Endpoint Security Complete

Hello, I am trying to install mobile management for IOS 5.1 ipads.I did all according to best practices and most advices, avi's and adjustments in  the last months. I've got a scepserver in the DMZ and a mms server. Allthough I think the scepserver will be the next problem, the first problem is that after getting a symantec signed certificate (APNS) imported in the mms server and also  imported in the MDM profile as a payload. It still wont worlk. After the symantec app has been run and filled in accordingly, I get the eula and after that I get a profile install popup (with the words "unsigned in red" ) which I need to click through (and read).But right after the second install button I get a :" the profile "MDM enrollment" could not be installed" popup.I ve scrolled through the ipad's log with the iphone configuration utlity and this is the error I'm getting:

 

(Error) MDM: Cannot Authenticate. Error: NSError:

Desc   : A transaction with the server at https://<domain>/IOSServices/mdm.sync has failed with the status 500.^JUS Desc: A transaction with the server at https://<domain>/IOSServices/mdm.sync has failed with the status 500.^JDomain : MCHTTPTransactionErrorDomain^JCode   : 23001^JType   : MCFatalError^JParams : (^J    "https://<domain>/IOSServices/mdm.sync",^J    500^J)

Mar 29 01:08:21 hqrdrsiPad profiled[1725] <Notice>: (Error) MC: Cannot install MDM MDM. Error: NSError:^JDesc   : The payload MDM could not be installed.^JSugg   : A transaction with the server at https://<domain>/IOSServices/mdm.sync has failed with the status 500.^JUS Desc: The payload MDM could not be installed.^JUS Sugg: A transaction with the server at https://<domain>/IOSServices/mdm.sync has failed with the status 500.^JDomain : MCInstallationErrorDomain^JCode   : 4001^JType   : MCFatalError^JParams : (^J    MDM^J)^J...Underlying error:^JNSError:^JDesc   : A transaction with the server at https://<domain>/IOSServices/mdm.sync has failed with the status 500.^JUS Desc: A transaction with the server at https://<domain>/IOSServices/mdm.sync has failed with the status 500.^JDomain : MCHTTPTransactionErrorDomain^JCode   : 23001^JType   : MCFatalError^JParams : (^J    "https://<domain>/IOSServices/mdm.sync",^J    500^J)

Mar 29 01:08:21 hqrdrsiPad profiled[1725] <Notice>: (Error) MC: Rolling back installation of profile com.symantec.mdm.enrollment.{E6FDAE753CBC4E34B53B4950ABF4665B}...

Mar 29 01:08:21 hqrdrsiPad profiled[1725] <Notice>: (Error) MC: Installation of profile com.symantec.mdm.enrollment.{E6FDAE753CBC4E34B53B4950ABF4665B} failed with error: NSError:^JDesc   : The profile MDM Enrollment could not be installed.^JSugg   : The payload MDM could not be installed.^JUS Desc: The profile MDM Enrollment could not be installed.^JUS Sugg: The payload MDM could not be installed.^JDomain : MCProfileErrorDomain^JCode   : 1009^JType   : MCFatalError^JParams : (^J    "MDM Enrollment"^J)^J...Underlying error:^JNSError:^JDesc   : The payload MDM could not be installed.^JSugg   : A transaction with the server at https://<domain>/IOSServices/mdm.sync has failed with the status 500.^JUS Desc: The payload MDM could not be installed.^JUS Sugg: A transaction with the server at https://<domain>/IOSServices/mdm.sync has failed with the status 500.^JDomain : MCInstallationErrorDomain^JCode   : 4001^JType   : MCFatalError^JParams : (^J    MDM^J)^J...Underlying error:^JNSError:^JDesc   : A transaction with the server at https://<domain>/IOSServices/mdm.sync has failed with the status 500.^JUS Desc: A transaction with the server at https://<domain>/IOSServices/mdm.sync has failed with the status 500.^JDomain : MCHTTPTransactionErrorDomain^JCode   : 23001^JType   : MCFatalError^JParams : (^J    "https://<domain>/IOSServices/mdm.sync",^J    500^J)

