iOS MDM Profile is unable to be installed - errors point to a SCEP Server invalid response

Article ID: 155716

Products

Mobile Management

Issue/Introduction

When trying to enroll an iOS device in Mobile Management, enrollment gets as far as the Profile installation screen. Installing the profile then fails with a message that the Profile failed to install. Checking the URL for the SCEP server, e.g. http://scepserver.domain/CertSrv/mscep/mscep.dll, shows that the server returns a valid response.

Reviewing the console output in Xcode or the iPhone Configuration Utility, the following errors are displayed:

Jan 5 15:21:39 unknown profiled[562] <Notice>: (Note ) MC: Checking for MDM installation...
Jan 5 15:21:39 unknown profiled[562] <Notice>: (Note ) MC: ...finished checking for MDM installation.
Jan 5 15:21:39 unknown profiled[562] <Notice>: (Note ) MC: Beginning profile installation...
Jan 5 15:21:45 unknown profiled[562] <Notice>: (Note ) MC: Attempting to retrieve issued certificate...
Jan 5 15:21:46 unknown profiled[562] <Notice>: (Note ) MC: Could not retrieve issued certificate: NSError:
Desc : The SCEP server returned an invalid response.
US Desc: The SCEP server returned an invalid response.
Domain : MCSCEPErrorDomain
Code : 22013
Type : MCFatalError
Jan 5 15:21:46 unknown profiled[562] <Notice>: (Error) MC: Cannot retrieve SCEP identity: NSError:
Desc : The SCEP server returned an invalid response.
US Desc: The SCEP server returned an invalid response.
Domain : MCSCEPErrorDomain
Code : 22013
Type : MCFatalError
Jan 5 15:21:46 unknown profiled[562] <Notice>: (Error) MC: Rolling back installation of profile com.symantec.mdm.enrollment.{3FF5EA9C-1D20-4875-BF84-BCF4DACA7609}...
Jan 5 15:21:46 unknown profiled[562] <Notice>: (Error) MC: Installation of profile com.symantec.mdm.enrollment.{3FF5EA9C-1D20-4875-BF84-BCF4DACA7609} failed with error: NSError:
Desc : The profile MDM Enrollment could not be installed.
Sugg : The SCEP server returned an invalid response.
US Desc: The profile MDM Enrollment could not be installed.
US Sugg: The SCEP server returned an invalid response.
Domain : MCProfileErrorDomain
Code : 1009
Type : MCFatalError
Params : (
"MDM Enrollment"
)
...Underlying error:
NSError:
Desc : The SCEP server returned an invalid response.
US Desc: The SCEP server returned an invalid response.
Domain : MCSCEPErrorDomain
Code : 22013
Type : MCFatalError
Extra info:
{
isPrimary = 1;
}
Jan 5 15:21:46 unknown profiled[562] <Notice>: (Error) MC: Profile com.symantec.mdm.enrollment.{3FF5EA9C-1D20-4875-BF84-BCF4DACA7609} failed to install with error: NSError:
Desc : Profile Failed to Install
Sugg : The SCEP server returned an invalid response.
US Desc: Profile Failed to Install
US Sugg: The SCEP server returned an invalid response.
Domain : MCInstallationErrorDomain
Code: 4001
Type : MCFatalError
...Underlying error:
NSError:
Desc : The profile MDM Enrollment could not be installed.
Sugg : The SCEP server returned an invalid response.
US Desc: The profile MDM Enrollment could not be installed.
US Sugg: The SCEP server returned an invalid response.
Domain : MCProfileErrorDomain
Code : 1009
Type : MCFatalError
Params : (
"MDM Enrollment"
)
...Underlying error:
NSError:
Desc : The SCEP server returned an invalid response.
US Desc: The SCEP server returned an invalid response.
Domain : MCSCEPErrorDomain
Code : 22013
Type : MCFatalError
Extra info:
{
isPrimary = 1;
}

Cause

When trying to enroll, the iOS device encodes an enrollment request and sends it as a GET request to the SCEP server.  Checking the IIS logs on the SCEP server would show a 404 error message for the request from the device.

The request can be too large for IIS to accept with its default maximum query string setting of 2048 bytes (2KB).  A larger value like 8192 (8KB) should be sufficient.
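To confirm this cause from the IIS log before changing the limit, the following added example (not part of the original article or the product) scans a W3C-format log for SCEP requests that were rejected or that exceed the query string limit. It assumes the log's #Fields line includes cs-uri-stem, cs-uri-query, sc-status and sc-substatus, and that the 404 is logged with sub-status 15, which IIS request filtering uses for a query string that is too long; the sample log lines are constructed.

```python
# Added example (not vendor code): scan an IIS W3C log for SCEP requests that
# request filtering rejected, or that exceed the query string limit.
MAX_QUERY_STRING = 2048  # IIS default stated in the article

# Constructed sample log; addresses, date and the padded message are made up.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 7.5",
    "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-substatus",
    "2020-01-05 15:21:40 GET /CertSrv/mscep/mscep.dll operation=GetCACaps&message=CA 192.0.2.10 200 0",
    "2020-01-05 15:21:46 GET /CertSrv/mscep/mscep.dll operation=PKIOperation&message="
    + "A" * 3000 + " 192.0.2.10 404 15",
    "2020-01-05 15:22:10 GET /favicon.ico - 192.0.2.20 404 0",
])


def find_oversized_scep_requests(log_text, limit=MAX_QUERY_STRING, stem="mscep.dll"):
    """Return SCEP requests rejected with 404.15 or with a query string over `limit`."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names apply to the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip malformed or truncated rows
        row = dict(zip(fields, values))
        if stem not in row.get("cs-uri-stem", "").lower():
            continue
        query = row.get("cs-uri-query", "-")
        query_bytes = 0 if query == "-" else len(query.encode("ascii", "replace"))
        # Sub-status 15 is what IIS logs when request filtering rejects a long query string.
        rejected = (row.get("sc-status"), row.get("sc-substatus")) == ("404", "15")
        if rejected or query_bytes > limit:
            hits.append({
                "time": f"{row.get('date', '')} {row.get('time', '')}".strip(),
                "client": row.get("c-ip", ""),
                "query_bytes": query_bytes,
                "rejected_404_15": rejected,
            })
    return hits


if __name__ == "__main__":
    for hit in find_oversized_scep_requests(SAMPLE_LOG):
        print(hit)
```

The largest query_bytes value reported is a practical lower bound when choosing the new limit.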

Resolution

There are two ways to increase the maximum query string size.  Apply the change on the SCEP Server and, if one is used, on the Reverse Proxy server.

From an Administrator Command Prompt:

C:\windows\system32\inetsrv\appcmd set config /section:requestFiltering /requestLimits.maxQueryString:8192

From the IIS Manager GUI:

  1. Navigate to the Default Web Site. 
  2. Open "Request Filtering" then choose "Edit Feature Settings..." from the Actions menu. 
  3. Change the "Maximum query string (Bytes)" from its default of 2048 to 8192.

Applies To

Mobile Management 7.1
SCEP Server running on Windows 2008 R2 with IIS 7.5