalid response.
US Desc: The profile MDM Enrollment could not be installed.
US Sugg: The SCEP server returned an invalid response.
Domain : MCProfileErrorDomain
Code : 1009
Type : MCFatalError
Params : (
"MDM Enrollment"
)
...Underlying error:
NSError:
Desc : The SCEP server returned an invalid response.
US Desc: The SCEP server returned an invalid response.
Domain : MCSCEPErrorDomain
Code : 22013
Type : MCFatalError
Extra info:
{
isPrimary = 1;
}


Environment



Mobile Management 7.1
SCEP Server running on Windows 2008 R2 with IIS 7.5


Cause



When trying to enroll, the iOS device encodes an enrollment request and sends it as a GET request to the SCEP server. The IIS logs on the SCEP server show a 404 error for the request from the device.

The request may be too large for IIS to accept under its default maximum query string setting of 2048 bytes (2 KB). A larger value such as 8192 (8 KB) should be sufficient.
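To confirm this cause from the IIS logs, the following added example (not part of the original article) scans W3C-format log text for SCEP requests that request filtering rejected with status 404 and substatus 15, which IIS uses for a query string that is too long. The log lines, field order, client addresses and function name are constructed for illustration.

```python
import io

# Constructed IIS W3C log excerpt (not from the article). The message value is
# filler standing in for the encoded enrollment request the device sends.
SCEP_STEM = "/CertSrv/mscep/mscep.dll"
_BIG = "operation=PKIOperation&message=" + "A" * 3000
_SMALL = "operation=GetCACert&message=ca"
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 7.5",
    "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip "
    "sc-status sc-substatus sc-win32-status",
    f"2012-01-05 15:21:44 GET {SCEP_STEM} {_SMALL} 192.0.2.10 200 0 0",
    f"2012-01-05 15:21:45 GET {SCEP_STEM} {_BIG} 192.0.2.10 404 15 0",
    "2012-01-05 15:22:01 GET /favicon.ico - 192.0.2.11 404 0 2",
])


def find_query_limit_rejections(log_text, stem=SCEP_STEM, limit=2048):
    """Return SCEP requests that IIS request filtering rejected with 404.15."""
    fields, hits = [], []
    for line in io.StringIO(log_text):
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        if row.get("cs-uri-stem", "").lower() != stem.lower():
            continue
        # 404 with substatus 15 means "query string too long" in IIS.
        if row.get("sc-status") == "404" and row.get("sc-substatus") == "15":
            # The logged query may be shortened, so the status pair is the
            # signal; the length is supporting detail only.
            qlen = len(row.get("cs-uri-query", ""))
            hits.append({
                "when": f"{row.get('date')} {row.get('time')}",
                "client": row.get("c-ip"),
                "query_bytes": qlen,
                "over_limit": qlen > limit,
            })
    return hits


if __name__ == "__main__":
    for hit in find_query_limit_rejections(SAMPLE_LOG):
        print(hit)
```

On a real server, pass the text of the site's log file in place of SAMPLE_LOG, and run the same check against the reverse proxy's logs if one sits in front of the SCEP server.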


Solution



There are two ways to increase the maximum query string size. Apply the change on the SCEP server and, if one is used, on the reverse proxy server.

From an Administrator Command Prompt:

C:\windows\system32\inetsrv\appcmd set config /section:requestFiltering /requestLimits.maxQueryString:8192

From the IIS Manager GUI:

  1. Navigate to the Default Web Site. 
  2. Open "Request Filtering" then choose "Edit Feature Settings..." from the Actions menu. 
  3. Change the "Maximum query string (Bytes)" from its default of 2048 to 8192.