Mar 29 01:08:21 hqrdrsiPad profiled[1725] <Notice>: (Error) MC: Profile com.symantec.mdm.enrollment.{E6FDAE753CBC4E34B53B4950ABF4665B} failed to install with error: NSError:^JDesc   : Profile Failed to Install^JSugg   : The profile MDM Enrollment could not be installed.^JUS Desc: Profile Failed to Install^JUS Sugg: The profile MDM Enrollment could not be installed.^JDomain : MCInstallationErrorDomain^JCode   : 4001^JType   : MCFatalError^J...Underlying error:^JNSError:^JDesc   : The profile MDM Enrollment could not be installed.^JSugg   : The payload MDM could not be installed.^JUS Desc: The profile MDM Enrollment could not be installed.^JUS Sugg: The payload MDM could not be installed.^JDomain : MCProfileErrorDomain^JCode   : 1009^JType   : MCFatalError^JParams : (^J    "MDM Enrollment"^J)^J...Underlying error:^JNSError:^JDesc   : The payload MDM could not be installed.^JSugg   : A transaction with the server at https://<domain>/IOSServices/mdm.sync has failed with the status 500.^JUS Desc: The payload MDM could not be installed.^JUS Sugg: A transaction with the server at https://<domain>/IOSServices/mdm.sync has failed with the status 500.^JDomain : MCInstallationErrorDomain^JCode   : 4001^JType   : MCFatalError^JParams : (^J    MDM^J)^J...Underlying error:^JNSError:^JDesc   : A transaction with the server at https://<domain>/IOSServices/mdm.sync has failed with the status 500.^JUS Desc: A transaction with the server at https://<domain>/IOSServices/mdm.sync has failed with the status 500.^JDomain : MCHTTPTransactionErrorDomain^JCode   : 23001^JType   : MCFatalError^JParams : (^J    "https://<domain>/IOSServices/mdm.sync",^J    500^J)

 

 

does someone have any idea and help????

Is your SSL cert externally signed?  If you access it remotely over the internet, is it valid?

If not, you might want to try this one here:
http://www.symantec.com/docs/TECH175678

If you haven't done this, give it a spin:
http://www.symantec.com/docs/HOWTO59804

Yep the SSL is valid and signed externally according to the company.. We temperary use kmobile.kuiken.nl. You could see for yourself. And I also took on the second advice a while ago. that did not help. I also tried importing the certificate in the credentials payload , but that also did not help.

SSL looks good, I wouldn't bundle the cert because it is trusted.  SCEP looks to be the problem.  Did you configure SCEP to not expire the challenge enrollment password?  Did you make sure to copy everything from the SCEP certificate properly to MMS?  Perhaps a screenshot of your SCEP profile configuration would help if you've already confirmed that SCEP's mscep_admin page is showing a non-expiring challenge enrollment password.

Yes SCEP is configured not to expire the password. I've copied the scep certificates to the mms server.

And this would be my scep profile configuration:

 

The issue I have with scep is its SSL is not externally signed. Probally that should be (allthough the certificate has been imported in the payload mdm profile ). I don't know if that would be a problem 

Windows authentication is required to browse to the webpage which states the password. But I figure thats normal, but I do not know if the mms server would need access somehouw.

And during the enroll profile problem I did see one packet (wireshark) going to the scep server from the device or the mms server. So I never thought it would be concerning the scep server.

A transaction with the server at https://<domain>/IOSServices/mdm.sync has failed with the status 500.

These specific errors are caused by IIS being forced to use SSL communication.  The MMS Server tries to access other pages internally across HTTP.
Solution:
Disable the "Require SSL" option for the server, or at least, for the Mobile Management paths.

If there is an error with the MDM SSl certificate you would get this error: The server certificate for https://MMS_SERVER:443/IOSServices/mdm.sync is invalid.

 

disable SSL option on the iis server did not resolve the problem.

but I am getting this error over and over :

 

WS APNS.GetFeedback() exception. System.Net.WebException: The request failed with HTTP status 404: Not Found.

 

this error keeps poping up in the <symantec directory> nlog\nt_feedback log

 

And when I trigger a mdm enrollment  install I get an error in  iosservices log in the same nlog folder:

 

.5987 ERROR Error Processing Response from Device. System.Net.WebException: The request failed with HTTP status 404: Not Found.
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at OSIMDMHandler.OSIMDMWS.OSIMDMHandlerWS.ProcessDeviceCheckIn(String XmlCheckInResponse)
   at OSIMDMHandler.MDMPutHandler.ProcessRequest(HttpContext context)

 

 

 

The request can possibly be too large for IIS to accept with its default setting of 2048 bytes (2KB).  A larger value like 8192 (8KB) should be sufficient.

 

I've changed the "Maximum query string (Bytes)" from its default of 2048 to 8192 on both servers (mms and SCEP) .

 But the same problem  (and errors from the log) still persist.

I would like to add that the process of the mdm enrollment probably does not even get to the state at which it contacts the scep server. (I'm not receiving any tcp/ip packets form the ipad or mms server which should be sent to the scep server for whatever reason.)

I am not using a reversed proxy server btw.

 

 

 

 

I eventually solved the most scep  issues by cleaning out all the credentials in the ios configuration profile externally sign ssl.

Now I'm kind of stuck at the profile install process again:

I'm getting a "profile failed to install" the profile mdm enrollment" could not be installed." popup

this popup comes right after the "generating key" , "enrolling certificate" and installing profile text appears.

 

 

 

I do not know if any more than these two (APNS?)certificates should be imported as payload in the credential settings for the IOS enrollment configuration.

 

the log of the ipad:

 Apr  2 00:39:27 iPad sandboxd[1095] <Notice>: Mobile MGMT(1093) deny filewritecreate /private/var/mobile/Applications/0A3FD105F3B8466AA8FF864CB9EEF5AF/Documentsapt
 Apr  2 00:39:29 iPad sandboxd[1095] <Notice>: Mobile MGMT(1093) deny filewritecreate /private/var/mobile/Applications/0A3FD105F3B8466AA8FF864CB9EEF5AF/Documentsapt
 Apr  2 00:39:31 iPad profiled[1098] <Notice>: (Note ) profiled: Service starting...
 Apr  2 00:39:31 iPad profiled[1098] <Notice>: (Note ) MC: Profile com.symantec.mdm.enrollment.{E6FDAE753CBC4E34B53B4950ABF4665B} queued for installation.
 Apr  2 00:39:33 iPad profiled[1098] <Notice>: (Note ) MC: Checking for MDM installation...
 Apr  2 00:39:33 iPad profiled[1098] <Notice>: (Note ) MC: ...finished checking for MDM installation.
 Apr  2 00:39:33 iPad profiled[1098] <Notice>: (Note ) MC: Beginning profile installation...
 Apr  2 00:39:38 iPad profiled[1098] <Notice>: (Note ) profiled: Device unlock notification received
 Apr  2 00:39:39 iPad kernel[0] <Debug>: AppleKeyStore:Sending lock change
 Apr  2 00:39:40 iPad profiled[1098] <Notice>: (Note ) MC: Attempting to retrieve issued certificate...
 Apr  2 00:39:40 iPad profiled[1098] <Notice>: (Note ) MC: Issued certificate received.
 Apr  2 00:39:41 iPad profiled[1098] <Notice>: (Error) MDM: Cannot Authenticate. Error: NSError:
 Desc   : A transaction with the server at https://<server dns>/IOSServices/mdm.sync has failed with the status 500.^JUS Desc: A transaction with the server at https://<server dns>/IOSServices/mdm.sync has failed with the status 500.^JDomain : MCHTTPTransactionErrorDomain^JCode   : 23001^JType   : MCFatalError^JParams : (^J    "https://<server dns>/IOSServices/mdm.sync",^J    500^J)
 Apr  2 00:39:41 iPad profiled[1098] <Notice>: (Error) MC: Cannot install MDM MDM. Error: NSError:^JDesc   : The payload MDM could not be installed.^JSugg   : A transaction with the server at https://<server dns>/IOSServices/mdm.sync has failed with the status 500.^JUS Desc: The payload MDM could not be installed.^JUS Sugg: A transaction with the server at https://<server dns>/IOSServices/mdm.sync has failed with the status 500.^JDomain : MCInstallationErrorDomain^JCode   : 4001^JType   : MCFatalError^JParams : (^J    MDM^J)^J...Underlying error:^JNSError:^JDesc   : A transaction with the server at https://<server dns>/IOSServices/mdm.sync has failed with the status 500.^JUS Desc: A transaction with the server at https://<server dns>/IOSServices/mdm.sync has failed with the status 500.^JDomain : MCHTTPTransactionErrorDomain^JCode   : 23001^JType   : MCFatalError^JParams : (^J    "https://<server dns>/IOSServices/mdm.sync",^J    500^J)
 Apr  2 00:39:41 iPad profiled[1098] <Notice>: (Error) MC: Rolling back installation of profile com.symantec.mdm.enrollment.{E6FDAE753CBC4E34B53B4950ABF4665B}...
 Apr  2 00:39:41 iPad profiled[1098] <Notice>: (Error) MC: Installation of profile com.symantec.mdm.enrollment.{E6FDAE753CBC4E34B53B4950ABF4665B} failed with error: NSError:^JDesc   : The profile MDM Enrollment could not be installed.^JSugg   : The payload MDM could not be installed.^JUS Desc: The profile MDM Enrollment could not be installed.^JUS Sugg: The payload MDM could not be installed.^JDomain : MCProfileErrorDomain^JCode   : 1009^JType   : MCFatalError^JParams : (^J    "MDM Enrollment"^J)^J...Underlying error:^JNSError:^JDesc   : The payload MDM could not be installed.^JSugg   : A transaction with the server at https://<server dns>/IOSServices/mdm.sync has failed with the status 500.^JUS Desc: The payload MDM could not be installed.^JUS Sugg: A transaction with the server at https://<server dns>/IOSServices/mdm.sync has failed with the status 500.^JDomain : MCInstallationErrorDomain^JCode   : 4001^JType   : MCFatalError^JParams : (^J    MDM^J)^J...Underlying error:^JNSError:^JDesc   : A transaction with the server at https://<server dns>/IOSServices/mdm.sync has failed with the status 500.^JUS Desc: A transaction with the server at https://<server dns>/IOSServices/mdm.sync has failed with the status 500.^JDomain : MCHTTPTransactionErrorDomain^JCode   : 23001^JType   : MCFatalError^JParams : (^J    "https://<server dns>/IOSServices/mdm.sync",^J    500^J)
 Apr  2 00:39:41 iPad profiled[1098] <Notice>: (Error) MC: Profile com.symantec.mdm.enrollment.{E6FDAE753CBC4E34B53B4950ABF4665B} failed to install with error: NSError:^JDesc   : Profile Failed to Install^JSugg   : The profile MDM Enrollment could not be installed.^JUS Desc: Profile Failed to Install^JUS Sugg: The profile MDM Enrollment could not be installed.^JDomain : MCInstallationErrorDomain^JCode   : 4001^JType   : MCFatalError^J...Underlying error:^JNSError:^JDesc   : The profile MDM Enrollment could not be installed.^JSugg   : The payload MDM could not be installed.^JUS Desc: The profile MDM Enrollment could not be installed.^JUS Sugg: The payload MDM could not be installed.^JDomain : MCProfileErrorDomain^JCode   : 1009^JType   : MCFatalError^JParams : (^J    "MDM Enrollment"^J)^J...Underlying error:^JNSError:^JDesc   : The payload MDM could not be installed.^JSugg   : A transaction with the server at https://<server dns>/IOSServices/mdm.sync has failed with the status 500.^JUS Desc: The payload MDM could not be installed.^JUS Sugg: A transaction with the server at https://<server dns>/IOSServices/mdm.sync has failed with the status 500.^JDomain : MCInstallationErrorDomain^JCode   : 4001^JType   : MCFatalError^JParams : (^J    MDM^J)^J...Underlying error:^JNSError:^JDesc   : A transaction with the server at https://<server dns>/IOSServices/mdm.sync has failed with the status 500.^JUS Desc: A transaction with the server at https://<server dns>/IOSServices/mdm.sync has failed with the status 500.^JDomain : MCHTTPTransactionErrorDomain^JCode   : 23001^JType   : MCFatalError^JParams : (^J    "https://<server dns>/IOSServices/mdm.sync",^J    500^J)
 Apr  2 00:39:41 iPad profiled[1098] <Notice>: (Note ) MC: Removing certificate with persistent ID 69646e74000000000000004c
 Apr  2 00:40:41 iPad profiled[1098] <Notice>: (Note ) profiled: Idled.
 Apr  2 00:40:41 iPad profiled[1098] <Notice>: (Note ) profiled: Service stopping.

 

 The iis log of the mms server states the last http query of the ipad:

2012-04-01 22:38:58 W3SVC1 SRVMMS01AMNL 192.168.203.73 POST /iosservices/SYMC-iOSWebService.aspx - 443 - 77.248.82.190 HTTP/1.1 Mobile%20MGMT/1.4+CFNetwork/548.1.4+Darwin/11.0.0 - - <server dns> 200 0 0 213 1230 1123
 2012-04-01 22:39:00 W3SVC1 SRVMMS01AMNL 192.168.203.73 GET /iosservices/MobileLibraryFeedProxy.aspx feedLanguage=en&platformId=04&platformVersion=5.1 443 - 77.248.82.190 HTTP/1.1 Mobile%20MGMT/1.4+CFNetwork/548.1.4+Darwin/11.0.0 - - <server dns> 200 0 0 2165 288 2948
 2012-04-01 22:39:27 W3SVC1 SRVMMS01AMNL 192.168.203.73 GET /MobileEnrollment/Symc-IOSEnroll.ASPX - 443 - 77.248.82.190 HTTP/1.1 Mobile%20MGMT/1.4+CFNetwork/548.1.4+Darwin/11.0.0 - - <server dns> 200 0 0 261 235 468
 2012-04-01 22:39:27 W3SVC1 SRVMMS01AMNL 192.168.203.73 POST /MobileEnrollment/Symc-IOSEnroll.ASPX - 443 - 77.248.82.190 HTTP/1.1 Mobile%20MGMT/1.4+CFNetwork/548.1.4+Darwin/11.0.0 - - <server dns> 200 0 0 725 1232 124
 2012-04-01 22:39:27 W3SVC1 SRVMMS01AMNL 192.168.203.73 GET /mobileenrollment/eula-en.html - 443 - 77.248.82.190 HTTP/1.1 Mobile%20MGMT/1.4+CFNetwork/548.1.4+Darwin/11.0.0 - - <server dns> 200 0 0 565 228 15
 2012-04-01 22:39:29 W3SVC1 SRVMMS01AMNL 192.168.203.73 POST /iosservices/SYMC-iOSWebService.aspx - 443 - 77.248.82.190 HTTP/1.1 Mobile%20MGMT/1.4+CFNetwork/548.1.4+Darwin/11.0.0 - - <server dns> 200 0 0 837 1212 78
 2012-04-01 22:39:29 W3SVC1 SRVMMS01AMNL 192.168.203.73 GET /iosservices/MobileLibraryFeedProxy.aspx feedLanguage=en&platformId=04&platformVersion=5.1 443 - 77.248.82.190 HTTP/1.1 Mobile%20MGMT/1.4+CFNetwork/548.1.4+Darwin/11.0.0 - - <server dns> 200 0 0 2165 288 171
 2012-04-01 22:39:31 W3SVC1 SRVMMS01AMNL 192.168.203.73 GET /MobileEnrollment/MobileConfig.aspx - 443 - 77.248.82.190 HTTP/1.1 Mozilla/5.0+(iPad;+CPU+OS+5_1+like+Mac+OS+X)+AppleWebKit/534.46+(KHTML,+like+Gecko)+Version/5.1+Mobile/9B176+Safari/7534.48.3 - - <server dns> 200 0 0 4165 369 1170
 2012-04-01 22:42:42 W3SVC1 SRVMMS01AMNL 192.168.203.73 POST /iosservices/SYMC-iOSWebService.aspx - 443 - 86.80.112.221 HTTP/1.1 Mobile%20MGMT/1.4+CFNetwork/548.1.4+Darwin/11.0.0 - - <server dns> 200 0 0 837 1272 577
 2012-04-01 22:42:42 W3SVC1 SRVMMS01AMNL 192.168.203.73 GET /iosservices/MobileLibraryFeedProxy.aspx feedLanguage=nl&platformId=04&platformVersion=5.1 443 - 86.80.112.221 HTTP/1.1 Mobile%20MGMT/1.4+CFNetwork/548.1.4+Darwin/11.0.0 - - <server dns> 200 0 0 6453 288 249
 2012-04-01 22:42:43 W3SVC1 SRVMMS01AMNL 192.168.203.73 GET /iosservices/MobileLibraryFeedProxy.aspx feedLanguage=nl&platformId=04&platformVersion=5.1 443 - 86.80.112.221 HTTP/1.1 Mobile%20MGMT/1.4+CFNetwork/548.1.4+Darwin/11.0.0 - - <mms FQDN> 200 0 0 6453 288 312
 

 

Where and how should/could I check for the problem now?

What type of CA (enterprise or standalone)?  I saw a similar issue when trying to use a standalone CA instead of an enterprise CA.  When you have a standalone CA, it doesn't build all the cert templates, which can cause problems.  Where is your scep server?

It is a enterprice CA in the DMZ. But when I try to add the certificate template mmc, I get a message that a new certificate needs to be installed. But because its disconnected with the domain controler (which is not in the DMZ) it fails out with the message that the new certificate could not be installed.

 

should I temperary migrate the scep to the DC local network , install the new certificate and migrate it again to the DMZ?

 

 

Yes, I would try that.  If the templates aren't installed, that will definitely create a problem.

I've installed the templates but the same problem still persists.There are no payloads in the credentials sections of the ios enrollment configuration. I suspect because both mms and scep server are externally signed ,it would not need any . Is that correct?

 

 

 

and I still get this 404 error on the MMS server:

 

ERROR Error Processing Response from Device. System.Net.WebException: The request failed with HTTP status 404: Not Found.
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at OSIMDMHandler.OSIMDMWS.OSIMDMHandlerWS.ProcessDeviceCheckIn(String XmlCheckInResponse)

It is againfor the query string but may you give this command line a try as well:

Use the following IIS appcmd.exe command:

%systemroot%\system32\inetsrv\appcmd.exe set config /section:system.webServer/security/requestFiltering /requestLimits.maxQueryString:"3072" /commit:apphost

I've allready done this. But I queried it again.And the same problem still persists

I also get this error:

 

Apr  4 13:35:20 hqrdrs-iPad profiled[144] <Notice>: (Note ) MC: Profile -c-o-m-.-s-y-m-a-n-t-e-c-.-m-d-m-.-e-n-r-o-l-l-m-e-n-t-.-{-E-6-F-D-A-E-7-5---3-C-B-C---4-E-3-4---B-5-3-B---4-9-5-0-A-B-F-4-6-6-5-B-} -q-u-e-u-e-d -f-o-r -i-n-s-t-a-l-l-a-t-i-o-n-.
Apr  4 13:35:20 hqrdrs-iPad Preferences[116] <Warning>: ERROR: Can't find plist Root in bundle NSBundle </var/mobile/Applications/CC90C45C-161B-4969-8F7E-46F1025AAD98/Mobile MGMT.app/Settings.bundle> (not yet loaded)
Apr  4 13:35:20 hqrdrs-iPad Preferences[116] <Warning>: ERROR: Couldn't load plist from (null)

 

but this error is before the install profile action is innitiated

If you look in the registry, can you see what template is being used?  The templates should be at: "HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP"

I have the exact same settings as the screenshot

What I did notice is that if I copoy the thumpprint from the query http://<scepserver>/CertSrv/mscep_admin/

Iwil get this:

The registration Authority's response is invalid.

 

I gues this is normal??..because the fingerprint field in the SCEP configuration needs to be empty?...

 

attached is a picture of all (most) the installed certificates.

 

Apr  6 01:55:14 hqrdrs-iPad profiled[1248] <Notice>: (Note ) MC: Attempting to retrieve issued certificate...
Apr  6 01:55:15 hqrdrs-iPad profiled[1248] <Notice>: (Note ) MC: Could not retrieve issued certificate: NSError:
Desc   : The SCEP server returned an invalid response.
US Desc: The SCEP server returned an invalid response.
Domain : MCSCEPErrorDomain
Code   : 22013
Type   : MCFatalError
Apr  6 01:55:15 hqrdrs-iPad profiled[1248] <Notice>: (Error) MC: Cannot retrieve SCEP identity: NSError:
Desc   : The SCEP server returned an invalid response.
US Desc: The SCEP server returned an invalid response.
Domain : MCSCEPErrorDomain
Code   : 22013
Type   : MCFatalError

 

 

Does anyone have any pointers?

This was solved by adjusting the SCEP configuration in the IOS enrollment profile:

I have now filled in the fingerprint with the tumbprint of the CA certificate

 

But still the ultimate sollution is not here:

This is where I'm stuk now

:

Apr  6 11:34:07 hqrdrsiPad profiled[212] <Notice>: (Note ) profiled: Service starting...
Apr  6 11:34:07 hqrdrsiPad profiled[212] <Notice>: (Note ) MC: Profile <mms domain>.kmobile queued for installation.
Apr  6 11:34:07 hqrdrsiPad mc_mobile_tunnel[211] <Notice>: (Note ) MC: mc_mobile_tunnel shutting down.
Apr  6 11:34:11 hqrdrsiPad profiled[212] <Notice>: (Note ) MC: Checking for MDM installation...
Apr  6 11:34:11 hqrdrsiPad profiled[212] <Notice>: (Note ) MC: ...finished checking for MDM installation.
Apr  6 11:34:11 hqrdrsiPad profiled[212] <Notice>: (Note ) MC: Beginning profile installation...
Apr  6 11:34:15 hqrdrsiPad profiled[212] <Notice>: (Note ) profiled: Device unlock notification received
Apr  6 11:34:15 hqrdrsiPad kernel[0] <Debug>: AppleKeyStore:Sending lock change
Apr  6 11:34:16 hqrdrsiPad profiled[212] <Notice>: (Note ) MC: Saving certificate as the S/MIME encryption certificate for postmaster@<mms domain>
Apr  6 11:34:17 hqrdrsiPad profiled[212] <Notice>: (Note ) MC: Attempting to retrieve issued certificate...
Apr  6 11:34:18 hqrdrsiPad profiled[212] <Notice>: (Note ) MC: Issued certificate received.
Apr  6 11:34:19 hqrdrsiPad profiled[212] <Notice>: (Error) MDM: Cannot Authenticate. Error: NSError:
Desc   : A transaction with the server at https://<mms domain>/mobileenrollment/symciosenroll.aspx has failed with the status 405.^JUS Desc: A transaction with the server at https://<mms domain>/mobileenrollment/symciosenroll.aspx has failed with the status 405.^JDomain : MCHTTPTransactionErrorDomain^JCode   : 23001^JType   : MCFatalError^JParams : (^J    "https://<mms domain>/mobileenrollment/symciosenroll.aspx",^J    405^J)
Apr  6 11:34:19 hqrdrsiPad profiled[212] <Notice>: (Error) MC: Cannot install MDM <mmsdomain>.mdm10. Error: NSError:^JDesc   : The payload <mms domain>.kmobile.mdm10 could not be installed.^JSugg   : A transaction with the server at https://<mms domain>/mobileenrollment/symciosenroll.aspx has failed with the status 405.^JUS Desc: The payload <mms domain>.kmobile.mdm10 could not be installed.^JUS Sugg: A transaction with the server at https://<mms domain>/mobileenrollment/symciosenroll.aspx has failed with the status 405.^JDomain : MCInstallationErrorDomain^JCode   : 4001^JType   : MCFatalError^JParams : (^J    "<mms domain>.kmobile.mdm10"^J)^J...Underlying error:^JNSError:^JDesc   : A transaction with the server at https://<mms domain>/mobileenrollment/symciosenroll.aspx has failed with the status 405.^JUS Desc: A transaction with the server at https://<mms domain>/mobileenrollment/symciosenroll.aspx has failed with the status 405.^JDomain : MCHTTPTransactionErrorDomain^JCode   : 23001^JType   : MCFatalError^JParams : (^J    "https://<mms domain>/mobileenrollment/symc-iosenroll.aspx",^J    405^J)
Apr  6 11:34:19 hqrdrsiPad profiled[212] <Notice>: (Error) MC: Rolling back installation of profile <mms domain>.kmobile...
Apr  6 11:34:19 hqrdrsiPad profiled[212] <Notice>: (Error) MC: Installation of profile <mms domain>.kmobile failed with error: NSError:^JDesc   : The profile test1 could not be installed.^JSugg   : The payload <mms domain>.kmobile.mdm10 could not be installed.^JUS Desc: The profile test1 could not be installed.^JUS Sugg: The payload <mms domain>.kmobile.mdm10 could not be installed.^JDomain : MCProfileErrorDomain^JCode   : 1009^JType   : MCFatalError^JParams : (^J    test1^J)^J...Underlying error:^JNSError:^JDesc   : The payload <mms domain>.kmobile.mdm10 could not be installed.^JSugg   : A transaction with the server at https://<mms domain>/mobileenrollment/symciosenroll.aspx has failed with the status 405.^JUS Desc: The payload <mms domain>.kmobile.mdm10 could not be installed.^JUS Sugg: A transaction with the server at https://<mms domain>/mobileenrollment/symciosenroll.aspx has failed with the status 405.^JDomain : MCInstallationErrorDomain^JCode   : 4001^JType   : MCFatalError^JParams : (^J    "<mms domain>.kmobile.mdm10"^J)^J...Underlying error:^JNSError:^JDesc   : A transaction with the server at https://<mms domain>/mobileenrollment/symciosenroll.aspx has failed with the status 405.^JUS Desc: A transaction with the server at https://<mms domain>/mobileenrollment/symciosenroll.aspx has failed with the status 405.^JDomain : MCHTTPTransactionErrorDomain^JCode   : 23001^JType   : MCFatalError^JParams : (^J    "https://<mms domain>/mobileenrollment/symciosenroll.aspx",^J    405^J)
Apr  6 11:34:19 hqrdrsiPad profiled[212] <Notice>: (Error) MC: Profile <mms domain>.kmobile failed to install with error: NSError:^JDesc   : Profile Failed to Install^JSugg   : The profile test1 could not be installed.^JUS Desc: Profile Failed to Install^JUS Sugg: The profile test1 could not be installed.^JDomain : MCInstallationErrorDomain^JCode   : 4001^JType   : MCFatalError^J...Underlying error:^JNSError:^JDesc   : The profile test1 could not be installed.^JSugg   : The payload <mms domain>.kmobile.mdm10 could not be installed.^JUS Desc: The profile test1 could not be installed.^JUS Sugg: The payload <mms domain>.kmobile.mdm10 could not be installed.^JDomain : MCProfileErrorDomain^JCode   : 1009^JType   : MCFatalError^JParams : (^J    test1^J)^J...Underlying error:^JNSError:^JDesc   : The payload <mms domain>.kmobile.mdm10 could not be installed.^JSugg   : A transaction with the server at https://<mms domain>/mobileenrollment/symciosenroll.aspx has failed with the status 405.^JUS Desc: The payload <mms domain>.kmobile.mdm10 could not be installed.^JUS Sugg: A transaction with the server at https://<mms domain>/mobileenrollment/symciosenroll.aspx has failed with the status 405.^JDomain : MCInstallationErrorDomain^JCode   : 4001^JType   : MCFatalError^JParams : (^J    "<mms domain>.kmobile.mdm10"^J)^J...Underlying error:^JNSError:^JDesc   : A transaction with the server at https://<mms domain>/mobileenrollment/symciosenroll.aspx has failed with the status 405.^JUS Desc: A transaction with the server at https://<mms domain>/mobileenrollment/symciosenroll.aspx has failed with the status 405.^JDomain : MCHTTPTransactionErrorDomain^JCode   : 23001^JType   : MCFatalError^JParams : (^J    "https://<mms domain>/mobileenrollment/symciosenroll.aspx",^J    405^J)
Apr  6 11:34:19 hqrdrsiPad profiled[212] <Notice>: (Note ) MC: Removing certificate with persistent ID 636572740000000000000129
Apr  6 11:34:19 hqrdrsiPad profiled[212] <Notice>: (Note ) MC: Removing certificate with persistent ID 63657274000000000000012a
Apr  6 11:34:19 hqrdrsiPad profiled[212] <Notice>: (Note ) MC: Removing certificate with persistent ID 63657274000000000000012b
Apr  6 11:34:19 hqrdrsiPad profiled[212] <Notice>: (Note ) MC: Removing certificate with persistent ID 636572740000000000000126
Apr  6 11:34:19 hqrdrsiPad profiled[212] <Notice>: (Note ) MC: Removing certificate with persistent ID 636572740000000000000127
Apr  6 11:34:19 hqrdrsiPad profiled[212] <Notice>: (Note ) MC: Removing certificate with persistent ID 636572740000000000000128
Apr  6 11:34:19 hqrdrsiPad profiled[212] <Notice>: (Note ) MC: Removing certificate with persistent ID 69646e74000000000000012e